The Top 24 Cybersecurity Frameworks

For many organizations, cybersecurity is a top priority. Being able to implement cybersecurity protocols is a rising demand that an organization cannot avoid. As cybercriminals become more sophisticated, so must the cybersecurity protocols meant to prevent breaches. To meet this demand, cybersecurity frameworks are created and updated to help prevent breaches. Essentially, a security framework is a series of well-documented, accepted, and comprehensive policies, procedures, and processes that define how information is to be managed within an organization, in order to minimize risk and vulnerability while boosting confidence in an ever-connected world. The following are the top cybersecurity frameworks utilized by IT professionals and organizations:

  1. NIST Cybersecurity Framework
  2. ISO IEC 27001
  3. HIPAA
  4. IASME Governance
  5. MSP+ Cybersecurity Framework
  6. SOC 2
  7. CIS v7
  8. COBIT
  9. COSO
  10. TC CYBER
  11. HITRUST CSF
  12. NIST 800-53
  13. CISQ
  14. FedRAMP
  15. FISMA
  16. GDPR
  17. 10 Steps to Cybersecurity
  18. NY DFS
  19. NERC CIP
  20. SCAP
  21. ANSI
  22. NIST SP 800-12
  23. NIST SP 800-14
  24. NIST SP 800-26

Which ones should cybersecurity experts pay attention to?

Security frameworks are vital for a business to follow if it wants to ensure the safety of its data. The following four are the ones that an IT professional or organization should, at the very least, prioritize or invest in:

NIST Cybersecurity Framework

[1] The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber-attacks. The framework has been translated into many languages and is used by the governments of Japan and Israel, among others. It “provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.” Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is now used by a wide range of businesses and organizations and helps shift organizations toward proactive risk management. In 2017, a draft version of the framework, version 1.1, was circulated for public comment. Version 1.1 was announced and made publicly available on April 16, 2018. Version 1.1 remains compatible with version 1.0. The changes include guidance on how to perform self-assessments, additional detail on supply chain risk management, guidance on how to interact with supply chain stakeholders, and encouragement of a vulnerability disclosure process.

A security framework adoption study reported that 70% of the surveyed organizations see NIST’s framework as a popular best practice for computer security, but many note that it requires significant investment.

It includes guidance on relevant protections for privacy and civil liberties.

Center for Internet Security (CIS)

[2] CIS Controls and CIS Benchmarks are recognized global standards and best practices for securing IT systems and data against attacks. CIS maintains “The CIS Controls”, a popular set of 20 security controls “which map to many compliance standards” and are also applicable to the Internet of Things. Through an independent consensus process, CIS Benchmarks provide frameworks to help organizations bolster their security. CIS offers a variety of free resources, which include “secure configuration benchmarks, automated configuration assessment tools, and content, security metrics, and security software product certifications”.

ISO/IEC 27000-series

[3] The ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards’ or ‘ISO27K’ for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The series provides best practice recommendations on information security management—the management of information risks through information security controls—within the context of an overall Information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series), environmental protection (the ISO 14000 series) and other management systems.

The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT/technical/cybersecurity issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information risks, then treat them (typically using information security controls) according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information risk and security, the ISMS concept incorporates continuous feedback and improvement activities to respond to changes in the threats, vulnerabilities or impacts of incidents.

The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Subcommittee 27), an international body that meets in person twice a year.

The ISO/IEC standards are sold directly by ISO, mostly in English, French, and Chinese. Sales outlets associated with various national standards bodies also sell directly translated versions in other languages.

MSP+ Cybersecurity Framework

The MSP+ Cybersecurity Framework is an industry-specific guide that defines what good cybersecurity looks like for managed service providers (MSPs). It is supported by a maturity model focused on guiding the service provider towards cybersecurity success. The MSP+ Cybersecurity Framework was established by ConnectWise and consists of MSP-specific guidance drawn from the following frameworks: CIS, UK Cyber Essentials, Australia’s Essential Eight, and NIST.

References

  • [1] https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework
  • [2] https://en.wikipedia.org/wiki/Center_for_Internet_Security
  • [3] https://en.wikipedia.org/wiki/ISO/IEC_27000-series