Carnegie Mellon University

ISO 2.0

The ISO 2.0 initiative is a "‘One Team’ Approach to Information Security @ CMU”. Recognizing that information security relies on an inter-dependent set of services provided by many different units, ISO 2.0 will engage service providers to inventory and document their specific contributions to CMU’s information security program.

Expected Outcomes

  • Demonstrate the full complement of people, process, technology, and facility-based controls that produce operational resilience, reduce risk, enable opportunity, and achieve compliance
  • Enhance transparency, understanding, and confidence in the controls structure and institutional services
  • Ensure continuous improvement and timely response to emerging threats, new opportunities, and evolving compliance obligations

Timeline and Milestones

Phase 1: Assessment of Information Security Program Components


  • Adopt an assessment framework (selected NIST Cybersecurity Framework (CSF))
  • ISO baseline assessment against the NIST CSF


  • Pilot assessment framework approach with partner organization (ERM)
  • Tweak the approach

Phase 2: Inclusive Information Security Program

FY23 — FY24

  • Document and track improvement roadmaps
  • Define and manage program metrics
  • Inventory and/or document contributing partner organization components
  • Reassess NIST CSF with partner organizations
  • Weave all contributing campus services and operations into a written information security program