In this video, Mandy Huth outlines the top four security frameworks.
- In a 2017 survey of over 300 security decision makers, there were four clear leaders in terms of the most highly adopted security frameworks: PCI, ISO 27001, the CIS Critical Security Controls, and the NIST 800-53 framework. Some frameworks are more comprehensive. Others are industry-specific. PCI is an industry-specific framework required for anyone accepting payment cards.
You got it, folks. All that plastic in your wallet, it's covered by this framework. ISO 27001, on the other hand, is a globally recognized organization with a comprehensive framework that covers all of the security controls. The CIS Critical Security Controls are more of a high-level discussion. It covers the same security controls by grouping them into 20 critical factors to consider. Finally, there's the NIST 800-53 framework, a comprehensive set of controls, as you can see.
US Federal Agencies are required to follow this framework, and any companies that do business with them are encouraged to do so as well. Determining the best framework to adopt relies on many factors. Choosing the right one means selecting the framework that fits your organization's unique security needs. As you consider, think about your organization's internal business objectives. Perhaps it's a compliance requirement for a certain regulation, or, if you've done a risk analysis, maybe it's around the results of that.
Determine if you require more policy-based controls or more technical controls for your organization. Finally, looking at industry best practices and how to apply them can work for you as well. Each framework has pros and cons. They vary in their objectives and approaches, but rely on the same foundational principles. Organizations vary in size, complexity, and maturity. Choosing the framework that matches your requirements is paramount to achieving a security posture your organization can support and thrive under.
A hybrid framework is okay too. It adds flexibility. Combining best practice for multiple frameworks can help meet specific functional requirements. Don't forget to think about stakeholders and other departments as well. Determining the needs of your organization is a precursor to aligning to one or several frameworks.