Vault restructure

Richard Kranendonk 2026-04-23 11:51:51 +02:00
parent d45797d121
commit ff77508bd1
1433 changed files with 415450 additions and 1201 deletions

@ -0,0 +1,9 @@
# NIST AI Risk Management Framework
[Explainer Video](https://www.nist.gov/video/introduction-nist-ai-risk-management-framework-ai-rmf-10-explainer-video?mc_cid=6b60bcf8b4&mc_eid=6ed2f698ef)
[Playbook](https://airc.nist.gov/AI_RMF_Knowledge_Base/Playbook)
[Framework PDF](https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf)
Comparable to ISO/IEC 23894:2023 ?
See [Risk management](../../🎇%20Sparks/Risk%20management.md)
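Review bot: the explainer-video link on the second line carries Mailchimp tracking parameters (`mc_cid=...&mc_eid=...`) that tag the newsletter recipient; strip the query string so the vault does not store a personal tracking token: `https://www.nist.gov/video/introduction-nist-ai-risk-management-framework-ai-rmf-10-explainer-video`. That slug (`ai-rmf-10`) also settles the "is this 2.0?" question the index file asks about this note: the linked material is AI RMF 1.0. The closing line "Comparable to ISO/IEC 23894:2023 ?" is an open question; answer it or mark it TODO so it is not read as a claim.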

@ -0,0 +1,8 @@
[NIST project page](https://csrc.nist.gov/pubs/sp/800/61/r3/ipd)
[NIST CSF 2.0 incident life cycle.png]
The Govern, Identify, and Protect activities are now outside the primary incident response life cycle, which consists of Detect, Respond, and Recover.
NIST encourages people to utilize online resources, including the selected examples listed for [Preparation Resources](https://csrc.nist.gov/projects/incident-response/preparation-resources) and [Life Cycle Resources](https://csrc.nist.gov/projects/incident-response/life-cycle-resources), in conjunction with [SP 800-61 Revision 3](https://csrc.nist.gov/pubs/sp/800/61/r3/ipd) and [NIST CSF 2.0](https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final), to access additional information on implementing the recommendations and considerations in the publication.
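Review bot: the second line, `[NIST CSF 2.0 incident life cycle.png]`, is not a valid embed (no `!` prefix, no link target), so the figure the next sentence refers to will not render; use the form the other notes use, `![](NIST%20CSF%202.0%20incident%20life%20cycle.png)`. The link labelled "SP 800-61 Revision 3" and the "NIST project page" link both point at the `/ipd` path (initial public draft); check whether a final version has been published and update both links together. The note also has no `#` title line, unlike its sibling files.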

Binary file not shown.

@ -0,0 +1,13 @@
# NIST Cybersecurity Framework
[NIST project page](https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final)
- [Incident Response](NIST%20CSF%202.0%20Incident%20Response.md)
-
Related:
- [CSF Tools for NIST CSF and PF](../other/CSF%20Tools%20for%20NIST%20CSF%20and%20PF.md) - is this 2.0?
This voluntary _Framework_ consists of standards, guidelines and best practices to manage cybersecurity risk.
https://www.nist.gov/cyberframework/framework-documents
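Review bot: the fourth line is an empty list item (`-`); fill it in or drop it. The "is this 2.0?" aside on the CSF Tools entry is an open question left inside the note; answer it or mark it TODO. The bare URL on the last line should be a labelled link like the "NIST project page" link above it, and the sentence describing the Framework belongs with the project-page link rather than after the "Related:" list.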

@ -0,0 +1,141 @@
---
reviewdate: 2024-09-09
---
See also:
- [NIST vs ISO 27001](NIST%20vs%20ISO%2027001.md)
-
[Journey To CSF 2.0](https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20)
[NIST CSWP 29](https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd) (Initial Public Draft)
The CSF 2.0 draft reflects a number of major changes, including: 
[source](https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework)
- The frameworks scope has expanded — explicitly — from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSFs official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.” 
- Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using [five main functions](https://www.nist.gov/cyberframework/online-learning/five-functions "The Five Functions"): identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership. 
- The draft provides improved and expanded guidance on implementing the CSF, especially for creating [profiles](https://www.nist.gov/cyberframework/examples-framework-profiles "Examples of Framework Profiles"), which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each functions subcategories to help organizations, especially smaller firms, to use the framework effectively.
## Discussion Draft of the NIST Cybersecurity Framework 2.0 Core
April 24, 2023 [source](https://www.nist.gov/system/files/documents/2023/04/24/NIST%20Cybersecurity%20Framework%202.0%20Core%20Discussion%20Draft%204-2023%20final.pdf)
*This Table and the text below shows the proposed CSF 2.0 Core Functions, Categories, and Subcategories.*
| Function | Category | Identifier |
| ------------- | ------------------------------------------------------- | ---------- |
| Govern (GV) | Organizational Context | GV.OC |
| | Risk Management Strategy | GV.RM |
| | Roles and Responsibilities | GV.RR |
| | Policies and Procedures | GV.PO |
| Identify (ID) | Asset Management | ID.AM |
| | Risk Assessment | ID.RA |
| | Supply Chain Risk Management | ID.SC |
| | Improvement | ID.IM |
| Protect (PR) | Identity Management, Authentication, and Access Control | PR.AA |
| | Awareness and Training | PR.AT |
| | Data Security | PR.DS |
| | Platform Security | PR.PS |
| | Technology Infrastructure Resilience | PR.IR |
| Detect (DE) | Adverse Event Analysis | DE.AE |
| | Continuous Monitoring | DE.CM |
| Respond (RS) | Incident Management | RS.MA |
| | Incident Analysis | RS.AN |
| | Incident Response Reporting and Communication | RS.CO |
| | Incident Mitigation | RS.MI |
| Recover (RC) | Incident Recovery Plan Execution | RC.RP |
| | Incident Recovery Communication | RC.CO |
[](Screenshot%202024-02-16%20at%2014.35.03.png)
### Govern (GV)
#### Organizational Context (GV.OC)
The organization's risk context, including mission, mission priorities, stakeholders, objectives, and direction, is understood (formerly ID.BE)
- GV.OC-01: ==Organizational mission== is understood in order to prioritize cybersecurity risk management (formerly ID.BE-2 and ID.BE-3)
- GV.OC-02: ==Internal and external stakeholders==, and their expectations regarding cybersecurity risk management, are determined
- GV.OC-03: ==Legal, regulatory, and contractual requirements== regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed (formerly ID.GV-3)
- GV.OC-04: ==Critical objectives, capabilities, and services that stakeholders expect== are determined and communicated (formerly ID.BE-4 and ID.BE-5)
- GV.OC-05: ==Critical outcomes, capabilities, and services that the organization relies on== are determined and communicated (formerly ID.BE-1 and ID.BE-4)
#### Risk Management Strategy (GV.RM)
The organizations priorities, constraints, risk tolerance and appetite statements, and assumptions are established and used to support operational risk decisions (formerly ID.RM)
- GV.RM-01: Cybersecurity risk management ==objectives== are established and agreed to by organizational stakeholders (formerly ID.RM-1)
- GV.RM-02: Cybersecurity ==supply chain risk management== strategy is established, agreed to by organizational stakeholders, and managed (formerly ID.SC-1)
- GV.RM-03: ==Risk appetite and risk tolerance statements== are determined and communicated based on the organizations business environment (formerly ID.RM-2 and ID.RM-3)
- **GV.RM-04**: ==Cybersecurity risk management is considered part of enterprise risk management== (formerly ID.GV-4)
- GV.RM-05: Strategic direction describing ==appropriate risk response options==, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations, and risk acceptance is established and communicated
- GV.RM-06: ==Responsibility and accountability== are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed, and maintained
- GV.RM-07: Risk management ==strategy is reviewed and adjusted== to ensure coverage of organizational requirements and risks
- GV.RM-08: ==Effectiveness and adequacy== of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders
#### Roles and Responsibilities (GV.RR)
Cybersecurity roles and responsibilities are coordinated and aligned with all internal and external stakeholders to enable accountability, performance assessment, and continuous improvement (formerly
ID.GV-2)
- **GV.RR-01**: ==Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement==
- GV.RR-02: ==Roles and responsibilities related to cybersecurity risk management== are established and communicated (formerly ID.GV-2, ID.AM-6, and DE.DP-1)
- GV.RR-03: ==Roles and responsibilities for customers, partners, and other third-party stakeholders== are established and communicated (formerly ID.AM-6)
- GV.RR-04: ==Roles and responsibilities for suppliers== are established, documented in contractual language, and communicated (formerly ID.AM-6)
- GV.RR-05: ==Lines of communication across the organization== are established for cybersecurity risks, including supply chain risks
- GV.RR-06: ==Resourcing and authorities for cybersecurity== are decided commensurate with risk strategy, roles, and policies
- GV.RR-07==: Cybersecurity is included in human resources practices== (e.g., training, deprovisioning, personnel screening) (formerly PR.IP-11)
#### Policies and Procedures (GV.PO)
Organizational cybersecurity policies, processes, and procedures are established and communicated (formerly ID.GV-1)
- GV.PO-01: Policies, processes, and procedures for managing cybersecurity risks are established based on organizational context, risk management strategy, and priorities and are communicated (formerly ID.GV-1)
- GV.PO-02: The same policies used internally are applied to suppliers
- GV.PO-03: Policies and procedures are reviewed, updated, and communicated to reflect changes in requirements, threats, technology, and organizational mission
### Identify (ID)
#### Asset Management (ID.AM)
Assets (e.g., data, devices, software, systems, facilities, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organizations risk strategy.
- ID.AM-01: ==Inventories of physical devices== managed by the organization are maintained
- ID.AM-02: ==Inventories of software and services== managed by the organization are maintained
- ID.AM-03: ==Representations of the organizations authorized network communication and network data flows== are maintained (formerly ID.AM-3 and DE.AE-1)
- ID.AM-04: ==Inventories of external assets and suppliers== are maintained
- ID.AM-05: ==Assets are prioritized== based on *classification*, criticality, resources, and organizational value
- ID.AM-06: Dropped (moved to GV.RR-02, GV.RR-03, and GV.RR-04)
- ID.AM-07: ==Sensitive data and corresponding metadata== are inventoried and tracked
- ID.AM-08: Systems, devices, and software are ==managed throughout their life cycle==, including pre-deployment checks, preventive maintenance, transfers, end-of-life, and disposition (formerly PR.DS-3, PR.IP-2, PR.MA-1, and PR.MA-2)
#### Risk Assessment (ID.RA)
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- ID.RA-01: Vulnerabilities in first-party and third-party assets are identified, validated, and recorded (formerly ID.RA-1 and DE.CM-8)
- ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
- ID.RA-03: Threats, both internal and external, are identified and recorded
- ID.RA-04: Potential business impacts and likelihoods are identified and recorded
- ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine exposure and inform risk prioritization
- ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated (formerly ID.RA-6 and RS.MI-3)
- ID.RA-07: Changes are managed, assessed for risk impact, and recorded (formerly part of PR.IP-3)
- ID.RA-08: Risks associated with technology suppliers and their supplied products and services are identified, recorded, prioritized, and monitored (formerly ID.SC-2 and PR.DS-8)
- ID.RA-09: Processes for receiving, analyzing, and responding to vulnerability disclosures are established (formerly RS.AN-5)
- ID.RA-10: Exceptions to security measures are reviewed, tracked, and compensated for
#### Supply Chain Risk Management (ID.SC)
The organizations supply chain risks are identified, assessed, and managed consistent with the organizations priorities, constraints,
risk tolerances, and assumptions.
- ID.SC-01: Dropped (moved to GV.RM-02)
- ID.SC-02: Dropped (moved to ID.RA-08)
- ID.SC-03: Cybersecurity requirements are integrated into contracts with suppliers and third-party partners
- ID.SC-04: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
- ID.SC-05: Dropped (moved to ID.IM-02)
- ID.SC-06: Supplier termination and transition processes include security considerations
#### Improvement (ID.IM)
Improvements to organizational cybersecurity risk management processes and activities are identified.
- ID.IM-01: Continuous evaluation, including through reviews, audits, and assessments (including self-assessments), is applied to identify opportunities for improvement across all Framework Functions
- ID.IM-02: Security tests and exercises, including in coordination with suppliers and third-party providers, are carried out to identify improvements (formerly ID.SC-5, PR.IP-10, and DE.DP-3)
- ID.IM-03: Improvements for processes and activities across all Framework Functions are identified based on lessons learned (formerly PR.IP-7, PR.IP-8, DE.DP-5, RS.IM-1, RS.IM-2, and RC.IM-2)
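Review bot: the subcategory list reproduces the April 2023 Core discussion draft, and the CSWP 29 link is explicitly the initial public draft, yet the front matter says `reviewdate: 2024-09-09` and the screenshot is dated 2024-02-16; before these identifiers are used as a reference, check each category and subcategory against the published CSF 2.0 (the draft's ID.SC category and the GV.RM and ID.RA numbering are the first places to look). The hunk header counts 141 lines, but the text shown ends at ID.IM-03 while the table promises Protect, Detect, Respond and Recover categories; confirm those sections are present in the file. Formatting points: the "See also" list has an empty `-` item; the image line `[](Screenshot%202024-02-16%20at%2014.35.03.png)` lacks the `!` needed to embed it; GV.RR-07 opens its `==` highlight after the colon (`GV.RR-07==: Cybersecurity ...==`) instead of before the text; the GV.RR and ID.SC category descriptions are broken mid-sentence across two lines ("(formerly" / "ID.GV-2)"); and possessive apostrophes are missing throughout ("The organizations priorities", "each functions subcategories"), which looks like an encoding loss in the copy-paste rather than the source text.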

@ -0,0 +1,8 @@
Related:
- [CSF Tools for NIST CSF and PF](../other/CSF%20Tools%20for%20NIST%20CSF%20and%20PF.md)
The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals privacy.
https://www.nist.gov/privacy-framework
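Review bot: "individuals privacy" needs a possessive apostrophe, and the trailing bare URL should be a labelled link as in the sibling notes, e.g. `[NIST Privacy Framework](https://www.nist.gov/privacy-framework)`. The note also lacks a `#` title line.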

Binary file not shown.

@ -0,0 +1,2 @@
![](NIST%20RMF%20implementation%20diagram.png)

@ -0,0 +1,15 @@
[NIST RMF](NIST%20RMF.md)
[NIST Asset Types](../../📚️%20Literature%20notes/NIST%20Asset%20Types.md)
[NIST AI RMF](NIST%20AI%20RMF.md) - is this 2.0?
[NIST CSF 2.0](NIST%20CSF%202.0.md)
[NIST Asset Types](../../📚️%20Literature%20notes/NIST%20Asset%20Types.md) - is this 2.0?
[NIST vs ISO 27001](NIST%20vs%20ISO%2027001.md) - is this 2.0?
[NIST vs ISO 27001 ChatGPT](NIST%20vs%20ISO%2027001%20ChatGPT.md)
[NIST Privacy Framework (PF)](NIST%20Privacy%20Framework%20(PF).md)- is this 2.0?
[NIST CSF 2.0 Incident Response](NIST%20CSF%202.0%20Incident%20Response.md)
[](NIST%20CSF%202.0%20incident%20life%20cycle.png)
[NIST Cybersecurity Framework's five Functions](NIST%20Cybersecurity%20Framework's%20five%20Functions.md) - is this 2.0?
[Mapping NIST Controls to ISO Standards](../../📚️%20Literature%20notes/Mapping%20NIST%20Controls%20to%20ISO%20Standards.md) - is this 2.0?
[CSF Tools for NIST CSF and PF](../other/CSF%20Tools%20for%20NIST%20CSF%20and%20PF.md) - is this 2.0?
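Review bot: this index lists `[NIST Asset Types]` twice (second and fifth lines) with the same target; drop one. The "is this 2.0?" question is repeated on seven entries without an answer; for NIST AI RMF the linked note's explainer-video slug (`ai-rmf-10`) shows it is AI RMF 1.0, and for the CSF 2.0 Incident Response entry the title already answers it. `[](NIST%20CSF%202.0%20incident%20life%20cycle.png)` needs a `!` to embed the image, and the Privacy Framework entry is missing a space before "- is this 2.0?". A one-line description per entry would make the index usable without opening each note.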

@ -0,0 +1,57 @@
---
reviewdate: 2024-09-09
---
Requested 9 september 2024
*Prompt: How does NIST differ from ISO 27001 in its approach to cybersecurity?*
https://chatgpt.com/share/15932bec-3679-4943-8886-4b5881a98c7d
NIST (National Institute of Standards and Technology) and ISO 27001 are both widely recognized cybersecurity frameworks, but they have different approaches, origins, and structures. Heres how they differ in their approach to cybersecurity:
### 1. Framework vs. Standard
* **NIST**: NIST provides a framework, particularly through its **NIST Cybersecurity Framework (CSF)** and **NIST 800-53** series. The NIST CSF is voluntary, flexible, and provides guidelines, best practices, and recommendations for organizations to improve cybersecurity risk management. NIST is more focused on continuous improvement, allowing organizations to adopt practices based on their unique risk profile.
* **ISO 27001**: ISO 27001 is an **international standard** for Information Security Management Systems (ISMS). It is more prescriptive and focuses on setting up, implementing, maintaining, and continuously improving an ISMS. Certification against ISO 27001 is also possible, whereas NIST frameworks are typically adopted without a certification process.
### 2. Scope
* **NIST**: Primarily focused on **U.S.-based organizations**, though the framework is applicable internationally. NIST emphasizes improving cybersecurity risk management and critical infrastructure protection. Its guidelines, like NIST 800-53, cover a broader range of controls, including privacy and supply chain risk management.
* **ISO 27001**: Has a **global focus** and is used internationally. It provides specific requirements for setting up and managing an ISMS and emphasizes establishing a risk management process across the organization.
### 3. Risk Management Approach
* **NIST**: NIST CSF focuses on five core functions: **Identify, Protect, Detect, Respond, and Recover**. This approach highlights a holistic view of cybersecurity, from understanding risks to recovering from incidents. NIST is more focused on **risk-based decision-making**, allowing organizations to prioritize actions based on their risk profile.
* **ISO 27001**: ISO 27001 has a more formalized and structured approach to risk management, emphasizing the establishment of a **risk assessment and treatment process**. It provides specific requirements for managing risks to information security and requires organizations to document their controls, risks, and actions.
### 4. Control Sets
* **NIST**: NIST 800-53 provides a comprehensive catalog of security controls for federal information systems. These controls are organized into 20 different families (e.g., Access Control, Incident Response, etc.). NISTs controls can be customized based on the organizations needs and are more detailed, especially in areas like privacy and systems development.
* **ISO 27001**: ISO 27001 Annex A contains a set of **114 controls** across 14 categories (e.g., Asset Management, Access Control, etc.). These controls are broader and more general, focusing on high-level information security management practices.
### 5. Certification and Compliance
* **NIST**: NIST does not offer certification. Organizations typically use the NIST frameworks as a guide to improving their cybersecurity posture and managing risks. Compliance with NIST guidelines is often required for U.S. government agencies or organizations working with federal data.
* **ISO 27001**: ISO 27001 offers **formal certification** through accredited bodies. Many organizations, particularly internationally, pursue ISO 27001 certification to demonstrate their commitment to information security to customers, partners, and regulators.
### 6. Audience and Use Cases
* **NIST**: Initially developed for **U.S. federal agencies**, NIST is widely adopted by various industries, especially critical infrastructure sectors, and companies wanting a flexible, risk-based cybersecurity approach.
* **ISO 27001**: Aimed at organizations that want an **internationally recognized certification** for their information security management system. It is often favored by multinational companies and organizations looking to meet global security standards.
### 7. Focus and Flexibility
* **NIST**: More **flexible** and risk-based, making it adaptable to organizations of different sizes and sectors. The framework allows companies to tailor the approach based on their specific risk tolerance and needs.
* **ISO 27001**: More **formalized and prescriptive**, with a focus on compliance and establishing a structured ISMS. ISO 27001 requires more documentation and audits, leading to a more formalized security management process.
### 8. Documentation and Implementation
* **NIST**: NIST frameworks, especially NIST CSF, are designed to be implemented at varying levels of maturity. The focus is on improving security posture continuously rather than following a rigid set of documentation requirements.
* **ISO 27001**: Requires significant **documentation**, including policies, procedures, and records, to prove that the ISMS is working effectively. This is necessary for certification purposes and is part of the ongoing audit process.
### Summary
* **NIST**: Flexible, risk-based framework tailored for continuous improvement in cybersecurity. It is more focused on addressing U.S. federal standards but can be adapted globally.
* **ISO 27001**: A formal, internationally recognized standard aimed at building and maintaining a structured ISMS with the option for certification.
Both frameworks are highly respected and can complement each other, with NIST providing more granular guidelines and ISO 27001 offering a structured, certifiable management system.
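Review bot: this file is an unedited LLM answer, so it needs a visible caveat that its facts were not checked. Two points conflict with the vault's own material: section 3 and the summary describe NIST CSF with five functions, while the CSF 2.0 note in this same commit records the added Govern function (six in total), and section 4's "114 controls across 14 categories" for ISO 27001 Annex A is the 2013 edition's count; ISO/IEC 27001:2022 Annex A has 93 controls in 4 themes. Either annotate those lines as outdated or replace the answer with a note that cites the primary documents.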

@ -0,0 +1,32 @@
---
reviewdate: 2024-09-09
---
See also:
- [NIST vs ISO 27001 ChatGPT](NIST%20vs%20ISO%2027001%20ChatGPT.md)
**Target organizations**
NIST CSF provides a high-level scope and flexible framework any organization can use to build an information security program. In contrast, NIST 800-53 is a special publication designed to help implement NIST CSF in private businesses that work with the US federal government.
NIST 800-53 includes both NIST CSF and ISO 27002 requirements, as well as many others, making NIST 800-53 one of the most granular cybersecurity frameworks available.
**Similarities**
ISO 27001 and NIST CSF are complementary frameworks based on similar risk management processes:
- Identify risks to the organizations information
- Implement controls appropriate to the risk
- Monitor their performance
There are many other overlaps between the two security frameworks. In fact, an organization that holds an ISO 27001 certification has already met about 83% of its NIST CSF requirements. Conversely, an organization thats NIST CSF compliant is already 61% of the way to the ISO 27001 finish line.
### **Key differences: NIST Framework vs. ISO 27001** 
| | |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| **NIST Framework** | **ISO 27001** |
| NIST was primarily created to help US federal agencies and organizations better manage their risk | ISO 27001 is an internationally recognised method of creating and managing an Information Security Management System |
| Consists of various control catalogs - 5 functions, 21 categories & 78 sub categories | Consists of an Annex A that has 14 Control Domains, with 114 total controls |
| Made up of three main sections; Framework Core, Implementation Tiers & Profiles. Each Core Function consists of categories that are required to be completed for that function to be considered fulfilled. | Utilises a risk-based management that consists of recommendations on how best to secure information in the organization. |
| Has voluntary self-assessment and self-compliance. | Relies on independent audit and certification bodies. Organizations will get a certification on completion. |
| Uses five main functions to customise cybersecurity controls | Has 10 clauses to guide an organization through their Information Security Management System |
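Review bot: the table's header row is empty (`| | |`), so "NIST Framework" and "ISO 27001" render as an ordinary data row; move them into the header. The "5 functions, 21 categories & 78 sub categories" and "14 Control Domains, with 114 total controls" rows describe superseded editions: the CSF 2.0 note in this commit has six functions including Govern, and ISO/IEC 27001:2022 Annex A has 93 controls. The "83%" and "61%" overlap figures and the statement that "NIST 800-53 includes both NIST CSF and ISO 27002 requirements" are quoted without a source; add the citation or drop the numbers. Possessive apostrophes are missing ("organizations information", "thats").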

Binary file not shown.
