As a cybersecurity architect, customers often ask me which security framework they should use. It’s a fair question. After all, there are a lot of frameworks out there. Choosing one can feel overwhelming.
My answer almost always involves a question. For example, I might say, “Even the most respected brands are not immune to breaches. We read about these incidents happening nearly every week. Do you know what many of these organizations have in common? Many of them were compliant with their chosen security frameworks when they suffered the breach.”
I say this to illustrate a point: Your organization can be compliant with a framework and still be at risk, because security frameworks are not security programs. Compliance with a framework does not, by itself, lower your organization's risk.
Frameworks vs. Programs
A security framework is a broad set of guidelines and standards. It organizes recommended practices and outcomes for each function in cybersecurity: identifying assets and risks, protecting against threats and vulnerabilities, detecting incidents, responding to them, and recovering from them. Security frameworks fall into two general categories: best practice and prescriptive.
Best practice frameworks are self-explanatory—they offer general guidance and direction in accordance with what is commonly accepted as best practices in the cybersecurity industry. The most common frameworks of this type are:
- NIST Cybersecurity Framework: Created by the U.S. National Institute of Standards and Technology, part of the U.S. Department of Commerce, this framework offers guidance and a taxonomy of security outcomes to help organizations manage cybersecurity risk and communicate about it among stakeholders. Version 2.0, published in 2024, organizes those outcomes under six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
- ISO/IEC 27001: Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 is an internationally accepted standard. It was first published in 2005 and has since been revised twice, in 2013 and 2022. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), and organizations can be audited and certified against it; the companion standard ISO/IEC 27002 supplies the detailed control guidance.
- CIS Controls: The Center for Internet Security is a nonprofit organization recognized around the world for its best practices for securing IT systems and data. The CIS Controls (18 controls in version 8, each broken down into specific safeguards and grouped into three implementation groups, IG1 through IG3, by risk profile and available resources) help organizations prioritize their defenses, meet industry regulations, and improve security posture.
- COBIT: This framework was developed by ISACA, a membership organization of IS/IT professionals headquartered in the U.S. but globally recognized. COBIT provides concepts, principles, and methodologies for best practices in the governance and management of enterprise information technology.

Prescriptive frameworks spell out requirements that must be met in order to comply with legal, regulatory, contractual, or governmental mandates. Examples of these frameworks include:
- PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) was developed to help organizations that store, process, or transmit payment card data protect cardholder and account information. The standard is maintained by the PCI Security Standards Council, founded in 2006 by American Express, Discover Financial Services, JCB International, Mastercard, and Visa; version 4.0 was published in 2022. Compliance is a contractual requirement, enforced through the card brands and acquiring banks, for any merchant or service provider that handles payment card data.
- HIPAA: Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law whose Privacy and Security Rules govern the handling of protected health information (PHI). Covered entities (health care providers, health plans, and clearinghouses) and the business associates that handle PHI on their behalf must comply with these rules or face fines and other penalties, enforced primarily by the HHS Office for Civil Rights.
- FISMA: The Federal Information Security Management Act of 2002 (since amended by the Federal Information Security Modernization Act of 2014) is a U.S. federal law that requires executive-branch agencies to establish information security programs and sets the policies and standards they must follow. FISMA covers all systems used on an agency's behalf, whether operated by government personnel, contractors, or third-party organizations, and it is implemented largely through NIST standards such as FIPS 199, FIPS 200, and the SP 800-53 control catalog.
- CMMC: Developed by the U.S. Department of Defense, the Cybersecurity Maturity Model Certification (CMMC) provides a set of requirements designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared between the DoD and its contractors and subcontractors. CMMC 2.0 defines three levels; Level 2 maps to the 110 requirements of NIST SP 800-171. Contractors and subcontractors that handle FCI or CUI must achieve the level specified in their contracts as the program is phased in.
In contrast to a framework, a security program is both a comprehensive, tailored plan and a business enabler. It contains the policies, procedures, and technologies an organization will use to comply with legal mandates and protect its vital assets against security threats and vulnerabilities, along with roles and responsibilities for carrying out and continuously improving the program. A well-designed security program allows an organization to operate in a dangerous world and typically includes sections about:
- Leadership
- Governance
- Policies and Procedures
- Risk Management
- Security Controls
- Incident Response and Recovery
- Compliance and Legal Requirements
- Training
- Monitoring and Reporting
- Continuous Improvement
Security frameworks are overlays to a security program. Organizations differ, so their security policies, critical controls, and risk tolerance will differ too. Frameworks do not account for those differences, and they do not reconcile the requirements that overlap when several frameworks apply to the same organization (a single access-control policy, for instance, can satisfy requirements from PCI DSS, HIPAA, and ISO/IEC 27001 at once, but each framework states its own version). Nor do they specify how to operationalize their guidelines. A security program does all of this.
Take a Practical Approach
Which framework (or more likely, frameworks) should you choose? Here are six steps that will help you create a security program with the proper framework overlays for your organization:
- Define environmental variables: What factors influence your security? Which legal or industry regulations (HIPAA, PCI DSS, and so on) apply to your organization? What security technology do you use today, and which emerging threats do you need to guard against? What are your organization's unique attributes and attitudes regarding security and risk? These questions (and more) define the environmental variables you need to account for as you move forward.
- Derive requirements: Create consolidated security requirements, based on your organizational and environmental variables, for all program domains (governance, assurance, and operations), and establish a common vocabulary so that each framework's requirements are expressed in the program's own terms rather than in several competing ones.
- Establish security target: With the information you now have, create a target document for information security. This describes your desired security state and covers every element of your program, including business context, organizational objectives, requirements, and business drivers.
- Measure variance: Conduct an assessment to determine where you are today compared to your desired security state.
- Close gaps: Based on the results of the variance assessment, create a plan, or strategic roadmap, to close the gaps it uncovered, prioritized by the risk each gap represents.
- Communication and training: Once the roadmap is set and the program documentation is finalized, the last step before rollout is communication and training. Make sure all stakeholders are on board and people are trained on the new policies and procedures.
Choosing a Framework is Only One Step
Don’t get me wrong, I’m a big fan of security frameworks. Frameworks provide standards, guidance, and a consistent structure for information security. But as I mentioned, frameworks are not programs. It’s easy to get lured into a false sense of security by picking a framework, doing an audit, and closing the gaps. Frameworks are only one tool in your security tool bag.
For help in determining which frameworks make sense for your organization or guidance in developing an information security program, check out our services at ePlus Security.