cyber revision

Frameworks and standards

NIST CSF 2.0, ISO/IEC 27001 and the reference frameworks that structure how organisations do security.


Why frameworks exist

Left to themselves, organisations secure things inconsistently and miss whole categories. Frameworks and standards provide a structured, agreed checklist of what good security looks like, so you can be systematic, benchmark against peers, satisfy customers and regulators, and avoid reinventing the wheel. Know the major ones by name and purpose; you're rarely asked for fine detail, but you must not mix them up.

NIST Cybersecurity Framework (CSF) 2.0

The NIST CSF is a voluntary, widely adopted framework for managing cybersecurity risk. Version 2.0, published in February 2024, is the current edition. Its biggest changes from 1.1 were broadening its scope from critical infrastructure to organisations of all sizes and sectors, and adding a sixth Function, Govern, to put cybersecurity firmly inside enterprise risk management.

The framework's Core organises outcomes under six Functions (the most testable fact here):

Function        Purpose
Govern (GV)     Establish and monitor the cybersecurity risk management strategy, expectations and policy (new in 2.0; wraps around the others)
Identify (ID)   Understand assets, risks and the business context
Protect (PR)    Implement safeguards to manage risk (access control, training, data security)
Detect (DE)     Find and analyse possible attacks and compromises
Respond (RS)    Take action on a detected incident
Recover (RC)    Restore assets and operations affected by an incident

A memory hook for the order: Govern sits at the centre, and the operational five run Identify → Protect → Detect → Respond → Recover, which is also, neatly, the arc of an incident (know it, guard it, spot it, handle it, restore it). Beneath Functions sit Categories and Subcategories (specific outcomes), and Tiers describe how mature an organisation's practices are.

ISO/IEC 27001

ISO/IEC 27001 is the leading international standard for an ISMS (Information Security Management System): a systematic, risk-based framework of policies, processes and controls for managing information security, which organisations can be formally certified against by an external auditor. Certification is a strong trust signal to customers, which is why it's commercially significant.

The current version is ISO/IEC 27001:2022. Key points:

  • It's built around a risk-based ISMS with a strong emphasis on continual improvement (the Plan-Do-Check-Act cycle).
  • Annex A lists the security controls. The 2022 revision reorganised these into 93 controls under four themes: Organisational (37), People (8), Physical (14) and Technological (34), down from 114 controls in 14 domains in the 2013 version. The companion ISO/IEC 27002 gives implementation guidance for those controls.
  • A Statement of Applicability (SoA) documents which Annex A controls apply and why any are excluded.

CSF vs ISO 27001 (a common confusion): the NIST CSF is a flexible framework of outcomes you self-assess against (no certificate); ISO 27001 is a certifiable management-system standard with formal external audit. CSF answers "are we covering the right things?"; ISO 27001 answers "can we prove, to an auditor, that we manage information security systematically?" They're complementary and often used together.

Other names worth recognising

  • NIST SP 800-53: an exhaustive catalogue of security and privacy controls for US federal systems; far more granular than CSF, which often maps to it.
  • CIS Controls: a prioritised, practical set of 18 safeguards; an excellent, actionable starting point for smaller organisations ("do these first").
  • PCI DSS: the Payment Card Industry Data Security Standard, mandatory (by contract, not law) for any organisation that handles cardholder data. Prescriptive and strict.
  • SOC 2: an attestation report (common in the US/SaaS world) on a service provider's controls against five "trust services criteria" (security, availability, processing integrity, confidentiality, privacy).
  • Cyber Essentials: a UK government-backed scheme covering five basic technical controls (firewalls, secure configuration, access control, malware protection, patch management); a baseline, often required to bid for UK public-sector contracts.
  • COBIT and ITIL: broader IT governance and IT service management frameworks respectively, within which security sits.

How they fit together

These aren't competitors so much as layers. An organisation might govern with the NIST CSF, certify its ISMS to ISO 27001, implement specific controls drawn from CIS Controls or SP 800-53, and comply with PCI DSS because it takes card payments and the UK GDPR because it holds personal data (next chapter). The exam-relevant skill is matching the right framework to the right need:

  • "Voluntary, outcome-based, ties security to overall risk management" → NIST CSF 2.0
  • "Certifiable international standard for an ISMS" → ISO/IEC 27001
  • "We process credit cards" → PCI DSS
  • "Quick, prioritised baseline for a smaller org" → CIS Controls / Cyber Essentials

Quick recall

  • NIST CSF 2.0 (Feb 2024): voluntary, all sectors, six Functions: Govern (new, central) plus Identify, Protect, Detect, Respond, Recover. Self-assessed; not certifiable.
  • ISO/IEC 27001:2022: certifiable international ISMS standard; Annex A has 93 controls in 4 themes (Organisational, People, Physical, Technological); ISO 27002 gives guidance; SoA records applicability.
  • CSF = flexible outcomes framework (no cert); ISO 27001 = audited, certifiable management system. Complementary.
  • Recognise SP 800-53 (federal control catalogue), CIS Controls (18 prioritised safeguards), PCI DSS (card data), SOC 2 (provider attestation), Cyber Essentials (UK baseline).