What Is The "Best" Cybersecurity Framework For Your Needs?
The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organiation must comply with will most often point you to one of four (4) starting points to kick off the discussion about "Which framework is most appropriate for our needs?":
NIST Cybersecurity Framework (NIST CSF);
NIST SP 800-53 (moderate or high baselines); or
Secure Controls Framework (SCF) (or a similar metaframework).
When you graphically depict the various, leading cybersecurity frameworks from "easier to harder" it primarily focuses on the sheer number of unique cybersecurity and privacy controls. The volume of these controls (e.g., requirements) directly impacts the number of domains covered by that cybersecurity framework. The lesser number of controls in a cybersecurity framework might make it appear easier to implement, but it also might not provide the necessary coverage that your organization needs from the perspective of administrative, technical and physical cybersecurity and privacy practices. Defining "just right" for your cybersecurity and privacy controls is primarily a business decision, based on your organization's risk profile, which needs to consider applicable laws, regulations and contractual obligations that are required to support existing or planned business processes.
A very important consideration when selecting a framework is necessary customization. It is unlikely that a single framework will fit your needs perfectly, so you have to expect to tailor a framework for your specific needs (e.g., add to it, remove unnecessary content or merge multiple frameworks). From a customization perspective, think of "bolting on" content to a cybersecurity frameworks similar to the concept of gnawing off the square sides of a peg to make it fit into a round hole - it will eventually fit but it likely will not look very good or fit very well. This is the downside of customizing cybersecurity frameworks to add content that the framework lacks. It is generally less painful/costly to align with a more robust framework and remove content than it is to start with a lesser framework and add content.
Is There A Goldilocks Framework - Not Too Hard, Not Too Soft, But Just Right?
The selection process for cybersecurity frameworks generally leads to adopting a "starting point" framework. These foundational frameworks are the NIST Cybersecurity Framework, ISO 27002, NIST 800-53 or the Secure Controls Framework (SCF). We call it the "cybersecurity Goldilocks dilemma" since it addresses the question: Which cybersecurity framework is "not too hard, not too soft, but just right!" for my organization? It comes down to first defining your "must have" and "nice to have" requirements, since that helps point you to the most appropriate framework to meet your specific needs:
"Must Have" Minimum Compliance Criteria (MCC) (e.g., laws, regulations and contractual obligations); and
"Nice to Have" Discretionary Security Requirements (DSR) (e.g., not legally-required but you feel you need to be secure, such as FIM, DLP, MFA, etc.)
Those two considerations come together to address the "Compliant vs Secure" decision for an organization's cybersecurity and/or privacy program to be both secure and compliant. You can read more about that in the Integrated Controls Management (ICM) model.
"Compliant" vs "Secure" Considerations
The more robust the framework you select to align with, you can expect to have more topics covered by the included controls. This generally means you will have more comprehensive policies and standards to meet the expanded coverage. The dilemma many companies face is they want to be compliant, while minimizing the amount of paperwork (e.g., policies, standards and controls) that they have to maintain. This is where the aspect of your organization's leadership team is important to really define the risk culture of the organization at a fundamental level:
Compliance Focused - this is aiming for mediocrity by focusing on only the bare minimums to comply with a law, regulation or framework. (note - this approach is very common. It is misguided, but common)
Security Focused - this is focused on hard-core secure engineering practices and compliance is not a concern. (note - this approach is rare)
Compliant & Secure Focused - this is a holistic approach that is focused on making sure systems, applications and services are secure by design and default, where compliance is viewed as a natural byproduct by having the proper blend of cybersecurity and privacy practices. (note - this is an optimal approach that organizations should strive for)
Cybersecurity Framework Heatmap
Not all frameworks are created equally and that is ok. It is not uncommon for experienced cybersecurity practitioners to have fundamental misunderstandings of the differences between laws, regulations and frameworks. However, in this context, what is depicted on the heatmap is refered to as a "framework" since by the NIST Glossary definition, a framework is "a layered structure indicating what kind of programs can or should be built and how they would interrelate." Even a law or regulation can serve as a framework for building a cybersecurity program.
We understand that it can be a little confusing when you look at it from a "heat map" perspective, since each cybersecurity framework has its own unique scope of applicability (e.g., specialization) and depth of coverage. However, understanding this can help you make an informed decision on where to start for the most appropriate framework(s) for your needs (often, organizations utilize more than one framework). You may even find you need to leverage a metaframework (e.g., framework of frameworks) to address more complex compliance requirements.
