23 Top Cybersecurity Frameworks

Many organizations consider cybersecurity to be a priority. The need to implement

effective cybersecurity frameworks grows every day. Cybercriminals continuously derive more
sophisticated techniques for executing attacks.

This has led to the development of various cybersecurity frameworks meant to assist organizations in
achieving robust cybersecurity programs. Therefore, businesses should understand the
top cybersecurity frameworks for enhancing their security postures.

Cybersecurity frameworks refer to defined structures containing processes, practices, and

technologies which companies can use to secure network and computer systems from security
threats. Businesses should understand cybersecurity frameworks for enhancing organizational
security. The top cybersecurity frameworks are as discussed below:

1. ISO IEC 27001/ISO 27002

The ISO 27001 cybersecurity framework consists of international standards which

recommend the requirements for managing information security management
systems (ISMS). ISO 27001 observes a risk-based process that requires businesses to
put in place measures for detecting security threats that impact their information
systems.

To address the identified threats, ISO 27001 standards recommend various controls. An organization
should select proper controls that can mitigate security risks to ensure it remains protected from
attacks. In total, ISO 27001 advocates 114 controls, which are categorized into 14 different
categories. Some of the categories include information security policies containing two controls;
information security organization with seven controls that detail the responsibilities for various tasks;
human resource security category with six controls for enabling employees to understand their
responsibility in maintaining information security.

On the other hand, the ISO 27002 framework comprises international standards that detail the
controls that an organization should use to manage information systems’ security. The ISO 27002 is
designed for use alongside ISO 27001, and most organizations use both to demonstrate their
commitment to complying with various requirements required by different regulations. Some of the
information security controls recommended in the ISO 27002 standard include policies for enhancing
information security, controls such as asset inventory for managing IT assets, access controls for
various business requirements, managing user access, and operations security controls.

2. NIST Cybersecurity Framework

The NIST Cybersecurity Framework was developed to respond to the presidential

Executive Order 13636. The executive order purpose to enhance the security of the
country’s critical infrastructure, thus protecting them from internal and external
attacks.

Although the framework’s design aims to secure critical infrastructures, private organizations
implement it to strengthen their cyber defenses. In particular, NIST CSF describes five functions that
manage the risks to data and information security. The functions are identify, protect, detect,
respond, and recover.
The identify function guides organizations in detecting security risks to asset management, business
environment, and IT governance through comprehensive risk assessment and management
processes. The detect function defines security controls for protecting data and information systems.
These include access control, training and awareness, data security, information protection
procedures, and maintaining protective technologies. Detect provides guidelines for detecting
anomalies in security, monitoring systems, and networks to uncover security incidences, among
others. The response function includes recommendations for planning responses to security events,
mitigation procedures, communication processes during a response, and activities for improving
security resiliency. Lastly, the recovery function provides guidelines that a company can use to
recover from attacks.

3. IASME Governance

IASME governance refers to cybersecurity standards designed to enable small and

medium-sized enterprises to realize adequate information assurance. The IASME
governance outlines a criterion in which a business can be certified as having
implemented the relevant cybersecurity measures.

The standard enables companies to demonstrate to new or existing customers their readiness to
protect business or personal data. In short, it is used to accredit a business’s cybersecurity posture.

The IASME governance accreditation is similar to that of an ISO 27001 certification. However,
implementing and maintaining the standard comes with reduced costs, administrative overheads,
and complexities. IASME standards certification includes free cybersecurity insurance for businesses
operating within the UK.

4. SOC 2

The American Institute of Certified Public Accountants (AICPA) developed the SOC 2
framework. The framework’s purpose to enable organizations that collect and store
personal customer information in cloud services to maintain proper security.

The framework also provides SaaS companies with guidelines and requirements for mitigating data
breach risks and strengthening their cybersecurity postures. Also, the SOC 2 framework details the
security requirements to which vendors and third parties must conform. The requirements guide
them in conducting both external and internal threat analyses to identify
potential cybersecurity threats.

SOC 2 contains 61 compliance requirements, which makes it among the most challenging
frameworks to implement. The requirements include guidelines for destroying confidential
information, monitoring systems for security anomalies, procedures for responding to security
events, internal communication guidelines, among others.

5. CIS v7

The body responsible for developing and maintaining the CIS v7 framework is the
Center for Information Security (CIS). CIS v7 lists 20 actionable cybersecurity
requirements meant for enhancing the security standards of all organizations.

