Top Cybersecurity Frameworks and Standards

A framework is a pre-determined structure or set of guidelines that the team can utilise to create something helpful. Similarly, an information security framework is nothing more than a set of written procedures. It’s used to design rules and procedures for installing and administering information security controls in a company.

Many businesses are required to follow a mix of mandated, industry-specific, and worldwide cybersecurity standards. A company that trades nationwide, or perhaps globally, faces significant challenges.

While cybersecurity frameworks provide a set of “best practices” for establishing risk tolerance and implementing controls, determining which one is right for a company can be challenging. Furthermore, many pieces of legislation refer to several standards or frameworks at once. Understanding the similarities and differences across the various security frameworks can aid in the development of a stronger cybersecurity compliance programme.

Center for Internet Security (CIS) Controls

The CIS Controls framework lists twenty mission-critical controls across three categories:

  • Basic
  • Foundational
  • Organizational

After that, the CIS Controls framework defines three implementation groups. Organizations with minimal resources and cybersecurity expertise should join Implementation Group 1. Organizations with intermediate resources and cybersecurity competence should join Implementation Group 2. Organizations in Implementation Group 3 have significant resources and cybersecurity expertise.

The CIS Controls framework includes a list of sub-controls for each of the 20 controls, color-coded to indicate which implementation group should use them. For example, the sub-control “Utilize an Active Discovery Tool” in CIS Control 1 “Inventory and Control of Hardware Assets” is adequate for Implementation Groups 2 and 3 but too much of a burden for Group 1.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Consisting of many control objectives organized into many domains, the CCM focuses solely on cloud computing. The domains include:

  • Audit & Assurance
  • Application & Interface Security
  • Business Continuity Management & Operational Resilience
  • Change Control & Configuration Management
  • Cryptography, Encryption & Key Management
  • Datacenter Security
  • Data Security & Privacy Lifecycle Management
  • Governance, Risk Management & Compliance
  • Human Resources
  • Identity & Access Management
  • Interoperability & Portability
  • Infrastructure & Virtualization Security
  • Logging & Monitoring
  • Security Incident Management, E-Discovery, & Cloud Forensics
  • Supply Chain Management, Transparency & Accountability
  • Threat & Vulnerability Management
  • Universal Endpoint Management

Within each domain, CCM lists controls and specifications to help organizations create a compliant security program.

Control Objectives for Information Technology (COBIT)

COBIT starts with the demands of stakeholders, assigns governance responsibilities to each stakeholder group, and then maps those obligations back to technology. COBIT’s ultimate purpose is to ensure that the organization’s security posture is properly monitored.

COBIT’s fundamental model divides governance and management goals into five categories:

  • EDM: Evaluate, Direct, and Monitor
  • APO: Align, Plan, and Organise
  • BAI: Build, Acquire, and Implement
  • DSS: Deliver, Service, and Support
  • MEA: Monitor, Evaluate, and Assess

COBIT’s design principles include:

  • Understanding the enterprise strategy
  • Scoping the governance system
  • Refining the scope
  • Completing the design

Finally, COBIT’s emphasis on governance results in a security framework that simplifies audits and incorporates continuous improvement to better those outcomes.

European Union Agency for Cybersecurity (ENISA) National Capabilities Assessment Framework

The ENISA National Capabilities Assessment Framework allows Member States to conduct self-evaluations in order to determine their maturity level. The framework allows countries to analyse their cybersecurity capabilities, providing them with guidance for developing national cybersecurity strategy.

The Framework outlines the following benefits that come from engaging in a national assessment:

  • Useful information for developing long-term strategies
  • Identifying gaps in cybersecurity programs
  • Opportunities for enhancing cybersecurity capabilities
  • Supporting political accountability
  • Establishing public and international credibility
  • Creating a public image of transparency
  • Helping anticipate future issues
  • Identifying lessons learned and best practices
  • Providing a cybersecurity baseline across the EU
  • Evaluating national cybersecurity capabilities

Information Security Forum (ISF) Standard of Good Practice for Information Security

The ISF is a not-for-profit organisation whose members communicate security challenges, experiences, and practical solutions in order to create a knowledge exchange.

