I’m all in favour of using a good template, founded on best practice, to drive cyber security programs. What is to be avoided is the ‘tick the box’ approach that we’ve seen both in cyber security and in data privacy. For example, I can’t think of a single case where an organisation had not passed PCI certification before their payment systems were breached…:
[…] What most people think of when they hear “template” is almost incongruous with the notion of risk – what caused the shift from compliance-based to risk-focused cybersecurity program management was the need for a more tailored approach to address the risks specific to the organization that may not have been considered by the governing body that created the compliance requirement.
However, there is good news: in the context of risk assessments, many gold-standard frameworks that organizations already have in place or are working to adopt include guidance to assess the risk to the organization as it relates to cyber and IT.