A public draft of NIST SP 800-53 revision 5 is worth checking out.
Major changes in this draft:
- "Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
- Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
- Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability."
NIST invites comments on the draft by September 12th.
NIST’s evolving Cybersecurity Framework is also worth a look. Although it's a little too cyber-centric for my liking, it has application well beyond the critical US national infrastructure for which it is intended (e.g. organizations have their own 'critical infrastructures'). I suspect the Framework Core Structure (particularly the 5 functions corresponding to the timeline of an incident) may be one of several ways to 'tag' controls in the next release of ISO/IEC 27002:
Dr Gary Hinson PhD MBA CISSP
CEO of IsecT Ltd., New Zealand
Passionate about information risk and