NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF


What Is The "Best" Cybersecurity Framework For Your Needs?

The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organization must comply with will most often point you to one of four (4) starting points to kick off the discussion about "Which framework is most appropriate for our needs?":

[Figure: NIST CSF vs ISO 27001/27002 vs NIST 800-53 vs NIST 800-171 vs SCF]

When the leading cybersecurity frameworks are graphically depicted from "easier to harder", the comparison primarily reflects the sheer number of unique cybersecurity and privacy controls in each one. The volume of these controls (e.g., requirements) directly impacts the number of domains covered by that cybersecurity framework. A smaller number of controls might make a cybersecurity framework appear easier to implement, but it also might not provide the necessary coverage that your organization needs from the perspective of administrative, technical and physical cybersecurity and privacy practices. Defining "just right" for your cybersecurity and privacy controls is primarily a business decision, based on your organization's risk profile, which needs to consider applicable laws, regulations and contractual obligations that are required to support existing or planned business processes.

A very important consideration when selecting a framework is necessary customization. It is unlikely that a single framework will fit your needs perfectly, so you have to expect to tailor a framework for your specific needs (e.g., add to it, remove unnecessary content or merge multiple frameworks). From a customization perspective, think of "bolting on" content to a cybersecurity framework as similar to gnawing off the square sides of a peg to make it fit into a round hole - it will eventually fit, but it likely will not look very good or fit very well. This is the downside of customizing cybersecurity frameworks to add content that the framework lacks. It is generally less painful/costly to align with a more robust framework and remove content than it is to start with a lesser framework and add content.

Is There A Goldilocks Framework - Not Too Hard, Not Too Soft, But Just Right?

The selection process for cybersecurity frameworks generally leads to adopting a "starting point" framework. These foundational frameworks are the NIST Cybersecurity Framework, ISO 27002, NIST 800-53 or the Secure Controls Framework (SCF). We call it the "cybersecurity Goldilocks dilemma" since it addresses the question: Which cybersecurity framework is "not too hard, not too soft, but just right!" for my organization? It comes down to first defining your "must have" and "nice to have" requirements, since that helps point you to the most appropriate framework to meet your specific needs:

Those two considerations come together to address the "Compliant vs Secure" decision for an organization's cybersecurity and/or privacy program to be both secure and compliant. You can read more about that in the Integrated Controls Management (ICM) model.


"Compliant" vs "Secure" Considerations

The more robust the framework you select to align with, the more topics you can expect to be covered by the included controls. This generally means you will have more comprehensive policies and standards to meet the expanded coverage. The dilemma many companies face is that they want to be compliant while minimizing the amount of paperwork (e.g., policies, standards and controls) that they have to maintain. This is where your organization's leadership team is important, since it needs to define the risk culture of the organization at a fundamental level:

Cybersecurity Framework Heatmap

Not all frameworks are created equally and that is ok. It is not uncommon for experienced cybersecurity practitioners to have fundamental misunderstandings of the differences between laws, regulations and frameworks. However, in this context, what is depicted on the heatmap is referred to as a "framework" since by the NIST Glossary definition, a framework is "a layered structure indicating what kind of programs can or should be built and how they would interrelate." Even a law or regulation can serve as a framework for building a cybersecurity program.

We understand that it can be a little confusing when you look at it from a "heat map" perspective, since each cybersecurity framework has its own unique scope of applicability (e.g., specialization) and depth of coverage. However, understanding this can help you make an informed decision on where to start for the most appropriate framework(s) for your needs (often, organizations utilize more than one framework). You may even find you need to leverage a metaframework (e.g., framework of frameworks) to address more complex compliance requirements.

[Figure: cybersecurity framework heat map comparison of NIST CSF vs ISO 27001/27002 vs NIST 800-53 vs SCF]

How Do You Pick A Cybersecurity Framework? (Coke vs Pepsi Analogy)

If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it generally comes down to personal preferences, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same arguments can be made for cybersecurity’s two heavy hitters – NIST 800-53 and ISO 27002. Gaining popularity is the NIST Cybersecurity Framework (NIST CSF), but it lacks appropriate coverage out of the box to be considered a comprehensive cybersecurity framework. For more complex compliance requirements, the SCF is a "metaframework" that encompasses over 100 laws, regulations and frameworks in a hybrid framework that can span multiple compliance requirements.

Cybersecurity Framework Comparison: NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF 

A key consideration for picking a cybersecurity framework involves understanding the level of content each framework offers, since this directly impacts the available cybersecurity and privacy controls that exist "out of the box" without having to bolt on content to make it work for your specific needs. If you ask a cybersecurity professional to identify their preferred "best practice framework", it generally comes down to NIST or ISO, since those are the most commonly found frameworks. However, that doesn't mean that is where you should limit your search.