Most companies perceive the security requirements as best practices since the CIS has
a credible reputation for developing baseline security programs.
The framework categorizes the information security controls into three implementation groups.
Implementation group 1 is for businesses that have limited cybersecurity expertise and resources.
Implementation group 2 is for all organizations with moderate technical experience and resources in
implementing the sub controls, whereas implementation group 3 targets companies with
vast cybersecurity expertise and resources.

CIS v7 stands out from the rest since it enables organizations to create budget-
friendly cybersecurity programs. It also allows them to prioritize cybersecurity efforts.

6. NIST 800-53 Cybersecurity Framework

The National Institute of Standards and Technology created the NIST 800-53 publication
for enabling federal agencies to realize effective cybersecurity practices.

The framework focuses on information security requirements designed to enable federal agencies to
secure information and information systems. Besides, NIST 800-53 provides governmental
organizations with the requirements to comply with FISMA (Federal Information Security
Management Act) requirements. NIST 800-53 is unique as it contains more than 900 security
requirements, making it among the most complicated frameworks for organizations to implement.

The requirements recommended in the framework include controls for enhancing physical security,
penetration testing, guidelines for implementing security assessments, and authorization policies or
procedures, among others. NIST 800-53 is a useful framework for organizations maintaining federal
information systems, companies with systems that interact with federal information systems, or
institutions seeking FISMA compliance.

7. COBIT

COBIT (Control Objectives for Information and Related Technologies) is

a cybersecurity framework that integrates a business’s best aspects to its IT security,
governance, and management. ISACA (Information Systems Audit and Control
Association) developed and maintains the framework.

The COBIT cybersecurity framework is useful for companies aiming at improving production quality
and, at the same time, adhere to enhanced security practices.

The factors that led to creating the framework are the necessity to meet all
stakeholder cybersecurity expectations, end-to-end procedure controls for enterprises, and the need
to develop a single but integrated security framework.

8. COSO

COSO (Committee of Sponsoring Organizations) is a framework that allows

organizations to identify and manage cybersecurity risks.

The core points behind the framework’s development include monitoring, auditing,
reporting, controlling, among others. Also, the framework consists of 17 requirements, which are
categorized into five different categories. The categories are control environment, risk assessments,
control activities, information and communication, and monitoring and controlling.
All of the framework’s components collaborate to establish sound processes for identifying and
managing risks. Using the framework routinely identifies and assesses security risks at all
organizational levels, thus improving its cybersecurity strategies.

Also, the framework recommends communication processes for communicating information risks
and security objectives up or down in an organization. The framework further allows for continuous
monitoring of security events to permit prompt responses.

9. TC CYBER

The TC CYBER (Technical Committee on Cyber Security) framework was developed to

improve the telecommunication standards across countries located within the
European zones.

The framework recommends a set of requirements for improving privacy awareness for
individuals or organizations.

It focuses on ensuring that organizations and individuals can enjoy high privacy levels when using
various telecommunication channels. Moreover, the framework recommends measures for
enhancing communication security.

Although the framework specifically addresses telecommunication privacy and security in European
zones, other countries worldwide also use it.

10. HITRUST CSF

HITRUST (Health Information Trust Alliance) cybersecurity framework addresses the

various measures for enhancing security.

The framework was developed to cater to the security issues organizations within the
health industry face when managing IT security. This is through providing such institutions with
efficient, comprehensive, and flexible approaches to managing risks and meeting various compliance
regulations.

In particular, the framework integrates various compliance regulations for securing personal
information. Such include Singapore’s Personal Data Protection Act and interprets relevant
requirement recites from the General Data Protection Regulation.

The HITRUST cybersecurity framework is regularly revised to ensure it includes data protection
requirements specific to the HIPPA regulation.

11. CISQ

CISQ (Consortium for IT Software Quality) provides security standards that developers
should maintain when developing software applications.

Additionally, developers use the CISQ standards to measure the size and quality of a
software program. CISQ standards enable software developers to assess the risks and
vulnerabilities present in a completed application or one under development. As a result, they can
efficiently address all threats to ensure users access and use secure software applications.
The vulnerabilities and exploits which the Open Web Application Security Project (OWASP), SANS
Institute, and CWE (Common Weaknesses Enumeration) identify form the basis upon which the CISQ
standards are developed and maintained.

12. Ten Steps to Cybersecurity

The Ten Steps to Cybersecurity is an initiative by the UK’s Department for Business. It
provides business executives with a cybersecurity overview. The framework recognizes
the importance of providing executives with knowledge of cybersecurity issues that
impact business development or growth and the various measures to mitigate such
problems.

This is to enable them to make better-informed management decisions about

organizational cybersecurity. The framework uses broad descriptions but with lesser technicalities to
explain the various cyber risks, defenses, mitigation measures, and solutions, thus enabling a
business to employ a company-wide approach for enhancing cybersecurity.

13. FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is a framework

designed for government agencies. The framework provides standardized guidelines
that can enable federal agencies to evaluate cyber threats and risks to the different
infrastructure platforms and cloud-based services and software solutions.

Furthermore, the framework permits the reuse of existing security packages and assessments across
various governmental agencies.

The framework is also based on the continuous monitoring of IT infrastructure and cloud products to
facilitate a real-time cybersecurity program. More importantly, FedRAMP focuses on shifting from
tedious, tethered, and insecure IT to more secure mobile and quick IT. The aim is to ensure federal
agencies have access to modern and reliable technologies without compromising their security.

To achieve the desired security levels, FedRAMP collaborates with cloud and cybersecurity experts to
maintain other security frameworks. These include NSA, DoD, NIST, GSA, OMB, and other private
sector groups.

The main goals of FedRAMP are to accelerate cloud migrations by reusing authorizations and
assessments, enhance confidence in cloud security, ensure that federal agencies consistently apply
recommended security practices, and increase automation for continuous monitoring.

14. HIPAA

HIPAA (Health Insurance Portability and Accountability Act) contains various guidelines
for enabling organizations to implement sufficient controls for securing employee or
customer health information.

HIPAA standards also require healthcare organizations to comply since they collect and store health
information for all patients. The standards comprise different security requirements that need
organizations to demonstrate a clear understanding of how to implement and use them.
Such requirements include training employees at all levels on the best practices for collecting and
storing health data. Besides, HIPAA requires companies to create and maintain appropriate
procedures for conducting risk assessments. The process should also include methods for managing
identified risks.

15. GDPR

GDPR (General Data Protection Regulation) is one of the latest frameworks enacted to
secure personally identifiable information belonging to European citizens.

The regulation framework provides a set of mandatory security requirements that organizations in
different parts of the world must implement. As such, it is a global framework that protects the data
of all EU citizens. Non-compliance leads to huge penalties, and this has caused most companies to
comply with the requirements.

GDPR requirements include implementing suitable controls for restricting unauthorized access to
stored data. These are access control measures such as least privilege and role-based access controls
and multi-factor authentication schemes. Organizations or websites must also acquire a data owner’s
consent before using data for reasons such as marketing or advertising. Data breaches that result
from a company’s inability to implement security controls amount to non-compliance.

16. FISMA

FISMA (Federal Information Systems Management Act) is a cybersecurity framework

designed for federal agencies. The compliance standard outlines a set of security
requirements that government agencies can use to enhance
their cybersecurity posture.

The security standards aim to ascertain that federal agencies implement adequate measures to
protect critical information systems from different types of attacks. Moreover, the framework
requires vendors or third-parties interacting with a government agency to conform to the stipulated
security recommendations.

The security standard’s main aim is to enable federal agencies to develop and maintain highly
effective cybersecurity programs. To achieve this, the standard consists of a
comprehensive cybersecurity framework with nine steps for securing government operations and IT
assets. These are:

1. Categorizing information to security levels

2. Identify minimum security controls for protecting information
3. Refine the controls by using risk assessments
4. Document the controls and develop a security plan
5. Implement required controls
6. Evaluate the effectiveness of implemented controls
7. Determine security risks to federal systems or data
8. Authorize the use of secure information systems
9. Continuous monitoring of implemented controls.

17. NY DFS
 NY DFS (New York Department of Financial Services) is a cybersecurity framework
covering all institutions operating under DFS registrations, charters, or licenses.

The framework consists of several cybersecurity requirements that can enhance financial
organizations’ security postures and the third parties they interact with for different businesses.

Among others, NY DFS requires organizations to identify security threats that can affect their
networks or information systems. Also, the framework necessitates companies to adopt sufficient
security infrastructure for protecting all IT assets from the identified risks. Notwithstanding,
organizations covered by the NY DFS must implement systems for detecting cybersecurity events.

