Become a security expert.
Get the latest articles on startup security and compliance best practices delivered straight to your inbox.Get a Secureframe demo
While most CEO and compliance experts understand the value of cybersecurity measures, security frameworks can make safeguarding your organization feel daunting. You know you need to put something formal in place but might not know which frameworks you should consider (or legally need to adhere to).
This guide explores 14 common security frameworks and provides actionable insight so you can confidently choose the right one(s) for your organization.
A security framework defines policies and procedures for establishing and maintaining security controls. Frameworks clarify processes used to protect an organization from cybersecurity risks. They help IT security professionals keep their organization compliant and insulated from cyber threats.
It’s important to note that once you’ve implemented a security framework, you shouldn’t check “compliance” off your to-do list.
One of the biggest security-related mistakes that companies make is reviewing compliance once then forgetting about it.
As our CEO Shrav Mehta explains, “Compliance requirements, controls, and policies are all things that need to be reviewed and updated on an ongoing basis in order to stay truly secure.”
Now that we’ve established why security frameworks are important, let’s take a look at some of the most common frameworks to help you decide which are right for your organization.
14 Security Frameworks You Should Know
|Framework||Purpose||Best Suited For||Certification||Certification Method||Audit Duration||Audit Frequency|
|SOC 2||Manage customer data||Companies and their third-party partners||N/A||Authorized CPA firms||6-month period||Every year|
|ISO 27001||Build and maintain an information security management system (ISMS)||Any company handling sensitive data||Yes||Accredited third-party||1 week-1 month||Every year|
|NIST Cybersecurity Framework||Comprehensive and personalized security weakness identification||Anyone||N/A||Self||N/A||N/A|
|HIPAA||Protect patient health information||The healthcare sector||Yes||The Department of Health and Human Services (third-party)||12 weeks||6 per year|
|PCI DSS||Keep card owner information safe||Any company handling credit card information||Yes||PCI Qualified Security Assessor (third-party)||18 weeks||Every year|
|GDPR||Protect the data of people in the EU||All businesses that collect the data of EU citizens||Yes||Third-party||About 30 days||Depends on preference|
|HITRUST CSF||Enhance security for healthcare organizations and technology vendors||The healthcare sector / Anyone||Yes||Third-party||3-4 months||Every year|
|COBIT||Alignment of IT with business goals, security, risk management, and information governance||Publicly traded companies||Yes||ISACA (third-party)||N/A||N/A|
|NERC-CIP||Keep North America’s bulk electric systems operational||The utility and power sector||Yes||Third-party||Up to 3 years||Every 5 years|
|FISMA||Protect the federal government’s assets||The federal government and third parties operating on its behalf||Yes||The FISMA Center||12 weeks||Every year|
|NIST Special Publication 800-53||Compliance with the Federal Information Processing Standards' (FIPS) 200 requirements and general security advice||Government agencies||N/A||Self||N/A||N/A|
|NIST Special Publication 800-171||Management of controlled unclassified information (CUI) to protect federal information systems||Contractors and subcontractors of federal agencies||N/A||Self||N/A||N/A|
|IAB CCPA||Protecting California consumers’ data||California businesses and advertising tech companies||N/A||Self||N/A||N/A|
|CIS Controls||General protection against cyber threats||Anyone||Yes||Third-party||N/A||N/A|
Systems and Organization Controls (SOC) 2 is a set of compliance criteria developed by the American Institute of Certified Public Accountants (AICPA).
SOC 2 evaluates a company’s security posture as it relates to five Trust Services Criteria. Following an audit, the auditor gives the company a SOC 2 report with insight into its cybersecurity quality as it relates to the TSC: security, availability, confidentiality, processing integrity, and privacy.
Despite the value it provides an organization, implementing SOC 2 can be challenging and time-consuming. Secureframe streamlines that process, helping companies become SOC 2 compliant in record time.
The International Organization for Standardization (ISO) established the ISO 27000 series to introduce guidelines for implementing information security policies. As the international standard for security program validity, ISO certification tells partners that you are reliable and trustworthy.
Specifically, ISO 27001 lists requirements for building and maintaining an information security management system (ISMS). An ISMS is a tool used to keep information security risk at a minimum by helping you manage people, processes, and technology.
If attaining ISO 27001 compliance will improve the trustworthiness of your brand, consider streamlining your certification process with Secureframe.
The U.S. National Institute of Standards and Technology (NIST) developed the NIST Cybersecurity Framework (also known as the NIST Risk Management Framework) in response to a 2013 initiative from former President Obama. The initiative called for the government and the private sector to collaborate in the fight against cyber risk.
The framework is separated into three components: the Core, the Implementation Tiers, and Profiles.
Compliance with the framework is voluntary. That said, NIST is widely respected for locating security weaknesses. It can help organizations adhere to regulations, and even offer personalized security suggestions.
The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 federal statute that created standards for protecting patient health information. All healthcare organizations must follow cybersecurity practices and run risk assessments to comply with HIPAA.
