Essential Guide to Security Frameworks & 14 Examples
While most CEOs and compliance experts understand the value of cybersecurity measures, security frameworks can make safeguarding your organization feel daunting. You know you need to put something formal in place but might not know which frameworks and security standards you should consider (or are legally required to adhere to).
This guide explores 14 common security frameworks and provides actionable insight so you can confidently choose the right one(s) for your organization.
What is a security framework?
A security framework defines policies and procedures for establishing and maintaining security controls. Frameworks clarify processes used to protect an organization from cybersecurity risks. They help IT security professionals and security teams keep their organizations compliant and insulated from cyber threats.
It’s important to note that once you’ve implemented a security framework, you shouldn’t check “compliance” off your to-do list.
One of the biggest security-related mistakes that companies make is reviewing compliance once then forgetting about it.
As our CEO Shrav Mehta explains, “Compliance requirements, controls, and policies are all things that need to be reviewed and updated on an ongoing basis in order to stay truly secure.”
14 common cybersecurity frameworks
Now that we’ve established why security frameworks are important, let’s take a look at some of the most common frameworks to help you decide which are right for your organization.
Framework | Purpose | Best Suited For | Certification | Certification Method | Audit Duration | Audit Frequency |
---|---|---|---|---|---|---|
SOC 2 | Manage customer data | Companies and their third-party partners | N/A | Authorized CPA firms | 6-month period | Every year |
ISO 27001 | Build and maintain an information security management system (ISMS) | Any company handling sensitive data | Yes | Accredited third-party | 1 week-1 month | Every year |
NIST Cybersecurity Framework | Comprehensive and personalized security weakness identification | Anyone | N/A | Self | N/A | N/A |
HIPAA | Protect patient health information | The healthcare sector | Yes | The Department of Health and Human Services (third-party) | 12 weeks | 6 per year |
PCI DSS | Keep cardholder data safe | Any company handling cardholder information | Yes | PCI Qualified Security Assessor (third-party) | 18 weeks | Every year |
GDPR | Protect the data of people in the EU | All businesses that collect the data of EU citizens | Yes | Third-party | About 30 days | Depends on preference |
HITRUST CSF | Enhance security for healthcare organizations and technology vendors | The healthcare sector / Anyone | Yes | Third-party | 3-4 months | Every year |
COBIT | Alignment of IT with business goals, security, risk management, and information governance | Publicly traded companies | Yes | ISACA (third-party) | N/A | N/A |
NERC-CIP | Keep North America’s bulk electric systems operational | The utility and power sector | Yes | Third-party | Up to 3 years | Every 5 years |
FISMA | Protect the federal government’s assets | The federal government and third parties operating on its behalf | Yes | The FISMA Center | 12 weeks | Every year |
NIST Special Publication 800-53 | Compliance with the Federal Information Processing Standards (FIPS) 200 requirements and general security advice | Government agencies | N/A | Self | N/A | N/A |
NIST Special Publication 800-171 | Management of controlled unclassified information (CUI) to protect federal information systems | Contractors and subcontractors of federal agencies | N/A | Self | N/A | N/A |
CCPA | Protecting California consumers’ data | For-profit businesses that collect California residents’ personal information | N/A | Self | N/A | N/A |
CIS Controls | General protection against cyber threats | Anyone | Yes | Third-party | N/A | N/A |
1. SOC 2
System and Organization Controls (SOC) 2 is a set of compliance criteria developed by the American Institute of Certified Public Accountants (AICPA).
- Who it’s for: Companies and their third-party partners
- Focus: Customer data management and third-party risk management
SOC 2 evaluates a company’s security posture as it relates to five Trust Services Criteria. Following an audit, the auditor gives the company a SOC 2 report with insight into its cybersecurity quality as it relates to the TSC: security, availability, confidentiality, processing integrity, and privacy.
Despite the value it provides an organization, implementing SOC 2 can be challenging and time-consuming. Secureframe streamlines that process, helping companies become SOC 2 compliant in record time.
The Ultimate Guide to SOC 2
Learn everything you need to know about the requirements, process, and costs of getting SOC 2 certified.
2. ISO 27001
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) established the ISO 27000 series to introduce guidelines for implementing information security policies. As the international standard for security program validity, ISO/IEC certification tells partners that you are reliable and trustworthy.
Specifically, ISO 27001 lists requirements for building and maintaining an information security management system (ISMS). An ISMS is a tool used to keep information security risk at a minimum by helping you manage people, processes, and technology.
- Who it’s for: Companies that handle sensitive data
- Focus: Building and maintaining an information security management system (ISMS)
If attaining ISO 27001 compliance will improve the trustworthiness of your brand, consider streamlining your certification process with Secureframe.
The Ultimate Guide to ISO 27001
If you’re looking to build a compliant ISMS and achieve certification, this guide has all the details you need.
