Milliman Security Management System
Compliance FAQs

Why does MS2 map controls to standards such as NIST and ISO?

In the last few years, activity in developing and instituting authoritative IT Control Standards has increased. Unfortunately, there is not one authoritative standard in place today, and there will probably not be one in the foreseeable future. Nevertheless, many professional and governmental organizations publish their own standards.

These published standards and frameworks are important because they are used by auditors, IT security professionals, and consultants to determine the adequacy of controls or safeguards over information systems and data. They can also provide an important tool for managing a security program.
These standards share a common set of information security recommendations, such as:

  • Controls or security safeguards should be based upon the risks, threats, and vulnerabilities of the organization.
  • Non-technical and technical security safeguards should be regularly reviewed.
  • IT Security policies, procedures, and practices should be approved by management, documented, and monitored.
  • IT security is a process, not a project. It must be updated as business and technology circumstances change.

There are several widely used standards or frameworks including:

  • NIST SP 800-14 (Generally Accepted Principles and Practices for Technology System)
    • See FAQ below for more detail about this standard.
  • ISO 17799 (International Standard Organization) Information Security Standard
    • See FAQ below for more detail about this standard.
  • COBIT Framework promoted by ISACA
    • See FAQ below for more detail about this framework.

While some of the published standards can be quite comprehensive, they have tended to be general, without specifying the detailed controls or safeguards required. In other words, they are intended to be used only as guidelines.

MS2 maps IT security safeguards to the most common standards (e.g., NIST, ISO, COBIT, etc.) to document and evaluate an organization’s controls within the context of each of these standards.

Compliance FAQs

  • How does MS2 help implement and maintain an effective security compliance program?
  • How does MS2 help ensure that the proper security safeguards are in place?
  • How does MS2 help your organization comply with Sarbanes-Oxley?
  • How does MS2 help with Gramm-Leach-Bliley Act (GLBA) compliance?
  • Are all the elements of the GLBA Safeguard Rule included in MS2?
  • What kind of security risk assessment methodology does MS2 use, and does it conform to NIST (National Institute of Standards) protocols?
  • Why does MS2 map controls to standards such as NIST and ISO?
  • What is the ISO 17799 standard, and why is it so important?
  • Does MS2 calculate a Return on Investment (ROI) for the security gaps identified during the risk and gap assessment?
  • How does MS2 help achieve HIPAA compliance?
  • Which features in MS2 help organizations achieve HIPAA Security compliance?
  • What is the definition of common control?
  • If my vendor says that the system we are using is HIPAA Security compliant, does that mean we are also HIPAA Security compliant?