How Do You Pick A Cybersecurity Framework? (Coke vs Pepsi Analogy)
If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it generally comes down to personal preferences, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same arguments can be made for cybersecurity’s two heavy hitters – NIST 800-53 and ISO 27002. Gaining popularity is the NIST Cybersecurity Framework (NIST CSF), but it lacks appropriate coverage out of the box to be considered a comprehensive cybersecurity framework. For more complex compliance requirements, the SCF is a "metaframework" that encompasses over 100 laws, regulations and frameworks in a hybrid framework that can span multiple compliance requirements.
Cybersecurity Framework Comparison: NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF
A key consideration for picking a cybersecurity framework involved understanding the level of content each framework offers, since this directly impacts the available cybersecurity and privacy controls that exist "out of the box" without having to bolt-on content to make it work for your specific needs. If you ask a cybersecurity professional to identify their preferred "best practice framework", it generally comes down to NIST or ISO, since those are the most commonly-found frameworks. However, that doesn't mean that is where you should limit your search.
If you are not sure where to start, here are some recommendations:
Have a discussion with your legal and procurement departments to find out what laws, regulations and contractual obligations your organization needs to comply with. If they don't know, then you need to perform that discovery with their involvement to ensure you have the facts. Do not try to work off assumptions!
Talk with peers in your industry to identify what framework(s) their organization chose to align with and what those decisions were that led them to adopting one framework over another. You still have to do your own analysis to determine what is right, but talking with peers can help avoid "re-inventing the wheel" on certain aspects of the analysis process.
Determine what resources you have available to adopt and implement a framework. If it is a flip of the coin decision between two frameworks where you feel both meet your needs, you need to be sure to take into account which framework will be the most efficient to implement and maintain.
Evaluate your organization's business and IT strategies to identify components that may require the adoption of a specific framework. For example:.
Your CEO puts out a roadmap to grow business and next year the company will start going after US Government and Department of Defense (DoD) contracts. This means your organization will have to address DFARS, FAR and CMMC compliance, which is based on NIST SP 800-171. This means alignment with NIST SP 800-53 or SCF might be the best path forward
A business unit is expanding into the European market and will focus on B2C sales. This means your organization will have to address EU GDPR for robust privacy practices, on top of cybersecurity. This means you could select any framework to address underlying cybersecurity practices, but you need a privacy program. The SCF might be the best path forward.
Speak with a reputable consultant. Not all "cybersecurity professionals" have the same backgrounds, experiences and competencies. Speak with a Governance, Risk and Compliance (GRC) professional about compliance-related frameworks and scoping decisions.
ISO 27001/2 is essentially a subset of the content found in NIST 800-53 (ISO 27002 went from fourteen (14) sections in 2013 to three (3) sections in 2022) where ISO 27002's cybersecurity controls fit within the twenty (20) families of NIST 800-53 rev5 security controls.
NIST CSF is a subset of NIST 800-53 and also shares controls found in ISO 27001/2.
NIST CSF incorporates parts of ISO 27001/2 and parts of NIST 800-53, but is not inclusive of both - this is what makes NIST CSF is a common choice for smaller companies that need a set of "industry-recognized secure practices" to align with, where ISO 27001/2 and NIST 800-53 are better for larger companies or those that have unique compliance requirements.
When you start taking into account common requirements such as the Payment Card Industry Data Security Standard (PCI DSS), you will see from crosswalk mapping that these common requirements are more comprehensive than what is included natively by NIST CSF, so you would need to use ISO 27002 or NIST 800-53 to meet PCI DSS as a framework (depending on your SAQ level), unless you want to bolt-on additional controls to the NIST CSF to make that work. Is that wrong? No, but it is just messy when you start bolting onto frameworks.
Secure Controls Framework (SCF) Overview
If you are not familiar with the Secure Controls Framework (SCF), it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations! The SCF is a "metaframework" which is a framework of frameworks. The SCF is a superset that covers the controls found in NIST CSF, ISO 27002, NIST 800-53 and over 100 other laws, regulations and frameworks. These leading cybersecurity frameworks tend to cover the same fundamental building blocks of a cybersecurity program, but differ in some content and layout. Before picking a framework, it is important to understand that each one has its benefits and drawbacks. Therefore, your choice should be driven by the type of industry your business is in and what laws, regulations and contractual obligations your organization needs to comply with.
The SCF is an open source project that provides free cybersecurity and privacy controls for businesses. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
The Secure Controls Framework (SCF) is a "best in class" approach that covers over 100 cybersecurity and privacy laws, regulations and frameworks, including NIST 800-53, ISO 27001/2 and NIST CSF. Being a hybrid, it allows you to address multiple cybersecurity and privacy frameworks simultaneously. The SCF is a free resource for businesses to use. ComplianceForge's Digital Security Program (DSP) has 1-1 mapping with the SCF, so the DSP provides the most comprehensive coverage of any ComplianceForge product.
