Jump to content


Scoping the Effort

  • Please log in to reply
1 reply to this topic

#1 Phil Wilson

Phil Wilson


  • User
  • Pip
  • 8 posts

Posted 17 May 2017 - 05:19 AM

Our organization has received numerous questions from our members on the number of implied controls and implementation requirements that we need to implement, based on the current 98 lower level control objectives the we find in the Rev 1.1 Draft.

We did an assessment of CSF 1.0 using Common Controls Hub and came out with just over 1,000 specific requirements. Let us know if you have completed a Scoping assessment of 1.1.

Phil Wilson
The GRC Sphere

#2 Greg Witte

Greg Witte


  • Administrators
  • 25 posts

Posted 18 May 2017 - 08:14 AM

That's cool insight, Phil. It's great to be able to understand the derived requirements that result from a relatively simple outcome like "Data-at-rest is protected".


One point to consider that came up in this week's NIST workshop - some orgs have misinterpreted the Informative Reference column as required controls. Those are simply examples for inspiration, and one could find replacement or supplemental inspiration through GRCsphere and CCH. I don't know how that might impact the resulting derived controls, but I hope an organization wouldn't try to do ISA and ISO and COBIT 5 and RMF and CCS. That would be hard!


Thanks for bringing the question to CForum. After a great week at NIST with hundreds of friends and peers, I'd love to have conversations like this every day!



G2, Inc

0 user(s) are reading this topic

0 users, 0 guests, 0 anonymous users