Page 39 - CISSO_Prep_ Guide
Use of a Framework
Using a framework is an effective way to ensure that the
security program is complete and thorough. A framework
provides a skeleton that can be adapted for use in many
organizations, even in different regions of the world. Using a
structure that is internationally recognized may provide more
assurance to auditors or reviewers, since it adds confidence
that the security program is complete and did not miss
any critical issues. Some examples of common frameworks are
shown here:
ISO/IEC 27002:2013 Information Technology - Security
Techniques - Code of Practice for Information Security
Management
ISO/IEC 27002 outlines best practices and guidelines for
information security management. Like most other best
practices in the information security field, it is based on the
principles of risk management. It sets out the requirement to
assess and treat security risks through a risk assessment
methodology that balances business risk against the cost or
expenditure of the controls used to manage the risk of harm to the
business.
ISO/IEC 27002 groups its controls into 14 security control
categories, each with control objectives, and 114 security controls that
can be applied to meet those objectives. The fourteen
security control clauses are:
- Information security policies
- Organization of information security
- Human resources security
- Asset management