Where NIST CSF training fits in the GRC Certification Roadmap

Study GRC Meeting: Questions and Answers

Hey there,

On Wednesday I had a great time coming back to Simply Cyber squad leader Chris Whitlock’s Study GRC weekly meeting. The group discussion focused on AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) and where it fits in the GRC Certification Roadmap.

Please find below the recording and a roundup of key points we covered.

If you have any questions please don’t be shy! 🙋‍♂️ 🙋‍♀️ 

#TeamSC Let’s Go!

Steve

GRC Career Insights

Value of NIST Cybersecurity Framework (CSF)

An insight about NIST Cybersecurity Framework (CSF) in Chapter 2 of the GRC Masterclass was very helpful for me to bring back to my day job. I had been looking for a “Generally Accepted Accounting Principles (GAAP)” equivalent among the fragmented options to facilitate cyber risk management.

Dr. Auger highlighted that:

It’s not just about the controls in the framework, it’s the approach to laying them out. ISO27k just pukes a bunch of controls out, and in my opinion there’s no logical grouping of it. I mean they have some but it’s not great. With NIST cybersecurity framework, it is basically written for practitioners in the context of how an information security program should work.

Gerald Auger, PhD

Wow - mic drop moment! 💥🎤🚶‍♂️

From that point on, I aligned my ISO27k and SOC2 control-based program to CSF. Not just for compliance but for risk work too. Distilling all of the complexity of cybersecurity into just 6 functions (for executives), then 22 categories (for managers), and 106 subcategories (for practitioners) is super helpful in this diverse team sport.

Should You Take Security+ Before A/CCRF?

That’s what the GRC Cert Roadmap says as an initial guideline, but there are no formal prerequisites for the course noted by AKYLADE and there's no one-size-fits-all answer here. Having a basic understanding of cybersecurity terminology and fundamentals is certainly beneficial before jumping into the CSF. Security+ is a good option and helpful on your resume, but there are other ways to get up to speed, such as immersion in books, podcasts, blogs, YouTube and other options noted in the Beginner section of the roadmap.

The A/CCRF course covers cybersecurity and risk management fundamentals in Chapters 1-3 before starting with CSF in Chapter 4, and even if you don't have a formal certification like Security+, you can benefit from it.

Another important point is that A/CCRF isn’t a substitute for Security+ or the Google Cybersecurity Certification or Cyber 101 etc. It’s a complementary addition to give you an edge among a possible sea of applicants.

The Importance of Risk Management

Risk management is 20% of the A/CCRF, and two of ten chapters in the Mastering Cyber Resilience textbook are dedicated to it:

  • Chapter 3: Risk Management Fundamentals

  • Chapter 10: Assessing Cybersecurity Risk

Risk management is the cornerstone of any cybersecurity framework. The NIST CSF includes Risk Assessment (ID.RA) as one of its 22 categories, and NIST strongly emphasized that their voluntary framework is non-prescriptive and risk-based.

Understanding your current cybersecurity risk baseline is crucial. Whether you're a small pharmaceutical company focused on confidentiality of intellectual property or an online training provider concerned with availability of your e-learning platform, the objective is to reduce cyber risk, not just pass audits.

How Does This CSF Course Help with ISO 27001?

I’ve personally found CSF very helpful for ISO27001 and SOC2 programs, and I see more and more SOC2 reports with NIST CSF-influenced control numbers.

The CSF includes “Informative References” that link CSF outcomes to ISO27001 controls.

The “new” 2022 release of ISO 27001 (undergoing a 3-year transition period) has even started to include elements from the CSF, acknowledging its better approach to organizing cybersecurity outcomes that Dr. Auger noted in the GRC Masterclass.

What’s a “CR-MAP”?

A Cyber Risk Management Action Plan (CR-MAP) is a tool that helps translate NIST’s CSF outcomes into actionable steps. It’s the focus of the AKYLADE Certified Cyber Resilience Practitioner (A/CCRP) certification that follows A/CCRF.

First you learn enough about CSF to be part of the cybersecurity team in A/CCRF. Then you can stand on that foundation and learn how to lead the team in A/CCRP.

Education is Only Part of a Career Development Plan

Education is just 10% of a 70-20-10 career development plan. Relationships and experiences are more critical, according to industry research. While education unlocks opportunities, it's your network and hands-on experience that will propel your career forward.

More Frequently Asked Questions

Bottom Line

The NIST CSF deserves the chef’s kiss Dr. Auger gives it here!

It offers a structured approach to understanding and managing cybersecurity risks, making it invaluable whether you're new to the field or looking to deepen your expertise. By aligning your programs with the CSF, you'll not only meet compliance requirements but also achieve meaningful risk reduction. And remember, while education is essential, it's your relationships and experiences that will truly define your career in GRC.