Governance: Understanding guidelines, frameworks & standards
Estimated Reading Time: 4 Minutes
Written by: Aaron Nolan
Having a Guideline, Framework or Standard is fundamental for a business to define policy and assess its risk. Many companies are restrained in how they operate by guidelines, frameworks or standards whether this is Central Bank, HIPPA or ISO27001. The levels at which these can be brought to vary, depending on the company’s view of risk.
Guidelines
A guideline is a recommendation, typically by a governing body, on the operational actions an organisation should take when there is no defined standard or framework in place.
An example of this is the Central Bank of Ireland’s handbook for Credit Unions or Financial Services, which is very suggestive in nature but not mandatory for institutes to follow. Guidelines assist the organisation in strengthening its legal and regulatory requirements, by offering best practice advice. They provide recommendations on how standards or baselines should be implemented.
The main benefits of guidelines are that they can be adapted to suit the context of the business, allowing flexibility in implementation. They can be adjusted, modified and scoped to work with the companies’ needs.
However, one of the main drawbacks of working based on a guideline is that these are subjective and not clearly defined, leaving a lot of grey areas of uncertainty.
Frameworks
A framework is a conceptual structure defined by the governance of an organisation to set out policies within the company. This is a top-down approach with the main stakeholders identified first, along with their needs and their appetite for risk. Those who will manage the policies on a day-to-day basis are determined at a later stage.
An example of a framework would be NIST or COBIT, with clearly defined policies and controls to be implemented. Frameworks do not specifically need to come from one source as organisations can draw from several standards to develop their own structure.
The benefits of having a Framework over a Guideline is that there are clear controls and policies that need to be in place to adhere to. Another advantage is that you can draw from several resources to adopt your own framework.
The main disadvantage from pulling from several frameworks is that it may not make you fully compliant with any specific standard or regulation. Be mindful of which frameworks you use as a reference and if they resonate with each other.
Standards
A standard is a mandatory activity, action or rule which is usually verified by a third party and certified. These are typically organisational security standards that specify how hardware and software must be used, in order to satisfy the needs of the standard. Standards are created to support and reinforce policies while providing more detail and direction on the controls.
IASME gold standard or ISO27001 are examples of standards which have precise controls which organisations must adhere to if they wish to be certified. Independent auditors are employed to verify that the required controls are in place so that the organisation can remain certified by the standard.
A crucial advantage to having standards in place is that it provides reassurance to your customers, third parties and authorising bodies that you take the necessary standards seriously. They are beneficial for an organisations’ reputation, and also reassure stakeholders that all is being adhered to.
While there aren’t many drawbacks for adopting a standard, they can be costly to implement and upkeep. Regular reviews are required to keep the standard live, so resources are required – adding additional costs.
The One we Recommend the Most
We have a great deal of experience with compliance across several different verticals, which allows us to work with customers in highly regulated industries, such as healthcare and financial services. Over the years we have discovered which frameworks are easier for the majority of people to understand, apply and follow.
One of these Frameworks is the NIST Cyber Security Framework, the most commonly used in the USA to evaluate a business’ technology infrastructure. It serves as an excellent place to start because it allows companies to identify what their most significant weaknesses and strengths are, which in turn makes it easier to decide where to focus first.
Looking for a comparison between NIST and ISO27001?
Read ISO27001 versus NIST: Why choose one?
The NIST Cyber Security Framework covers a business’ capacity to thrive against threats in a wide range. There are five main categories, which are: identify, protect, detect, respond and recover. Each of these can be rated from 0 to 4, depending on a business’s readiness. Overall, these ratings provide an accurate and profound knowledge of how a business tech infrastructure behaves, which is why we recommend and utilise it with our customers.
We have a guide explaining how to effectively leverage the NIST Framework to bring your security and compliance to the highest level. With it, you can build a risk management system tailored to your organisation. It’s available in this link.
In Conclusion
Depending on the maturity level, risk appetite and resources available; an organisation’s governance structure should be able to select a guideline, framework or standard that works best for the company.
The implementation of a framework such as NIST should be the foundation for any risk-averse company. Having a framework like NIST allows for the budgeting of resources, capacity planning and cost technology improvements.
Security Frameworks are vital for the success and progression of a company, whereas standards are “nice to haves”. Once the organisation has implemented a framework and brought it to its highest level, only then should they look at standards in order to improve its reputation or marketing value.
Thank you for reading! For more compliance advice, visit our Blog.
Follow Spector on our Social Media channels for more exclusive content.