The SOGP 2020 provides a set of best practices intended to:

  • Improve resilience
  • Provide a foundation for information risk assessments
  • Validate information security across the supply chain
  • Support compliance with major industry standards
  • Form a basis for policies, standards, and procedures

Internet of Things (IoT) Cybersecurity Alliance (IoTCA)

The IoTCA’s mission is to forge a community that brings together cybersecurity and IoT experts so that they can address real-world IoT security issues and work to establish a security-first IoT posture.

Their framework takes a multi-layered approach to create end-to-end security, taking into account all connected devices and their associated applications. The framework includes:

  • Endpoint layer: devices/connected objects, short-range networks
  • Network layer: communications network
  • Data/App layer: applications

Their goal is to mitigate risks such as:

  • Resource limitations
  • Malware
  • Device cloning
  • Lack of monitoring
  • Protocol tampering
  • Man-in-the-middle attack
  • Denial of Service
  • Unauthorized software
  • Unauthorized access

Internet of Things (IoT) Security Foundation (IoTSF) Security Compliance Framework

The IoTSF is a worldwide non-profit organisation that brings together IoT security experts, IoT hardware and software product vendors, network providers, system specifiers, integrators, distributors, merchants, insurers, local governments, and government agencies.

To mitigate financial and brand reputation risk, they focus on securing IoT during the design process. The IoTSF Security Compliance Framework adopts a risk-based approach to compliance and focuses on six critical challenges:

  • Management governance
  • Engineered for security
  • Fit for purpose cryptography
  • Secure network framework and applications
  • Secure production processes and supply chains
  • Safe and secure for the customer

International Office of Standardization (ISO) 27001

One of the earliest standards groups is ISO. This non-governmental organisation has members from 165 nations. ISO develops technology standards, including several security standards. Over a dozen standards make up the ISO/IEC 27000 “family,” but ISO 27001 is the cornerstone for constructing an information security management system (ISMS).

ISO 27001 specifies the procedures for building, implementing, maintaining, and continuously improving an ISMS, which are influenced by the organization’s goals, objectives, security requirements, processes, size, and structure. Its best practices involve establishing controls and processes based on the following criteria:

  • Organization context
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

As part of establishing an ISMS, organizations need to consider additional ISO 27000 family standards such as:

  • ISO/IEC 27002:2013 – Code of practice for information security controls
  • ISO/IEC 27003 – Information security management system implementation guidance
  • ISO/IEC 27004 – Information security management – Measurement
  • ISO 31000:2009 – Risk Management – Principles and guidelines

MITRE ATT&CK

MITRE is a federally funded, non-profit cybersecurity research and development institution. ATT&CK became the standard reference for offensive and defensive researchers when MITRE began cataloguing common cyberattack tactics, techniques, and procedures (TTPs) employed against Windows enterprise networks. The Common Vulnerabilities and Exposures (CVE) list was also developed and trademarked by MITRE.

The ATT&CK Enterprise matrix has 14 tactics describing what malicious actors do when they set up advanced persistent threats (APTs) within a corporate environment. Each of the 14 tactics that follow is then broken down into specific techniques:

  • Reconnaissance
  • Resource development
  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection
  • Command and control
  • Exfiltration
  • Impact

In response to the increasing use of mobile devices, MITRE created the Mobile matrix to help security staff better track emerging threats. The 14 MITRE mobile tactics, again divided into sub-categories, are:

  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection
  • Command and control
  • Exfiltration
  • Impact

National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF)

The National Cyber Security Centre (NCSC) of the United Kingdom was established in 2016 to bring together SMEs, enterprise companies, government agencies, the general public, and ministries to solve cybersecurity threats.

Its Cyber Assessment Framework (CAF) provides recommendations to UK Critical National Infrastructure (CNI), enterprises subject to the NIS Directive cyber regulation, and organisations managing cyber-related public safety concerns. CAF assists firms in developing a cyber resiliency programme by emphasising outcomes rather than checklists.

