Should You Buy A DSP or WISP?
ANSWER: In simple terms, the Written Information Security Program (WISP) is designed to address a specific framework (e.g., ISO 27002, NIST 800-53 or the NIST Cybersecurity Framework), whereas the Digital Security Program (DSP) is designed to address them all as a hybrid, "best-in-class" framework.
There are two factors that will assist you in determining which product is best suited to your business: (1) content and (2) functionality. However, while both cover common requirements, only your organization's needs (current AND future needs in terms of meeting specific statutory, regulatory and contractual requirements) will ultimately determine which is the best fit for you.
In terms of content, the scope of the DSP surpasses both versions of the WISP, due to its structure and additional materials.
- “Best-In-Class” Structure – The WISP versions are designed to stay true to NIST CSF, ISO 27002 or NIST 800-53, so their scopes are constrained by those specific frameworks.
We designed the DSP to avoid similar constraints by creating a hybrid framework that takes of best components of leading frameworks, while avoiding their weaknesses.
- The DSP currently covers over 100 laws, regulations and industry frameworks to allow alignment with multiple requirements with one document!
- The DSP is directly mapped to the Secure Controls Framework (SCF), which is a free resource for companies that need cybersecurity and privacy controls.
Controls & Metrics - While both the WISP and DSP contain policies, control objectives, standards and guidelines, the DSP in unique in that it contains controls and metrics (including KPIs and KRIs).
- This added content can save a company several months’ work from developing their own control wording and associated metrics!
This allows organizations to rapidly advance their cybersecurity program’s maturity by being able to PROVE that security is in place through metrics reporting!
Graphically, the difference in content can be seen in the comparison below (note – this just shows a fraction of what the DSP is mapped to, due to space limitations).
In terms of functionality, the WISP and DSP both come in Microsoft Word formats, so that it is easy to edit for your needs and gives our clients a wide range of methods to share the content. The difference is in added functionality that can save hundreds of hours in staff and consultant time!
- With the DSP, we did something different where we also put the DSP’s content into a Microsoft Excel format, so that it is importable into other tools or databases.
- Specifically, this Excel formatting makes it a breeze to import it into a Governance, Risk & Compliance (GRC) tool, such as Archer, RSAM, MetricStream, MyVCM, ZenGRC, ServiceNow, etc.
- If you are currently using a GRC tool or are planning one within the next few years, the DSP is the product you will want to buy, since it can save you hundreds of hours in formatting and preparation time.
One of the biggest differences in functionality is in the controls used by the WISP vs the DSP. The WISP does its best to stay true to the aligned framework (e.g., NIST CSF, ISO 27002 or NIST 800-53). However, the DSP leverages the Secure Controls Framework (SCF) to map to over 100 different laws, regulations and industry frameworks. Additionally, one can use the SCF's online tailoring tool to customize the control set to your specific needs. This makes customizing the DSP easy, since you just identified the applicable controls, based on that tool! (please note that you have to create a free account on the SCF website to access that tool).
US GOVERNMENT & DOD CONTRACTORS
On a daily basis, we receive questions from government / DoD contractors about both NISPOM and NIST 800-171 (DFARS). Both the NIST 800-53 version of the WISP and the DSP will allow an organization to comply with both NISPOM and NIST 800-171. Just as explained above, the DSP will just give you far more usefulness if you want to mature your security program beyond policies and standards.