Hi, folks!
We have a new product for you - a gap analysis template for the NIST Cybersecurity Framework 2.0.
Recently, the U.S. National Institute of Standards and Technology updated its Cybersecurity Framework, or NIST CSF for short.
It's a big deal actually since the NIST CSF is widely used as the standard for creating information security programs. Aside from it being created by a government agency of one of the leading countries when it comes to cybersecurity, it's also free.
Yes, if you want to be cost-efficient at starting your information security program, look no further than the NIST CSF 2.0. Aligning to the items listed in the CSF will guide you on the things you'll need when creating your program, but of course, as with any other framework, it only provides guidance.
How you implement those items is still up to your company. Each company has its own business strategy and priorities, budget, risk appetite, and culture.
Anyhow, moving on to the template:
- The template contains the 6 functions (with Govern being the new and 6th function), and their respective categories and subcategories.
- There is a column on compliance so you'll be able to keep track of how compliant you are with the NIST standards. There is also a separate pivot table so that in case anyone asks, you'll be able to immediately show numbers on compliance.
- Since this is a gap analysis document, there are columns for identifying the current state, the desired state, and the gaps: where we are, where we want to be, and how far behind we are.
- Finally, the gap analysis doesn't just end with identifying the gaps. It is used for continuous improvement. We have columns essentially addressing the question "How do we get there?" Now that you have identified the gaps, what do you plan to do? What do you implement? By when should you implement these improvements? Who is responsible? The last few columns should address those questions. To make sure something is implemented, someone always has to be accountable.
We also added a Power BI dashboard so you can share the results of the gap analysis. After all, you can't really say an activity has concluded without sharing the results with a group, management, or any other committee. From the reporting, hopefully there'll be a discussion on the next steps (and the budget).
Hope this helps!