Cybersecurity Frameworks & Standards

Use frameworks to structure security decisions, not to create paperwork for its own sake.

Cybersecurity frameworks help organizations create common language around risk, controls, governance, maturity, and evidence. They are useful when leadership needs to understand current state, define target state, prepare for customers or auditors, prioritize investment, or explain security progress.

We use frameworks as decision-support tools. The goal is to help clients understand what applies, what does not, what is missing, and what should be improved first.

Start with the framework that fits the business question.

The frameworks below are the ones clients are most likely to encounter during security maturity, customer due diligence, audit readiness, AI governance, or regulated-industry conversations.

NIST Cybersecurity Framework 2.0

Best for executive risk management, cybersecurity maturity, roadmap development, and board-level conversations.

NIST describes the Cybersecurity Framework as helping organizations better understand and improve their management of cybersecurity risk. CSF 2.0 is useful because it provides a common language for governance, identifying assets and risk, protecting systems and data, detecting events, responding to incidents, and recovering from disruption.

CIS Controls v8.1 and CIS Benchmarks

Best for practical control baselines, SMB and mid-market prioritization, secure configuration, and quick-win improvement roadmaps.

CIS describes the CIS Controls as a prioritized set of safeguards to defend against prevalent cyber attacks. CIS Benchmarks provide vendor-neutral configuration guidance for many platforms and systems.

ISO/IEC 27001:2022

Best for information security management systems, international customer expectations, vendor due diligence, and certification readiness.

ISO describes ISO/IEC 27001 as the world's best-known standard for information security management systems and states that it defines the requirements an ISMS must meet.

SOC 2 and Trust Services Criteria

Best for SaaS companies, technology vendors, service providers, customer security reviews, and control attestation readiness.

SOC 2 reports are independent attestation reports, issued by qualified CPA firms, on a service organization's controls measured against the AICPA Trust Services Criteria.

NIST SP 800-53 Rev. 5

Best for enterprise control catalogs, federal-style control programs, detailed security and privacy control mapping, and architecture reviews.

NIST SP 800-53 provides a catalog of security and privacy controls for information systems and organizations. It is useful when clients need a detailed control model beyond a high-level framework.

MITRE ATT&CK

Best for threat detection, detection coverage, adversary behavior mapping, SOC use case design, and technical validation.

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It is especially useful for detection engineering and security operations conversations.

NIST AI Risk Management Framework

Best for AI governance, AI risk management, trustworthy AI discussions, and executive AI oversight.

NIST AI RMF helps organizations manage risks associated with AI and incorporate trustworthiness considerations into AI design, development, use, and evaluation.

NIST AI 600-1 Generative AI Profile

Best for generative AI risk management, shadow AI governance, prompt and output risk, and AI control design.

NIST AI 600-1 provides a profile for generative AI risks and suggested risk-management actions across governance, mapping, measurement, and management activities.

OWASP Top 10 for LLM Applications

Best for LLM application security, prompt injection, sensitive information disclosure, supply-chain risks, excessive agency, and RAG system review.

The OWASP Top 10 for LLM Applications focuses on security risks specific to LLM-enabled applications and AI workflows.

ISO/IEC 42001:2023

Best for AI management systems, AI governance maturity, and organizations that may need formal AI management-system structure.

ISO describes ISO/IEC 42001 as a standard for establishing, implementing, maintaining, and continually improving an AI management system.

NIST Privacy Framework

Best for privacy risk, data governance, AI data usage, DLP, insider-risk governance, and privacy-aware control design.

NIST describes the Privacy Framework as a voluntary tool to help organizations identify and manage privacy risk while building innovative products and services.

PCI DSS

Best for organizations that store, process, transmit, or can impact payment card data.

PCI DSS provides baseline technical and operational requirements for protecting payment account data.

HIPAA Security Rule

Best for healthcare, health technology, benefits, insurance, and vendors handling electronic protected health information.

The HIPAA Security Rule establishes national standards to protect certain electronic health information and requires administrative, physical, and technical safeguards.

GLBA Safeguards Rule

Best for financial institutions and businesses subject to the Gramm-Leach-Bliley Act Safeguards Rule.

The Safeguards Rule requires covered companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards.
