Adapt the Framework to the Business, not the Business to the Framework
- Choosing a framework often means borrowing from different standards and adapting those to an operational framework designed to serve your business objectives.
- Adopting a framework that suits your business gives you visibility that enables you to anticipate what will be required for reporting to regulatory bodies.
“A framework facilitates an understanding of risk within the business, and those understandings allow you to identify the most critical projects that you must have.”
“I have a love-hate relationship with frameworks,” says Russ Kirby, chief information security officer (CISO) of Creditsafe, an international provider of business credit reports with offices in Europe and North America. “One problem with frameworks is that many are industry specific or preferred in certain industries. Another is they are slow to evolve.” ISO 27001, for instance, was first published in 2005 after years of development and was not revised until 2013, its most recent incarnation. Kirby points out that changes in enterprise computing and regulatory environments are outpacing changes in security frameworks.