
5 cybersecurity frameworks accountants should know about

You’ve seen all the news stories: Cyberattacks are happening almost daily, and they can have devastating consequences. You know you need to protect your organization’s data. But where do you even start?

A cybersecurity framework can guide you in the right direction. These frameworks help you design a cybersecurity risk and controls process that is right for your organization. Whether you’re interested in helping set up your own organization’s cyber program, or you’re interested in providing assurance on other organizations’ cybersecurity systems, you should be familiar with different cybersecurity frameworks and what types of companies they’re best for. I’ve listed a few common ones you should know about below.

However, keep in mind that none of these frameworks should be used as simple, cookie-cutter solutions; instead, you should use a risk-based approach. You can use the controls listed in a framework as a starting point and tailor them based on how your organization operates—you may not need all of them, and you may need to customize others. Your organization may even require multiple frameworks. Cybersecurity frameworks can start you off on the right foot, but you should use your best judgment for how to best protect your data.

  1. NIST CSF: National Institute of Standards and Technology Cybersecurity Framework

Who it’s good for: Organizations of all sizes in any industry based in the United States, although it could also be used by multinational companies

This framework from the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, is a good starting place for most organizations in the United States. It’s a popular cybersecurity framework; according to Gartner, by 2020, more than 50 percent of all organizations will use the NIST CSF. In addition to United States Executive Order 13800 requiring government agencies to use the NIST CSF, many US regulatory examiners (e.g., the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, etc.) also leverage it.

The NIST CSF is thorough and risk-based, which makes it good for organizations in a wide variety of industries. Because the NIST CSF was developed by a US governmental agency, it may be a better fit for US-based organizations; however, multinational organizations expanding to the US could also consider either the NIST CSF or ISO/IEC 27001:2013 (discussed below) for their general cybersecurity purposes. Both are good frameworks—and either is certainly better than no framework at all.

  2. ISO/IEC 27001:2013

Who it’s good for: Organizations of all sizes in any industry who have a multinational presence

This framework, created and published by the International Organization for Standardization (ISO), is another general framework that works well for companies of varying sizes in a variety of industries. It is similar to the NIST CSF; however, it’s more common outside of the United States due to its international focus, making it a good choice for multinational companies. The framework is respected and widely known internationally.

  3. COBIT

Who it’s good for: Medium to large organizations in most industries

COBIT was developed by ISACA, an independent, nonprofit global organization that focuses on IT governance. This framework is similar to NIST and ISO’s framework in that it’s a more general framework that most organizations can use. It’s also business-focused and process-oriented. COBIT is often adopted by auditors of public companies and is used as a compliance tool for Sarbanes-Oxley.

  4. HITRUST CSF

Who it’s good for: Organizations in the healthcare industry, although it could be used by other organizations

HITRUST CSF was developed by the Health Information Trust Alliance (HITRUST) and is the most widely adopted security framework in the United States healthcare industry. HITRUST originally developed their CSF to focus on key elements and risks inherent in the healthcare industry, such as HIPAA (Health Insurance Portability and Accountability Act) considerations, but they have since been updating the framework with broader controls that would apply to any organization.

HITRUST CSF is both a risk- and compliance-based framework and is updated quite frequently. It can also be tailored based on a variety of factors, including organization type, size and systems as well as regulatory requirements.

  5. CSA Cloud Controls Matrix

Who it’s good for: Cloud vendors of all sizes and organizations that rely on cloud providers

The Cloud Controls Matrix was developed by the Cloud Security Alliance (CSA) specifically for cloud vendors. The structure of cloud data storage comes with unique risks that require specific security controls, which are laid out in this framework. The Cloud Controls Matrix is updated frequently and is useful for cloud vendors of any size. Organizations that rely heavily on cloud providers may also find this resource useful for evaluating the security of their cloud providers.

Although some frameworks are tailored for certain types of organizations, there is no clear-cut answer for which framework(s) a company should use. Your strategy may vary based on your customers and where you expect growth for the future. And while these frameworks will get you off to a good start, the key to adding value is right-sizing the framework to your organization using a risk-based approach and your sound judgment. And, as always, continue to stay abreast of the latest cyber activity, as new cyber risks continue to present themselves.

Setting up a cybersecurity risk and controls process for your organization will take time. You’ll need to really commit to the work if you want to get value out of it. If you want to learn more about cybersecurity, you can visit the AICPA’s Cybersecurity Resource Center or consider earning a cybersecurity certificate. And regardless of which framework(s) you end up using, the AICPA’s Cybersecurity Risk Management Reporting Framework can help you evaluate if your program has been implemented successfully and provide you with the means to effectively share how you are managing cybersecurity risks with your stakeholders.

Joel White, CPA, CGMA, CISA, CIA, CFE, Senior Director – Internal Audit, Risk & Compliance, Association of International Certified Professional Accountants

