Cybersecurity Frameworks & Standards

This section provides detailed guidance on implementing internationally recognized cybersecurity frameworks, adapted for South African regulatory requirements and business contexts, and includes templates and tools for implementation.

NIST Cybersecurity Framework 2.0

Updated: February 2024 | Applicability: All sectors and organization sizes

New in CSF 2.0: Enhanced governance function, expanded beyond critical infrastructure, improved implementation guidance, and stronger integration with other NIST guidance.

Six Core Functions

GOVERN (GV)

Establish and monitor cybersecurity risk management strategy, expectations, and policy.

  • Organizational Context (GV.OC)
  • Risk Management Strategy (GV.RM)
  • Roles & Responsibilities (GV.RR)
  • Policy (GV.PO)
  • Oversight (GV.OV)
  • Supply Chain Risk Management (GV.SC)

IDENTIFY (ID)

Understand organizational cybersecurity risk to systems, people, assets, data, and capabilities.

  • Asset Management (ID.AM)
  • Risk Assessment (ID.RA)
  • Improvement (ID.IM)

PROTECT (PR)

Implement appropriate safeguards to ensure delivery of critical services.

  • Identity Management & Access Control (PR.AA)
  • Awareness & Training (PR.AT)
  • Data Security (PR.DS)
  • Information Protection (PR.IP)
  • Maintenance (PR.MA)
  • Protective Technology (PR.PT)

DETECT (DE)

Implement appropriate activities to identify the occurrence of cybersecurity events.

  • Continuous Monitoring (DE.CM)
  • Adverse Event Analysis (DE.AE)

RESPOND (RS)

Implement appropriate activities to respond to detected cybersecurity incidents.

  • Response Planning (RS.PL)
  • Response Communications (RS.CO)
  • Response Analysis (RS.AN)
  • Response Mitigation (RS.MI)

RECOVER (RC)

Implement appropriate activities to maintain resilience plans and restore capabilities.

  • Recovery Planning (RC.PL)
  • Recovery Implementation (RC.IM)
  • Recovery Communications (RC.CO)

Implementation Tiers

| Tier | Description | Risk Management | Threat Intelligence | External Participation |
|---|---|---|---|---|
| Tier 1: Partial | Ad hoc, reactive approach | Limited awareness | Minimal threat intelligence | Limited external cooperation |
| Tier 2: Risk Informed | Risk-informed decisions | Risk-based approach | Uses threat intelligence | Some external cooperation |
| Tier 3: Repeatable | Formal policies & procedures | Organization-wide risk approach | Regular threat intelligence updates | Active external participation |
| Tier 4: Adaptive | Adaptive & predictive | Enterprise-wide risk management | Advanced threat intelligence | Extensive external collaboration |

NIST CSF Official Site

Download NIST CSF Template

ISO/IEC 27001:2022 Information Security Management

Latest Version: October 2022 | Certification Body: SABS, SGS, Bureau Veritas (SA)

Management System Requirements (Clauses 4-10)

Context of Organization (4)

Understanding organizational context, interested parties, and ISMS scope determination.

Leadership (5)

Management commitment, information security policy, and organizational roles/responsibilities.

Planning (6)

Risk assessment, risk treatment, Statement of Applicability, and information security objectives.

Support (7)

Resources, competence, awareness, communication, and documented information management.

Operation (8)

Operational planning and control, and implementation of information security risk assessment and risk treatment.

Performance Evaluation (9)

Monitoring, measurement, analysis, evaluation, internal audit, and management review.

Improvement (10)

Nonconformity management, corrective action, and continual improvement processes.

