As G2's engineers help to implement the Cybersecurity Framework around the world, we often find that clients are using (or plan to use) the ISO/IEC 27000 family of standards to help establish, implement, maintain, and continually improve their Information Security Management Systems. These organizations currently receive recognition for their work in implementing ISO; however, their use of the Framework is not acknowledged or readily recognizable by other organizations. If a Framework "certification" were established, would companies use and/or trust the "certification"? The Framework and its usage model are voluntary by design, and the Framework isn't set up to be a conformance standard, yet it's well-structured and interchangeable.
Many Framework users are already working toward formal assessment of their conformance to ISO/IEC 27001 procedures and controls. If an accredited assessor is already assessing the implementation of those ISO procedures and controls (which align with many of the Framework outcomes), would it be valuable to assess the reasonableness of how the organization has implemented the Framework itself? It might be – that’s what we’re looking to find out.
BSI has released an RFI to determine if such a "certification" would provide value to the community and how organizations could leverage the "certification" to help them make business decisions. The RFI is available at BSI via this link – pro or con, we’d welcome your input at http://pages.bsigrou...16-08-11/61k6wf.