Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular requirements of the CSF. While an improvement over custom assessment questionnaires and the now legacy SAS 70, the relying organization would still need to identify any gaps between the two reports (which will almost surely exist), go through the process of requesting additional information from the ISO-certified entity, and then evaluate the response(s).

While an organization could conceivably support ISO certification as a ‘first step” in the assurance process, it could not and should not rely solely on ISO certification. At some point the ISO-certified organization must demonstrate that the complete set of CSF control requirements relevant to their organization have been implemented appropriately if it is to ascertain what residual risk(s) remain. And since this is best accomplished through the CSF Assurance Program, it just makes sense—from both an economic and resource perspective—to simply require a CSF validated or certified assessment from the onset.

References: Risk Management Frameworks, CSF Assurance Program Requirements and Risk Analysis Guide


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment