Standards, Regulations and Frameworks

Find out which standard best fits your business and how to measure how well you are doing against each one.

Which standard should we align to?

It is important to keep in mind that the standard you select should suit both your internal needs and the needs of your clients and regulators, who may require you to meet a particular standard.

For businesses with immature or unknown capability, i.e. this is the first time you are assessing your business, we recommend starting with a Health Check. It is the shortest assessment and focuses on key controls across all 16 practice areas.

If you do well in the Health Check, you can move on to one of the standards such as ISO 27001 or NIST CSF (if you have a business account). These are more in-depth assessments: they show how mature your controls are across each practice area and, at the same time, how well those controls meet the requirements of the in-scope standard.

InfoSecAssure Health Check

The InfoSecAssure Health Check looks at 25 key controls from across all practice areas that give organisations a view of how well they are managing the fundamentals of information security.

What type of business is this standard best for?

Businesses with immature or unknown capability, i.e. those assessing themselves for the first time. The Health Check is the shortest assessment, and a good result in it is the natural stepping stone to one of the fuller standards-based assessments.

ISO 27001

ISO 27001 (Information Security Management Systems) is the international standard for information security management. Its best-practice approach helps organisations manage their information security by addressing people, processes and technology.

What type of business is this standard best for?

Any business that wishes to implement a risk-based security programme and/or achieve ISO 27001 certification. The standards in the ISO 27000 family set out a risk-based approach to managing information security. Some organisations implement the standard simply to benefit from the best practice it contains, while others also seek certification so that an independent auditor can reassure customers and clients that the standard's requirements have been met.

The Essential Eight

In 2017, the Australian Cyber Security Centre (ACSC) published a set of mitigation strategies designed to help organisations protect themselves against cyber security incidents. These strategies, which became known as the Essential Eight, were designed specifically for Windows-based networks, although variations of them are commonly applied to other platforms. The Essential Eight is a set of prioritised mitigations rather than a certifiable standard.

What type of business is this standard best for?

Businesses that want assurance that their primarily Windows-based environment is secured against the most common threats, and/or companies that wish to provide services to Australian Government departments.

NIST CSF

The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework of standards, guidelines and best practices for managing cybersecurity-related risk. It was created through a collaboration between the United States government and industry to promote the protection of critical infrastructure, and it builds on existing standards, guidelines and practices rather than defining new ones.

What type of business is this standard best for?

NIST CSF should be considered by companies that want a broad information security framework which can later be uplifted to meet more prescriptive U.S. security standards (for example NIST SP 800-53 or SP 800-171), and by organisations planning to bid for U.S. defence contracts.

SOC 2

The AICPA's Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (the control criteria) are intended for use by CPAs providing advisory or attestation services that evaluate the controls within an entity's cyber risk management programme. Management teams can also use the trust services criteria to evaluate the suitability of the design and the operating effectiveness of their controls. There are two types of SOC 2 report. A Type 1 report covers management's description of a service organisation's system and the suitability of the design of its controls at a point in time; a Type 2 report covers the same description together with the suitability of the design and the operating effectiveness of those controls over a review period.

What type of business is this standard best for?

Businesses that need to give third parties an independent audit report on their controls. The report evaluates the suitability of the design and the operating effectiveness of controls relevant to the security, availability or processing integrity of information and systems, or to the confidentiality or privacy of the information those systems process, at an entity, a division or an operating unit of an entity. Note that SOC 2 is an attestation report issued by an auditor, not a certification.