NIST SP800-53 draft v5

A public draft of NIST SP800-53 revision 5 is worth checking out.

Major changes in this draft:

• "Making the security and privacy controls more outcome-based by changing the structure of the controls;
• Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
• Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
• Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
• Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability."

Comments are invited by September 12^th to NIST.

NIST’s evolving Cybersecurity Framework is also worth a look. Although it's a little too cyber-centric for my liking, it has application well beyond the critical US national infrastructure for which it is intended (e.g. organizations have their own 'critical infrastructures'). I suspect the Framework Core Structure (particularly the 5 functions corresponding to the timeline of an incident) may be one of several ways to 'tag' controls in the next release of ISO/IEC 27002: