Since 2005, I have been developing and refining this piece of intellectual capital, evolving it to adapt to the ever-changing security landscape. Over the years, I’ve applied it across numerous engagements, tailoring it to meet the unique requirements of various environments and tasks.
Is it complete? No, and it never can be. The threat landscape, the security controls we work with, and the needs of organisations are constantly shifting. As such, this framework is designed to evolve continually to remain relevant and effective.
It has been downloaded and shared many times, and I have met individuals from all over who have surprised me with stories of how the product has helped. This makes me happy and proud and inspires me to develop this into something even better. I am working with my son, who is building a dynamic version of the matrix complete with descriptions of each control to make it even more information-rich.
What’s New in Version 2.11?
This major update introduces a re-engineered structure built around layers, improving the document’s organisation and making it easier to maintain and expand. I’ve also reviewed and updated several controls to better align with current threats and operational realities. There is, of course, more to do, but this version is a significant step forward.
What Is It?
This is a generic control set designed to help security professionals select the controls they need for specific situations. It has proven invaluable for various purposes, including:
1. Gap Analysis: When auditing or reviewing architectures, I use this model as a comprehensive reference to ensure all critical areas are covered.
2. Requirements Definition and Control Selection: The model ensures that I don’t overlook any key inputs when defining security requirements. It helps me consider all relevant control groups to identify the most suitable controls for addressing specific threats within the constraints of the operating environment.
3. Capability Reviews and Definition: I use this model to develop Capability Views, which describe how people, processes, and controls work together to deliver a specific capability. These views are instrumental in assessing or designing operational effectiveness. For instance, many organisations invest in solutions like Certificate Management or SIEM without ensuring their operational processes are complete and effective or that the correct information reaches the appropriate stakeholders. Without this, the PDCA (Plan-Do-Check-Act) cycle cannot function effectively. This model helps close those gaps.
While these are the primary use cases, the control set can be adapted for other purposes. It has been a reliable and effective tool in my work, and I hope others will find it equally valuable.
How to Access and Contribute
This framework is my intellectual capital, but I’ve shared it freely so others can benefit from it. If you find it useful, feel free to use it, and if you have ideas for improvement, I’d love to hear from you.
• Contact: Reach me at esa@assuredcontrol.com or via LinkedIn.
• Downloadable Versions: Visit the useful tools page.
• Architecture Models: Explore the Archi page for related models.
Let’s collaborate to refine and enhance this tool for the benefit of the broader security community.
I don't capture, share, or sell anything to third parties.