3. NIST Cybersecurity Framework
The U.S. National Institute of Standards and Technology (NIST) developed the NIST Cybersecurity Framework (also known as the NIST Risk Management Framework) in response to a 2013 initiative from former President Obama. The initiative called for the government and the private sector to collaborate in the fight against cyber risk.
- Who it’s for: Anyone
- Focus: Comprehensive and personalized security weakness identification
The framework is separated into three components: the Core, the Implementation Tiers, and Profiles.
- The Core: Defines cybersecurity goals and organizes them into five phases: identify, protect, detect, respond, and recover. For example, addressing supply chain risk management is a part of the “identify” phase.
- The Implementation Tiers: Determine how effectively an organization’s cybersecurity efforts target the framework’s goals. They range from partial (Tier 1) to adaptive (Tier 4). An organization aiming for Tier 4 would want to make sure its cybersecurity efforts are top-notch according to the framework’s standards.
- Profiles: Help organizations compare their existing objectives to the framework’s Core and identify opportunities for improvement. They guide how the framework can best serve the organization’s specific needs.
Compliance with the framework is voluntary. That said, NIST is widely respected for locating security weaknesses. It can help organizations adhere to regulations, and even offer personalized security suggestions.
The Ultimate Guide to Federal Frameworks
Get an overview of the most common federal frameworks, who they apply to, and what their requirements are.
4. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 federal statute that created standards for protecting patient health information. All healthcare organizations must follow cybersecurity practices and run risk assessments to comply with HIPAA.
- Who it’s for: The healthcare sector
- Focus: Protection of patient health information
The healthcare sector is the seventh most frequent target of cyberattacks, so organizations within the sector need to be vigilant.
The Ultimate Guide to HIPAA
Learn everything you need to know about the requirements, process, and costs of becoming HIPAA compliant.
5. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was created in 2006 to ensure that all companies that accept, process, store, transmit, or impact the security of cardholder data maintain a secure environment. All companies handling this information must comply with PCI DSS, regardless of size.
- Who it’s for: Any company handling cardholder data
- Focus: Card payment information security
Unlike government-mandated frameworks, PCI DSS is enforced by the payment brands (MasterCard, Visa, etc.) rather than by a government body.
The Ultimate Guide to PCI DSS
This guide will help you understand the requirements, process, and costs of getting certified.
6. GDPR
The European Union passed the General Data Protection Regulation (GDPR) to protect the data of EU citizens. It applies to all businesses that collect and process EU citizens’ data, whether those businesses are based in the EU or internationally. The framework lists regulations related to consumer data access rights, data protection rights, consent, and more. It is enforced by the Information Commissioner's Office (ICO).
- Who it’s for: All businesses that collect EU citizens’ data
- Focus: Privacy and data protection for citizens of the EU
The regulation is extensive — 88 pages, to be exact — and ICO is notorious for heavily fining companies that fail to comply. For example, in 2018 (the same year that GDPR was established), the ICO fined Google €50 million.
7. HITRUST CSF
Despite HIPAA being a helpful framework to mitigate cyber threats, data breaches in healthcare are still far too common. 42% of healthcare organizations lack an incident response plan, and HIPAA compliance is not always sufficient.
- Who it’s for: Anyone (especially the healthcare sector)
- Focus: Enhance security for healthcare organizations and technology vendors
HITRUST CSF enhances security for healthcare organizations and technology vendors by combining elements of other security frameworks. Specifically, the framework utilizes risk analysis and risk management to ensure organizational security.
While HITRUST CSF was developed to supplement HIPAA, it has been globally adopted by organizations in nearly every industry.
Recommended reading
HITRUST vs HIPAA: The Similarities and Differences Healthcare Organizations Need to Know
8. COBIT
In the mid-’90s, the Information Systems Audit and Control Association (ISACA) developed Control Objectives for Information and Related Technology (COBIT). The framework reduces organizational technical risk by helping companies develop and implement information management strategies.
COBIT has been updated several times since the ’90s to keep up with security threats. The most updated versions focus on aligning IT with business goals, security, risk management, and information governance. COBIT is often used to comply with Sarbanes-Oxley (SOX) rules, which were enacted in the early 2000s to protect investors.
- Who it’s for: Publicly traded companies
- Focus: Align IT with business goals, security, risk management, and information governance
9. NERC-CIP
The North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC-CIP) was created in 2008 in response to attacks on U.S. infrastructure. It applies to businesses operating in the utility and power sector. The framework’s goal is to minimize risk in this sector and keep North America’s bulk electric systems operational.
- Who it’s for: The utility and power sector
- Focus: Protect North America’s bulk electric systems
The framework lays out specific requirements for service providers in this sector. These include taking inventory of all protected assets, outlining existing security measures, properly training employees, developing an incident response plan, and more.
10. FISMA
The Federal Information Security Management Act (FISMA) insulates the U.S. government’s assets from cyber threats. It applies to the federal government and third parties operating on its behalf. The Department of Homeland Security is responsible for overseeing its implementation.
