NIST 800 series gaining traction as industry standard
http://blog.ca-grc.com/2008/12/us-federal-it-security-mandates-broadly-accepted/
At my company we have been promoting NIST 800-series as a golden standard in risk and control management for years. We like it because:
– it fills gaps in other standards (the older ISO 27001 series, etc.)
– because it’s comprehensive, it’s easy to generate crosswalks to other standards. The reverse is not always true. In today’s era of ‘flowdown’ auditing, it’s helpful to have a comprehensive standard so you can assess once and map it to whatever requirement is crammed down your throat by your suppliers and customers.
– unlike other standards which are descriptive (they tell you what to do but not how to do it), the 800-series is prescriptive in that it provides guidance on how to implement controls. In fact, there are hundreds of complementary NIST pubs that do just this.
– It’s free. ISO wants $995 for their standard.
– It makes it easy for our customer to do business with us. Because there is such a large body of knowledge available (did I mention it’s free?), our customers can choose to have us help them as much or as little as they need to, and competition helps control their costs. We cannot hold them hostage to proprietary methods, but we stay competitive and add value by leveraging our processes, instruments and other intellectual property we’ve developed over the years.

Steve-
I completely agree. I too have used elements of the NIST 800 series in many of the organizations I have worked in. Of course, my first reason for ever using it was because of the price.
The only gripe (if you can call it that) is that to follow the risk management and controls guidance seems to generate a mountain of documentation. In more than one instance, I had to assign dedicated resources to drafting everything up. Once it was all up, however, it became just a matter of updating/refreshing on a periodic basis.
Brandon Dunlap