
Security Framework

A structured set of guidelines, controls, and best practices that organizations use to design, implement, and assess their cybersecurity programs, providing a common language for managing risk and demonstrating maturity, with examples including NIST CSF, ISO 27001, CIS Controls, and MITRE ATT&CK.

Author: Unihackers Team
Reading time: 4 min read
Why It Matters

Frameworks turn the chaos of cybersecurity into a manageable structure. Without them, organizations reinvent the wheel, miss obvious controls, and struggle to communicate risk to stakeholders. With them, security programs gain shared vocabulary, prioritized roadmaps, and credibility with regulators, insurers, and customers.

The 2014 NIST CSF emerged from a US Executive Order to help critical infrastructure operators manage cyber risk. Its success drove adoption far beyond its original scope. ISO 27001 enables global recognition through certification. MITRE ATT&CK has become the operational standard for adversary emulation and detection coverage. Effective security programs strategically combine multiple frameworks rather than picking only one.

Major Frameworks

NIST CSF 2.0

The NIST Cybersecurity Framework provides a flexible, outcome-based structure organized around six functions:

Function   Purpose
Govern     Risk strategy, roles, policies, supply chain
Identify   Asset, environment, risk understanding
Protect    Safeguards (IAM, training, data security, platform security)
Detect     Continuous monitoring and anomaly detection
Respond    Incident handling and communications
Recover    Restoration and lessons learned

Implementation Tiers (1–4) indicate maturity; Profiles align the framework to organizational priorities.

ISO/IEC 27001:2022

International standard for Information Security Management Systems (ISMS), with 93 controls organized into 4 themes (Organizational, People, Physical, Technological). Achieving certification requires:

  • Documented ISMS scope
  • Risk assessment and treatment
  • Statement of Applicability
  • Management commitment and continual improvement
  • External audit by accredited certification body

CIS Controls v8

Eighteen prioritized controls grouped into Implementation Groups (IG1–IG3) for organizations with different resource levels. CIS provides specific, actionable guidance:

IG1 (Essential cyber hygiene - 56 safeguards):
Inventory & Control of Assets, Data Protection,
Account Management, Continuous Vulnerability Management,
Audit Log Management, Email/Web Browser Protection,
Malware Defenses, Backup & Recovery

IG2 adds 74 safeguards (medium risk profile)
IG3 adds 23 safeguards (high risk, sophisticated threats)

MITRE ATT&CK

A knowledge base of adversary tactics (the why) and techniques (the how) observed in real-world intrusions. Used for:

  • Detection engineering and SIEM rule mapping
  • Red team operations and adversary emulation
  • Threat intelligence and campaign tracking
  • Coverage assessment with tools like ATT&CK Navigator
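The detection-coverage use described above, as an added example that is not part of the original page: a constructed set of SIEM rules tagged with ATT&CK technique IDs is checked against a small constructed technique catalog, the tactics with no detection are listed, and the result is emitted as a Navigator layer (the `versions` value is an assumption to adjust for your Navigator build).

```python
import json

# Constructed subset of ATT&CK Enterprise techniques grouped by tactic; a real
# assessment would load the full catalog from MITRE's STIX/JSON export.
TECHNIQUES = {
    "initial-access":    {"T1566": "Phishing", "T1190": "Exploit Public-Facing Application"},
    "execution":         {"T1059": "Command and Scripting Interpreter"},
    "persistence":       {"T1053": "Scheduled Task/Job"},
    "credential-access": {"T1003": "OS Credential Dumping"},
    "lateral-movement":  {"T1021": "Remote Services"},
    "impact":            {"T1486": "Data Encrypted for Impact"},
}
# Constructed SIEM rules; each carries the technique IDs it is meant to detect.
RULES = [
    {"name": "Office process spawns shell", "techniques": ["T1566", "T1059"]},
    {"name": "LSASS memory read by non-system process", "techniques": ["T1003"]},
    {"name": "New scheduled task created", "techniques": ["T1053"]},
    {"name": "Mass file rename to new extension", "techniques": ["T1486"]},
]

def coverage(rules=RULES, techniques=TECHNIQUES):
    """Map every catalog technique ID to the names of the rules that cover it."""
    hits = {tid: [] for ids in techniques.values() for tid in ids}
    for rule in rules:
        for tid in rule["techniques"]:
            if tid in hits:  # IDs outside the loaded catalog are ignored
                hits[tid].append(rule["name"])
    return hits

def gaps(rules=RULES, techniques=TECHNIQUES):
    """Tactic -> technique IDs with no rule at all; fully covered tactics are omitted."""
    cov = coverage(rules, techniques)
    missing = {t: [tid for tid in ids if not cov[tid]] for t, ids in techniques.items()}
    return {t: ids for t, ids in missing.items() if ids}

def navigator_layer(rules=RULES, techniques=TECHNIQUES, name="Detection coverage"):
    """Navigator layer dict: score = number of rules per technique (0 marks a gap)."""
    cov = coverage(rules, techniques)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},  # assumption: set to your Navigator's layer version
        "techniques": [{"techniqueID": tid, "score": len(names),
                        "comment": "; ".join(names) or "no detection"}
                       for tid, names in cov.items()],
    }

if __name__ == "__main__":
    print("Gaps:", gaps())
    print(json.dumps(navigator_layer(), indent=2))
```

Save the printed JSON to a file and open it in ATT&CK Navigator to see the covered and uncovered techniques shaded by score.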

COBIT

ISACA's framework for IT governance and management, often used by enterprise GRC programs and frequently combined with ISO 27001 and NIST CSF.

Sector-Specific Frameworks

  • HITRUST CSF: healthcare-focused harmonized framework
  • PCI DSS v4.0: payment card data
  • NERC CIP: North American electric grid
  • TISAX: automotive sector
  • FedRAMP: US federal cloud services

Choosing the Right Framework

Selection criteria:

  • Geography and regulation: ISO 27001 globally, NIST CSF in US federal/critical infrastructure
  • Customer requirements: SOC 2 for SaaS vendors, FedRAMP for US gov customers
  • Industry: PCI DSS for payments, HIPAA/HITRUST for healthcare
  • Maturity goals: certification (ISO) vs flexibility (NIST CSF)
  • Resources: CIS IG1 for small organizations, full ISO 27001 for enterprises

Implementation Approach

  1. Inventory current state: which controls exist and operate effectively?
  2. Select framework(s) based on the criteria above.
  3. Map current controls to the framework's catalog.
  4. Identify gaps and prioritize by risk.
  5. Build a roadmap with owners, milestones, and budget.
  6. Operate and measure: controls are not "done" once implemented.
  7. Audit and improve: internal first, then external if certifying.

Crosswalks Reduce Effort

Many frameworks share common controls. Crosswalk tools and matrices map:

  • NIST CSF ↔ ISO 27001 ↔ NIST 800-53
  • CIS Controls ↔ NIST CSF
  • SOC 2 Trust Services Criteria ↔ NIST CSF/ISO 27001

This dramatically reduces duplicate work for organizations subject to multiple frameworks.
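Steps 1, 3 and 4 of the implementation approach, followed by the crosswalk idea from this section, as an added example that is not part of the original page: a constructed control inventory is mapped to a small NIST CSF 2.0 catalog subset, gaps are ranked by a constructed risk weight, and the same inventory is then re-used through an illustrative CSF-to-ISO 27001 crosswalk table (the mapping rows are examples, not a published crosswalk).

```python
# Constructed NIST CSF 2.0 catalog subset: id -> (name, risk weight 1-5 assigned
# by the organization's own risk assessment, which drives the step 4 ordering).
CSF = {
    "GV.SC": ("Cybersecurity supply chain risk management", 3),
    "ID.AM": ("Asset management", 5),
    "PR.AA": ("Identity management, authentication and access control", 5),
    "PR.DS": ("Data security", 4),
    "DE.CM": ("Continuous monitoring", 4),
    "RC.RP": ("Incident recovery plan execution", 3),
}
# Constructed control inventory (steps 1 and 3): each control is mapped to the
# CSF category it serves, with the result of the "operates effectively?" check.
CONTROLS = [
    {"name": "CMDB with weekly discovery scan",  "csf": "ID.AM", "effective": True},
    {"name": "MFA on all remote access",         "csf": "PR.AA", "effective": True},
    {"name": "Full-disk encryption on laptops",  "csf": "PR.DS", "effective": False},
    {"name": "SIEM with 24x7 alert triage",      "csf": "DE.CM", "effective": True},
]
# Constructed crosswalk: CSF category -> ISO/IEC 27001:2022 Annex A control IDs.
CROSSWALK = {
    "GV.SC": ["A.5.19", "A.5.20"],
    "ID.AM": ["A.5.9"],
    "PR.AA": ["A.5.15", "A.5.17", "A.8.5"],
    "PR.DS": ["A.8.24"],
    "DE.CM": ["A.8.16"],
    "RC.RP": ["A.5.29"],
}

def effective_categories(controls=CONTROLS):
    """Categories served by at least one control that actually operates."""
    return {c["csf"] for c in controls if c["effective"]}

def gap_analysis(controls=CONTROLS, catalog=CSF):
    """Step 4: (id, name, weight) for uncovered categories, highest risk first."""
    covered = effective_categories(controls)
    gaps = [(cid, name, weight) for cid, (name, weight) in catalog.items()
            if cid not in covered]
    return sorted(gaps, key=lambda g: -g[2])  # stable sort: ties keep catalog order

def iso_status(controls=CONTROLS, crosswalk=CROSSWALK):
    """Crosswalk: ISO Annex A control -> covered?, derived from the CSF mapping."""
    covered = effective_categories(controls)
    status = {}
    for csf_id, iso_ids in crosswalk.items():
        for iso_id in iso_ids:  # covered if any mapped CSF category is covered
            status[iso_id] = status.get(iso_id, False) or csf_id in covered
    return status

if __name__ == "__main__":
    print("CSF gaps by risk:", gap_analysis())
    print("ISO 27001 gaps:", sorted(i for i, ok in iso_status().items() if not ok))
```

Note that the ineffective disk-encryption control counts as a gap: step 1's "operates effectively" check, not the mere existence of a control, decides coverage.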

In the Bootcamp

How We Teach Security Framework

In our Cybersecurity Bootcamp, you won't just learn about Security Framework in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 11: Security Engineering and Emerging Technologies

Related topics you'll master: Python, Cloud Security, SOAR, AI in Security