The Secure Controls Framework (SCF) is commonly use by medium to large businesses, but can be used by any business with complex cybersecurity and privacy requirements.
The SCF can be used for:
Any sized business
The SCF should not be used for:
Simple compliance needs
NIST SP 800-53 Overview
The National Institute of Standards and Technology (NIST) is on the fifth revision (rev5) of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. From rev4 to rev5, NIST dropped the "US Government" focus for NIST SP 800-53 and now has it generalized enough for private industry to use. There are still "NISTisms" for wording that are entirely US Government-focused, but it is a significant improvement for private industry adoption. NIST 800-53 "best practices" are the de facto standard for private businesses that do business with the US federal government.
One thing to keep in mind is that NIST 800-53 is a super-set of ISO 27002 - that means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53.
The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Risk Management Framework (RMF) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is called out as the best practices for government contractors to secure their systems. That further helps strengthen NIST 800-53 as a best practice within the US, especially for any government contractors. We have a section that describes NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) if you are interested in that subject.
NIST 800-53 includes what both ISO 27002 and NIST CSF addresses, as well as a whole host of other requirements. NIST 800-53 is the basis for the controls found in NIST 800-171 / CMMC. NIST 800-53 is commonly found in the financial, medical and government contracting industries. One great thing about NIST 800-53, and it applies almost universally to all NIST 800-series publications. As with other NIST publications, it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.
NIST 800-53 Moderate is commonly use by medium to large businesses and is primarily US-focused.
NIST 800-53 Moderate can be used for:
Defense Contractors (CMMC, RMF, etc.)
Government Contractors (FedRAMP, RMF, etc.)
Technology Businesses (e.g., MSPs, CSPs, etc.)
General Business (large)
NIST 800-53 Moderate should not be used for:
NIST 800-53 High is commonly use by medium to large businesses with an explicit requirement for the high baseline and is primarily US-focused.
NIST 800-171 can be used by any sized organization, since it is the required set of controls necessary to protect CUI where it is stored, processed and/or transmitted.
NIST 800-171 can be used for:
Technology Businesses (MSPs, MSSPs, etc.)
NIST 800-171 should not be used for:
FedRAMP or RMF compliance
ISO 27001 / 27002 Overview
The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO’s IT security documents in the 27000 series of their documentation catalog - ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aides in the implementation of ISO 27001. Adding a little more confusion to the mix, it is important to note that companies cannot certify against ISO 27002, just ISO 27001.
ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides those specific controls that are necessary to actually implement ISO 27001. Essentially, you can't meet ISO 27001 without implementing ISO 27002:
ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls
To keep things simple, just remember that ISO 27001 lays out the framework to create an “Information Security Management System (ISMS)” (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual “best practices” details of what goes into building a comprehensive IT security program. Since ISO’s information security framework has been around since the mid-1990s, it was in “right time at the right place” to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and for companies that do not have to specifically comply with US federal regulations. ISO 27002 is also “less paranoid” than NIST 800-53, which has an advantage of being less complex and therefore easier implement.
ISO 27001 / 27002 is commonly use by medium to large businesses and is internationally-recognized (e.g., ISO 27001 certification).
ISO 27001 / 27002 can be used for:
ISO 27001 / 27002 should not be used for:
NIST Cybersecurity Framework (NIST CSF) Overview
NIST Cybersecurity Framework (NIST CSF) has the least coverage of the major cybersecurity frameworks. NIST CSF works great for smaller and unregulated businesses that just want to align with a recongized cybersecurity framework. The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, GDPR, CPRA/CCPA and PCI DSS (depending on SAQ level). For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002 are recommended.
In reality, NIST CSF is a "dumbed down" and civilianized version of NIST 800-53. It came out nearly a decade ago when NIST 800-53 was entirely focused on the US Government, so there was a need for a subset of the controls that NIST 800-53 provided but for the non-enterprise space in private industry (e.g., tailored for small to medium businesses). Over the past decade, different US Federal agencies have published documents describing how NIST CSF v1.1 controls can be leveraged to comply with HIPAA, FINRA, etc.
Overall, NIST CSF does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. NIST CSF if organized into five categories of controls:
The NIST CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The NIST CSF is designed to evolve with changes in cybersecurity threats, processes, and technologies. Essentially, the NIST CSF envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions. However, the "framework implementation tiers" should be avoided, since it is bad guidance. For example, you have to get to Tier 3 before you document policies, standards or procedures. That means a business at Tier 1 and Tier 2 would be considered negligent for failing to meet "reasonable expectations" for a security program. This is an example of "the path to hell is paved with good intentions" so that component of NIST CSF should be avoided.