It has four primary objectives:

  • A: Managing security risk
  • B: Protecting against cyber attacks
  • C: Detecting cybersecurity events
  • D: Minimising the impact of cybersecurity incidents

It embeds 14 subparts within these four primary objectives, many aligned with other international standards. These subparts are:

  • A.1: Governance
  • A.2: Risk management
  • A.3: Asset management
  • A.4: Supply chain risk management
  • B.1: Service protection policies and processes
  • B.2: Identity and access control
  • B.3: Data security
  • B.4: System security
  • B.5: Resilient networks and systems
  • B.6: Staff awareness and training
  • C.1: Security monitoring
  • C.2: Proactive security event discovery
  • D.1: Response and recovery planning
  • D.2: Lessons learned

National Institute of Technologies (NIST) Cybersecurity Framework (CSF)

NIST is a non-regulatory government agency in the United States that establishes standards in the physical sciences. NIST CSF was created with critical infrastructure owners and operators in mind, but it may now be utilised by any company. Many firms outside of the critical infrastructure industry employ the CSF, especially if they need to comply with other federal data protection regulations in the United States.

The CSF consists of three sections:

  • Framework Core
  • Implementation Tiers
  • Framework Profiles

The Framework Core consists of five functions with categories and subcategories embedded within them. The Framework Core Functions are:

  • Identify (ID): Develop a cybersecurity risk management approach that identifies all systems, people, assets, data, and capabilities
  • Protect (PR): Develop and implement safeguards to ensure delivery of critical services
  • Detect (DE): Develop and implement activities that identify the occurrence of a cybersecurity event
  • Respond (RS)
  • Recover (RC)

The four Implementation Tiers are:

  • Tier 1: Partial
    • Ad hoc risk management practices
    • Organizational-level cybersecurity risk awareness
    • No sense of its role within the larger ecosystem
  • Tier 2: Risk-Informed
    • Management approved risk management processes but not set as organizational policy
    • Organizational-level cybersecurity risk awareness but no organization-wide risk management approach
    • Understands its role with respect to either its own dependencies or its dependents within the ecosystem
  • Tier 3: Repeatable
    • Formally approved risk management practices expressed as policy
    • Organization-wide risk management policies, processes, and procedures
    • Understands role, dependencies, and dependents in the larger ecosystem and collaborates with other entities
  • Tier 4: Adaptive
    • Adapts cybersecurity practices based on cybersecurity activities including lessons learned and predictive indicators
    • Organization-wide risk management policies, processes, and procedures that address potential cybersecurity events
    • Understands its role, dependencies, and dependents within the larger ecosystem and contributes to the broader community’s understanding of risks

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 in response to an upsurge in credit card theft. It is made up of the five largest credit card companies: American Express, Discover, JCB International, Mastercard, and Visa, Inc. PCI DSS is a prescriptive security compliance requirement for merchants and financial services providers.

PCI DSS contains six categories of controls:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Within those six categories, PCI DSS then sets out 12 detailed requirements:

  • Install and maintain a firewall configuration
  • Do not use vendor-supplied defaults
  • Protect stored cardholder data
  • Encrypt cardholder data transmissions across open, public networks
  • Protect all systems against malware
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain an information security policy

HITRUST Cybersecurity Framework (CSF)

HITRUST delivers an integrated risk and compliance solution that helps healthcare organisations and their business associates find a more flexible way to satisfy Health Insurance Portability and Accountability Act (HIPAA) compliance.

Leaders in the fields of privacy, information security, and risk management from both the public and private sectors collaborated to develop a set of protections for the security and privacy of protected health information (PHI) and electronic PHI (ePHI). The HITRUST CSF has many control objectives and many control requirements, all of which fit into one of the control categories listed below:

  • Information security management program
  • Access control
  • Human resources security
  • Risk management
  • Security policy
  • Organization of information security
  • Compliance
  • Asset management
  • Physical and environmental security
  • Communications and operations management
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business continuity management
  • Privacy practices

How Can ITM Help You?

IT Minister covers all aspects of cyber security, including but not limited to home cyber security managed solutions, automated and managed threat intelligence, forensic investigations, mobile device management, cloud security best practice and architecture, and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact us for more information.
