DOCU-04

Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)?

Explanation

This question is asking whether your organization follows a recognized security framework to structure and guide your security practices. Security frameworks are standardized sets of guidelines, best practices, and recommendations that help organizations establish and maintain effective security controls.

Why it's being asked:

1. Frameworks provide a common language for discussing security practices
2. They demonstrate a structured approach to security rather than ad-hoc measures
3. They help assessors understand the breadth and maturity of your security program
4. Compliance with recognized frameworks suggests your organization is following industry best practices
5. It helps the assessor understand what security standards you're measuring yourself against

The question specifically mentions examples like the NIST Cybersecurity Framework (focused on identifying, protecting, detecting, responding to, and recovering from cyber threats), CIS Controls (a prioritized set of actions to protect against common attacks), and ISO 27001 (an international standard for information security management systems).

To best answer this question:

- Be specific about which framework(s) you follow
- Mention if you're formally certified (e.g., ISO 27001 certification) or if you use the framework as guidance
- If you follow multiple frameworks, explain how they complement each other
- If you've customized a framework, briefly explain your approach
- If you don't follow any standard framework, explain your alternative approach to security

Example Responses

Example Response 1

Yes, our organization is ISO 27001:2013 certified as of January 2023, with annual surveillance audits and recertification every three years. We also align our security practices with the NIST Cybersecurity Framework (CSF) to ensure comprehensive coverage across the five core functions: Identify, Protect, Detect, Respond, and Recover. Our most recent ISO 27001 audit was completed in February 2024 with zero non-conformities identified.

Example Response 2

We follow the CIS Controls v8 framework as our primary security standard. While we are not formally certified, we conduct annual self-assessments against all 18 controls, with quarterly reviews of our Implementation Group 1 (IG1) safeguards. We also incorporate elements of the NIST SP 800-53 control catalog for areas specific to our cloud infrastructure. Our security team maps all of our controls to these frameworks and tracks implementation progress through our GRC platform, with current implementation at approximately 92% of applicable controls.

Example Response 3

We do not currently conform to a specific industry standard security framework in a formal capacity. Our security program has evolved organically based on our specific business needs and risk profile. We have implemented various security controls based on industry best practices and requirements from our clients, but we haven't mapped these to a specific framework like NIST CSF, CIS Controls, or ISO 27001. We recognize this as a gap in our security program and have initiated a project to adopt the NIST Cybersecurity Framework over the next 12 months, with completion targeted for Q2 of next year.

Context

Tab: Organization
Category: Documentation

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: three at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub