Phil Wilson

Scoping the Effort


Our organization has received numerous questions from our members on the number of implied controls and implementation requirements that we need to implement, based on the current 98 lower-level control objectives that we find in the Rev 1.1 Draft.


We did an assessment of CSF 1.0 using Common Controls Hub and came out with just over 1,000 specific requirements. Let us know if you have completed a Scoping assessment of 1.1.



Phil Wilson

The GRC Sphere



That's a cool insight, Phil. It's great to be able to understand the derived requirements that result from a relatively simple outcome like "Data-at-rest is protected".


One point to consider that came up in this week's NIST workshop - some orgs have misinterpreted the Informative Reference column as required controls. Those are simply examples for inspiration, and one could find replacement or supplemental inspiration through GRCsphere and CCH. I don't know how that might impact the resulting derived controls, but I hope an organization wouldn't try to do ISA and ISO and COBIT 5 and RMF and CCS. That would be hard!


Thanks for bringing the question to CForum. After a great week at NIST with hundreds of friends and peers, I'd love to have conversations like this every day!



G2, Inc
