How an ISO 27001 ISMS will improve your NERC CIP or PCI compliance

When it comes to management systems, SANS CSC 20, NERC-CIP and PCI DSS have not integrated the concept of a management system. This section of ISO/IEC 27001:2013 is so important that it is considered mandatory for successful adoption and registration/certification. 148 control points have been documented within clauses 4 – 10. The SANS CSC 20, NERC-CIP and PCI DSS standards are missing the following mandatory policies, procedures and standards defined within ISO/IEC 27001:2013 and the 148 control points therein.

Primary policies, procedures & standards
• Governance/Management Support
• Risk Management
• Quality Management/Continuous Improvement
• Information Security Policy
• Internal Audit
• Communications/Dissemination of Knowledge
• Competency/Awareness Training
• Document Control
• Records Management
• Legal Obligations/Compliance Management
• Asset Management
• Monitoring

Additional recommendations
• Identity & Access Management
• Information & Knowledge Management

The Information Security Management System program provides a single point of contact and leadership for enterprise security, based on strategic organizational goals and objectives. The Enterprise Security Management System (ESMS) brings together physical security and information security in support of the business architecture, guided by organizational governance and risk management. The following list is based on the ESMS program sub-processes.
• Governance
• Risk Management
• Vulnerability Management
• Compliance Management
• Communication Strategy
• Awareness Training
• Identity/Access Management
• Information and Knowledge Management
• Document and Records Management
• Monitoring and Reporting
• Internal Audit/External Audit

When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A5 – A8, PCI DSS has the most significant gaps in Security Organization and Human Resources, SANS CSC 20 is weak on Management, and NERC-CIP is weak on Organization of Information Security. On the positive side, each standard recognizes the need for asset management.
When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A9 – A12, NERC-CIP has the most significant gaps in Access Control and Cryptography, while SANS CSC 20 is weak on Cryptography. All three recognize the importance of Physical, Environmental and Operational Security.
When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A13 – A15, each standard (SANS CSC 20, PCI DSS and NERC-CIP) recognizes the need for Communications Security and for System Acquisition, Development and Maintenance Security.
However, when it comes to vendors and suppliers, SANS CSC 20 and NERC-CIP do not seem to recognize the importance of External Party Security.
When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A16 – A18, PCI DSS is the weakest, with gaps in incident management, business continuity and compliance. None of the three standards (SANS CSC 20, PCI DSS or NERC-CIP) seems to have recognized the importance of Compliance Management.

Enterprise Security additional considerations
• Access Control
• Active Shooter
• Asset Protection and Management
• Background Screening/Due Diligence
• Bomb Threats
• CCTV
• Compliance Management
• Corruption/Ethics
• Crime Prevention
• Cryptography
• Data/Information Security
• Data Privacy
• Disaster/Crisis Management
• Environmental
• Executive Protection/Personnel Security
• Facilities (General)
• Health and Safety
• Incident Management
• Investigations
• Mail Security
• Pandemics
• Physical Security (General)
• Quality Management
• Risk Management
• Risk/Vulnerability Assessment and Site Surveys
• Security Personnel/Duties
• Security Planning and Management
• Sexual Harassment/Discrimination
• Social Media
• Social Engineering
• Supply Chain
• Strikes/Demonstrations/Unrest
• Substance Abuse
• Telecommunications
• Travel
• Utilities
• Vehicles and Vehicle Operation
• Visitors
• Water
• Workplace Violence

ESMS Examples: Applicable Industries
• Agriculture
• Aviation
• Banking
• Chemical
• Cities
• Distribution Centers
• Educational Institutions
• Energy Industry
• Factories
• FDIC
• Government
• Healthcare
• Industrial Sites
• Insurance
• Mass Transit
• Manufacturing
• Media
• Oil and gas/Energy
• Seaports
• Stadiums and Arenas
• Telecommunications
• Technology
• Theme Parks
• Universities

Conclusion
SANS CSC 20, NERC-CIP and PCI DSS are all good standards, but they still do not meet the minimum security requirements defined by ISO 27001:2013.
Organizations should consider adopting one information security framework that addresses all of their security requirements. This sustainable approach would control costs while improving business resilience and agility.