Tools are important. Using the right tool for the job can mean the difference between success and failure in certain scenarios. While the ramifications of the wrong tool are not always that extreme, the wrong tool usually creates more problems, wastes time, and results in frustrating rework.
At its essence, a framework is a tool. It exists to serve a purpose – to make work easier, faster, and better. In the context of Information Security, it is a tool that helps us manage risk and implement effective safeguards to protect our businesses.
A framework is a set of principles and best practices that provide the foundational structure to build an Information Security program in an organization. Furthermore, a framework represents a defined and accepted industry standard that can be used to measure and communicate the state of an organization’s Information Security program in common terms. Just as an architect and a carpenter use a blueprint to build a house, business leaders use frameworks to build successful Information Security programs.
Frameworks are designed to address a common set of risks that businesses inherently face simply by operating in industry. The framework provides the blueprint and general guidance needed to build an effective foundation that business leaders can then customize and mature to meet the organization’s own unique needs, priorities, and risk profiles.
Some professionals will eschew a particular framework because they have seen that framework implemented poorly once, or even many times. The truth is that no framework is perfect. Different frameworks are useful for different purposes. It is what you do with the framework that matters, and you get out of it what you put in.
Two different organizations may use the same framework and achieve vastly different outcomes. The organization that understands Information Security as a competitive advantage will invest resources and mindfully implement safeguards in a way that prioritizes tangible improvements to security, reduced risk, and enhanced operational efficiency. The organization that views security as an impediment to business and an unavoidable inconvenience, on the other hand, will prioritize checking boxes on a checklist with little concern for the true efficacy of the overall program. Both organizations can say that they are compliant with the framework, but only one will have implemented it in a meaningful way that benefits the organization and its customers.
There are many Information Security frameworks to choose from, and each one may be an appropriate choice for a variety of reasons. Business leaders should approach framework selection as a strategic decision – the right tool for the job. The table below summarizes a few common frameworks and identifies some considerations that might play into the decision to use that framework. The information is provided as a simplified example, and it is far from exhaustive.
Framework | Useful For | 3rd-Party Assurance | Free |
Initial first-time implementation of an IT driven Information Security program in small or medium businesses | None | Yes | |
Good all-around framework for small and medium sized organizations that want to mature the program and build a security team. | None | Yes | |
Vendor assurance for IT service providers and Software as a Service vendors | Attestation | No | |
Manufacturers and organizations with international operations | Certificate | No | |
Healthcare IT Service and Software as a Service providers | Certificate | No |
What questions do you have about using a framework to implement or mature your organization’s Information Security program? Use the buttons at the top right corner of the page to connect with us on social media and let us know. Better yet, join us as a caller on a future episode of The Mindful Business Security Show and ask your questions on our podcast!