
Security Frameworks


Security frameworks provide structured approaches to managing cybersecurity risk. They are not checklists — they are models that help you identify gaps, prioritise investments, and communicate with stakeholders.

Why Frameworks Matter

Without a framework, security decisions are reactive: a breach happens, you fix that thing, repeat. With a framework, you have a systematic understanding of your security posture. You know what controls you have, what controls you are missing, and what to prioritise next.

| Without Framework | With Framework |
|---|---|
| "We need a firewall because everyone says so" | "NIST CSF Protect function — we need network security controls" |
| "We had a breach, let's buy this tool" | "Our gap analysis shows we lack detection capability — let's deploy EDR" |
| "Why are we spending so much on security?" | "Here is our maturity level against ISO 27001 — here are the gaps" |
| "Are we secure?" (unanswerable) | "Our controls map to 85% of the CIS Top 18" (measurable) |

NIST Cybersecurity Framework (CSF) 2.0

The CSF is the most widely adopted cybersecurity framework globally. It was originally released in 2014 and updated to v2.0 in February 2024.

The Six Functions

The 2024 update added a sixth function — Govern — recognising that cybersecurity governance must be elevated above technical implementation:

```mermaid
graph TD
    GV[Govern — Establish cybersecurity strategy and oversight] --> ID
    ID[Identify — Understand risk to systems, assets, data] --> PR
    PR[Protect — Safeguard against threats] --> DE
    DE[Detect — Find attacks in progress] --> RS
    RS[Respond — Contain and mitigate] --> RC
    RC[Recover — Restore capabilities]
    RC --> GV
```

Detailed Breakdown

1. Govern (GV) — NEW in v2.0

The organisation’s cybersecurity strategy, oversight, and governance:

| Category | Example Outcomes |
|---|---|
| GV.OC — Organisational Context | Cybersecurity mission is integrated with enterprise risk |
| GV.RM — Risk Management Strategy | Risk appetite is defined and approved by board |
| GV.RR — Roles and Responsibilities | CISO reports to board, security roles defined |
| GV.PO — Policy and Oversight | Security policies are approved, reviewed annually |
| GV.OV — Oversight | Board receives quarterly security updates |
| GV.SC — Supply Chain | Vendor security requirements enforced |

2. Identify (ID)

Understand the organisation’s current cybersecurity risk:

| Category | Example Outcomes |
|---|---|
| ID.AM — Asset Management | Complete inventory of hardware, software, data |
| ID.RA — Risk Assessment | Risk register updated quarterly |
| ID.IM — Improvement | Lessons learned from incidents are documented |
| ID.SC — Supply Chain Risk | Third-party risk assessed before engagement |

3. Protect (PR)

Safeguards to ensure delivery of critical services:

| Category | Example Outcomes |
|---|---|
| PR.AA — Identity Management and Access Control | MFA enforced, JIT admin access |
| PR.AT — Awareness and Training | Annual security training, phishing simulations |
| PR.DS — Data Security | Encryption at rest and in transit, DLP |
| PR.PS — Platform Security | Patch management, secure configurations |
| PR.IR — Technology Infrastructure Resilience | Redundancy, disaster recovery |

4. Detect (DE)

Find cybersecurity attacks in progress:

| Category | Example Outcomes |
|---|---|
| DE.AE — Adverse Event Analysis | SIEM with correlation rules |
| DE.CM — Continuous Monitoring | 24/7 security monitoring, EDR on all endpoints |
| DE.DP — Detection Processes | Defined alert triage process |

5. Respond (RS)

Take action when an incident is detected:

| Category | Example Outcomes |
|---|---|
| RS.MA — Incident Management | Documented IR plan, tested playbooks |
| RS.CO — Communications | Internal and external communication templates |
| RS.AN — Analysis | Forensic investigation capability |
| RS.MI — Mitigation | Containment strategies defined and tested |
| RS.IM — Improvements | Post-incident lessons learned process |

6. Recover (RC)

Restore capabilities after an incident:

| Category | Example Outcomes |
|---|---|
| RC.RP — Recovery Plan Execution | Backups restored within SLA |
| RC.CO — Communications | Stakeholder updates during recovery |
| RC.IM — Improvements | Recovery procedures updated based on tests |

Using the CSF

```text
# Step 1: Determine Current and Target Profiles
# Current Profile: Where are we today?
# Govern: 2/5 (initial)
# Identify: 2/5
# Protect: 3/5
# Detect: 2/5
# Respond: 2/5
# Recover: 2/5

# Target Profile: Where do we need to be?
# Govern: 3/5
# Identify: 3/5
# Protect: 4/5
# Detect: 3/5
# Respond: 3/5
# Recover: 3/5

# Step 2: Conduct GAP Analysis
# Gap: Protect is at 3/5 → target 4/5
# Missing control: EDR on all endpoints
# Missing control: Automated patch management
# Priority: High

# Step 3: Create Action Plan
# 1. Deploy EDR (Q1, $50K)
# 2. Implement patch automation (Q2, $30K)
# 3. Build detection rules for common threats (Q3, 2 months engineering)
```
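The three-step profile-and-gap procedure above, carried through in code as an added example (not from the page or from NIST). The profile scores are the page's numbers; the per-function weighting rule, the priority thresholds and the missing-control lists are constructed assumptions.

```python
"""CSF profile gap analysis: added example, not the page's or NIST's code.

Profiles score each of the six CSF 2.0 functions on the page's 1-5 scale.
WEIGHT, the priority thresholds and MISSING are constructed sample data.
"""
from dataclasses import dataclass

FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
# Constructed weighting: how much a one-point gap in each function matters.
WEIGHT = {"Govern": 3, "Identify": 2, "Protect": 3, "Detect": 3, "Respond": 2, "Recover": 1}

CURRENT = {"Govern": 2, "Identify": 2, "Protect": 3, "Detect": 2, "Respond": 2, "Recover": 2}
TARGET = {"Govern": 3, "Identify": 3, "Protect": 4, "Detect": 3, "Respond": 3, "Recover": 3}
MISSING = {"Protect": ["EDR on all endpoints", "Automated patch management"],
           "Detect": ["Detection rules for common threats"]}


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int
    controls: tuple

    @property
    def score(self) -> int:
        return (self.target - self.current) * WEIGHT[self.function]

    @property
    def priority(self) -> str:  # constructed thresholds
        return "High" if self.score >= 3 else "Medium" if self.score == 2 else "Low"


def validate_profile(profile: dict) -> None:
    """Reject a profile that omits a function or uses a score outside 1-5."""
    absent = [f for f in FUNCTIONS if f not in profile]
    if absent:
        raise ValueError(f"profile missing functions: {absent}")
    bad = {f: s for f, s in profile.items() if not 1 <= s <= 5}
    if bad:
        raise ValueError(f"scores must be 1-5: {bad}")


def gap_analysis(current: dict, target: dict, missing: dict) -> list:
    """Unmet functions, highest weighted gap first; ties keep CSF order (stable sort)."""
    validate_profile(current)
    validate_profile(target)
    gaps = [Gap(f, current[f], target[f], tuple(missing.get(f, ())))
            for f in FUNCTIONS if target[f] > current[f]]
    return sorted(gaps, key=lambda g: -g.score)


def action_plan(gaps: list) -> list:
    """One action line per gap, in priority order, naming the controls to add."""
    return [f"{g.priority}: {g.function} {g.current}/5 -> {g.target}/5; add "
            + (", ".join(g.controls) or "controls still to be identified") for g in gaps]
```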

ISO 27001

ISO 27001 is the international standard for Information Security Management Systems (ISMS). Unlike the CSF (which is guidance), ISO 27001 is a certifiable standard.

| Aspect | Detail |
|---|---|
| Type | Management system standard (certifiable) |
| Latest version | ISO 27001:2022 |
| Controls | 93 controls across 4 domains (updated from 114 in 2013 version) |
| Domains | Organisational (37), People (8), Physical (14), Technological (34) |
| Certification | Issued by accredited body, valid 3 years, surveillance audits annually |
| Adoption | 70,000+ certified organisations globally |

ISO 27001 Certification Process

1. Gap Analysis (2-4 weeks)
→ Compare current state against 93 controls
→ Identify missing policies, procedures, controls
2. ISMS Implementation (3-6 months)
→ Write missing policies
→ Implement missing controls
→ Train staff
→ Conduct internal audit
3. Stage 1 Audit (2-3 days)
→ External auditor reviews documentation
→ Verifies ISMS is designed correctly
→ Identifies major gaps before Stage 2
4. Stage 2 Audit (3-5 days)
→ External auditor tests controls in practice
→ Interviews staff, reviews evidence
→ If no critical findings → certification issued
5. Surveillance Audits (annually)
→ Maintain certification
→ Address changes in environment
6. Recertification (every 3 years)
→ Full reassessment

ISO 27001 Annex A Control Categories (2022)

| Domain | Control Count | Examples |
|---|---|---|
| Organisational (Clause 5-7) | 37 | Information security policy, roles and responsibilities, risk assessment, supplier relationships, incident management |
| People (Clause 8) | 8 | Screening, training, disciplinary process, remote working |
| Physical (Clause 9) | 14 | Physical entry controls, secure areas, equipment security, clear desk policy |
| Technological (Clause 10) | 34 | Access control, cryptography, malware protection, backups, logging, network security |

CIS Controls

The CIS Critical Security Controls are a prioritised set of actions that form the foundation of an effective security program. They are maintained by the Center for Internet Security.

CIS Top 18 Controls (v8)

The 18 controls are grouped into three Implementation Groups (IGs):

| IG | Description | Controls | Typical Organisation |
|---|---|---|---|
| IG1 | Basic cyber hygiene | 1-6 | Small business, limited resources |
| IG2 | Intermediate | 7-12 | Mid-size organisation |
| IG3 | Advanced | 13-18 | Large enterprise, high maturity |

IG1 — Basic Hygiene (Essential for Every Organisation)

| # | Control | Description | Example Implementation |
|---|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Know every device connected to your network | Asset management tool (ServiceNow, Snipe-IT) |
| 2 | Inventory and Control of Software Assets | Know every application installed | AppLocker, software inventory |
| 3 | Data Protection | Encrypt sensitive data at rest and in transit | BitLocker, TLS, DLP |
| 4 | Secure Configuration | Harden all systems to a baseline | CIS Benchmarks, Group Policy |
| 5 | Account Management | Unique IDs, MFA, least privilege | Azure AD, Okta, PAM |
| 6 | Access Control Management | Grant/revoke access based on role | RBAC, access reviews |

IG2 — Additional Controls

| # | Control | Description |
|---|---|---|
| 7 | Continuous Vulnerability Management | Weekly authenticated scanning, risk-based patching |
| 8 | Audit Log Management | Centralised logging (SIEM), 12-month retention |
| 9 | Email and Web Browser Protections | DMARC, URL filtering, browser isolation |
| 10 | Malware Defences | EDR with behavioural detection |
| 11 | Data Recovery | 3-2-1 backup rule, quarterly restoration tests |
| 12 | Network Infrastructure Management | Network segmentation, firewall management |

IG3 — Advanced Controls

| # | Control | Description |
|---|---|---|
| 13 | Network Monitoring and Defence | IDS/IPS, network traffic analysis |
| 14 | Security Awareness and Skills Training | Role-based training, phishing simulations |
| 15 | Service Provider Management | TPRM program, SOC 2 reviews |
| 16 | Application Security | SAST, DAST, secure SDLC |
| 17 | Incident Response Management | Documented plan, tested playbooks |
| 18 | Penetration Testing | Annual external + internal pen test |

Framework Comparison

| Feature | NIST CSF 2.0 | ISO 27001 | CIS Controls | COBIT |
|---|---|---|---|---|
| Type | Guidance framework | Certifiable standard | Prioritised controls | Governance framework |
| Focus | Risk management | ISMS | Technical controls | IT governance |
| Certifiable | No | Yes | No | No |
| Size | 6 functions, 106 subcategories | 93 controls | 18 controls | 40 governance objectives |
| Best for | Any organisation | Organisations needing certification | Technical teams | IT management, board reporting |
| Maturity model | Tiers (1-4) | Not built-in (can be added) | IGs 1-3 | Maturity levels (0-5) |
| Common use | Communicate security posture | Prove security program exists | Prioritise improvements | Align IT with business goals |

Control Mapping Across Frameworks

Frameworks overlap significantly. Most organisations map their controls to multiple frameworks:

Control: "Multi-factor authentication on all external-facing applications"
→ NIST CSF: PR.AA (Identity Management)
→ ISO 27001: A.8.5 (Secure authentication)
→ CIS: 5.2 (MFA)
→ PCI DSS: 8.3 (MFA for remote access)

Control: "Weekly vulnerability scanning of all internet-facing systems"
→ NIST CSF: ID.RA (Risk Assessment)
→ ISO 27001: A.8.8 (Technical vulnerability management)
→ CIS: 7.1 (Vulnerability scanning)
→ PCI DSS: 11.2 (Quarterly external scans, weekly internal scans)
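The mapping idea above as a small control register, written here as an added example (not code from the page). The two mapped controls use the requirement IDs the page lists; the third control and its IDs are constructed, and the CIS coverage figure is the kind of "X% of the CIS Top 18" number the introduction mentions.

```python
"""Mapping implemented controls to several frameworks: added example, not from
the page. The first two controls use the page's requirement IDs; the third is
a constructed sample (its CIS safeguard id is assumed) with no PCI DSS mapping.
"""
from collections import defaultdict

# Constructed register: requirement id each implemented control satisfies, per framework.
CONTROLS = {
    "MFA on all external-facing applications": {
        "NIST CSF": "PR.AA", "ISO 27001": "A.8.5", "CIS": "5.2", "PCI DSS": "8.3"},
    "Weekly vulnerability scanning of internet-facing systems": {
        "NIST CSF": "ID.RA", "ISO 27001": "A.8.8", "CIS": "7.1", "PCI DSS": "11.2"},
    "EDR on all endpoints": {  # constructed; CIS id assumed, PCI DSS deliberately absent
        "NIST CSF": "DE.CM", "CIS": "10.1"},
}
CIS_CONTROL_COUNT = 18  # CIS v8 has 18 top-level controls (the page's "Top 18")


def by_framework(controls: dict) -> dict:
    """Invert the register: framework -> requirement id -> implemented controls.

    This is the view an auditor asks for: 'show me evidence for A.8.5'."""
    index = defaultdict(lambda: defaultdict(list))
    for name, reqs in controls.items():
        for framework, req_id in reqs.items():
            index[framework][req_id].append(name)
    return {fw: dict(reqs) for fw, reqs in index.items()}


def unmapped(controls: dict, frameworks: tuple) -> dict:
    """Controls with no mapping to a framework: either a real gap or a mapping chore."""
    return {fw: [n for n, reqs in controls.items() if fw not in reqs] for fw in frameworks}


def cis_coverage(controls: dict) -> float:
    """Percentage of the 18 CIS controls touched by at least one mapped safeguard.

    A safeguard id such as '5.2' belongs to top-level control 5."""
    touched = {int(reqs["CIS"].split(".")[0]) for reqs in controls.values() if "CIS" in reqs}
    return round(100 * len(touched) / CIS_CONTROL_COUNT, 1)
```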

Key Takeaways

  • NIST CSF 2.0 adds a sixth function (Govern) and is the most widely adopted framework globally — best for communicating security posture to leadership
  • ISO 27001 is the only certifiable standard among the major frameworks — certification demonstrates a formal security management system to customers and partners
  • CIS Controls provide a prioritised, actionable list of technical controls — start with IG1 (mandatory for every organisation) and progress to IG3
  • Frameworks overlap significantly — map your controls to multiple frameworks to satisfy different requirements (e.g., sell to customers with SOC 2, comply with regulations, guide your own program)
  • Choose your framework based on your goal: NIST CSF for strategy, ISO 27001 for certification, CIS for technical implementation, COBIT for IT governance
  • No framework is a substitute for risk management — frameworks provide structure, but you must still assess your specific risks and prioritise accordingly