ST-CSF.001 Converged Security Framework

GENERAL USE

DOCUMENT MANAGEMENT

Issuing department: Enterprise Risk Management & Information Security
Target audience: Chief Information Security Officers (CISOs), Enterprise Risk Management Teams, IT Security Teams, Physical Security Operations, Compliance Officers, Operational Technology Teams, Business Continuity Managers, Board-Level Risk Committee Members
Standard Owner: Dr Vladimir Bunic – Converged Security Institute
Standard Author(s): Dr Vladimir Bunic – Converged Security Institute
Approver: CSI Security Advisory Board
Date of approval: September 2025
Repository: All Enterprise Security Standards and Guidelines can be found in the Corporate Risk Management Portal

Document history:

Version          Date of issue   Change          Modified by
ST-CSF.001-0     08/2025         New Document    Dr Vladimir Bunic

STANDARD KEY INFORMATION

1. PURPOSE OF THIS STANDARD

This standard provides best practices for implementing unified risk management through converged security frameworks. It defines the requirements for integrating cybersecurity, physical security, and operational technology security into a cohesive organisational approach that addresses hybrid, systemic, and cascading risks.

Through application of this standard, organisations will establish consistent security governance controls aligned with ISO 31000:2018, ISO 27001:2022, and ISO 22301:2019. The relationship between the GDPR and ISO 27001:2022 must be addressed explicitly: the GDPR requires data protection by design and by default (Article 25) and risk-based assessment of processing activities, and ISO 27001:2022 supplies the systematic risk assessment and control framework through which those obligations can be implemented and evidenced.

The practices defined in this standard document are the minimum requirements for the specified scope. If an organisation is subject to additional regulatory standards (e.g., NIS2 Directive, DORA, PCI DSS, sector-specific regulations), then the most restrictive requirements apply. Critical infrastructure operators must implement additional controls as specified by their sectoral regulations.

2. EXPECTED BENEFITS

Through application of this standard, organisations will achieve:

3. SCOPE

This standard applies to all organisational entities, subsidiaries, and business units under direct managerial control. For joint ventures or partnerships where the organisation does not have majority control, this standard applies when accessing, processing, or managing organisational systems, data, or facilities.

In scope:

4. IMPLEMENTATION TIMELINE OF THE STANDARD

This standard is valid as of its date of issue and adherence is mandatory. Full implementation must be completed within 12 months. Existing systems must be assessed for compliance within 6 months.

5. CONFIDENTIALITY

This document is for General Use within the organisation.

6. TERMINOLOGY

For clarification of terms used in this standard, refer to the associated document "Converged Security Framework Terminology" (AD-CSF.001). Key definitions include:

REQUIREMENTS

1. Governance and Leadership

  1. Organisations must establish board-level oversight for converged security implementation with designated accountability for unified risk management across all security domains.
  2. A Chief Converged Security Officer (CCSO) or equivalent executive role must be appointed with authority over cybersecurity, physical security, and operational technology security functions.
  3. Cross-functional governance committees must be established including representatives from IT security, physical security, OT security, risk management, compliance, and business operations.
  4. Convergence champions must be designated within each business unit to coordinate implementation and ensure alignment with organisational security objectives.
  5. Unified key performance indicators (KPIs) must be established and monitored across all security domains, with regular reporting to executive leadership and board committees.

2. Risk Management and Assessment

  1. Organisations must implement a unified risk register covering cybersecurity, physical security, and operational technology risks, with clear identification of interdependencies and cascade effects.
  2. Risk assessments must be conducted at least annually using methodologies aligned with ISO 31000:2018, specifically addressing hybrid, systemic, and cascading risks.
  3. Threat landscape analysis must be performed quarterly, incorporating intelligence from cybersecurity, physical security, and operational technology domains.
  4. Business impact analyses must consider scenarios affecting multiple security domains simultaneously, with particular attention to IT/OT convergence risks.
  5. Risk treatment plans must be developed with coordinated controls across all affected security domains, following the principle of defence in depth.
  6. Organisations must implement specific procedures for identifying and responding to hybrid threats that exploit both physical and cyber vulnerabilities simultaneously.
  7. Organisations must develop and maintain cascade effect maps documenting dependencies between security domains, with critical interdependencies tested at least annually.
  8. Risk modelling must include scenario-based analysis of cascading failures across multiple security domains with documented containment strategies for each scenario.
  9. IT/OT convergence risk assessments must be conducted to identify vulnerabilities created by the integration of information technology and operational technology systems.
  10. Predictive analytics and threat intelligence platforms must be implemented to enable proactive identification and mitigation of emerging threats across all security domains.

3. Standards Integration and Compliance

  1. Organisations must implement an integrated management system aligned with ISO 31000:2018 (Risk Management), ISO 27001:2022 (Information Security Management), and ISO 22301:2019 (Business Continuity Management).
  2. Compliance frameworks must be mapped to organisational needs, with particular attention to sector-specific requirements (NIS2 Directive, DORA, PCI DSS, GDPR) and their convergence implications.
  3. Internal audit programmes must be established to verify compliance with converged security requirements, with external certification pursued where required by regulation or business necessity.

4. Technology Integration and Architecture

  1. Organisations must deploy unified Security Information and Event Management (SIEM) and Physical Security Information Management (PSIM) platforms with integrated monitoring capabilities across all security domains.
  2. Zero-trust architecture principles must be applied across IT and OT environments, with continuous verification of all users, devices, and network connections. Where OT devices cannot support per-session authentication, verification must be enforced at the controlled interfaces and network segmentation boundaries specified in AD-CSF.005.
  3. Artificial intelligence and machine learning capabilities must be deployed for predictive threat analysis and automated response coordination across security domains, subject to the model validation requirements in AD-CSF.005.

5. Identity and Access Management Integration

  1. Organisations must implement unified identity and access management (IAM) systems covering physical access control, IT system access, and OT system access through a single identity provider. That provider then becomes a dependency shared by all three domains: it must be recorded in the cascade effect maps required under Requirement 2.7, and a documented fallback for physical and OT access must exist for any period in which it is unavailable.
  2. Multi-factor authentication (MFA) must be enforced for all privileged access across physical, IT, and OT environments, with biometric authentication implemented where technically feasible.
  3. Role-based access control (RBAC) must be implemented with segregation of duties enforced across all security domains, so that no single identity accumulates conflicting entitlements (for example, the ability both to change an OT configuration and to approve that change) and unauthorised access is prevented.
  4. Identity lifecycle management must be integrated with human resources systems, ensuring immediate access revocation upon employment termination or role changes.
  5. Privileged access management systems must integrate across all security domains, with unified credential vaulting and session recording capabilities.
  6. Access control systems must support dynamic risk-based authentication that considers threat intelligence from all security domains.

6. Incident Response and Business Continuity

  1. Unified incident response protocols must be established covering cyber incidents, physical security breaches, and operational technology disruptions with coordinated response teams.
  2. Incident escalation procedures must be defined with automatic notification mechanisms and decision-making authorities clearly established for cross-domain security events.
  3. Business continuity plans must address scenarios affecting multiple security domains simultaneously, with recovery time objectives (RTO) and recovery point objectives (RPO) defined for each critical business process.

7. Training and Awareness

  1. Cross-functional security training programmes must be implemented for all personnel, covering cybersecurity, physical security, and operational technology security awareness.
  2. Specialised training must be provided to security personnel on converged threat scenarios, hybrid attack vectors, and integrated response procedures.
  3. Regular tabletop exercises and simulation drills must be conducted, testing response to multi-domain security incidents, with lessons learned documented and incorporated into procedures.
  4. Competency requirements must be defined for all security-related roles, with certification and continuous education requirements specified and monitored.
  5. Security awareness programmes must include specific training modules on recognising and reporting hybrid threats that span multiple security domains.

8. Organisational Structure and Governance

  1. Organisations must establish a converged security governance structure that integrates cybersecurity, physical security, and operational technology security under unified management authority.
  2. The Chief Converged Security Officer (or the equivalent executive role appointed under Requirement 1.2) must have cross-domain authority and accountability for all security functions, with direct reporting lines to executive management and board oversight.
  3. Security governance committees must meet monthly with mandatory participation from IT security, physical security, OT security, risk management, legal, and business operations representatives.
  4. All security policies must be aligned across domains, with no conflicting requirements between cybersecurity, physical security, and operational technology security policies.
  5. Organisations must implement standardised security communication protocols across all security domains, with centralised incident reporting and response coordination.
  6. Security budget allocation must be managed centrally to prevent resource conflicts between security domains and ensure optimal allocation for converged security initiatives.
  7. Security governance frameworks must include specific provisions for managing security convergence initiatives, with dedicated project management and change control processes.

9. Vendor and Third-Party Management

  1. All vendors providing security services must demonstrate the capability to support converged security requirements across multiple domains.
  2. Third-party risk assessments must evaluate vendor security practices for cybersecurity, physical security, and operational technology security simultaneously.
  3. Vendor contracts must include specific requirements for converged security support, incident response coordination, and compliance with this standard.
  4. Supply chain risk assessments must be conducted annually for all critical security vendors, incorporating both cyber and physical security considerations.
  5. Vendor agreements must include specific right-to-audit provisions enabling verification of security controls across all relevant security domains.

10. Data Protection and Privacy Requirements

  1. Data classification systems must be unified across all security domains, with consistent protection requirements applied regardless of the domain processing the data.
  2. Privacy impact assessments must consider data flows across physical, cyber, and operational technology systems with particular attention to cross-domain privacy risks.
  3. Data retention policies must be consistent across all security domains, with secure deletion procedures that account for data copies across multiple security systems.
  4. Encryption standards must be applied uniformly across all security domains, with centralised key management systems supporting cross-domain security operations.
  5. Data loss prevention systems must operate across all security domains, with unified monitoring and policy enforcement for data in transit, at rest, and in use.
  6. Cross-domain data governance frameworks must ensure consistent data handling requirements regardless of the security domain processing the information.

11. Compliance Reporting and Documentation

  1. Comprehensive documentation must be maintained for all converged security implementations, including system architectures, process flows, and control mappings.
  2. Regular compliance reports must be generated demonstrating adherence to this standard, with quarterly submissions to the Enterprise Risk Management Committee.
  3. Audit trails must be maintained for all security-related activities across domains, with centralised logging and monitoring capabilities providing comprehensive visibility into converged security operations.
  4. Organisations must establish and monitor quantifiable resilience metrics that measure the effectiveness of the converged security program, with quarterly reporting to executive management.
  5. Resilience assessments must include recovery time testing for scenarios involving simultaneous compromise of multiple security domains.
  6. Resilience benchmarking must be conducted annually against industry standards and frameworks specific to the organisation's sector.
  7. Gap analysis reports comparing converged security capabilities against threat intelligence must be produced semi-annually, with remediation actions tracked to completion.
  8. Continuous monitoring systems must be implemented to track security convergence effectiveness and identify opportunities for improvement.
  9. Adaptive security frameworks must be established to enable rapid adjustment of security controls based on changing threat landscapes and business requirements.
  10. Business value assessments must be conducted annually to demonstrate the competitive advantages gained through converged security implementation.
  11. Sector-specific compliance reporting must be conducted according to relevant industry regulations, including the NIS2 Directive for essential and important entities and DORA for financial entities.
  12. KPI dashboards must provide real-time visibility into converged security performance, with automated alerting for performance degradation across any security domain.

12. Exception Management and Deviations

  1. Any deviations from this standard must be formally documented with business justification and approved by the Chief Converged Security Officer.
  2. Temporary exceptions must include specific timelines for remediation and must not exceed 12 months unless approved by the Enterprise Risk Management Committee.
  3. All exceptions must be reviewed quarterly with progress reports on remediation activities submitted to executive management.

ANNEXE A - ASSOCIATED DOCUMENTS

Organisations must refer to the following associated documents for detailed implementation guidance:

AD-CSF.001 - Converged Security Framework Terminology

PURPOSE: This document provides mandatory definitions and terminology for implementing ST-CSF.001 Converged Security Framework.

MANDATORY DEFINITIONS:

Converged Security Framework:
A unified approach integrating cybersecurity, physical security, and operational technology security into a cohesive risk management strategy that addresses hybrid, systemic, and cascading risks across all organisational domains.
Hybrid Risks:
Threats that exploit vulnerabilities across both physical and digital domains simultaneously, requiring coordinated response across multiple security disciplines.
Systemic Risks:
Interconnected system failures that can cascade across multiple operational areas, potentially causing organisation-wide disruption through network effects and dependencies.
Cascading Risks:
Sequential failures triggered by initial incidents that propagate through organisational dependencies, creating amplified impact beyond the original threat scope.
Chief Converged Security Officer (CCSO):
Executive role with authority over cybersecurity, physical security, and operational technology security functions, accountable for unified risk management across all security domains.
Cross-Domain Integration:
The technical and procedural unification of security controls, processes, and governance across cybersecurity, physical security, and operational technology domains.
IT/OT Convergence:
The integration of information technology and operational technology systems, creating new risk vectors that require specialised security controls and governance approaches.
Zero Trust Architecture:
Security model requiring continuous verification of all users, devices, and network connections regardless of location or previous authentication status.

AD-CSF.002 – Converged Security Implementation Guide

PURPOSE: This document provides mandatory implementation procedures for ST-CSF.001 Converged Security Framework.

IMPLEMENTATION PHASES:

Phase 1: Assessment and Planning (Months 1-3)

  • Conduct a baseline security maturity assessment across all domains
  • Identify current security silos and integration gaps
  • Develop a converged security roadmap with milestones
  • Establish a governance structure and appoint CCSO
  • Define cross-domain KPIs and success metrics

Phase 2: Technology Integration (Months 4-8)

  • Deploy unified SIEM/PSIM platforms
  • Implement zero-trust architecture foundations
  • Integrate identity and access management systems
  • Establish API security frameworks
  • Deploy AI/ML threat detection capabilities

Phase 3: Process Integration (Months 6-10)

  • Unify incident response procedures
  • Implement cross-domain risk assessment methodologies
  • Establish unified vendor management processes
  • Deploy integrated training programmes
  • Implement change management initiatives

Phase 4: Operational Excellence (Months 9-12)

  • Conduct cross-domain security exercises
  • Implement continuous monitoring systems
  • Establish resilience metrics and benchmarking
  • Deploy adaptive security frameworks
  • Complete compliance validation and certification

AD-CSF.003 - Cross-Domain Risk Assessment Methodology

PURPOSE: This document defines mandatory risk assessment procedures for identifying and evaluating hybrid, systemic, and cascading risks.

RISK ASSESSMENT FRAMEWORK:

  1. Hybrid Risk Assessment
    • Identify vulnerabilities spanning physical and cyber domains
    • Assess attack vectors exploiting cross-domain weaknesses
    • Evaluate impact scenarios for simultaneous domain compromise
    • Develop coordinated mitigation strategies
  2. Systemic Risk Assessment
    • Map interdependencies between security domains
    • Identify single points of failure affecting multiple domains
    • Assess network effects and amplification factors
    • Model organisation-wide impact scenarios
  3. Cascading Risk Assessment
    • Document dependency chains across security domains
    • Identify cascade triggers and propagation pathways
    • Assess containment capabilities and circuit breakers
    • Develop cascade prevention and mitigation strategies
  4. IT/OT Convergence Risk Assessment
    • Evaluate integration vulnerabilities in converged environments
    • Assess industrial control system security implications
    • Identify business continuity risks from IT/OT failures
    • Develop specialised protection strategies
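As an added worked example (not part of AD-CSF.003 or any associated document, and using a constructed dependency map rather than any real organisation's), the following Python models a cascade effect map as a directed graph in which an edge u -> v means v fails when u fails. It answers the three questions the Systemic and Cascading assessments above pose: how far a trigger propagates, which single nodes affect more than one security domain, and which single dependencies would act as circuit breakers between a trigger and a protected asset. Node names, domains and edges are hypothetical.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Tuple

Graph = Dict[str, List[str]]          # node -> nodes that fail when it fails
Edge = Tuple[str, str]

# Constructed example map (hypothetical nodes; not taken from any real site).
DOMAIN = {
    "corp-idp": "cyber", "vpn-gw": "cyber",
    "badge-acs": "physical", "control-room-door": "physical", "site-power": "physical",
    "ot-jump-host": "ot", "plc-line1": "ot",
}
DEPENDS_ON: Graph = {
    "corp-idp": ["badge-acs", "vpn-gw", "ot-jump-host"],   # single IdP for all three domains
    "vpn-gw": ["ot-jump-host"],
    "ot-jump-host": ["plc-line1"],
    "badge-acs": ["control-room-door"],
    "site-power": ["badge-acs", "plc-line1"],
    "control-room-door": [],
    "plc-line1": [],
}


def cascade(graph: Graph, trigger: str, removed: FrozenSet[Edge] = frozenset()) -> Dict[str, int]:
    """Breadth-first propagation from a failed node.
    Returns {affected node: hops from the trigger}; the trigger itself is excluded.
    Edges listed in `removed` are treated as already cut (used to test containment)."""
    depth = {trigger: 0}
    queue = deque([trigger])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, []):
            if (u, v) in removed or v in depth:
                continue
            depth[v] = depth[u] + 1
            queue.append(v)
    del depth[trigger]
    return depth


def affected_domains(graph: Graph, domains: Dict[str, str], node: str) -> set:
    """Security domains touched if `node` fails (its own domain plus everything downstream)."""
    return {domains[n] for n in set(cascade(graph, node)) | {node}}


def single_points_of_failure(graph: Graph, domains: Dict[str, str], min_domains: int = 2) -> List[str]:
    """Nodes whose failure reaches at least `min_domains` distinct security domains."""
    return sorted(n for n in graph if len(affected_domains(graph, domains, n)) >= min_domains)


def circuit_breakers(graph: Graph, trigger: str, protect: str) -> List[Edge]:
    """Single dependencies whose removal alone stops `trigger` from reaching `protect`.
    An empty list with `protect` reachable means no single cut suffices: containment
    needs a combination of breakers or a redesign of the dependency chain."""
    if protect not in cascade(graph, trigger):
        return []
    edges = [(u, v) for u, vs in graph.items() for v in vs]
    return [e for e in edges if protect not in cascade(graph, trigger, frozenset({e}))]


if __name__ == "__main__":
    for node, hops in sorted(cascade(DEPENDS_ON, "corp-idp").items(), key=lambda kv: kv[1]):
        print(f"corp-idp failure reaches {node} ({DOMAIN[node]}) after {hops} hop(s)")
    print("multi-domain single points of failure:", single_points_of_failure(DEPENDS_ON, DOMAIN))
    print("breakers corp-idp -> plc-line1:", circuit_breakers(DEPENDS_ON, "corp-idp", "plc-line1"))
```

On this map the identity provider and site power both reach all or most domains, and the only single edge that isolates the PLC from an identity-provider failure is the jump host's own link to it: cutting either of the two upstream paths from the IdP alone leaves the other open, which is exactly the kind of finding a cascade map is meant to surface.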

AD-CSF.004 - Unified Incident Response Procedures

PURPOSE: This document defines mandatory incident response procedures for cross-domain security incidents.

INCIDENT CLASSIFICATION:

Class 1: Hybrid Incidents

  • Simultaneous physical and cyber security breaches
  • Coordinated attacks exploiting multiple domain vulnerabilities
  • Incidents requiring cross-domain response coordination

Class 2: Systemic Incidents

  • Failures affecting multiple security domains simultaneously
  • Network effect incidents with organisation-wide implications
  • Incidents threatening critical business functions

Class 3: Cascading Incidents

  • Sequential failures propagating across domain boundaries
  • Incidents with amplifying effects through dependency chains
  • Incidents requiring cascade containment procedures

RESPONSE PROCEDURES:

  1. Detection and Alerting
    • Unified alerting across SIEM/PSIM platforms
    • Automated correlation of cross-domain indicators
    • Immediate escalation for hybrid/systemic incidents
  2. Response Team Activation
    • Cross-domain response team mobilisation
    • Unified command and control structure
    • Clear communication protocols and authority
  3. Containment and Mitigation
    • Coordinated containment across affected domains
    • Cascade interruption procedures
    • Business continuity activation
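As an added worked example (not part of AD-CSF.004 or of Requirement 4.1, and running over constructed sample records rather than any real SIEM or PSIM export), the following Python shows the "automated correlation of cross-domain indicators" step above in concrete form: badge events from physical access control are replayed alongside IT/OT authentication events, the badge state tells the correlator where each person physically is, and logins that contradict that state are raised as hybrid indicators. The two rules, the asset-to-site mapping, the user names and the timestamps are all hypothetical; the assumption that a local console login requires physical presence at the asset's site is also an assumption of the example, not a statement of the standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BadgeEvent:          # PSIM record: physical access control
    ts: datetime
    user: str
    site: str
    direction: str         # "in" or "out"


@dataclass(frozen=True)
class AuthEvent:           # SIEM record: IT/OT authentication
    ts: datetime
    user: str
    asset: str
    channel: str           # "console" (local login at the asset) or "vpn" (remote)
    success: bool


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    user: str
    ts: datetime
    detail: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry for one morning at two hypothetical plants.
ASSET_SITE: Dict[str, Optional[str]] = {"hmi-01": "plant-a", "eng-ws-07": "plant-a", "vpn-gw": None}
BADGE_EVENTS = [
    BadgeEvent(_t("2025-09-01T06:58:00"), "alice", "plant-a", "in"),
    BadgeEvent(_t("2025-09-01T09:00:00"), "alice", "plant-a", "out"),
    BadgeEvent(_t("2025-09-01T10:00:00"), "alice", "plant-b", "in"),
]
AUTH_EVENTS = [
    AuthEvent(_t("2025-09-01T07:05:00"), "alice", "hmi-01", "console", True),     # consistent with badge
    AuthEvent(_t("2025-09-01T07:20:00"), "bob", "vpn-gw", "vpn", True),           # remote, not badged in
    AuthEvent(_t("2025-09-01T08:10:00"), "alice", "vpn-gw", "vpn", True),         # remote while inside plant-a
    AuthEvent(_t("2025-09-01T09:30:00"), "carol", "eng-ws-07", "console", True),  # no badge record at all
    AuthEvent(_t("2025-09-01T10:05:00"), "alice", "hmi-01", "console", False),    # badged into plant-b, asset in plant-a
]


def correlate(badge_events: List[BadgeEvent], auth_events: List[AuthEvent],
              asset_site: Dict[str, Optional[str]],
              presence_ttl: timedelta = timedelta(hours=12)) -> List[Alert]:
    """Replay both feeds in time order, track where each badge says a person is,
    and flag authentications that are physically inconsistent with that state.
    A badge-in older than `presence_ttl` with no badge-out is treated as unknown
    (a missed exit) rather than as proof of presence."""
    stream = sorted(
        [(e.ts, 0, e) for e in badge_events] + [(e.ts, 1, e) for e in auth_events],
        key=lambda item: (item[0], item[1]),   # badge events first at equal timestamps
    )
    inside: Dict[str, Tuple[str, datetime]] = {}   # user -> (site, time of badge-in)
    alerts: List[Alert] = []
    for ts, kind, ev in stream:
        if kind == 0:
            if ev.direction == "in":
                inside[ev.user] = (ev.site, ev.ts)
            else:
                inside.pop(ev.user, None)
            continue
        where = inside.get(ev.user)
        if where and ts - where[1] > presence_ttl:
            where = None
        site = where[0] if where else None
        if ev.channel == "console":
            expected = asset_site.get(ev.asset)
            if site != expected:   # login at the keyboard of an asset the person is not physically near
                alerts.append(Alert("console-login-without-presence", "high", ev.user, ts,
                                    f"console login to {ev.asset} at {expected}; badge shows "
                                    f"{site or 'not on site'}; success={ev.success}"))
        elif ev.channel == "vpn" and ev.success and site is not None:
            alerts.append(Alert("remote-login-while-badged-inside", "medium", ev.user, ts,
                                f"VPN session established while badged inside {site}"))
    return alerts


if __name__ == "__main__":
    for a in correlate(BADGE_EVENTS, AUTH_EVENTS, ASSET_SITE):
        print(a.severity.upper(), a.rule, a.user, a.ts.isoformat(), a.detail)
```

Neither feed on its own would flag these events: each login is a valid credential on a known asset, and each badge swipe is a valid card at a door the holder may use. The indicator only exists once both are read together, which is the point of the unified platform requirement; the `presence_ttl` parameter is there because badge-out events are routinely missed, and an unbounded "still inside" state would make the console rule silently stop firing.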

AD-CSF.005 - Technology Integration Standards

PURPOSE: This document defines mandatory technical standards for converged security technology integration.

INTEGRATION STANDARDS:

  1. Platform Integration
    • SIEM/PSIM unified deployment requirements
    • API security standards (mutual TLS, rate limiting)
    • Interoperability protocols (ONVIF, STIX/TAXII)
    • Zero-trust architecture implementation
  2. Identity and Access Management
    • Unified IAM system requirements
    • Multi-factor authentication standards
    • Privileged access management integration
    • Dynamic risk-based authentication
  3. Network Security
    • Network segmentation for IT/OT/IoT environments
    • Controlled interface specifications
    • Encryption standards across all domains
    • Traffic monitoring and analysis requirements
  4. AI/ML Integration
    • Automated threat detection requirements
    • Predictive analytics implementation
    • Cross-domain correlation capabilities
    • Machine learning model validation

AD-CSF.006 – Training and Certification Requirements

PURPOSE: This document defines mandatory training and certification requirements for converged security implementation.

TRAINING PROGRAMMES:

  1. Executive Leadership Programme
    • Converged security strategy and governance
    • Business value and competitive advantage
    • Risk management across multiple domains
    • Change leadership and cultural transformation
  2. Security Professional Programme
    • Cross-domain security integration
    • Hybrid threat identification and response
    • Technology integration and management
    • Incident response coordination
  3. Operational Personnel Programme
    • Converged security awareness
    • Hybrid threat recognition and reporting
    • Cross-domain security procedures
    • Emergency response protocols

CERTIFICATION REQUIREMENTS:

Level 1: Awareness Certification

  • All personnel must complete within 6 months
  • Annual recertification required
  • Covers basic converged security concepts

Level 2: Professional Certification

  • Security personnel must complete within 12 months
  • Recertification required every two years
  • Covers technical implementation and procedures

Level 3: Leadership Certification

  • Management personnel must complete within 18 months
  • Recertification required every three years
  • Covers strategy, governance, and business value