The healthcare sector is the seventh most frequent target of cyberattacks, so organizations within the sector need to be vigilant.
The Payment Card Industry Data Security Standard (PCI DSS) was created in 2006 to ensure that all companies that accept, process, store, or transmit credit card information operate securely. The framework is primarily intended to keep cardholder information safe. All companies handling this information must comply with PCI DSS, regardless of size.
Unlike government-mandated frameworks, payment brands (MasterCard, Visa, etc.) enforce PCI DSS compliance.
The European Union passed the General Data Protection Regulation (GDPR) to protect the data of EU citizens. It applies to all businesses that collect and process EU citizens’ data, whether those businesses are based in the EU or internationally. The framework lists regulations related to consumer data access rights, data protection rights, consent, and more. It is enforced by the Information Commissioner's Office (ICO).
The regulation is extensive — 88 pages, to be exact — and ICO is notorious for heavily fining companies that fail to comply. For example, in 2018 (the same year that GDPR was established), the ICO fined Google €50 million.
Despite HIPAA being a helpful framework to mitigate cyber threats, breaches in healthcare are still far too common. 42% of healthcare organizations lack an incident response plan, and HIPAA compliance is not always sufficient.
HITRUST CSF enhances security for healthcare organizations and technology vendors by combining elements of other security frameworks. Specifically, the framework utilizes risk analysis and risk management to ensure organizational security.
While HITRUST CSF was developed to supplement HIPAA, it has been globally adopted by organizations in nearly every industry.
In the mid-’90s, the Information Systems Audit and Control Association (ISACA) developed Control Objectives for Information and Related Technology (COBIT). The framework reduces organizational technical risk by helping companies develop and implement information management strategies.
COBIT has been updated several times since the ’90s to keep up with security threats. The most updated versions focus on aligning IT with business goals, security, risk management, and information governance. COBIT is often used to comply with Sarbanes-Oxley (SOX) rules, which were enacted in the early 2000s to protect investors.
The North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC-CIP) was created in 2008 in response to attacks on U.S. infrastructure. It applies to businesses operating in the utility and power sector. The framework’s goal is to minimize risk in this sector and keep North America’s bulk electric systems operational.
The framework lays out specific requirements for organizations in this sector. These include taking inventory of all protected assets, outlining existing security measures, properly training employees, developing an incident response plan, and more.
The Federal Information Security Management Act (FISMA) insulates the U.S. government’s assets from cyber threats. It applies to the federal government and third parties operating on its behalf. The Department of Homeland Security is responsible for overseeing its implementation.
Much like NIST, FISMA mandates documentation of digital assets and network integrations. Organizations must also monitor their IT infrastructure and regularly evaluate risks.
NIST published NIST Special Publication 800-53 in 1990, but the framework has developed over time. It now advises agencies and other organizations on nearly every area of information security. It lists security and privacy controls for all U.S. federal information systems (excluding national security).
Government agencies follow NIST SP 800-53 to follow the Federal Information Processing Standards (FIPS) 200 requirements. However, companies in nearly every industry can implement it. In fact, many existing security frameworks were built using NIST SP 800-53 as a starting point.
NIST SP 800-171 is a companion document to NIST SP 800-53 intended to protect federal information systems. It explains how contractors and subcontractors of federal agencies (often within the manufacturing sector) must manage controlled unclassified information (CUI). Contractors must comply with NIST 800-171 to pursue new business opportunities.
While many frameworks require third-party certification, contractors can self-certify with NIST SP 800-171 by following NIST’s documentation.
If you live in the state of California and have ever seen a link saying “Do Not Sell My Personal Information” on a website, you’ve encountered the IAB CCPA Compliance Framework (the Interactive Advertising Bureau California Consumer Privacy Act). This framework provides California consumers with more control over their personal data. It requires compliance from businesses that collect user information and the ad tech companies that purchase it.
When users decide that they don’t want their data sold, businesses must communicate this to ad tech companies and the user’s data cannot be sold.
Most cybersecurity frameworks focus on risk identification and management. In contrast, CIS Controls are simply a list of actions that any organization can take to protect itself from cyber threats. Some examples of controls include data protection measures, audit log management, malware defenses, penetration testing, and more.
Essentially, other frameworks are great for locating where the security “pipe” is leaking. CIS Controls provide guidance on how to seal the leak.
Now that we’ve explored some of the most common security frameworks, you’re probably wondering which apply to your business.
Your decision depends on a variety of factors, such as your industry’s standards, any compliance requirements enforced by the government or your sector, and your susceptibility to cyber threats.
To help you get started, ask yourself the following questions:
Thankfully, many frameworks share a similar foundation. If you later learn that your organization should comply with another framework, there may be an easy path from your current framework.
While security frameworks can help clarify what organizations should do to safeguard their data, compliance can still be complex.
What used to take months of manual work now takes just weeks.
To learn more about how Secureframe can save you time implementing security frameworks, request a demo of our platform today.