Section 11

Security Frameworks

Security frameworks provide structured approaches to managing cybersecurity risk. Choosing the right framework — and mapping controls across them — is a core skill for security architects.

Frameworks vs Standards

A framework provides a flexible structure for organizing security activities (NIST CSF, SABSA). A standard defines specific requirements that can be audited (ISO 27001, PCI DSS). Most organizations use a framework to organize their program and map standards for compliance.

NIST Cybersecurity Framework (CSF) 2.0

The gold standard for cybersecurity programs. NIST CSF 2.0 (released Feb 2024) added a sixth function — Govern — placing governance at the center of the framework. Free to use, voluntary, and widely adopted across industries.

Function | Purpose | Categories
GOVERN (GV) | Establish and monitor the organization's risk management strategy, expectations, and policy | GV.OC, GV.RM, GV.RR, GV.PO, GV.OV, GV.SC
IDENTIFY (ID) | Understand the organization's current assets, risks, and improvement opportunities | ID.AM, ID.RA, ID.IM
PROTECT (PR) | Implement safeguards to manage cybersecurity risk | PR.AA, PR.AT, PR.DS, PR.PS, PR.IR
DETECT (DE) | Find and analyze possible cybersecurity attacks and compromises | DE.CM, DE.AE
RESPOND (RS) | Take action regarding a detected cybersecurity incident | RS.MA, RS.AN, RS.CO, RS.MI
RECOVER (RC) | Restore assets and operations affected by an incident | RC.RP, RC.CO

Changes worth knowing when mapping from CSF 1.1: Govern has six categories, including Oversight (GV.OV); supply chain risk management moved from Identify (ID.SC) to Govern (GV.SC); and Protect gained Platform Security (PR.PS), which is where secure software development and configuration management now live, and Technology Infrastructure Resilience (PR.IR).

NIST CSF Implementation Tiers

Tier | Name | Characteristics | Typical Organization
Tier 1 | Partial | Ad hoc, reactive, limited awareness | Startups, early-stage companies
Tier 2 | Risk Informed | Approved but not organization-wide, some processes | Growing companies, some compliance
Tier 3 | Repeatable | Formally approved, regularly updated, organization-wide | Mature enterprises
Tier 4 | Adaptive | Continuous improvement, threat-informed, agile | Security leaders, critical infrastructure

ISO 27001 / 27002:2022

The international standard for Information Security Management Systems (ISMS). ISO 27001 is the certifiable requirements standard (clauses 4-10 plus Annex A); ISO 27002 provides the implementation guidance for the Annex A controls. The 2022 revision consolidated the 114 controls of the 2013 edition into 93 controls across 4 themes; organizations certified to the 2013 edition had to transition by 31 October 2025.

Organizational Controls (37)

  • A.5.1 – Policies for information security
  • A.5.7 – Threat intelligence
  • A.5.23 – Information security for use of cloud services
  • A.5.30 – ICT readiness for business continuity

People Controls (8)

  • A.6.1 – Screening
  • A.6.3 – Information security awareness, education and training
  • A.6.5 – Responsibilities after termination or change of employment
  • A.6.7 – Remote working

Physical Controls (14)

  • A.7.1 – Physical security perimeters
  • A.7.4 – Physical security monitoring
  • A.7.10 – Storage media
  • A.7.14 – Secure disposal or re-use of equipment

Technological Controls (34)

  • A.8.5 – Secure authentication
  • A.8.9 – Configuration management
  • A.8.16 – Monitoring activities
  • A.8.25 – Secure development life cycle
  • A.8.28 – Secure coding

ISO 27001 Certification Process

1. Gap Analysis – compare current practice against clauses 4-10 and Annex A
2. ISMS Design – scope, risk assessment methodology, Statement of Applicability
3. Implement Controls – close the gaps, collect evidence of operation
4. Internal Audit – plus management review; both are mandatory before certification
5. Stage 1 Audit – certification body reviews documentation and readiness
6. Stage 2 Audit – on-site audit of whether the controls operate as documented; the certificate is issued after this stage
7. Surveillance – annual surveillance audits, with full recertification every three years

CIS Controls v8.1

The Center for Internet Security (CIS) Controls are a prioritized set of 18 Controls containing 153 Safeguards, organized into 3 Implementation Groups (IGs). The most prescriptive and actionable of the frameworks here: start with it if you need a practical starting point.

# | Control | IG1 | IG2 | IG3
1 | Inventory and Control of Enterprise Assets | ✓ | ✓ | ✓
2 | Inventory and Control of Software Assets | ✓ | ✓ | ✓
3 | Data Protection | ✓ | ✓ | ✓
4 | Secure Configuration of Enterprise Assets and Software | ✓ | ✓ | ✓
5 | Account Management | ✓ | ✓ | ✓
6 | Access Control Management | ✓ | ✓ | ✓
7 | Continuous Vulnerability Management | ✓ | ✓ | ✓
8 | Audit Log Management | ✓ | ✓ | ✓
9 | Email and Web Browser Protections | ✓ | ✓ | ✓
10 | Malware Defenses | ✓ | ✓ | ✓
11 | Data Recovery | ✓ | ✓ | ✓
12 | Network Infrastructure Management | ✓ | ✓ | ✓
13 | Network Monitoring and Defense | – | ✓ | ✓
14 | Security Awareness and Skills Training | ✓ | ✓ | ✓
15 | Service Provider Management | ✓ | ✓ | ✓
16 | Application Software Security | – | ✓ | ✓
17 | Incident Response Management | ✓ | ✓ | ✓
18 | Penetration Testing | – | ✓ | ✓

A check means the Control has at least one Safeguard assigned to that IG; the groups are cumulative, so IG2 includes every IG1 Safeguard. Controls 13, 16 and 18 have no IG1 Safeguards at all.

Implementation Groups Explained

IG1 — Essential Cyber Hygiene

56 Safeguards. For small organizations with limited IT resources and low data sensitivity. Minimum viable security, and the baseline CIS recommends every organization reach first.

IG2 — Mid-size Enterprise

74 additional Safeguards (130 cumulative). Organizations handling sensitive data, with dedicated IT and security staff.

IG3 — Mature Organization

23 additional Safeguards (153 cumulative). Full coverage, including the techniques that require specialist skills, such as penetration testing and application security testing.

NIST SP 800-53 Rev 5

The most comprehensive security control catalog: roughly 1,000 controls and control enhancements organized into 20 families. Required for US federal information systems under FISMA, and the source of the FedRAMP baselines, so anyone building systems for the US government is assessed against it. Start from the SP 800-53B baselines (Low, Moderate, High, plus the Privacy baseline) rather than the full catalog.

Families most often referenced (12 of 20):

AC | Access Control
AU | Audit and Accountability
CA | Assessment, Authorization, and Monitoring
CM | Configuration Management
IA | Identification and Authentication
IR | Incident Response
RA | Risk Assessment
SC | System and Communications Protection
SA | System and Services Acquisition
SI | System and Information Integrity
PE | Physical and Environmental Protection
SR | Supply Chain Risk Management (new in Rev 5)

The remaining eight families are AT (Awareness and Training), CP (Contingency Planning), MA (Maintenance), MP (Media Protection), PL (Planning), PM (Program Management), PS (Personnel Security) and PT (Personally Identifiable Information Processing and Transparency).

OWASP SAMM 2.0

The Software Assurance Maturity Model (SAMM) is the leading open framework for measuring and improving software security practices. It has five business functions, each with three security practices; each practice is split into two streams (A and B), and each stream is scored at a maturity level from 0 to 3:

  • Level 0: Implicit – the practice is not fulfilled
  • Level 1: Initial – ad hoc implementation of the practice
  • Level 2: Structured – the practice is realized consistently
  • Level 3: Optimized – the practice is measured and continuously improved

Business Function | Security Practices
Governance | Strategy & Metrics | Policy & Compliance | Education & Guidance
Design | Threat Assessment | Security Requirements | Security Architecture
Implementation | Secure Build | Secure Deployment | Defect Management
Verification | Architecture Assessment | Requirements-driven Testing | Security Testing
Operations | Incident Management | Environment Management | Operational Management

SABSA (Enterprise Security Architecture)

Sherwood Applied Business Security Architecture — a layered framework for developing security architectures that are driven by business requirements. Widely used in enterprise consulting alongside TOGAF.

Layer | View | What (Assets) | Why (Motivation)
Contextual | Business View | Business assets | Business risk
Conceptual | Architect's View | Information assets | Control objectives
Logical | Designer's View | Information domains | Security policies
Physical | Builder's View | Security mechanisms | Security rules
Component | Tradesman's View | Products & tools | Security standards

The full SABSA matrix has six columns per layer (What, Why, How, Who, Where, When) and a sixth, Operational layer for service management that cuts across the others; only the first two columns are shown here.

Framework Selection Decision Matrix

Choose the right framework based on your organization's drivers. Most mature organizations use multiple frameworks together.

Framework | Best For | Certifiable? | Cost | Complexity
NIST CSF 2.0 | Overall program structure, risk management | No (self-assessment) | Free | Medium
ISO 27001 | International compliance, customer trust | Yes (accredited third-party certification) | $$$ | High
CIS Controls | Prescriptive implementation, quick wins | No (self-assessment; the CIS Benchmarks are separate configuration baselines) | Free | Low-Medium
NIST 800-53 | US Federal / FedRAMP, comprehensive controls | Systems receive an Authorization to Operate (ATO) after assessment, not a certificate | Free | Very High
OWASP SAMM | Software development maturity, AppSec | No (self-assessment) | Free | Medium
SABSA | Enterprise security architecture design | Certifies practitioners (SCF, SCP), not organizations | $$ | High

Cross-Framework Control Mapping

Use this mapping to satisfy multiple frameworks with a single set of controls. When you implement a control for one framework, check which others it also satisfies.

Security Domain | NIST CSF 2.0 | ISO 27002:2022 | CIS Control | NIST 800-53 Rev 5
Asset Inventory | ID.AM | A.5.9 | CIS 1, 2 | CM-8
Access Control | PR.AA | A.8.2-A.8.5 | CIS 5, 6 | AC-1 to AC-25
Data Protection | PR.DS | A.8.10-A.8.12 | CIS 3 | SC-8, SC-28
Vulnerability Mgmt | ID.RA | A.8.8 | CIS 7 | RA-5, SI-2
Logging & Monitoring | DE.CM | A.8.15-A.8.16 | CIS 8 | AU-1 to AU-16
Incident Response | RS.MA | A.5.24-A.5.28 | CIS 17 | IR-1 to IR-10
Secure Development | PR.PS | A.8.25-A.8.31 | CIS 16 | SA-11, SA-15
Network Security | PR.IR | A.8.20-A.8.23 | CIS 12, 13 | SC-7, SC-8

A row means the listed controls address the same domain, not that they are equivalent. An auditor still wants evidence against each specific requirement: a log retention setting that satisfies CIS Control 8 does not by itself satisfy every AU control in 800-53.
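The crosswalk procedure above, as an added example (not part of the original page and not an official crosswalk from NIST, ISO or CIS): the mapping rows are transcribed into a dictionary, the range notation used in the table ("AC-1 to AC-25", "A.8.2-A.8.5", "CIS 5, 6") is expanded into individual identifiers, and a set of controls already implemented in one framework is turned into a per-domain report of what is covered, what the same evidence also speaks to in the other frameworks, and what is still missing. Secure development is mapped to PR.PS (Platform Security), the CSF 2.0 category that holds secure software development practices. The IG1 scenario at the bottom is constructed, and it treats a CIS Control as implemented once its IG1 Safeguards are done, which is a simplification.

```python
"""Cross-framework crosswalk over a control mapping table.

Given the identifiers an organization has actually implemented in one framework,
report which security domains that evidence covers, which identifiers in the
other frameworks it therefore also speaks to, and where gaps remain.
Example code added to this page; not an official crosswalk from NIST, ISO or CIS.
"""
import re

# Transcribed from the Cross-Framework Control Mapping table on this page, with
# secure development mapped to PR.PS (Platform Security), the CSF 2.0 category
# that holds secure software development practices.
MAPPING = {
    "Asset Inventory":      {"NIST CSF": "ID.AM", "ISO 27002": "A.5.9",         "CIS": "CIS 1, 2",   "NIST 800-53": "CM-8"},
    "Access Control":       {"NIST CSF": "PR.AA", "ISO 27002": "A.8.2-A.8.5",   "CIS": "CIS 5, 6",   "NIST 800-53": "AC-1 to AC-25"},
    "Data Protection":      {"NIST CSF": "PR.DS", "ISO 27002": "A.8.10-A.8.12", "CIS": "CIS 3",      "NIST 800-53": "SC-8, SC-28"},
    "Vulnerability Mgmt":   {"NIST CSF": "ID.RA", "ISO 27002": "A.8.8",         "CIS": "CIS 7",      "NIST 800-53": "RA-5, SI-2"},
    "Logging & Monitoring": {"NIST CSF": "DE.CM", "ISO 27002": "A.8.15-A.8.16", "CIS": "CIS 8",      "NIST 800-53": "AU-1 to AU-16"},
    "Incident Response":    {"NIST CSF": "RS.MA", "ISO 27002": "A.5.24-A.5.28", "CIS": "CIS 17",     "NIST 800-53": "IR-1 to IR-10"},
    "Secure Development":   {"NIST CSF": "PR.PS", "ISO 27002": "A.8.25-A.8.31", "CIS": "CIS 16",     "NIST 800-53": "SA-11, SA-15"},
    "Network Security":     {"NIST CSF": "PR.IR", "ISO 27002": "A.8.20-A.8.23", "CIS": "CIS 12, 13", "NIST 800-53": "SC-7, SC-8"},
}

# 'AC-1 to AC-25' / 'A.8.2-A.8.5': prefix, low number, prefix, high number.
_RANGE = re.compile(r"^(.+?)(\d+)\s*(?:to|-)\s*(.+?)(\d+)$")
# 'CM-8', 'A.5.9', or a bare '6' that continues the prefix of the previous item.
_SINGLE = re.compile(r"^(.*?)(\d+)$")


def expand(cell: str) -> set[str]:
    """Turn one table cell into the set of individual identifiers it names."""
    ids: set[str] = set()
    prefix = ""  # carried across comma-separated items: 'CIS 5, 6' -> CIS 5, CIS 6
    for item in (part.strip() for part in cell.split(",")):
        m = _RANGE.match(item)
        if m and m.group(1) == m.group(3):
            prefix, lo, _, hi = m.groups()
            ids.update(f"{prefix}{n}" for n in range(int(lo), int(hi) + 1))
            continue
        m = _SINGLE.match(item)
        if m:
            prefix = m.group(1) or prefix
            ids.add(prefix + m.group(2))
        else:
            ids.add(item)  # identifiers with no trailing number, e.g. 'ID.AM'
    return ids


def crosswalk(framework: str, implemented: set[str]) -> dict[str, dict]:
    """Per domain: what `framework` requires, what is still missing, and, for
    fully covered domains, the identifiers in the other frameworks that the
    same evidence can be presented against."""
    report = {}
    for domain, cells in MAPPING.items():
        required = expand(cells[framework])
        missing = required - implemented
        report[domain] = {
            "required": required,
            "missing": missing,
            "satisfied": not missing,
            "also_covers": {} if missing else
                {fw: expand(ref) for fw, ref in cells.items() if fw != framework},
        }
    return report


def gaps(framework: str, implemented: set[str]) -> dict[str, set[str]]:
    """Only the domains with unmet identifiers, and what is unmet in each."""
    return {d: r["missing"] for d, r in crosswalk(framework, implemented).items() if r["missing"]}


# Constructed scenario: an organization that has finished CIS IG1. Controls 13,
# 16 and 18 contain no IG1 Safeguards, so IG1 touches the other fifteen Controls.
# Treating a Control as implemented once its IG1 Safeguards are done is a
# simplification; a real crosswalk works at the Safeguard level.
IG1_CONTROLS = {f"CIS {n}" for n in range(1, 19)} - {"CIS 13", "CIS 16", "CIS 18"}

if __name__ == "__main__":
    for domain, row in crosswalk("CIS", IG1_CONTROLS).items():
        if row["satisfied"]:
            print(f"{domain:22s} OK  -> also evidence for {sorted(row['also_covers']['NIST 800-53'])}")
        else:
            print(f"{domain:22s} GAP -> still need {sorted(row['missing'])}")
```

Run against the IG1 scenario, the report shows six of the eight domains covered and two gaps (Secure Development needs CIS 16, Network Security needs CIS 13), which is exactly where an IG1 organization should expect pushback from an ISO 27001 or 800-53 assessor. The mapping granularity is the caveat: a satisfied row tells you which controls to gather evidence for next, not that the evidence already exists.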

Practical Implementation Guide

Start Small, Map Outward

Start with CIS Controls IG1 for immediate security wins. Map those controls to your target framework (NIST CSF or ISO 27001) to get dual compliance value. Add complexity incrementally.

Phase 1: Foundation (Months 1-3)

  • Select primary framework based on business drivers
  • Conduct gap assessment against chosen framework
  • Implement CIS IG1 safeguards for immediate protection
  • Establish asset inventory (CIS 1 & 2)

Phase 2: Build Out (Months 3-9)

  • Document policies and procedures (ISO 27001 clauses 4-10)
  • Implement technical controls per gap assessment
  • Deploy monitoring and logging (NIST CSF Detect)
  • Develop incident response plan (NIST CSF Respond)

Phase 3: Mature (Months 9-18)

  • Conduct internal audits and management review
  • Measure effectiveness with metrics and KPIs
  • Pursue certification if needed (ISO 27001, SOC 2)
  • Integrate OWASP SAMM for software assurance

Industry-Specific Overlays

Healthcare

  • HIPAA Security Rule
  • HITRUST CSF
  • NIST SP 800-66 (HIPAA mapping)

Financial Services

  • PCI DSS 4.0
  • SOX (Sarbanes-Oxley)
  • FFIEC IT Examination Handbook

Cloud / SaaS

  • SOC 2 Type II
  • CSA STAR
  • FedRAMP (NIST 800-53)

Critical Infrastructure

  • NERC CIP (Energy)
  • TSA Security Directives (Pipeline)
  • IEC 62443 (Industrial)