There are so many fast routes to establishing security management and controls that the risks of going by the book can be overlooked. It is easy to adopt frameworks, standards like ISO 27001 or other regulatory requirements and never get into the habit of continuous improvement. For this reason, this article explores the process for selecting security controls, the industry best practices and some experiences along the way.
To lay out a plan for building a strong set of security controls, we have written a whitepaper on this topic that explains the control-selection process in detail, based on the internationally used NIST Risk Management Framework and Special Publication 800-53. The paper covers all the steps needed to arrive at a list of selected controls, with examples, industry experience and common misconceptions, so that you can fit this process into your risk or information security processes, and it closes with a full example of what the result of the process looks like. You can find the whitepaper following this link:
The process for selecting security controls is widely known but often overlooked, or scheduled for after the first results are in. Improvement can happen even before compliance, so the selection process should start at the very beginning of setting up an ISMS. Selecting security controls involves three steps: selecting a minimum baseline, identifying common controls, and selecting hybrid and system-specific controls. Each step should be taken carefully for the security program to be as effective as possible. Following the process described in the NIST Risk Management Framework, the result is recorded in a security plan, though any other document would also suffice. An example of such a document can be found at the end of the whitepaper.
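As an added illustration of the three steps above (this is example code written for this page, not the article's or the whitepaper's own material), the following Python models the selection process as data: the system's impact level is derived with the high-water-mark rule, the baseline is the set of controls whose lowest baseline is at or below that level, and each selected control is then allocated as common (fully inherited from a provider), hybrid (shared with a provider) or system-specific. The control identifiers and titles follow SP 800-53 naming, but the baseline membership in `CATALOGUE` and the provider names are constructed sample data for the example, not a copy of the SP 800-53B baseline tables.

```python
"""Worked model of the three control-selection steps of the NIST RMF Select step.

Constructed example: the catalogue below uses SP 800-53-style identifiers, but
which baseline each control belongs to is illustrative sample data only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact levels in increasing order; the system level is the high-water mark
# across confidentiality, integrity and availability.
LEVELS = ["low", "moderate", "high"]


@dataclass(frozen=True)
class Control:
    cid: str            # SP 800-53-style identifier
    title: str
    min_baseline: str   # lowest baseline that includes the control (constructed)


# CONSTRUCTED sample catalogue - not the real 800-53B baseline allocation.
CATALOGUE: List[Control] = [
    Control("AC-2", "Account Management", "low"),
    Control("AU-2", "Event Logging", "low"),
    Control("IA-2", "Identification and Authentication (Organizational Users)", "low"),
    Control("PE-3", "Physical Access Control", "low"),
    Control("SC-7", "Boundary Protection", "low"),
    Control("CP-9", "System Backup", "low"),
    Control("AU-6", "Audit Record Review, Analysis, and Reporting", "moderate"),
    Control("SI-4", "System Monitoring", "moderate"),
    Control("SC-28", "Protection of Information at Rest", "moderate"),
    Control("AC-2(11)", "Usage Conditions", "high"),
]


def system_impact_level(confidentiality: str, integrity: str, availability: str) -> str:
    """High-water mark: the system inherits the highest of the three impact ratings."""
    for lvl in (confidentiality, integrity, availability):
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return max((confidentiality, integrity, availability), key=LEVELS.index)


def select_baseline(level: str) -> List[Control]:
    """Step 1: the minimum baseline is every control at or below the system's level."""
    return [c for c in CATALOGUE if LEVELS.index(c.min_baseline) <= LEVELS.index(level)]


def allocate(baseline: List[Control],
             common_providers: Dict[str, str],
             hybrid_providers: Dict[str, str]) -> Dict[str, List[Tuple[Control, str]]]:
    """Steps 2 and 3: mark common (inherited) and hybrid (shared) controls; the
    remainder of the baseline is system-specific and owned by the system owner."""
    overlap = set(common_providers) & set(hybrid_providers)
    if overlap:
        # A control cannot be both fully inherited and shared; flag the inconsistency.
        raise ValueError(f"controls listed as both common and hybrid: {sorted(overlap)}")
    plan: Dict[str, List[Tuple[Control, str]]] = {
        "common": [], "hybrid": [], "system-specific": []
    }
    for c in baseline:
        if c.cid in common_providers:
            plan["common"].append((c, common_providers[c.cid]))
        elif c.cid in hybrid_providers:
            plan["hybrid"].append((c, hybrid_providers[c.cid]))
        else:
            plan["system-specific"].append((c, "system owner"))
    return plan


def render_plan(system_name: str, level: str,
                plan: Dict[str, List[Tuple[Control, str]]]) -> str:
    """Produce the control-selection section of a security plan as plain text."""
    lines = [f"Security plan: {system_name}", f"Impact level: {level}", ""]
    for kind in ("common", "hybrid", "system-specific"):
        lines.append(f"{kind.capitalize()} controls ({len(plan[kind])}):")
        for c, responsible in plan[kind]:
            lines.append(f"  {c.cid:<9} {c.title} -- responsible: {responsible}")
        lines.append("")
    return "\n".join(lines)


def build_plan(system_name: str, cia: Tuple[str, str, str],
               common_providers: Dict[str, str], hybrid_providers: Dict[str, str]):
    """Run all three steps and return (level, plan, rendered text)."""
    level = system_impact_level(*cia)
    plan = allocate(select_baseline(level), common_providers, hybrid_providers)
    return level, plan, render_plan(system_name, level, plan)


if __name__ == "__main__":
    # Constructed sample system: confidentiality rated moderate, the rest low.
    _, _, text = build_plan(
        "Example HR portal", ("moderate", "low", "low"),
        common_providers={"PE-3": "data centre provider", "CP-9": "backup service"},
        hybrid_providers={"AU-2": "central logging team"},
    )
    print(text)
```

The point of keeping the baseline and the provider lists as plain data is that the selection becomes repeatable and reviewable: when a common-control provider changes, only `common_providers` changes and the plan is regenerated, and the overlap check catches a control that someone has recorded both as inherited and as shared, which in practice means nobody is actually implementing it.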