ISO/IEC 27032, ISO/IEC 27002, And CMMC Frameworks Achieving Cybersecurity Maturity
In an increasingly interconnected world, the importance of cybersecurity has never been more apparent. As organizations grapple with evolving cyber threats and regulatory requirements, achieving cybersecurity maturity has become a top priority. Our recent webinar titled “ISO/IEC 27032, ISO/IEC 27002, and CMMC frameworks – Achieving Cybersecurity Maturity” shed light on key strategies and frameworks for bolstering cybersecurity defenses and achieving maturity in cybersecurity practices.
The webinar brought together cybersecurity experts, industry leaders, and practitioners to explore the intricacies of cybersecurity maturity and the role of ISO/IEC 27032, ISO/IEC 27002, and the Cybersecurity Maturity Model Certification (CMMC) frameworks in this journey. Through insightful presentations and interactive discussions, attendees gained valuable insights into the principles, methodologies, and best practices for enhancing cybersecurity resilience and maturity. There is a pretty impressive amount of EU Cybersecurity legislation that puts a lot of pressure on companies to maintain a high level of security for their business, data, and infrastructure.
Customers, partners, and employees expect you to be on top of your game to protect their data.
Our panel of experts, Peter Geelen, Oz Erdem, and George Usi, answered some questions on cybersecurity maturity, ISO/IEC 27032, ISO/IEC 27002, and how CMMC frameworks can empower organizations to achieve resilience, readiness, and confidence in the face of evolving cyber threats.
Q: What is the difference between cybersecurity and information security?
A: Information security is a general approach to protect enterprise data and processes. Cybersecurity focuses on processes, services, and systems connected to the internet, to protect these internet-connected systems from internet-based threats. In short, cybersecurity is a subset of information security.
To elaborate a bit further, data protection (or privacy) in general focuses on protecting personal data, which usually expands the scope of enterprise protection.
The PECB Chief Information Security Officer training course identifies the differences between cybersecurity and Information security as separate: ‘Information Security: Preservation of confidentiality, integrity, and availability of information’ – For clarification, information security focuses on information security principles centered around information being accessible to authorized individuals or entities (confidentiality), proper controls that maintain the accuracy, completeness, and reliability of information and systems (integrity), and assurance that information and systems are accessible authoritatively and in a timely manner for authorized users as needed (availability).
Generally, I often refer to information security as information, regardless of the format. Examples of nondigital formats to think about could be a conversation or the right authorized people in a meeting discussing intellectual property, physical forms, and/or printed materials in a file cabinet, company secrets, and much more.
‘Cybersecurity: Safeguarding of people, society, organizations, and nations from cyber risks’ – More simply, cybersecurity resides within the CIA triad focusing on keeping cyber risk at a tolerable level through actionable safeguards, tools, risk approaches, trainings, procedures, etc., that focuses on the digital data within systems, programs, and networks. Think data at rest and in motion generally connected to cyberspace.
Notably, these definitions are often used interchangeably although I highly recommend the PECB CISO training course for a better understanding of the differences.
Q: Will we learn the technical aspects of cybersecurity in the PECB CISO training course?
A: For the PECB CISO training course, the overall content focuses on leading a security program in its entirety through right-sizing risk management and treatment regardless of the technical security controls. Although the training course does touch on some technical security controls and frameworks that may apply to an overall security program, the learning goals are structured in four days of learning that cover:
- Day 1) The fundamentals of information security leadership and the role of CISO
- Day 2) Compliance, risk management, security architecture, and security design
- Day 3) Security Controls, incident management, and change management (how to apply the ‘technicals’ referenced in the question)
- Day 4) Security awareness, monitoring/measurement metrics, and continual improvement
You are welcome to reach out to a PECB reseller or George, Oz, or Peter for any clarifications or questions on the training course content.
Q: How many controls are there in NIST SP 800-53 Rev. 5?
A: (Oz) Security and privacy controls described in NIST SP 800-53 Rev. 5 have a well-defined organization and structure. The controls are organized into 20 families. Each family contains controls that are related to the specific topic of the family. There are around 1,189 controls that are designed to provide a detailed approach to both the security and privacy of the information.
Q: How should one deal with the NOFORN category, CUI-wise?
A: (Oz) “NOFORN” is one of the limited dissemination control markings that are applicable to Controlled Unclassified Information (CUI). It is short for “No Foreign Dissemination”. NOFORN marked CUI may not be provided in any form to foreign governments, international organizations, coalition partners, foreign nationals, and non-U.S. citizens in the U.S. without foreign disclosure approval.
In many cases, NOFORN marked information may also be subject to the International Traffic in Arms Regulations (ITAR), which means an additional authorization/license may be required from the U.S. Department of State for export/submission or disclosure to a foreign national.
Q: How does this relate to FISMA?
A: (Oz) The Federal Information Security Modernization Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The risks would be managed by implementing cybersecurity frameworks including the NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) and NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). The main difference between 800-53 and 800-171 is that 800-171 is used for non-federal systems and organizations, while 800-53 is used for federal organizations.
Q: Is it easier to shift from NIST SP 800-171 Rev. 2 to ISO/IEC 27001:2022 or from ISO/IEC 27001:2022 to NIST 800-171 Rev. 2?
A: (Oz) ISO/IEC 27001:2022 was introduced a few years after the NIST SP 800-171 Rev. 2, and as such some of the previously existing gaps between the areas covered by the NIST SP 800-171 Rev. 2 and ISO/IEC 27001:2013 seem to be closed with the publication of ISO/IEC 27001:2022. NIST 800-171 Rev. 2 contains a mapping table that compares itself with the ISO/IEC 27001:2013, and the table shows several NIST requirements that did not exist in ISO/IEC 27001.
Therefore, one would say it is easier to implement ISO/IEC 27001 first and then gradually move from there to implement NIST SP 800-171. However, NIST has just published the initial public draft version of Rev. 3 of the NIST SP 800- 171, and the final public version will be published soon. There is currently no mapping table in this new version, and NIST confirmed that they would rather compare NIST SP 800-53 Rev. 5 with ISO/IEC 27001:2022 and not NIST SP 800-171. Nevertheless, considering the addition of a large number of requirement controls to 800-171 with the new revision, we can say it is possibly easier to implement ISO/ IEC 27001:2022 first and implement NIST SP 800-171 Rev. 2 or Rev. 3 next.
Q: For those professionals who are already certified with the older version of ISO/IEC 27032, what is the procedure for upgrading to the newer version?
A: For PECB certified individuals, a new and updated training course has been published. You will need to pass a new exam for this training course, due to major changes in the course and standard. With any upgrade of a standard, a major version upgrade applies. The current version is Lead Cybersecurity Manager, while the previous training course and certification was: ISO/IEC 27032 Lead Manager.
Q: What is the equivalent of NIST SP 800-172 in Europe (APTs protection-wise)?
A: (Oz) From the coverage of the Advanced Persistent Threats (APT) perspective, the closest international standard to NIST SP 800-172 would be ISO/IEC 27032:2023.
Q: Some experts in Europe consider CMMC 2.0 an economic warfare tool. Do you agree with that?
A: (Peter) It would be interesting to see the argumentation built to support that opinion. However, from a framework or schema perspective, you see a lot of common ground with other existing maturity models, such as ISO or the other NIST models, and certainly now with the updated NIS 2 approach, on which the EU is building cybersecurity legislation to protect critical infrastructure.
Many best practices are similar. NIS 2 is not an economic warfare model either, however, it is focused on protecting people and businesses from cybercrime and is getting more and more aggressive/assertive with increasing impact on the global economy.
Q: Do you have a mapping of the CMMC 2.0 ecosystem?
