Time for some CISO tool talk (and question). I've found two helpful #NIST #CSF #self-assessment tools over the last few years.

There's this one from John Masserini: https://johnmasserini.com/2022/02/18/new-version-of-the-nist-csf-tool/

And this one from Expel: https://expel.com/expel-self-scoring-tool-for-nist-csf/

They take slightly different approaches, with the Expel one being a bit simplified and better suited for a smaller growth-stage organization.

I've used CIS CSAT in the past but curious to learn if fellow CISOs and #infosec folks in the fediverse have opinions about NIST CSF specifically.

What self-assessment tools and approach would you use for a lean org? Do you have any free resources or affordable #GRC tools to assist?

@eiwe I am a HUGE fan of Blue Lava and have implemented it twice now at different organizations. There are many reasons why (UX, reporting, planning), but the most immediately compelling may be the idea of "assess once, use many times."

As far as framework, I prefer to run a full assessment with their encompassing maturity model, which readily maps, in platform, to NIST CSF and other frameworks.

I'm happy to chat directly or answer any questions. I have no financial stake in the company but simply appreciate their platform and CISO community efforts.

@digitalwoot I appreciate the insight. I’ve seen it pop up a few times but have never talked to anyone with personal experience. I think a platform may become relevant in H2. I wouldn’t mind picking your brain on it at some point before then though 😀 One of the things I like about CIS is the easy mapping to other frameworks directly in their CSAT platform.