Popular Security Frameworks
NIST Cybersecurity Framework (CSF)
Publisher: National Institute of Standards and Technology (NIST)
Purpose: A broad standard designed to improve cybersecurity instruction across organizations of all sizes
Details: The NIST CSF was initially developed to improve the security of critical infrastructure sectors, but it has since become a general-purpose model used across many different industries. The NIST CSF is organized around five core functions: Identify, Protect, Detect, Respond and Recover. These functions guide an organization in identifying and rating its assets and risks, setting up preventive and detective controls, and planning how to respond to and recover from attacks. The NIST CSF is highly adaptable, which is what makes it a popular choice for organizations ranging from small businesses to large enterprises.
COBIT (Control Objectives for Information and Related Technologies)
Publisher: ISACA
Purpose: Governance and management of enterprise IT
Details: COBIT is a framework designed by ISACA to help organizations manage and govern enterprise IT. COBIT covers aspects of cybersecurity, but it is broader in scope and focuses more on governance and on aligning IT strategy with an organization's business goals. COBIT is popular and relevant in regulated industries such as finance, healthcare and government, and is frequently used in preparation for audits against other standards.
CIS Controls (Center for Internet Security)
Publisher: Center for Internet Security (CIS)
Purpose: A list of prioritized, actionable security practices
Details: The CIS Controls are a list of the top 18 critical security controls. These controls are further grouped into three implementation groups (IG1, IG2, IG3) based on an organization's security maturity and size. Examples include inventory and control of enterprise assets, incident response plans, email and web browser protections, and secure configurations. The CIS Controls are designed as a practical solution for small to medium-sized organizations and security teams looking for something that prioritizes the most important controls in a manageable, tiered approach. One way to think of it is as a top-20(ish) checklist of security controls.