18. NERC CIP

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure

Protection) is a cybersecurity framework that contains standards for protecting critical
infrastructures and assets.

In total, the framework has nine standards comprising of 45 requirements. For example, the
sabotage reporting standard requires an electric organization to report unusual occurrences and
security disturbances to relevant bodies.

The critical cyber asset identification standard makes it mandatory for an entity to document all
cyber assets considered critical. Also, personnel and training standard requires employees with
access to critical cyber assets to complete security and awareness training. Other standards included
in the NERC CIP framework are electronic security perimeter, incident response, managing systems
security, and maintaining recovery plans.

19. SCAP

SCAP, or Security Content Automation Protocol, is a regulation standard containing

security specifications for standardizing the communication of security products and
tools.

The specification aims to standardize the processes through which security software programs
communicate security issues, configuration information, and vulnerabilities. Through the
standardized specifications, SCAP intends to enable a company to measure, express, and organize
security data using universal criteria and formats.

The security software can allow a business to maintain enterprise security by utilizing processes such
as verifying and installing security patches automatically. Others are testing and verifying the security
configurations of implemented systems and investigating incidences that can compromise the system
or network security.

20. ANSI

The ANSI (American National Standards Institute) framework contains standards,

information, and technical reports which outline procedures for implementing and
maintaining Industrial Automation and Control Systems (IACS).

The framework applies to all organizations that implement or manage IACS systems. The framework
consists of four categories as defined by ANSI.
The first category contains foundational information like security models, terminologies, and
concepts. The second category addresses the aspects involved in creating and maintaining
IACS cybersecurity programs. The third and fourth categories outline requirements for secure system
integration and security requirements for product development.

21. NIST SP 800-12

The framework provides an overview of control and computer security within an

organization.

Also, NIST SP 800-12 focuses on the different security controls an organization can implement to
strengthen cybersecurity defense. Although most of the control and security requirements were
designed for federal and governmental agencies, they are highly applicable to private organizations
seeking to enhance their cybersecurity programs.

NIST SP 800-12 enables companies to maintain policies and programs for securing sensitive IT
infrastructure and data.

22. NIST SP 800-14

NIST SP 800-14 is a unique publication that provides detailed descriptions of

commonly used security principles. The publication enables organizations to
understand all that needs to be included in cybersecurity policies.

As a result, businesses ensure to develop holistic cybersecurity programs and policies covering
essential data and systems. Besides, the publications outline specific measures that companies
should use to strengthen already implemented security policies. In total, the NIST SP 800-14
framework describes eight security principles with a total of 14 cybersecurity practices.

23. NIST SP 800-26

Whereas the NIST SP 800-14 framework discusses the various security principles used
to secure information and IT assets, NIST SP 800-26 provides guidelines for managing
IT security.

Implementing security policies alone cannot enable a company to realize

optimum cybersecurity since they require frequent assessments and evaluations. For example, the
publication contains descriptions for conducting risk assessments and practices for managing
identified risks.

It is an instrumental framework that ensures organizations maintain effective cybersecurity policies.

A combination of different NIST publications can ensure businesses maintain
adequate cybersecurity programs.

1https://www.iso.org/isoiec-27001-information-security.html

2https://www.iso27001security.com/html/27002.html

3https://www.nist.gov/cyberframework

4https://www.iasme.co.uk/audited-iasme-governance/
5https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html

6https://www.cisecurity.org/controls/

7https://nvd.nist.gov/800-53

8http://www.isaca.org/cobit/pages/default.aspx

9https://www.coso.org/Pages/default.aspx

10https://www.etsi.org/cyber-security/tc-cyber-roadmap

11https://hitrustalliance.net/hitrust-csf/

12https://www.it-cisq.org/

13https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

14https://www.fedramp.gov/

15https://www.hhs.gov/hipaa/index.html

16https://gdpr-info.eu/

17https://www.dhs.gov/cisa/federal-information-security-modernization-act

18https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf

19https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf

20https://www.open-scap.org/features/standards/

21https://www.ansi.org/

22https://csrc.nist.gov/CSRC/media/Publications/sp/800-12/rev-
1/draft/documents/sp800_12_r1_draft.pdf

23https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=890092

24https://csrc.nist.gov/publications/detail/sp/800-26/archive/2001-11-01