The Real Difference Between Frameworks and Compliance

Published On: August 15, 2017

August 14, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

Frameworks are important. They lay the foundation for what will eventually be built. Whether building a structure, a vehicle, a medical device or a security program, the need to begin construction using an established set of requirements is critical. It allows for standardization of approach, measurement of quality and improvement over time.

Within the information security space, there are several established frameworks available. Some, such as ISO 27001, have been around for several years. Others are relatively new. The NIST Cybersecurity Framework (CSF) is a good example of a recently released framework that is steadily growing in popularity among security leaders. All provide an excellent starting point when building or improving an information security program and allow for a leader to choose a framework (or frameworks) best suited to accomplish organizational security objectives.

Interestingly, there also exists an industry notion of ‘compliance’ with these frameworks. This is a misnomer. Compliance obligations are typically established by governing entities and have associated penalties if evidence of compliance cannot be demonstrated.

Frameworks, by comparison, are a collection of best practices designed to provide the building blocks upon which to create or improve information security functions. There are no ‘official’ penalties if you choose not to implement a framework, but there are tremendous advantages gained by putting a framework in place.

The security program can be categorized into enterprise level functions. Each function can be assigned a responsible owner and strategic objectives can be established, built, monitored and communicated. Performance of the key functions of the program can be assessed against enterprise risk and compliance obligations. People, process and technology can be aligned in a strategic fashion versus attempting to address multiple risks or compliance obligations individually in a more tactical manner.

TrustMAPP empowers IT and Security Leaders to quickly build a prioritized, strategic roadmap. Its ease of use and incredible flexibility provides leaders a platform to measure and manage the foundational building blocks of their programs. Leaders in multiple industries are using TrustMAPP to assess and measure the capability of their organizations to mitigate enterprise risk and achieve and maintain alignment with their compliance requirements. With powerful built-in analytics and clear, concise reporting capabilities, leaders can communicate the capacity and status of their programs to executive leadership and to the Board of Directors, without the need for spreadsheets and hundreds of human hours of effort. To begin building a NIST CSF roadmap, download our white paper entitled “Roadmap to Success”.

Browse These Topics

Tags

automate and visualize information security risk management better understanding of their information security management boost the confidence of board members boost the protection of your data bridge the gap in your information security challenges create a security roadmap cyber attack Cyber defense experts cyber security cyber security goals Cybersecurity management developing security programs across the business Easy to Understand Data Security Solution effective cyber security software Effective Data Security Measures effectively communicate with board members regarding cyber issues or threats guide development of a strong information security high quality cyber security tools house being robbed Identify Potential Security Weaknesses Implementing a Comprehensive Cyber Security Plan information security management information security managers information security platform Information Security Programs information security protection agency maintain the control and strength of your firm’s cyber security manage security programs success Managing information security managing your information security effectively professional information security Progressive Data Security Solutions Proposing solutions to cyber threats proprietary software can help you to protect your company reliable information security dashboard responsibilities of a CISO risk assessment software risk management advisor strengthening your company’s security measures strength of your company’s information security strong information security programs successful information security vCISO Visualization of Information Security Risk Management Visualize Information Security Risks