- CPA to Cybersecurity
- Posts
- Where NIST CSF training fits in the GRC Certification Roadmap
Where NIST CSF training fits in the GRC Certification Roadmap
Study GRC Meeting: Questions and Answers
Hey there,
On Wednesday I had a great time coming back to Simply Cyber squad leader Chris Whitlock’s Study GRC weekly meeting. The group discussion focused on AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) and where it fits in the GRC Certification Roadmap.
Please find below the recording and a roundup of key points we covered.
If you have any questions please don’t be shy! 🙋♂️ 🙋♀️
#TeamSC Let’s Go!
Steve
GRC Career Insights
Value of NIST Cybersecurity Framework (CSF)
An insight about NIST Cybersecurity Framework (CSF) in Chapter 2 of the GRC Masterclass was very helpful for me to bring back to my day job. I had been looking for a “Generally Accepted Accounting Principles (GAAP)” equivalent among the fragmented options to facilitate cyber risk management.
Dr. Auger highlighted that:
It’s not just about the controls in the framework, it’s the approach to laying them out. ISO27k just pukes a bunch of controls out, and in my opinion there’s no logical grouping of it. I mean they have some but it’s not great. With NIST cybersecurity framework, it is basically written for practitioners in the context of how an information security program should work
Wow - mic drop moment! 💥🎤🚶♂️
From that point on, I aligned my ISO27k and SOC2 control-based program to CSF. Not just for compliance but for risk work too. Distilling all of the complexity of cybersecurity into just 6 functions (for executives), then 22 categories (for managers), and 106 categories (for practitioners) is super helpful in this diverse team sport.
Should You Take Security+ Before A/CCRF?
That’s what the GRC Cert Roadmap says as an initial guideline, but there are no formal prerequisites for the course noted by AKYLADE and there's no one-size-fits-all answer here. Having a basic understanding of cybersecurity terminology and fundamentals is certainly beneficial before jumping into the CSF. Security+ is a good option and helpful on your resume, but there are other ways to get up to speed, such as immersion in books, podcasts, blogs, YouTube and other options noted in the Beginner section of the roadmap.
The A/CCRF course covers cybersecurity and risk management fundamentals in Chapters 1-3 before starting with CSF in Chapter 4, and even if you don't have a formal certification like Security+, you can benefit from it.
Another important point is that A/CCRF isn’t a substitute for Security+ or the Google Cybersecurity Certification or Cyber 101 etc. It’s a complementary addition to give you an edge among a possible sea of applicants.
The Importance of Risk Management
Risk management is 20% of the A/CCRF, and two of ten chapters in the Mastering Cyber Resilience textbook are dedicated to it:
Chapter 3: Risk Management Fundamentals
Chapter 10: Assessing Cybersecurity Risk
Risk management is the cornerstone of any cybersecurity framework. The NIST CSF includes Risk Assessment (ID.RA) as one of its 22 categories, and NIST strongly emphasized that their voluntary framework is non-prescriptive and risk-based.
Understanding your current cybersecurity risk baseline is crucial. Whether you're a small pharmaceutical company focused on confidentiality of intellectual property or an online training provider concerned with availability of your e-learning platform, the objective is to reduce cyber risk, not just pass audits.
How Does This CSF Course Help with ISO 27001?
I’ve personally found CSF very helpful for ISO27001 and SOC2 programs, and I see more and more SOC2 reports with NIST CSF-influenced control numbers.
The CSF includes “Informative References” that link CSF outcomes to ISO27001 controls.
The “new” 2022 release of ISO 27001 (undergoing a 3-year transition period) has even started to include elements from the CSF, acknowledging its better approach to organizing cybersecurity outcomes that Dr Auger noted in the GRC Masterclass.
What’s a “CR-MAP”?
A Cyber Risk Management Action Plan (CR-MAP) is a tool that helps translate NIST’s CSF outcomes into actionable steps. It’s the focus of the AKYLADE Certified Cyber Resilience Practioner (A/CCRP) certification that follows A/CCRF.
First you learn enough about CSF to be part of the cybersecurity team in A/CCRF. Then you can stand on that foundation and learn how to lead the team in A/CCRP.
Education is Only Part of a Career Development Plan
Education is just 10% of a 70-20-10 career development plan. Relationships and experiences are more critical, according to industry research. While education unlocks opportunities, it's your network and hands-on experience that will propel your career forward.
More Frequently Asked Questions
Bottom Line
The NIST CSF deserve’s the chef’s kiss Dr. Auger gives it here!
It offers a structured approach to understanding and managing cybersecurity risks, making it invaluable whether you're new to the field or looking to deepen your expertise. By aligning your programs with the CSF, you'll not only meet compliance requirements but also achieve meaningful risk reduction. And remember, while education is essential, it's your relationships and experiences that will truly define your career in GRC.