CyberSecurity Program Mandatory and Discretionary Control Points
The CyberSecurity Program must be built on a solid, proven and tested control
framework with international acceptance. The information security standard
framework of choice would be ISO/IEC 27001:2013. This framework has been used by
many countries to create regulations and statutes designed to protect information
assets. It is a benchmark set of security controls that can be added to depending
on the nature of the business and its risk exposure.
The standard has two sets of controls. The first set, considered mandatory, is outlined in
the main body of ISO/IEC 27001:2013 and provides the overarching management system. The second set of
controls can be risk-justified in or out of scope for the CyberSecurity Program. These
controls are outlined in Annex ‘A’. More details describing these control points are
available in supplementary standard documents such as ISO/IEC 27002:2013.
Below I have provided a high-level summary of each section and the total number of control
points. These control points are important to identify, as each one has been designed
to mitigate a specific known risk that is common to all business environments
that use technology to process and safeguard information.
This information has been shared freely by Mark E.S. Bernard. If you find it useful please
acknowledge this contribution. If you would like additional information or assistance with the
customization and implementation of a balanced risk management process for your security
program then please contact Mark @ 604-349-6557 or email@example.com