top of page

Overview of Cybersecurity Frameworks

Updated: Nov 22, 2022

Cybersecurity Frameworks

Cybersecurity frameworks are created and managed to help organizations across different industries follow best practices to secure their systems and data. There are many different frameworks that exist today. Some frameworks are designed for specific industries, such as HITRUST for the healthcare industry or PCI-DSS to protect credit card companies and card holders. Most recent frameworks contain recommendations that can be applied universally however, and overlap with other frameworks. And many frameworks are voluntary recommendations, such as the CIS Controls, but some frameworks are overseen and required by regulatory bodies, such as NIST, which applies to government agencies. We have created a list of the most common Cybersecurity frameworks below, including the industries they apply to, a description of the framework and a link to access the framework. We will continue to update this list over time.


Overview of Cybersecurity Frameworks

There are three key categories of Frameworks to keep in mind when reviewing, evaluating, and determining if/how to apply them.

Control Frameworks (e.g., CIS Controls)
  • Creates a basic strategy for the organization’s cybersecurity best practices

  • Provides the baseline group of technical security controls

  • Helps assess the current state of the infrastructure and environment

  • Helps prioritize the implementation of security controls

Program Frameworks (e.g., NIST 800-53)
  • Helps assess and develop the organization’s cybersecurity program

  • Measures the program’s maturity and effectiveness

  • Develops communications between the cybersecurity team and senior management

Risk Frameworks (e.g., NIST RMF)
  • Defines the necessary processes for risk assessment and management

  • Structures a cybersecurity program for risk management

  • Identifies, measures, and quantifies the organization’s security risks

  • Prioritizes appropriate security measures and activities based on risk

Here is our list of the Cybersecurity Frameworks:

CIS Critical Controls

(All industries)

The Center for Internet Security (CIS) Critical Security Controls, Version 8, formerly the SANS Top 20, lists technical security and operational controls that can be applied to any environment. It does not address risk analysis or risk management like NIST CSF; rather, it is solely focused on reducing risk and increasing resilience for technical infrastructures.

CISA Cybersecurity Performance Goals (CPG)

(All industries, government)

The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.

Cloud Security Alliance (CSA) CCM

(All industries)

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. CCM version 4 was developed by the Cloud Security Alliance (CSA).


(All industries)

Control Objectives for Information and Related Technologies (COBIT) was developed in the mid-1990s by ISACA, an independent organization of IT governance professionals. ISACA offers the well-known Certified Information Systems Auditor and Certified Information Security Manager certifications.

COBIT originally focused on reducing IT risks. COBIT 5, released in 2012, included new technology and business trends to help organizations balance IT and business goals. The current version is COBIT 2019. It's the most used framework to achieve Sarbanes-Oxley compliance. Numerous publications and professional certifications address COBIT requirements.


(All industries)

Committee of Sponsoring Organizations (COSO) is a joint initiative of five professional organizations. Its 2013 framework covers internal controls, and its 2017 framework covers risk management.

A guidance paper, "Managing Cyber Risk in a Digital Age", offers advice on how to prepare and respond to enterprise cyber threats. It aligns with the COSO Enterprise Risk Management Framework.

CSA Section 405(d)


Managed by the HHS, technical controls vol 1 and 2 established, for small businesses, and medium/large businesses respectively.

Cybersecurity Maturity Model (CMMC)

(Department of Defense, government)

To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. With its streamlined requirements, CMMC 2.0:

Simplifies compliance by allowing self-assessment for some requirements

Applies priorities for protecting DoD information

Reinforces cooperation between the DoD and industry in addressing evolving cyber threats


(Financial, Banking)

The Federal Financial Institutions Examination Council (FFIEC) members are taking a number of initiatives to raise the awareness of financial institutions and their critical third-party service providers with respect to cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats. This body provides a Cybersecurity Assessment tool used during their audits.



HITRUST Common Security Framework includes risk analysis and risk management frameworks, along with operational requirements. The framework has 14 different control categories and can be applied to almost any organization, including healthcare.

ISO 27001

(All industries)

The ISO 27000 Series was developed by the International Organization for Standardization. It is a flexible information security framework that can be applied to all types and sizes of organizations. ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Additional best practice in data protection and cyber resilience are covered by more than a dozen standards in the ISO/IEC 27000 family. Together, they enable organizations of all sectors and sizes to manage the security of assets such as financial information, intellectual property, employee data and information entrusted by third parties.


(All industries)

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.


(All industries, government)

NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 Series addresses virtually every aspect of information security, with an increasing focus on cloud security.


(All industries, government)

The NIST Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF, was developed under Executive Order 13636, released in February 2013. Unlike other NIST frameworks, NIST CSF focuses on risk analysis and risk management. Security controls in the framework are based on the five phases of risk management: identify, protect, detect, respond and recover.


(All industries, government)

The NIST Risk Management Framework (RMF) is a comprehensive, flexible, risk-based approach. The framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.

NIST SP 800-53

(All industries, government)

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines.


(All industries)

Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.


(Payment card industry)

A global organization, it maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe.

There are two key priorities for this standard: Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. And helping vendors understand and implement standards for creating secure payment solutions.

Secure Controls Framework (SCF)

(All industries)

A non-profit organization developing a meta-framework, based on all other frameworks with mappings across all frameworks and major regulations.

SCF Domains: Security & Privacy by Design (S|P) Principles is a set of 32 security and privacy principles that leverage the SCF's extensive cybersecurity and privacy control set.



blockchain concept illustration in 3d, connected blocks in blockchain_edited.jpg

Check out our Twitter feed!

  • Discord
  • Twitter
  • LinkedIn
bottom of page