If you are not sure where to start, here are some recommendations:

NIST CSF < ISO 27001/2 < NIST 800-53 < Secure Controls Framework (SCF)

[Figure: NIST 800-53 vs ISO 27001/27002 vs NIST CSF vs SCF]

To help provide further context to the image:

When you start taking into account common requirements such as the Payment Card Industry Data Security Standard (PCI DSS), you will see from crosswalk mapping that these common requirements are more comprehensive than what is included natively by NIST CSF, so you would need to use ISO 27002 or NIST 800-53 to meet PCI DSS as a framework (depending on your SAQ level), unless you want to bolt-on additional controls to the NIST CSF to make that work. Is that wrong? No, but it is just messy when you start bolting onto frameworks. 

[Figure: ComplianceForge cybersecurity framework comparison of NIST CSF, ISO 27001/27002, NIST 800-171, NIST 800-53 and SCF]

NIST Cybersecurity Framework (NIST CSF) Overview

Developed by the United States National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (NIST CSF) has the least coverage of the major cybersecurity frameworks. NIST CSF works great for smaller and unregulated businesses that just want to align with a recognized cybersecurity framework. The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, GDPR, CPRA/CCPA and PCI DSS (depending on SAQ level). For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002 are recommended.  

The NIST CSF:

In reality, NIST CSF is a "dumbed down" and civilianized version of NIST 800-53. It came out nearly a decade ago when NIST 800-53 was entirely focused on the US Government, so there was a need for a subset of the controls that NIST 800-53 provided but for the non-enterprise space in private industry (e.g., tailored for small to medium businesses). Over the past decade, different US Federal agencies have published documents describing how NIST CSF v1.1 controls can be leveraged to comply with HIPAA, FINRA, etc.

Overall, NIST CSF does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. NIST CSF version 1.1 is organized into five categories of controls:

  1. Identify;
  2. Protect;
  3. Detect;
  4. Respond;
  5. Recover

NIST CSF version 2.0 adds a sixth category of controls:

  1. Identify;
  2. Protect;
  3. Detect;
  4. Respond;
  5. Recover; and
  6. Governance

The NIST CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The NIST CSF is designed to evolve with changes in cybersecurity threats, processes, and technologies. Essentially, the NIST CSF envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions. However, the "framework implementation tiers" should be avoided, since they are bad guidance. For example, you have to get to Tier 3 before you document policies, standards or procedures. That means a business at Tier 1 or Tier 2 would be considered negligent for failing to meet "reasonable expectations" for a security program. This is an example of "the path to hell is paved with good intentions", so that component of NIST CSF should be avoided.

NIST CSF is commonly used by smaller businesses and unregulated industries.

NIST CSF can be used for:

NIST CSF should not be used for:

ISO 27001 / 27002 Overview

The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO’s IT security documents in the 27000 series of their documentation catalog - ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aids in the implementation of ISO 27001. Adding a little more confusion to the mix, it is important to note that companies cannot certify against ISO 27002, just ISO 27001.

ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides those specific controls that are necessary to actually implement ISO 27001. Essentially, you can't meet ISO 27001 without implementing ISO 27002:

To keep things simple, just remember that ISO 27001 lays out the framework to create an “Information Security Management System (ISMS)” (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual “best practices” details of what goes into building a comprehensive IT security program. Since ISO’s information security framework has been around since the mid-1990s, it was in the “right time at the right place” to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and by companies that do not have to specifically comply with US federal regulations. ISO 27002 is also “less paranoid” than NIST 800-53, which gives it the advantage of being less complex and therefore easier to implement.

ISO/IEC 27001 is:

One unfortunate thing about ISO 27001/2, and it applies to all ISO publications, is that ISO charges for its publications - https://www.iso.org/standard/27001

ISO 27001 / 27002 is commonly used by medium to large businesses and is internationally recognized (e.g., ISO 27001 certification).

ISO 27001 / 27002 can be used for:

ISO 27001 / 27002 should not be used for:

NIST SP 800-171 Overview

The National Institute of Standards and Technology (NIST) is on the second revision (rev2) of Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The US National Archives (NARA) runs the Controlled Unclassified Information (CUI) Program for the US Government and NARA specifies NIST SP 800-171 and 800-171A as the minimum requirements to protect CUI. NIST SP 800-171 is the basis for the controls used by the US Department of Defense's Cybersecurity Maturity Model Certification (CMMC). As with other NIST publications, it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.

NIST 800-171 can be used by any sized organization, since it is the required set of controls necessary to protect CUI where it is stored, processed and/or transmitted.  

