NIST CSF vs ISO 27001 vs NIST 800-53 vs NIST 800-171 vs SCF

There is no single "best" cybersecurity framework - the most appropriate one depends entirely on your business model, compliance obligations, and risk profile. When the leading cybersecurity frameworks are graphically depicted from "easier to harder", the ordering is driven primarily by the sheer number of unique cybersecurity and privacy controls in each. The volume of these controls (i.e., requirements) directly determines the number of domains a framework covers. A framework with fewer controls might appear easier to implement, but it also might not provide the coverage your organization needs in terms of administrative, technical and physical cybersecurity and privacy practices.

A very important consideration when selecting a framework is the customization that will be necessary. It is unlikely that a single framework will fit your needs perfectly, so you have to expect to tailor a framework for your specific needs (e.g., add to it, remove unnecessary content or merge multiple frameworks). From a customization perspective, think of "bolting on" content to a cybersecurity framework as similar to gnawing off the square sides of a peg to make it fit into a round hole - it will eventually fit, but it likely will not look very good or fit very well. This is the downside of customizing a cybersecurity framework to add content that it lacks. It is generally less painful/costly to align with a more robust framework and remove content than it is to start with a lesser framework and add content.

Key Takeaways - NIST 800-53 vs ISO 27002 vs NIST CSF vs SCF
  • Your applicable laws, regulations, and contractual obligations will most often point you to one of 5 starting frameworks.
  • Frameworks range from ~100 controls (NIST CSF) to 1,400+ controls (SCF) - more controls = broader coverage but more implementation effort.
  • It's generally less costly to start with a robust framework and remove unneeded content than to start small and "bolt on" additional requirements later.
  • If you have multiple compliance obligations (common for most organizations today), a metaframework like the SCF provides the broadest coverage.
  • Selecting a framework is a business decision based on your risk profile, not a purely technical one.
Leading Cybersecurity Frameworks

What Is The Best Cybersecurity Framework?

That is a loaded question, since the concept of a "best" cybersecurity framework is misguided - the most appropriate framework to align with is entirely dependent upon your business model and specific needs.

The applicable laws, regulations and contractual obligations that your organization must comply with will most often point you to one of five (5) starting points to kick off the discussion about "Which framework is most appropriate for our needs?":

What Framework Is Right For My Organization?

Defining "just right" for your cybersecurity and privacy controls is primarily a business decision, based on your organization's risk profile, which needs to consider applicable laws, regulations and contractual obligations that are required to support existing or planned business processes.

Understanding Each Framework

The 5 Major Frameworks

Each framework serves different organizational needs. Your compliance obligations will typically point you to one of these starting points:

NIST Cybersecurity Framework (NIST CSF 2.0)

A voluntary, risk-based framework organized around 6 core functions (Govern, Identify, Protect, Detect, Respond, Recover). Best for organizations needing a lightweight starting point without specific federal compliance requirements. However, NIST CSF may need supplementation if you face statutory or regulatory obligations that exceed its scope.

ISO 27001 / 27002

The international information security management standard. Popular globally, especially for organizations seeking formal certification. ISO 27001 defines the management system requirements while 27002 provides the control guidance. Best for internationally focused organizations or those required to demonstrate ISO certification.

NIST SP 800-171 Rev 3

Specifically designed for protecting Controlled Unclassified Information (CUI) in non-federal systems. Required by DFARS 252.204-7012 and the basis for CMMC 2.0 Level 2 assessments. Controls are derived from the NIST 800-53 moderate baseline. Best for defense contractors and the federal supply chain.

NIST SP 800-53 Rev 5

The most comprehensive single-framework US standard with 1,189 controls across 20 control families. Used by federal agencies and required for FedRAMP, RMF, and FISMA compliance. Available in low, moderate, and high baselines. Best for organizations with federal agency contracts or the highest security requirements.

Secure Controls Framework (SCF)

A free, open-source metaframework that maps controls across 200+ laws, regulations, and frameworks simultaneously. The SCF is not a replacement for individual frameworks but a "Rosetta Stone" that enables organizations to implement a single control set and demonstrate compliance across many requirements. Best for organizations juggling multiple compliance obligations.

At A Glance

Side-by-Side Framework Comparison

This comparison highlights key differences across the five major frameworks to help guide your selection:

| Criteria | NIST CSF 2.0 | ISO 27001/2 | NIST 800-171 | NIST 800-53 R5 | SCF |
|---|---|---|---|---|---|
| Control Count | ~108 | ~93 | ~110 (R2) / ~95 (R3) | ~1,189 | ~1,400+ |
| Scope | All organizations | All organizations | CUI in non-federal systems | Federal information systems | All organizations |
| Mandatory? | Voluntary | Voluntary (certifiable) | Contractual (DFARS) | Federal mandate | Voluntary |
| Certification Available | Via SCF CAP | Yes (ISO) | Yes (CMMC) | Yes (FedRAMP) | Yes (SCF CAP) |
| Multi-Framework Mapping | - | - | - | Limited | 200+ frameworks |
| Privacy Coverage | Limited | Via ISO 27701 | - | Yes (PT family) | Comprehensive |
| Supply Chain (C-SCRM) | Basic | Basic | NFO controls | Yes (SR family) | Comprehensive |
| Best For | Lightweight start | International / ISO cert | Defense contractors | Federal agencies | Multi-compliance orgs |
| CF Product | CDPP (NIST CSF) | CDPP (ISO 27001) | NCP | CDPP (800-53) | SCRP |

Coverage Analysis

Cybersecurity Framework Heatmap

Not all frameworks are created equal, and that is OK. It is not uncommon for experienced cybersecurity practitioners to have fundamental misunderstandings of the differences between laws, regulations and frameworks. However, in this context, everything depicted on the heatmap is referred to as a "framework", since by the NIST Glossary definition a framework is "a layered structure indicating what kind of programs can or should be built and how they would interrelate." Even a law or regulation can serve as a framework for building a cybersecurity program.

We understand that it can be a little confusing when you look at it from a "heat map" perspective, since each cybersecurity framework has its own unique scope of applicability (e.g., specialization) and depth of coverage. However, understanding this can help you make an informed decision on where to start for the most appropriate framework(s) for your needs (often, organizations utilize more than one framework). You may even find you need to leverage a metaframework (i.e., a framework of frameworks) to address more complex compliance requirements.

Framework Coverage Note

When you account for common compliance requirements like PCI DSS, crosswalk mapping shows these are more comprehensive than what NIST CSF includes natively. You would need ISO 27002 or NIST 800-53 to meet PCI DSS as a framework (depending on your SAQ level), unless you bolt on additional controls to the NIST CSF, which works but gets messy.
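The crosswalk idea behind the "Rosetta Stone" description of the SCF and behind the coverage heatmap above can be reduced to a small computation: a catalog of controls, each mapped to the requirements it satisfies in several target frameworks, scored against each framework to find the gaps. The following is an added example written for this page, not code from the SCF or from ComplianceForge; every framework name, requirement id and control id in it (LITE, ROBUST, REG, L-01, MF-01 and so on) is a constructed placeholder, not a real SCF, NIST or ISO identifier. It also shows the tailoring-by-subtraction step the page recommends: keep only the catalog controls that serve an actual obligation.

```python
"""Crosswalk coverage check for a metaframework-style control catalog.

Every framework name, requirement id and control id here is a constructed
placeholder for illustration, not a real SCF, NIST or ISO identifier.
"""
from collections import defaultdict

# Constructed target frameworks: the set of requirement ids each one expects.
# LITE stands in for a small starter framework, ROBUST for a comprehensive
# one, and REG for a regulation whose demands exceed what LITE covers.
TARGETS = {
    "LITE":   {"L-01", "L-02", "L-03"},
    "ROBUST": {"R-01", "R-02", "R-03", "R-04", "R-05", "R-06"},
    "REG":    {"G-01", "G-02"},
}

# Constructed metaframework catalog: one control, crosswalked to the
# requirement ids it satisfies in each target framework.
CATALOG = {
    "MF-01": ("Access control policy",     {("LITE", "L-01"), ("ROBUST", "R-01")}),
    "MF-02": ("Logging and monitoring",    {("LITE", "L-02"), ("ROBUST", "R-02"), ("REG", "G-01")}),
    "MF-03": ("Incident response plan",    {("LITE", "L-03"), ("ROBUST", "R-03")}),
    "MF-04": ("Supply chain risk review",  {("ROBUST", "R-04")}),
    "MF-05": ("Privacy data inventory",    {("ROBUST", "R-05"), ("REG", "G-02")}),
    "MF-06": ("Secure engineering review", {("ROBUST", "R-06")}),
}


def controls_for(catalog, framework):
    """Catalog controls that map to at least one requirement of `framework`,
    i.e. what you implement when you 'start with' that framework."""
    return sorted(cid for cid, (_, maps) in catalog.items()
                  if any(fw == framework for fw, _ in maps))


def satisfied(catalog, implemented):
    """Requirement ids satisfied by the implemented controls, grouped by framework."""
    have = defaultdict(set)
    for cid in implemented:
        for fw, req in catalog[cid][1]:
            have[fw].add(req)
    return have


def coverage(catalog, targets, implemented):
    """Per framework: (fraction of its requirements covered, sorted list of gaps)."""
    have = satisfied(catalog, implemented)
    report = {}
    for fw, reqs in targets.items():
        gaps = sorted(reqs - have.get(fw, set()))
        report[fw] = (round((len(reqs) - len(gaps)) / len(reqs), 2), gaps)
    return report


def tailor(catalog, obligations):
    """Tailoring by subtraction: keep catalog controls that serve at least one
    obligated framework and drop the rest. Returns (kept ids, dropped ids)."""
    keep = {cid for cid, (_, maps) in catalog.items()
            if any(fw in obligations for fw, _ in maps)}
    return sorted(keep), sorted(set(catalog) - keep)


if __name__ == "__main__":
    # Starting from the lightweight framework leaves the regulation half covered.
    starter = controls_for(CATALOG, "LITE")
    print("Starting with LITE implements:", starter)
    for fw, (pct, gaps) in coverage(CATALOG, TARGETS, starter).items():
        print(f"  {fw:<7} {pct:>5.0%} covered, gaps: {gaps or 'none'}")
    # Starting from the full catalog and subtracting what no obligation needs.
    kept, dropped = tailor(CATALOG, {"LITE", "REG"})
    print("Obligations LITE+REG: keep", kept, "drop", dropped)
```

Run as-is, the script shows the starter set covering LITE fully but only half of ROBUST and half of REG, which is the "bolt-on" situation the note above describes; `tailor` shows the alternative of beginning with the whole catalog and removing the two controls that no obligation requires. Replacing the constructed dictionaries with a real crosswalk export gives the same report for real frameworks.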

Compliance vs Security

Understanding Compliance vs Security Considerations

The more robust the framework you select, the more topics are covered by its included controls. But the dilemma many companies face is wanting compliance while minimizing paperwork.

This is where your organization's leadership team must define the risk culture at a fundamental level. There are three general approaches that organizations tend to follow:

Compliance Focused

This approach aims for the bare minimums to comply with a law, regulation, or framework. While very common, this is essentially aiming for mediocrity and can leave significant security gaps.

Security Focused

This approach is centered on hard-core secure engineering practices where compliance is not a primary concern. While thorough from a technical standpoint, this approach is rare in practice.

Compliance & Security Focused

This holistic approach ensures systems, applications, and services are secure by design and default, where compliance becomes a natural byproduct of proper cybersecurity and privacy practices. This is the optimal approach that organizations should strive for.

Key Insight

Defining "just right" for your cybersecurity and privacy controls is primarily a business decision based on your organization's risk profile. You need to consider applicable laws, regulations, and contractual obligations required to support existing or planned business processes. The concept of "Must Have" Minimum Compliance Requirements (MCR) and "Nice to Have" Discretionary Security Requirements (DSR) can help frame this decision.

Not Too Hard, Not Too Soft

Finding Your "Goldilocks" Framework

Defining "just right" for your cybersecurity controls is primarily a business decision based on your organization's risk profile.

A critical consideration when selecting a framework is the inevitable need for customization. It's unlikely that any single framework will fit your needs perfectly, so expect to tailor it by adding, removing, or merging content from multiple sources.

Think of customizing a framework like gnawing off the square sides of a peg to make it fit a round hole. It will eventually fit but won't look great or fit well. This is the downside of adding content to a framework that lacks what you need. It is generally less painful and less costly to align with a more robust framework and remove content than to start with a lesser framework and add content.

Decision Framework

If you only need CMMC, go with NCP. If you need ISO certification, go with CDPP (ISO). If you need FedRAMP, go with CDPP (800-53). If you have multiple compliance obligations, go with SCRP (SCF-based). Not sure? Start with the Compliance Decision Making Process free guide.

Decision Process

How Do You Pick A Cybersecurity Framework?

Choosing between cybersecurity frameworks is similar to the classic "Coke vs Pepsi" debate. Both are solid options that differ slightly in flavor and packaging.

The same arguments apply to cybersecurity's two heavy hitters, NIST 800-53 and ISO 27002. NIST CSF is gaining popularity but lacks adequate coverage out of the box for many compliance requirements. For more complex needs, the SCF is a metaframework encompassing over 200 laws, regulations, and frameworks.

If you are not sure where to start, consider the following recommendations:

1. Consult Legal and Procurement

Identify what laws, regulations, and contractual obligations your organization must comply with. Do not work off assumptions. Get the facts.

2. Talk With Industry Peers

Learn what frameworks others in your industry chose and the reasoning behind those decisions. You still need your own analysis, but peer input helps avoid reinventing the wheel.

3. Assess Available Resources

If it's a coin-flip between two frameworks, consider which will be most efficient to implement and maintain over time.

4. Evaluate Business and IT Strategy

For example, if your CEO's roadmap includes pursuing DoD contracts, you'll need to address DFARS, FAR, and CMMC compliance based on NIST SP 800-171, making alignment with NIST 800-53 or SCF the best path forward. If a business unit is expanding into Europe with B2C sales, EU GDPR requires robust privacy practices, making the SCF a strong candidate.

5. Speak With A Reputable Consultant

Not all "cybersecurity professionals" have the same backgrounds and competencies. Seek out a Governance, Risk, and Compliance (GRC) professional for framework and scoping decisions.

NIST CSF Deep Dive

What Is NIST CSF?

Developed by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (NIST CSF) has the least coverage of the major frameworks, but it works great as a starting point.

NIST CSF is a voluntary framework providing guidelines and best practices for organizations to manage and improve cybersecurity risk management processes. It is a high-level framework applicable to any organization regardless of size or industry, focused on identifying, protecting, detecting, responding to, and recovering from cybersecurity risks. NIST CSF is known for its flexibility, as organizations can adapt it to their specific needs and risk profiles.

In reality, NIST CSF is a simplified, civilianized version of NIST 800-53. It emerged when NIST 800-53 was entirely focused on the US Government, filling the need for a subset of controls tailored for non-enterprise, private industry use (small to medium businesses). Over the past decade, various US Federal agencies have published documents describing how NIST CSF controls can be leveraged for HIPAA, FINRA, and other compliance needs.

NIST CSF v1.1 is organized into five functions: Identify, Protect, Detect, Respond, and Recover. NIST CSF v2.0 adds a sixth function: Govern.

The downside is that NIST CSF's brevity makes it incompatible with many common compliance requirements such as NIST 800-171, GDPR, CPRA/CCPA, and PCI DSS (depending on SAQ level). For those, more comprehensive frameworks like NIST 800-53 or ISO 27002 are recommended.

Caution

The NIST CSF "framework implementation tiers" should be avoided, because you must reach Tier 3 before documenting policies, standards, or procedures. A business at Tier 1 or Tier 2 would be considered negligent for failing to meet reasonable expectations for a security program. This is a case of "the path to hell is paved with good intentions."

Best For

General business, retail, healthcare (small), insurance.

Not Recommended For

Defense contractors.

Common Users

Smaller businesses and unregulated industries.

ISO 27001 & 27002 Deep Dive

What Is ISO 27001 & ISO 27002?

The International Organization for Standardization (ISO) is a non-governmental organization headquartered in Switzerland that publishes the world's most widely adopted information security standard.

ISO can be confusing for newcomers. A rebranding in 2007 kept ISO's IT security documents in the 27000 series, and ISO 17799 was renamed to ISO 27002. ISO 27002 supports the implementation of ISO 27001, and companies can only certify against ISO 27001 (not ISO 27002 directly).

ISO 27001 Annex A contains the basic overview of security controls needed to build an Information Security Management System (ISMS), while ISO 27002 provides the specific controls necessary to actually implement ISO 27001. Essentially, you can't meet ISO 27001 without implementing ISO 27002.

Since ISO's information security framework has existed since the mid-1990s, it was in the "right time at the right place" to become the de facto IT security framework outside the United States. ISO 27002 is extensively used by multinational corporations and by companies that do not need to comply specifically with US federal regulations. ISO 27002 is also less complex than NIST 800-53, giving it an advantage of being easier to implement.

One unfortunate aspect of ISO 27001/2, which applies to all ISO publications, is that ISO charges for its publications, unlike NIST which publishes freely.

Best For

General business, retail, healthcare, insurance. Internationally focused organizations.

Not Recommended For

Defense contractors.

Common Users

Medium to large businesses seeking international certification.

NIST 800-171 Deep Dive

What Is NIST SP 800-171?

NIST SP 800-171 specifically protects Controlled Unclassified Information (CUI) in nonfederal systems and organizations, serving as the basis for CMMC.

The US National Archives (NARA) runs the CUI Program for the US Government and specifies NIST SP 800-171 and 800-171A as the minimum requirements to protect CUI. NIST SP 800-171 is the basis for the controls used by the US Department of Defense's Cybersecurity Maturity Model Certification (CMMC). As with other NIST publications, it is freely available at no cost.

NIST SP 800-171 is a subset of NIST 800-53, designed to protect the confidentiality and integrity of CUI in contractor and subcontractor systems. It applies to defense contractors, research institutions, and other entities that receive or process CUI from federal agencies. It is often referenced in federal contracts and regulations like DFARS clause 252.204-7012.

Important detail about R2: There are far more than just the 110 controls identified in Appendix D. Appendix E lists an additional 61 Non-Federal Organization (NFO) controls that are expected to exist for any organization handling CUI. These NFO controls are "expected to be routinely satisfied by non-federal organizations without specification."

NIST SP 800-171 R3 removes NFO controls due to confusion where contractors believed only CUI controls were required. Most NFO controls from R2 are incorporated into new controls within R3.

Best For

Defense contractors, government contractors, technology businesses (MSPs, MSSPs).

Not Recommended For

FedRAMP or RMF compliance.

Common Users

Any organization that stores, processes, or transmits CUI.

NIST 800-53 Deep Dive

What Is NIST SP 800-53?

NIST SP 800-53 R5 is the most comprehensive single-framework US standard, with 1,189 controls divided into 20 control families.

From R4 to R5, NIST dropped the "US Government" focus for NIST SP 800-53 and generalized it for private industry use. There are still US Government-focused wording patterns ("NISTisms"), but it is a significant improvement for private industry adoption. NIST 800-53 best practices are the de facto standard for private businesses doing business with the US federal government.

NIST 800-53 is a superset of ISO 27002, meaning all the components of ISO 27002 are covered by NIST 800-53. However, ISO 27002 does not cover all areas of NIST 800-53. FISMA and the DoD Information Assurance Risk Management Framework (RMF) both rely on NIST 800-53.

The 20 control families include: Access Control, Awareness & Training, Audit & Accountability, Assessment/Authorization & Monitoring, Configuration Management, Contingency Planning, Identification & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environmental Protection, Planning, Program Management, Personnel Security, PII Processing & Transparency, Risk Assessment, System & Services Acquisition, System & Communications Protection, System & Information Integrity, and Supply Chain Risk Management.

NIST SP 800-53B breaks most controls into low, moderate, high, and privacy baselines. Many R5 controls are not otherwise categorized and therefore fall outside any standard baseline.

Moderate Baseline

Best For: Defense/gov contractors, technology businesses (MSPs, CSPs), large general business, retail, healthcare, insurance. Not Recommended For: Smaller businesses.

High Baseline

Best For: Large defense contractors, large government contractors, large technology businesses. Not Recommended For: Smaller businesses.

SCF Deep Dive

What Is The Secure Controls Framework (SCF)?

The SCF is a comprehensive cybersecurity and data privacy metaframework. It is a catalog of controls made up of over 200 laws, regulations, and frameworks.

The SCF control catalog contains over 1,400 controls logically organized into 34 domains. The structure normalizes disparate control language into something usable across technology, cybersecurity, privacy, and other departments, enabling both intra-organization and inter-organization standardization.

The SCF is a more efficient way to operationalize cybersecurity and data privacy operations. It provides a straightforward and scalable method to define "must have" and "nice to have" requirements into a holistic control set. There is no cost to use the SCF, and quite a few GRC platforms natively support it as a built-in control set.

The SCF is much more than just a cybersecurity control set. It includes:

SCF Capabilities
  • Control weighting to help understand risk, since not all controls are the same
  • A built-in risk catalog and threat catalog mapped to SCF controls
  • A capability maturity model to help define what "right" looks like for your organization
  • A risk management model to enable holistic risk management at the control level
  • An Evidence Request List (ERL) defining expected assessment artifacts
  • Assessment Objectives (AOs) providing objective criteria for control assessment

The "sweet spot" for the SCF is medium to large organizations, but it has been successfully used by small organizations. Any organization with complex compliance requirements can benefit from using the SCF.

Best For

Any sized business, any industry. Especially organizations with complex compliance needs.

Not Recommended For

Organizations with only simple compliance needs.

Common Users

Medium to large businesses with multiple compliance obligations.

Implementation Requirements

What Documentation Is Needed To Comply?

To properly implement NIST CSF, ISO 27002, or NIST 800-53, it takes more than just policies and standards. You need program-specific guidance that operationalizes those foundational documents.

When you start looking at "What should I buy to comply or align with X framework?" it is important to understand what the expectations entail. As you advance along the spectrum from weaker to more robust controls coverage, there are more requirements at each step: NIST CSF has the fewest documentation requirements, ISO 27002 has more, and NIST 800-53 has more still.

| Documentation Component | NIST CSF | ISO 27002 | NIST 800-53 | NIST 800-171 |
|---|---|---|---|---|
| Policies & Standards (CDPP/S) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Supply Chain Risk Mgmt (SCRM) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Risk Management Program (RMP) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Vulnerability & Patch Mgmt (VPMP) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Incident Response (IIRP) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Secure Engineering (SEDP) | - | - | ✔ Required | ✔ Required |
| System Security Plan (SSP) & POA&M | - | - | ✔ Required | ✔ Required |
| Operating Procedures (CSOP) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Continuity of Operations (COOP) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Secure Baselines (SBC) | ✔ Required | ✔ Required | ✔ Required | ✔ Required |
| Information Assurance (IAP) | - | ✔ Required | ✔ Required | ✔ Required |

Key Takeaway

As you move along the framework spectrum toward more robust coverage, the documentation requirements grow. Starting with a comprehensive framework and removing what you don't need is generally more efficient than starting small and bolting on additional requirements later.