KuppingerCole Report
Advisory Note
By Mike Small

Cyber Risk – Choosing the Right Framework

As organizations undergo Digital Transformation the business impact of cyber risks increases. It is essential that organizations manage these risks. There are several frameworks that organizations could adopt to help them to manage these risks, but they need guidance to choose which is right for them. This report describes the main cyber risk management frameworks and identifies the factors that organizations should consider when choosing which one to use.
By Mike Small (sm@kuppingercole.com)

1 Executive Summary

Organizations need to take a risk-based approach to cyber security. Adopting and using a cyber security framework provides a consistent approach irre ...


2 Highlights

  • As organizations undergo Digital Transformation the business impact of cyber risks increases. It is essential that organizations manage these risks ...

3 The need for a Cyber Risk Framework

Digital Transformation delivers many benefits, but it also increases the organization’s dependency on their IT systems. The hybrid IT delivery model ...


4 Essential Capabilities

A cyber security framework must cover the complexities introduced by the hybrid IT delivery model. It should also provide a structured approach to ma ...


4.1 Support for Hybrid IT

Organizations typically exploit multiple ways in which to deliver their IT services including the use of services from different cloud vendors. At th ...

The complexities introduced by the hybrid delivery model are illustrated in Figure 1. There are multiple technology layers and the responsibility for ...


4.2 Information Security Management System

An Information Security Management System (ISMS) provides a systematic and consistent approach to cyber security. The concept of an ISMS forms the ba ...

The six key elements are:

  • Governance: defines the objectives, policies and organization which form the foundation, and these should be based on be ...

4.3 Expected Capabilities

A cyber security framework should cover the six elements described in the previous section. However, when an organization is choosing which framework ...


5 Cyber Security Frameworks

A Framework helps an organization to achieve cyber security objectives using the best practices based on industry knowledge and practical experience. ...


5.1 Frameworks Overview

There is a wide range of standards and frameworks relating to the governance of risk, IT services and cyber security. In order to understand how thes ...

This categorisation is illustrated in Figure 3; in this figure the frameworks included in this document are shown in black and the related standards a ...


5.2 Frameworks Included

There are several commonly used cyber security and risk management frameworks. This report includes the following:

  • The CIS Controls™ are a pri ...

5.3 Related standards

There are several standards that are related to cyber security; some of these have a wider scope or are not a framework. Some of these are summa ...


5.4 CIS Controls

The CIS Controls™ are a prioritized set of actions that collectively form a set of best practices based on in-depth controls that are intended to m ...


5.5 Cloud Security Alliance

The Cloud Security Alliance (CSA) is an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud co ...


5.6 ISACA

COBIT2019 is a framework for the governance and management of information and technology (I&T), aimed at the whole enterprise. It defines the compo ...


5.7 ISO

The ISO/IEC 27000 series of standards cover best practices for information security, including but not limited to the security of information processe ...


5.8 ITU

The ITU X.805 Security Architecture was created to address the global security challenges of service providers, enterprises, and consumers and is appl ...


5.9 NIST

The NIST CSF focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’ ...


5.10 PCI

The Payment Card Industry Data Security Standard was first created in 2008 imposing obligations on organizations that accept payment cards and process ...

PCI-DSS provides an approach to cyber security that applies to all forms of sensitive data not just payment card data and is relevant to all organizat ...


5.11 SABSA

SABSA is a methodology for developing business-driven, risk and opportunity focused Security Architectures at both enterprise and solutions level th ...


6 Recommendations

It is recommended that IT organizations select, adopt and use a standard Framework for their approach to cyber security.

A Cyber security framework ...


6.1 Catalogue Existing Standards

Identifying what is in use and what is already working is the essential first step to a structured approach to cyber security.

Most organizations wi ...


6.2 Existing Frameworks

If the organization has already adopted a framework, prefer this. If it has not, then adopt the one that most closely meets your organization’s circu ...


6.3 Choose your Framework

Use this report to help to choose the framework that is best for your organization.

This report has described several available standard frameworks ...


6.4 Complement what you already have

Choose a framework to complement what you already have.

Review the standards and frameworks your organization is already using to get the balance be ...


Copyright

©2020 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