NIST CSF is commonly use by smaller businesses and unregulated industries.
NIST CSF can be used for:
NIST CSF should not be used for:
Cybersecurity Policies, Standards & Procedures Are Meant To Address Your Compliance Needs
It is important to keep in mind that picking a cybersecurity framework is more of a business decision and less of a technical decision since cybersecurity and privacy controls identified in external laws, regulations or frameworks directly influence your organization's internal policies, standards and procedures.
Policies are established by an organization’s corporate leadership establishes “management’s intent” for cybersecurity and data protection requirements that are necessary to support the organization’s overall strategy and mission.
Control Objectives identify the technical, administrative and physical protections that are generally tied to a law, regulation, industry framework or contractual obligation.
Standards provide organization-specific, quantifiable requirements for cybersecurity and data protection.
Guidelines are additional guidance that is recommended, but not mandatory.
Procedures (also known as Control Activities) establish the defined practices or steps that are performed to meet to implement standards and satisfy controls / control objectives.
Build With A Hierarchical Approach To Cybersecurity & Privacy Documentation
The Hierarchical Cybersecurity Governance Framework (HCGF) is the "ComplianceForge Reference Model" of cybersecurity and privacy documentation. This free guide is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization's cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics. The swimlane diagram shown below (click for a larger PDF) defines the terminology and demonstrates the linkages between these various documentation components.
It all starts with influencers – these external and internal influencers set the tone to establish what is considered due diligence for cybersecurity & data protection operations.
For external influencers, this includes statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding agreements) that companies must address.
For internal influencers, these are business-driven and the focus is more on management’s desire for consistent, efficient and effective operations:
Alignment with business strategy; and
Meeting business goals & objectives.
Fundamentally, the process of selecting a cybersecurity framework must be driven by what your organization is obligated to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
Avoid being considered negligent by being able to demonstrate evidence of due diligence and due care pertaining to "reasonably-expected" security & privacy practices;
Properly address risk management expectations by having the proper controls to secure your organization's systems, applications and processes from reasonable threats.
Once you know the minimum requirements you need to meet, it can help narrow down the most appropriate framework. As shown in the "framework spectrum" diagram (shown below) that helps depict how not all frameworks are the same, you need to focus on selecting the most appropriate set of cybersecurity controls (e.g., controls framework) for your organization to align with.
What Documentation Do I Need To Comply With NIST CSF, ISO 27002 or NIST 800-53?
To do NIST CSF, ISO 27002 or NIST 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to be in compliance with NIST CSF vs ISO 27002 vs NIST 800-53, since there are significantly different levels of expectation.
When you start looking at "What should I buy to comply or align with X framework?" it is important to understand what the expectations of the various frameworks entail. When you look at these frameworks from the perspective of a spectrum that spans from weaker to more robust controls coverage, the basic expectation is that there are more requirements as you advance along this spectrum. The chart below helps identify the various ComplianceForge products where they intersect with NIST CSF, ISO 27002, NIST 800-53 and NIST 800-171/CMMC requirements. As depicted in the spectrum graphic at the top of this page, there are less requirements to comply with the NIST Cybersecurity Framework, while ISO 27002 has more requirements. However, ISO 27002 has less requirements than NIST 800-53.
NIST 800-53 r4
NIST 800-171 r1
Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP)
ID.GV-1 [multiple sections]
5.1.1 [multiple sections]
PM-1 [multiple sections]
252.204-7008 252.204-7012 NIST 800-171 (multiple CUI & NFO controls)
When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with the NIST Cybersecurity Framework (NIST CSF). The product names you see in the various packages below map into the matrix shown above to show you how that maps into NIST CSF.
When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with ISO 27001 / 27002. The product names you see in the various packages below map into the matrix shown above to show you how that maps into ISO 27002.
Good (ISO 27002)
Better (ISO 27002)
Great (ISO 27002)
Awesome (ISO 27002)
CDPP - ISO 27002 Policies & Standards
CDPP + CSOP - ISO 27002 Policies, Standards & Procedures
When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with NIST 800-53. The product names you see in the various packages below map into the matrix shown above to show you how that maps into NIST 800-53.
Digital Security Program (DSP) - Enterprise-Class, Hybrid Framework For Cybersecurity & Privacy
The DSP is an enterprise-class solution for cybersecurity & privacy documentation consisting of thirty-three (33) domains that defines a modern,...