Annex A: Reference Controls (93 Controls across 4 themes)

| Theme | Controls | Key Areas | SA Compliance Notes |
|---|---|---|---|
| Organizational (37) | A.5.1 – A.5.37 | Policies, risk management, supplier relationships, incident management | Must align with POPIA requirements |
| People (8) | A.6.1 – A.6.8 | Terms of employment, disciplinary actions, remote working | Consider Labour Relations Act compliance |
| Physical (14) | A.7.1 – A.7.14 | Secure areas, equipment protection, clear desk | Enhanced requirements for financial sector |
| Technological (34) | A.8.1 – A.8.34 | Access management, cryptography, system security, vulnerability management | Must support ECT Act digital signature requirements |

SA-Specific Implementation: Ensure controls support compliance with POPIA, the Cybercrimes Act, and sector-specific regulations.

ISO 27001 Official Site

Download ISO 27001 Checklist

COBIT 2019: Enterprise Governance of IT

Focus: IT governance and management framework for enterprise IT

Governance System Components

Governance Framework

  • 40 governance and management objectives
  • Comprehensive guidance on governance practices
  • Performance management approach

Design Factors

  • Enterprise strategy and goals
  • Risk profile and threat landscape
  • Role of IT and enterprise architecture
  • Compliance requirements (POPIA, etc.)

Key Focus Areas for Cybersecurity

| Process | Objective | Cybersecurity Relevance | SA Implementation Priority |
|---|---|---|---|
| APO12 | Managed Risk | Enterprise risk management including cyber risks | High – POPIA compliance |
| APO13 | Managed Security | Information security management | Critical – Core cybersecurity |
| DSS05 | Managed Security Services | Security operations and incident management | High – Cybercrimes Act compliance |
| MEA02 | Managed System of Internal Control | Internal controls for IT systems | Medium – Audit requirements |

COBIT Official Site

SANS Critical Security Controls (CIS Controls)

Version: CIS Controls v8 | Focus: Prioritized cybersecurity actions

Implementation Groups

IG1 – Basic Cyber Hygiene

Target: Small organizations with limited cybersecurity expertise

Safeguards: 56 essential safeguards

SA Context: Suitable for SMEs, startups

IG2 – Risk Management

Target: Organizations with some cybersecurity resources

Safeguards: Additional 74 safeguards (130 total)

SA Context: Medium enterprises, growing companies

IG3 – Advanced Cybersecurity

Target: Organizations with significant cybersecurity resources

Safeguards: All 153 safeguards

SA Context: Large corporations, financial institutions

18 CIS Controls

| Control | Title | Priority | SA Implementation Notes |
|---|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Basic | Critical for POPIA compliance – know what data you process |
| 2 | Inventory and Control of Software Assets | Basic | Essential for vulnerability management |
| 3 | Data Protection | Basic | Direct POPIA compliance requirement |
| 4 | Secure Configuration of Enterprise Assets | Basic | Reduces attack surface, supports compliance |
| 5 | Account Management | Basic | Critical for access control and audit trails |
| 6 | Access Control Management | Basic | Supports POPIA processing limitations |
| 7 | Continuous Vulnerability Management | Foundational | Proactive threat mitigation |
| 8 | Audit Log Management | Foundational | Essential for incident investigation and compliance |

CIS Controls Official Site

Cloud Security Frameworks

Cloud Security Alliance (CSA) Controls

Cloud Controls Matrix v4

Comprehensive cloud security controls mapped to multiple standards including ISO 27001, NIST, and PCI DSS.

Security Guidance v4

Best practices for cloud computing security across all deployment models.

CAIQ (Consensus Assessment)

Questionnaire for cloud security assessment and vendor evaluation.

AWS Well-Architected Security Pillar

  • Identity and Access Management
  • Detective Controls
  • Infrastructure Protection
  • Data Protection in Transit and at Rest
  • Incident Response

Microsoft Azure Security Framework

  • Azure Security Benchmark
  • Cloud Adoption Framework Security
  • Zero Trust Architecture
  • Security Operations Center (SOC) guidance

SA Cloud Considerations: Ensure cloud deployments comply with POPIA cross-border transfer requirements and maintain data sovereignty where required by regulation.

CSA Official Site
