
cybersecurity assurance

Hello all,

I am the newly appointed lead cyber authority for a large energy company. I am interested in your thoughts on what an assurance framework or assurance model might look like in providing an independent view on cyber risk.


Thanks,


Mike Ramesar
  • Hi Michael,

    A good start is the C2M2 (Cybersecurity Capability Maturity Model) developed by Homeland Security for the energy sector in the US. It is a very simple checklist to gauge your company's maturity on the OT as well as the IT side. Even if you use something else, like ISO 27001 information security policies, the C2M2 can still serve as a simple checklist for KPIs/maturity.

    Cybersecurity Capability Maturity Model (C2M2) | Department of Energy

    I assume the IT side of the business will already be using ISO 27001 so maybe it is a matter of widening the scope to include OT if it was previously ignored/excluded?

    Regards,

    Omar A

  • Thanks for sharing this. I did download it and explored the questions, etc. I do think it is very useful as a starting point if you have nothing in place, and I would recommend it. It would be good to have an integrated tool for risk assessments that auto-connects to the C2M2 model.