Lai, ChuCheng (George)

Fubon Life Insurance / Information Security Department Head

George has 22 years of experience in information security and holds professional certificates such as CISSP, CISA, PMP and ITIL Expert. He is currently the head of the Information Security Department of Fubon Life Insurance.

SPEECH
4/15 (Tue.) 14:00 - 14:30 7F 701G CISO Forum
Experience sharing on introducing NIST CSF to address cybersecurity risks

ISO/IEC 27001 is already a universal information security standard in the financial industry. In addition to continuing to maintain the validity of our ISO/IEC 27001 certification, we began to think about how to continue to "consciously" strengthen the company's information security. Therefore, at the end of 2024, we overcame many difficulties and obtained the first NIST CSF certification in Taiwan's financial industry.

Through the Cybersecurity Framework proposed by the National Institute of Standards and Technology (NIST), we use the core framework and five implementation levels of the NIST CSF to examine the maturity of the company's information security governance, find our shortcomings in information security management, and then address them in stages according to risk level and company resources to build a more complete information security management structure.

The blood and tears of introducing the NIST CSF certification process will be shared in this speech. I hope it will bring you inspiration and benefit.