NIST 800-171 can be used for:

NIST 800-171 should not be used for:

NIST SP 800-53 Overview

The US National Institute of Standards and Technology (NIST) is on the fifth revision (rev5) of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. From rev4 to rev5, NIST dropped the "US Government" focus for NIST SP 800-53 and now has it generalized enough for private industry to use. There are still "NISTisms" for wording that are entirely US Government-focused, but it is a significant improvement for private industry adoption. NIST 800-53 "best practices" are the de facto standard for private businesses that do business with the US federal government.

One thing to keep in mind is that NIST 800-53 is a super-set of ISO 27002 - that means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53. 

The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Risk Management Framework (RMF) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is called out as the best practices for government contractors to secure their systems.  That further helps strengthen NIST 800-53 as a best practice within the US, especially for any government contractors. We have a section that describes NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) if you are interested in that subject.

NIST 800-53 includes what both ISO 27002 and NIST CSF address, as well as a whole host of other requirements. NIST 800-53 is the basis for the controls found in NIST 800-171 / CMMC. NIST 800-53 is commonly found in the financial, medical and government contracting industries. One great thing about NIST 800-53, and it applies almost universally to all NIST 800-series publications, is that it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.

NIST SP 800-53 is:

NIST 800-53 Moderate is commonly used by medium to large businesses and is primarily US-focused.

NIST 800-53 Moderate can be used for:

NIST 800-53 Moderate should not be used for:


NIST 800-53 High is commonly used by medium to large businesses with an explicit requirement for the high baseline and is primarily US-focused.

NIST 800-53 High can be used for:

NIST 800-53 High should not be used for:

Secure Controls Framework (SCF) Overview

If you are not familiar with the Secure Controls Framework (SCF), it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations! The SCF is a "metaframework", which is a framework of frameworks. The SCF is a superset that covers the controls found in NIST CSF, ISO 27002, NIST 800-53 and over 100 other laws, regulations and frameworks. These leading cybersecurity frameworks tend to cover the same fundamental building blocks of a cybersecurity program, but differ in some content and layout. Before picking a framework, it is important to understand that each one has its benefits and drawbacks. Therefore, your choice should be driven by the type of industry your business is in and what laws, regulations and contractual obligations your organization needs to comply with.

The SCF is an open source project that provides free cybersecurity and privacy controls for businesses. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.

The Secure Controls Framework (SCF) is a "best in class" approach that covers over 100 cybersecurity and privacy laws, regulations and frameworks, including NIST 800-53, ISO 27001/2 and NIST CSF. Being a hybrid, it allows you to address multiple cybersecurity and privacy frameworks simultaneously. The SCF is a free resource for businesses to use. ComplianceForge's Digital Security Program (DSP) has 1-1 mapping with the SCF, so the DSP provides the most comprehensive coverage of any ComplianceForge product.  

The Secure Controls Framework (SCF) is commonly used by medium to large businesses, but can be used by any business with complex cybersecurity and privacy requirements.

The SCF can be used for:

The SCF should not be used for:

Cybersecurity Policies, Standards & Procedures Are Meant To Address Your Compliance Needs

It is important to keep in mind that picking a cybersecurity framework is more of a business decision and less of a technical decision, since cybersecurity and privacy controls identified in external laws, regulations or frameworks directly influence your organization's internal policies, standards and procedures.


Build With A Hierarchical Approach To Cybersecurity & Privacy Documentation

The Hierarchical Cybersecurity Governance Framework (HCGF) is the "ComplianceForge Reference Model" of cybersecurity and privacy documentation. This free guide is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization's cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics. The swimlane diagram shown below defines the terminology and demonstrates the linkages between these various documentation components.

It all starts with influencers – these external and internal influencers set the tone to establish what is considered due diligence for cybersecurity & data protection operations.

[Figure: guide to understanding policies vs standards vs procedures vs controls vs metrics]

Fundamentally, the process of selecting a cybersecurity framework must be driven by what your organization is obligated to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:

Once you know the minimum requirements you need to meet, it can help narrow down the most appropriate framework. As the "framework spectrum" diagram (shown below) depicts, not all frameworks are the same, so you need to focus on selecting the most appropriate set of cybersecurity controls (e.g., controls framework) for your organization to align with.

What Documentation Do I Need To Comply With NIST CSF, ISO 27002 or NIST 800-53?

To do NIST CSF, ISO 27002 or NIST 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to be in compliance with NIST CSF vs ISO 27002 vs NIST 800-53, since there are significantly different levels of expectation.

