Author of the Month: Andrew Pattison – IT Governance Blog


This month, we are celebrating author Andrew Pattison! His book, NIST CSF 2.0 – Your essential introduction to managing cybersecurity risks, was published in February 2025 and covers the latest updates to the NIST framework.

The NIST CSF (Cybersecurity Framework) 2.0 is designed to help organisations prevent and protect themselves from cyber attacks.

This book will help you understand how to:

  • Begin implementing the NIST CSF 2.0 in your organisation;
  • Build a cyber security programme, adapt an existing one or review existing security practices; and
  • Integrate the NIST CSF 2.0 with other frameworks such as ISO 27001 and ISO 22301.

About the author:

Andrew Pattison is the global head of GRC and PCI consultancy at GRC International Group, a GRC Solutions company. He has been working in information security, risk management and business continuity since the mid-1990s, helping large international organisations across many sectors. Andrew is a certified auditor, as well as holding CISM® and CRISC® certifications. He has provided extensive training in multiple GRC fields and is an approved APMG trainer.

We sat down with Andrew to discuss the book and why organisations should explore the benefits of NIST CSF 2.0.

Congratulations on your second book with ITGP: NIST CSF 2.0 – Your essential introduction to managing cybersecurity risks. This book explores the latest version of the NIST CSF (Cybersecurity Framework) 2.0. What has changed in this updated version?

Although the first version of NIST was impressive, the vital aspect it lacked was governance. In the updated version, a new top-level function for governance has been introduced. This has been done to provide a better understanding of risk in an organisation. There is also greater emphasis on managing risk in the supply chain.

The NIST CSF is easy to adapt in organisations of any size, and not just US-based companies. When NIST was first introduced, it was well-known for being implemented by US organisations involved in critical national infrastructure. However, as Version 2.0 states:

“The CSF is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs.”

NIST CSF 2.0 seems less prescriptive than standards such as ISO 27001. What are the benefits of this?

NIST is slightly different from ISO 27001, as it’s a framework rather than a specification, and at present you cannot be certified against the NIST CSF. It focuses on functions and outcomes rather than prescriptions and allows comparison of an organisation’s current cyber security status against its desired future status. It also provides for classification of a given function or outcome in one of four maturity ‘tiers’, helping organisations plan the development of future improvements.

Yet, it does share a lot in common with ISO 27001. Therefore, an organisation could implement both the CSF and ISO 27001 to ensure an incredibly robust cyber security defence strategy.

That leads onto the next question quite nicely; the book describes how NIST, ISO 27001 and ISO 22301 can work together concurrently – is this the best line of defence an organisation should take to become as secure as possible?

ISO standards are designed using a shared structure. This makes it much easier to implement ISO standards alongside each other, creating an integrated management system (IMS). An IMS enables an organisation to incorporate processes and systems from various standards so that they work under – and towards – one set of policies and objectives. NIST can also fit into this system, as it can be adapted to work with the ISO 27001 standard.

Why should those outside of the US seek to adopt NIST 2.0 in their cyber defence strategy?

NIST is an effective approach to cyber security, as it allows you to evaluate the maturity level of your organisation’s current defence strategy. You can understand the gaps in your defences and then start to look at how you can rectify them and implement tighter controls.

All our books are available in physical, eBook and ePub formats. Find out which format is right for you:

We also offer a range of audiobooks. Find out more about this format in this interview.


We’re also offering a 15% discount throughout April! Just use ‘NIST15’ at the IT Governance checkout. Please note, the discount code only applies to purchases made through the IT Governance website.

The book is also available in print, eBook and audiobook formats from Amazon:

To explore all our Author of the Month interviews, click here.
