IT Security Frameworks for Organizations

By pmgallardo on 23 October 2021 in Cybersecurity, IT, IT Security

This post lists some of the most popular IT frameworks that can be used by an organization to implement their security.

List of cybersecurity frameworks:

NIST Cybersecurity Framework (CSF)
ISO/IEC 27001
CIS Critical Security Controls (CSC)

List of Cybersecurity Frameworks

NIST Cybersecurity Framework (CSF)

Issued by NIST (National Institution of Standards and Technology) of the United States Government.

If your organization is applying IT framework COBIT 5, you can get a certification to implement NIST CSF using COBIT 5. More info on this link.

COBIT 5 framework, issued and maintained by ISACA, is focused on IT governance and management, and it describes the common requirements that organizations should have in place surrounding their information systems. It is not included in this list as I consider it wider than just an IT security framework. More info about COBIT on this link.

ISO/IEC 27001

Issued by ISO and IEC.

ISO/IEC 27001 defines the requirements for an Information Security Management System (ISMS).

Official link to ISO/IEC 27001

Latest version is ISO 27001:2013.

Official link to ISO/IEC 27001:2013

ISO/IEC 27002 adds guidelines to the IT controls in the annex 1 of 27001. It latest version is ISO/IEC 27002:2013, but it will be replaced by ISO/IEC FDIS 27002.

They all belong to the ISO/IEC 27000-series.

CIS Critical Security Controls (CSC)

CIS Critical Security Controls (CSC), or CIS Critical Security Controls for Effective Cyber Defense, is a series of publications with best practices related to cybersecurity. It is sometimes known as CIS 20 because it consists of 20 controls.

It is now issued by CIS (Center for Security). Previously, it was published by SANS.

Official link

SABSA

Specific to security.
Very theorical and not used in real industry.

External references

”What is the difference between NIST, CIS/SANS 20, ISO 27001 Compliance Standards?“; Kedar Ghule; Cloudanix Blog

About pmgallardo

I studied Computer Science at University of Salamanca. Since then, I have been working first as developer and then as SAP consutant. This blog is about problems I dealt when using computers, and more important, the solutions I found. Whenever I am on an issue and suddenlly I have a flash that leads me to a solution, I document my discoveries in a post.

View all posts by pmgallardo →

20, 2013 2701:2013, 27001, cis, cis20, cobit, companies, company, control, controls, critical, cyber, cybersecurity, defense, efective, framework, frameworks, iec, institution, institutions, iso, lists, nist, org, organization, organizations, sans20, security

← Software Virtualization Products

Cómo hacer un paspartú para un marco →