December 7

How To Choose a Cybersecurity Framework

Because you’re a clever old thing, you know that adopting a cybersecurity framework is one of the most effective ways of boldly giving hackers a virtual judo chop. But when you’re faced with a cartful of cybersecurity frameworks to choose from, where do you even start?

Start by letting your peepers run amok on this web page because we’ve thrown together a semi-comprehensive-yet-non-yawny guide to the most common cybersecurity frameworks right now. Which of these contestants could be the right one for your business? 

Let’s find out.

Whoa There, What’s A Cybersecurity Framework?

So glad you asked. A cybersecurity framework is a structured set of guidelines and/or requirements that helps you create and maintain an organized approach to managing the risks to your network, data, and systems. This promotes a change in mindset to thinking of data security as a process instead of a static goal. 

There are lots of different cybersecurity frameworks out there, just grazing along the open ranges of the interwebs. We’ll get to that in a minute, but more broadly speaking, the policies, practices, and procedures of most frameworks knit together in a way that allows you to create a process in the form of your very own Information Security Management System (ISMS).

Your ISMS will help you establish, implement, operate, monitor, review, maintain, and improve information security, including: 

  • Identifying risks and vulnerabilities, e.g., a poor offboarding procedure, misconfigured email authentication protocols, or a lack of central control for mobile devices.
  • Assessing and prioritizing those risks.
  • Deploying a range of remediation controls to reduce those risks. 

Note that cybersecurity frameworks aren’t law: but in some sectors, like education, defense, and healthcare, it’s mandatory for organizations to have some kind of data security protection in place. Cybersecurity frameworks can provide this protection.

Seems like hard work, you say? Yep, it is. But it’s worth it. 

9 Common Cybersecurity Frameworks

There’s a dazzling array of sleek cybersecurity frameworks winking at you from the cybersecurity framework store window. Some of them are generalist (like ISO 27001 and NIST), while others are more specialist (like HIPAA and CMMC). You’ll find a lot of crossover between them, and some have actively stolen (okay, borrowed) from others. For some, like SOC 2 and HIPAA, you’ll need to undergo an external audit and assessment to get that shiny accreditation certificate. Others are just happy you use them as guidance.

Common cybersecurity frameworks: 

Name | Created by | Designed for | Why?
--- | --- | --- | ---
CIS Controls | Center for Internet Security (CIS) | Any organization | Not compulsory – identifies a minimum level of information security for any organization that stores personal data.
CMMC 2.0 | Department of Defense (DoD) | Supply chain contractors for the DoD | Mandatory for DoD contracts.
COBIT | Information Systems Audit and Control Association (ISACA) | Any organization | Not compulsory – helps to apply, monitor, and improve best practices that ensure quality, control, and reliability. Required for Sarbanes-Oxley Act (SOX) compliance (SOX protects investors from fraudulent reporting).
HIPAA | Congress | Health sector organizations that handle electronic protected health information (ePHI) | Federal requirement for organizations that store or transmit PHI.
HITRUST CSF | Health Information Trust Alliance (HITRUST) | Health sector organizations | Not required for healthcare businesses, but a HITRUST certification assures customers and vendors of your data privacy policy, as well as your integrity, validity, and transparency.
ISO 27001 / ISO 27002 | International Organization for Standardization (ISO) | Any organization | Global standard defining the essentials of an information security management system (ISMS) – updated regularly. Certified by third parties accredited by the American National Standards Institute (ANSI) National Accreditation Board (ANAB).
NIST CSF | National Institute of Standards and Technology (NIST) – created under Executive Order 13636 | Any organization | Not compulsory for public businesses. NIST compliance is mandatory for all US federal agencies, contractors, or subcontractors that handle government data.
PCI DSS | Payment Card Industry (PCI) | Organizations that process, use, or store credit card information | Required by payment card companies for any firm that takes credit card information.
SOC 2 | American Institute of Certified Public Accountants (AICPA) | Organizations that process, store, or transmit sensitive customer data, e.g., SaaS companies, cloud providers | Compliance requires an audit by a licensed CPA agency accredited by the AICPA.

Let’s dive in so you can get a handle on these bad boys:

CIS Controls

Created by the non-profit Center for Internet Security (CIS), the CIS Controls are a simplified framework of safeguards, and a robust entry point to certification with other, more complex frameworks.