When you start looking at "What should I buy to comply or align with X framework?" it is important to understand what the expectations of the various frameworks entail. When you look at these frameworks from the perspective of a spectrum that spans from weaker to more robust controls coverage, the basic expectation is that there are more requirements as you advance along this spectrum. The chart below helps identify the various ComplianceForge products where they intersect with NIST CSF, ISO 27002, NIST 800-53 and NIST 800-171/CMMC requirements. As depicted in the spectrum graphic at the top of this page, there are fewer requirements to comply with the NIST Cybersecurity Framework, while ISO 27002 has more requirements. However, ISO 27002 has fewer requirements than NIST 800-53.

| ComplianceForge Products | NIST CSF | ISO 27002 | NIST 800-53 r4 | NIST 800-171 r1 |
|---|---|---|---|---|
| Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) | ID.GV-1 [multiple sections] | 5.1.1 [multiple sections] | PM-1 [multiple sections] | 252.204-7008; 252.204-7012; NIST 800-171 (multiple CUI & NFO controls) |
| Supply Chain Risk Management (SCRM) | ID.SC-1 | 15.1.1 | PS-7; SA-4 | 252.204-7008; 252.204-7012; NIST 800-171 NFO PS-7 |
| Cybersecurity Risk Management Program (RMP) | ID.GV-4; ID.RA-5; ID.RM-1; ID.RM-2; ID.RM-3 | 11.1.4 | PM-9; RA-1; RA-3 | 252.204-7008; 252.204-7012; NIST 800-171 3.11.1 & NFO RA-1 |
| Cybersecurity Risk Assessment Template (CRA) | | | | |
| Vulnerability & Patch Management Program (VPMP) | ID.RA-1; PR.IP-12 | 12.6.1 | SI-2; SI-3(2) | 252.204-7008; 252.204-7012; NIST 800-171 3.11.2 |
| Integrated Incident Response Program (IIRP) | PR.IP-9 | 16.1.1 | IR-1 | 252.204-7008; 252.204-7009; 252.204-7010; 252.204-7012; NIST 800-171 3.6.1 |
| Secure Engineering & Data Protection (SEDP) | N/A | N/A | Privacy Section; SA-3 | 252.204-7008; 252.204-7012; NIST 800-171 NFO SA-3 |
| System Security Plan (SSP) & POA&M | N/A | N/A | PL-2 | 252.204-7008; 252.204-7012; NIST 800-171 3.12.4 |
| Cybersecurity Standardized Operating Procedures (CSOP) | PR.IP-5 [multiple sections] | 12.1.1 [multiple sections] | PL-7 [multiple sections] | 252.204-7008; 252.204-7012; NIST 800-171 (multiple CUI & NFO controls) |
| Continuity of Operations Plan (COOP) | RC.RP-1 | 17.1.2 | CP-1; CP-2; IR-4(3); PM-8 | 252.204-7008; 252.204-7012; NIST 800-171 3.6.1 |
| Secure Baseline Configurations (SBC) | PR.IP-1; PR.IP-3 | 14.1.1 | CM-2; CM-6; SA-8 | 252.204-7008; 252.204-7012; NIST 800-171 3.4.1 |
| Information Assurance Program (IAP) | N/A | 14.2.8 | CA-1; PM-10 | 252.204-7008; 252.204-7012; NIST 800-171 NFO CA-1 |
| Cybersecurity Business Plan (CBP) | N/A | N/A | N/A | CMMC Level 4; CMMC Level 5 |

 

NIST Cybersecurity Framework (NIST CSF) - Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with the NIST Cybersecurity Framework (NIST CSF). The product names you see in the various packages below map into the matrix shown above to show you how that maps into NIST CSF. 

| Good (NIST CSF) | Better (NIST CSF) | Great (NIST CSF) | Awesome (NIST CSF) |
|---|---|---|---|
| CDPP - NIST CSF Policies & Standards | CDPP + CSOP - NIST CSF Policies, Standards & Procedures | CDPP Bundle 2: CDPP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC | DSP Bundle 3: DSP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD |

ISO 27002  - Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with ISO 27001 / 27002. The product names you see in the various packages below map into the matrix shown above to show you how that maps into ISO 27002.

| Good (ISO 27002) | Better (ISO 27002) | Great (ISO 27002) | Awesome (ISO 27002) |
|---|---|---|---|
| CDPP - ISO 27002 Policies & Standards | CDPP + CSOP - ISO 27002 Policies, Standards & Procedures | CDPP Bundle 3: CDPP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP | DSP Bundle 3: DSP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD |

NIST 800-53  - Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with NIST 800-53. The product names you see in the various packages below map into the matrix shown above to show you how that maps into NIST 800-53.

| Good (NIST 800-53) | Better (NIST 800-53) | Great (NIST 800-53) | Awesome (NIST 800-53) |
|---|---|---|---|
| CDPP - NIST 800-53 Policies & Standards | CDPP + CSOP - NIST 800-53 Policies, Standards & Procedures | CDPP Bundle 4: CDPP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD-SSP | DSP Bundle 3: DSP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD |

If you have any questions, please contact us and we'd be happy to explain the difference between the products and packages.