- Who it’s for: The federal government and third parties operating on its behalf
- Focus: Government asset protection
Much like NIST, FISMA mandates documentation of digital assets and network integrations. Organizations must also monitor their IT infrastructure and regularly evaluate risks and vulnerabilities.
11. NIST Special Publication 800-53
NIST published NIST Special Publication 800-53 in 1990, but the framework has developed over time. It now advises agencies and other organizations on nearly every area of information security. It lists security and privacy controls for all U.S. federal information systems (excluding national security systems).
Government agencies follow NIST SP 800-53 to meet the Federal Information Processing Standards (FIPS) 200 requirements. However, companies in nearly every industry can implement it. In fact, many existing security frameworks were built using NIST SP 800-53 as a starting point.
- Who it’s for: Anyone (especially government agencies)
- Focus: Compliance with the FIPS 200 requirements and general security advice
12. NIST Special Publication 800-171
NIST SP 800-171 is a companion document to NIST SP 800-53 intended to protect federal information systems. It explains how contractors and subcontractors of federal agencies (often within the manufacturing sector) must manage controlled unclassified information (CUI). Contractors must comply with NIST 800-171 to pursue new business opportunities.
- Who it’s for: Contractors and subcontractors of federal agencies
- Focus: Defense of federal information systems
While many frameworks require third-party certification, contractors can self-certify with NIST SP 800-171 by following NIST’s documentation.
13. CCPA
If you live in the state of California and have ever seen a link saying “Do Not Sell My Personal Information” on a website, you’ve encountered the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). This framework provides California consumers with more control over their personal data. It requires compliance from for-profit organizations that collect the personal information of California residents and meet certain thresholds.
- Who it’s for: Businesses that collect, process, or share California residents’ personal data
- Focus: Protecting California consumers’ data
CCPA requires companies to implement a range of privacy initiatives, including establishing a legitimate business or commercial purpose for collecting personal information from consumers, allowing consumers to opt out of data collection, and more.
14. CIS Controls
Most cybersecurity frameworks focus on risk identification and management. In contrast, CIS Controls are simply a list of actions that any organization can take to protect itself from cyber threats. Some examples of controls include data protection measures, audit log management, malware defenses, penetration testing, and more.
- Who it’s for: Anyone
- Focus: General protection against cyber threats
Essentially, other frameworks are great for locating where the security “pipe” is leaking. CIS Controls provide guidance on how to seal the leak.
Which IT security framework is right for me?
Now that we’ve explored some of the most common security frameworks, you’re probably wondering which apply to your business.
Your decision depends on a variety of factors, such as your industry’s standards, any compliance requirements enforced by the government or your sector, and your susceptibility to cyber threats.
To help you get started, ask yourself the following questions:
- Are you or your clients in the retail or healthcare industry? You'll likely need to be compliant with PCI DSS or HIPAA.
- Do you collect, process, or store user data for EU citizens or California residents? GDPR or CCPA may be legally required.
- Do you process or store customer data in the cloud? SOC 2 and ISO 27001 compliance can strengthen your security posture and build trust with customers.
- Are you a publicly traded company? COBIT will help you become SOX-compliant.
- Are you a U.S. federal agency or a contractor employed by one? You’re probably required to comply with NIST SP 800-53 or NIST SP 800-171.
Thankfully, many frameworks share a similar foundation. If you later learn that your organization should comply with another framework, there may be an easy path from your current framework.
Questions to help you select a security framework
We've created a decision tree to help you select frameworks that align with the unique requirements and regulatory obligations of your organization, using a series of high-level business and geographical questions. We’ve limited our focus to the 14 security frameworks and standards discussed above.
Security frameworks decision tree
Use this series of questions to help select the best cybersecurity framework(s) based on your or your clients' industry, data, and needs.
How Secureframe can get you on track
While security frameworks can help clarify which critical security controls organizations should implement to safeguard their data, compliance can still be complex.
Secureframe streamlines the process by providing thorough compliance checks against the most in-demand frameworks, including SOC 2, ISO 27001, HIPAA, PCI DSS, and more.
What used to take months of manual work now takes just weeks.
To learn more about how Secureframe can save you time implementing security frameworks, request a demo of our platform today.
FAQs
What is a security framework?
A security framework defines policies and procedures for establishing and maintaining controls that help protect an organization from cybersecurity risks and maintain compliance with relevant laws, regulations, and standards.
What are some common security frameworks?
Common security frameworks include SOC 2, ISO 27001, NIST CSF, HIPAA, PCI DSS, HITRUST, COBIT, NIST 800-53, and NIST 800-171.
Is NIST a security framework?
NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. This agency was established by Congress to advance measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Towards this goal it has created several security frameworks, including NIST 800-53, NIST 800-171, and NIST CSF.