CMMC 2.0

The DoD dreamed this one up to protect its supply chain from malicious attacks – and a good thing, too, frankly. The Cybersecurity Maturity Model Certification (CMMC 2.0) is mandatory if you want a contract with the DoD as a prime contractor or a subcontractor – it goes all the way down and across the supply chain. It’s aligned to chunks of the National Institute of Standards and Technology (NIST) guidance, and there are 14 domains to jump over. On the bright side, that’s three fewer than CMMC 1.0.

COBIT

Control Objectives for Information and Related Technologies (COBIT) was originally created by the Information Systems Audit and Control Association (ISACA) to help accountants safely navigate the vulnerabilities of growing IT environments, but it’s expanded to support governance and management of enterprise IT. It’s often used by public organizations looking to comply with the 2002 Sarbanes-Oxley Act (SOX), born as a result of fraud scandals like Enron.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that stipulates how electronic protected health information (ePHI) should be handled under four rules: Security, Privacy, Enforcement, and Breach Notification. If you handle ePHI, you’ll need this.

HITRUST CSF

The Health Information Trust Alliance (HITRUST) Common Security Framework, like HIPAA, is aimed at healthcare organizations and is a mashup of HIPAA, NIST, and the International Organization for Standardization (ISO) 27001. It’s not a compulsory accreditation for healthcare businesses, but it lets your constituents know you’re on top of information security tasks.

ISO 27001

The mother of all cybersecurity frameworks, this is *the* internationally recognized risk management standard. It outlines in detail how organizations can build a robust ISMS and identify the scope of risk management through two components: 

  • Ten clauses – Seven of these are mandatory for ISO 27001 wannabes.
  • 14 control categories – These contain a total of 114 controls. Ouch! (But doable).

NIST 

The NIST Cybersecurity Framework was created to help any organization in any sector improve their cybersecurity risk management. It’s built around five key areas: 

  • Identify 
  • Protect 
  • Detect 
  • Respond, and 
  • Recover

PCI DSS

The Payment Card Industry Data Security Standard is an international standard that helps organizations keep credit card information secure at a global level. To achieve compliance with PCI DSS, you’ll need to satisfy 12 requirements.

SOC 2

Service Organization Control 2 (SOC 2) was designed by accountants, bless them, to help service organizations that work with sensitive customer data keep that data protected. It’s designed around five areas: 

  • Data security
  • Availability 
  • Processing integrity 
  • Confidentiality, and 
  • Privacy 

Which Cybersecurity Framework Is Right For You?

So, you’ve made the decision that, yep, having some kind of process for achieving and maintaining data security is a pretty good idea. All cybersecurity frameworks have you covered in terms of managing risk, but cybersecurity frameworks differ in breadth, depth, and the resources and support you’ll need to get compliant. So how do you make that choice? Here’s what to consider:

Your Business Setup And Goals

What are your business ambitions, and how will you get there? How do you work at the moment, and what changes and challenges are you taking on? Expanding? Hiring abroad? Handling all the customer data, and then some? Do you outsource much of your IT infrastructure or handle it in-house? Your goals and setup will influence the kind of cybersecurity framework that’s right for you. 

What’s Expected For Your Industry

The compliance requirements of your industry are a big clue. If you’re handling ePHI in the healthcare industry, you’ll need HIPAA. Simple as that. If you want a big bite of those juicy defense contracts, you’ll need CMMC 2.0. If you’re a service organization handling data in the cloud or similar, SOC 2 is what you should aim for. Handling credit card payments? Gonna need PCI DSS.

Your Resources

Not gonna lie; implementing any kind of cybersecurity framework takes time, people, and dollars. Be realistic with your costs. We’re not saying you should cut corners, but perhaps you don’t need all the whistles and bells of an ISO27001 when a SOC 2 will do just fine. Or, if you’ve had a few incident scares, perhaps it’s time to divert some $ from the CEO’s cappuccino budget straight into risk management. 

Where You’re At

How about you and Bud, your IT department, take a day out to assess how well your current security processes already hit some cybersecurity targets. For instance, if you use (our) brand of Mobile Device Management (MDM), you’re already a quarter of the way to HIPAA and have checked off 26 SOC 2 controls. Maybe it’s not a stretch to complete one of the more simple frameworks. Go, You!

Choosing A Cybersecurity Framework Ain’t Easy

But we can make it easier. Not to brag, but gettin’ y’all up to compliance level with pretty much any cybersecurity framework is what we do brilliantly, and we’ve got a ton of happy, compliant clients to prove it. Oh, look, we bragged. We can also give you a pretty darn good estimate of how near you are to achieving compliance. For more bragging and some sound advice about choosing a cybersecurity framework, give us a call. 

Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!
