The scope of a cybersecurity assessment will vary with organizational size, complexity, and industry, but the end goal of any assessment is to reduce the overall attack surface. An assessment is a great starting point for any organization that isn't sure of its cyber strengths and weaknesses and needs a roadmap in order to address immediate and future security priorities. Understanding strengths and weaknesses is a key foundation for the improvement of any cybersecurity program.
Once you have decided to complete an assessment, the next step is to determine its scope and scale. What is the goal of your cybersecurity assessment? Are you looking to build a roadmap for improving your security posture? Are you looking to establish benchmarks for your present performance?
Many industries are required to comply with specific regulations and standards, so it's important to factor those requirements into your assessment process and framework. Because assessments and related frameworks have company policy and procedure implications, the assessment is a process in which senior management and company leadership should be involved. The case for executive involvement becomes clear when you view a framework as a risk management tool rather than merely an IT issue.
While it is true that the most comprehensive and battle-tested frameworks are a good starting point for developing a security roadmap, it is important to ensure that your chosen framework can accommodate the regulatory and security standards requirements directed by senior management. A list of major regulations and standards to consider is included at the end of this article.
Which assessment framework is the best starting point for you?
The two broadest cybersecurity frameworks are the NIST Cybersecurity Framework and the ISO 27000 standards. There are a number of additional frameworks that are specialized by industry or geographic region.
The NIST Cybersecurity Framework is popular among companies in the US. Developed under an Executive Order and in collaboration with academia, the private sector, and government agencies, the Cybersecurity Framework was originally aimed at helping to shore up weaknesses in organizations considered to be part of the critical infrastructure.
The NIST Cybersecurity Framework has since been adopted across a wide variety of industries because of its comprehensive nature and sound guidance. The framework is organized around five core functions: identify, protect, detect, respond, and recover.
Internationally, the ISO 27000 series provides comprehensive cybersecurity guidance. In particular, ISO 27001 specifies how to implement an information security management system, while ISO 27002 helps organizations develop "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
One of the downsides of the ISO standards is that, unlike the NIST Cybersecurity Framework, they are not free. One of their advantages, however, is that there is a corresponding accreditation process that provides confidence to partner firms.