A: (Oz) CMMC ecosystem contains various organizations and persons, such as the Cyber Accreditation Board (Cyber AB), Organizations Seeking Certification (OSC), Certified Third Party Assessor Organizations (C3PAO), LPPs, LTPs, CCPs, CCAs, CCIs, RPs, and RPOs.
Information on the key stakeholders in the CMMC ecosystem can be found by clicking here.
Q: Are C3PAOs supposed to be ISO/IEC 27001 compliant or certified?
A: As of the latest from cyberab.org town halls, Yes.
You are welcome to reach out to George, our panelist, for any questions about the requirement or to learn about our journey to ISO/IEC 27001 certification as a pending C3PAO.
C3PAOs are not required to be ISO/IEC 27001 certified. Compliance with ISO/IEC 27001, on the other hand, will certainly benefit the C3PAO during the accreditation process. However, as an assessor organization, C3PAO is required to be ISO/IEC 17020 accredited. ISO/IEC 17020 accreditation will be conducted by the Cyber AB after the organization applies to be a C3PAO.
Q: Who determines data classification and how the data classification is done, for CMMC 2.0 certification purposes?
A: The government executive agency that owns or releases the information is responsible for classifying the information as CUI. If the information is determined to be a CUI the agency will also note this designation in the contract, and the bidders will be notified in advance. Sometimes contracts/projects may not contain CUI at the beginning or during the first phases, and CUI may be received from the government agency during the next phases of the project or can be developed/generated by the contractors during the project.
Q: What do you think of using CMMC 2.0 level 1 as an EBIOS security baseline?
A: Recently, we used the CMMC 2.0 level 1 as a security baseline to handle an EBIOS session for a large account (our clients were very pleased by this unexpected initiative; it appears it fits perfectly for international entities). It all depends on the context, but if CMMC is relevant to your company, running a business in the US, or if you consider it relevant, it might help to integrate it in EBIOS. There are a lot of similar processes or equivalence between EBIOS and, for example, ISO/IEC 27005. It is worth noting that the EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité) has very strong French roots, while CMMC is directed by the US DoD. Thus, the regional/ political roots and objectives are different.
Q: If an enterprise already certified by ISO/IEC 27001 opts to supplement its practices with the NIST standard in select areas, how will the ISMS audit proceed?
A: CMMC does not have a reciprocity with the existing ISO/ IEC 27001 certification. Although the existing ISO/IEC 27001 certificate cannot be used toward the CMMC certification, it certainly helps the organization and facilitates the CMMC level 2/3 implementation, saving cost and time.
Q: Am I correct in assuming that self-assessment is sufficient today for NIST SP 800-171 compliance? Is a third-party audit or certification required?
A: That is correct. During this time frame, until the proposed federal rule is finalized, U.S. defense contractors may continue doing self-assessments for NIST SP 800-171 Rev. 2 compliance and enter/update their scores into the SPRS system.
Q: Have you used the UCF (Unified Compliance Framework) for determining all regulations globally required for a specific data type? This tool helps map the requirements to the controls.
While the UCF is referenced as the largest library database of compliance documents in the world, it is a commercial platform, and as such, not mentioned in the seminar.
On the other hand, you might have a look at the Secure Controls Framework, an open-source and free mapping of controls, best practices, and international regulations that might help you map the requirements to controls.
Q: What tool was shown for managing the overview of your cybersecurity program? See video recording and publication of slide deck. Links published, earlier in this article.
A: The tool shown for managing the overview of the cybersecurity program is Hypeproof, a GRC tool listed by the instructors for the PECB Certified CISO course. Notably, other tools are available with similar functions, and we encourage everyone to consider ‘the right tool for the job’ by evaluating the market for the most suitable application for your specific governance, risk, and compliance needs and requirements.
You are welcome to reach out to George for any clarifications, demos, or questions on the Hyperproof GRC tool.
