Choosing Controls

By brightfly

To date, most organizations have chosen a best-practice framework such as COBIT or ISO and then cherry-picked specific controls to align with their audit and operational requirements. Unfortunately, there is considerable variation between organizations in which controls get chosen and how often they are tested, and in general they have been struggling to figure out which controls are the right ones for them. This comes back to the basic concept of "due care," loosely defined as what a reasonable person in similar circumstances would do. I fought with this while I was running InfoSec in the past, and we tried to fix the problem with the solution we developed and later sold off. I think we missed something, though.

This brings us to The Consensus Controls Project, a free service for security and audit professionals whereby they can crowdsource compliance for themselves. You will be able to upload and share controls with peers, search for companies with similar risk profiles, and once and for all define due care by having access to what is both similar and reasonable based upon industry, auditor of record, geography, or other company demographics.

The days of "off the rack" compliance are going away. Now is the time for "bespoke" control environments, custom-tailored to company need. There is no longer any need to rely on "academic" frameworks; instead, you can rely on the wisdom of your peers. Peer-reviewed due care.
