The way companies adopt cybersecurity frameworks based on their industry and the type of data they handle has always caught my attention. Knowing these regulatory frameworks and understanding which controls and procedures we can adapt to our own functions is invaluable. Whether you’re a CISO or a Security Engineer, your organization probably already implements these frameworks, is in the process of adopting them, or you may have the opportunity to guide it towards their implementation.
Today’s organizations require robust structures to protect their digital assets. Cybersecurity frameworks offer just that: a structured methodology for implementing, assessing, and strengthening digital defenses.
This quick reference guide that I have developed explores the most relevant cybersecurity-specific frameworks globally, analyzing their implementation and why they are essential to any effective security strategy.
Contents
- 1 General Cybersecurity Frameworks
- 2 NIST Specific Cybersecurity Standards
- 3 Relevant ISO Standards in Cybersecurity
- 4 Vulnerability Management Frameworks
- 5 NIST Specific Vulnerability Management Standards
- 6 Relevant ISO Standards in Vulnerability Management
- 7 Risk Management Frameworks
- 8 NIST Specific Risk Management Standards
- 9 Relevant ISO Standards in Risk Management
- 10 Evolution Patterns and Trends
- 11 The Future of Cybersecurity Is in Your Hands!
General Cybersecurity Frameworks
NIST Cybersecurity Framework (CSF)
Date Created: February 2014
Major Updates:
- Version 1.1: April 2018 (added sections on authentication, risk assessment, vulnerability management, and cyber threat disclosure)
- Version 2.0: February 2024 (significant expansion to cover governance and supply chain aspects)
Developed by the U.S. National Institute of Standards and Technology in response to Executive Order 13636 of 2013, which called for a framework to reduce risks to critical infrastructure. The NIST CSF has become one of the most widely adopted frameworks globally. Its popularity lies in its flexibility and pragmatic approach.
The framework is structured around five fundamental functions:
- Identify: Develop an organizational understanding to manage cybersecurity risks to systems, people, assets, data, and capabilities. This function includes asset management, business context, governance, risk assessment, and risk management strategy.
- Protect: Develop and implement appropriate safeguards to ensure the delivery of critical services. This encompasses identity and access management, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. It includes anomalies and events, continuous security monitoring, and detection processes.
- Respond: Develop and implement appropriate activities to take action in the event of a detected cybersecurity incident. It encompasses response planning, communications, analysis, mitigation, and improvements.
- Recover: Develop and implement appropriate activities to maintain resilience plans and restore any capability or service that has been impaired due to a cybersecurity incident. This includes recovery planning, improvements, and communications.
The NIST CSF is particularly valuable because it can be tailored to organizations of any size and industry, providing a common language for cybersecurity risk management.
ISO/IEC 27001
Original creation date: December 2005 (evolved from the British standard BS7799-2 of 1999)
Major updates:
- ISO/IEC 27001:2013: October 2013 (restructuring according to Annex SL to align with other ISO standards)
- ISO/IEC 27001:2022: October 2022 (review of security controls and adaptation to new technological environments)
This international standard specifies the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). Unlike NIST CSF, ISO 27001 can be certified, allowing organizations to formally demonstrate their commitment to information security.
ISO 27001 is based on a risk management approach and follows the Plan-Do-Check-Act (PDCA) model:
- Plan: Establish the ISMS, including policy, objectives, processes and procedures.
- Do: Implement and operate policy, controls, processes, and procedures.
- Check: Monitor and review the performance of the ISMS.
- Act: Maintain and improve the ISMS based on audit results.
Annex A of the standard originally contained 114 controls organized into 14 domains, although in the 2022 version they were reorganized to 93 controls in 4 sections, reflecting the evolution of the security landscape.
CIS Controls
Date Created: 2008 (originally as “SANS Top 20 Critical Security Controls”)
Major Updates:
- Version 6: October 2015 (company-wide expansion)
- Version 7: March 2018 (reorganization and update)
- Version 8: May 2021 (restructuring to address cloud environments and remote work)
CIS (Center for Internet Security) Controls offer a prioritized approach to cybersecurity. They began as an initiative of the SANS Institute and have evolved considerably. The current version consists of 18 controls (reduced from 20 in previous versions) designed to mitigate the most common and damaging attacks.
The controls are organized into three main groups:
- Basic Controls (1-6): Essential for any organization, such as inventory and control of hardware and software assets, continuous vulnerability management, etc.
- Fundamental Controls (7-16): Best practice techniques, such as email and browser protections, malware defense, etc.
- Organizational Controls (17-18): They involve people and processes, such as cybersecurity awareness and training and incident response.
What sets CIS Controls apart is their prescriptive and detailed approach, offering specific recommendations on how to implement each control.
COBIT (Control Objectives for Information and Related Technologies)
Date of establishment: 1996 (by ISACA, originally focused on IT auditing)
Major updates:
- COBIT 4.0: 2005 (expanded the scope to IT management)
- COBIT 5: 2012 (integrated several ISACA frameworks)
- COBIT 2019: 2018 (updated framework with greater flexibility)
COBIT is an IT governance and management framework developed by ISACA. Unlike other frameworks that focus exclusively on security, COBIT addresses IT governance in its entirety, with security as a critical component.
The current version, COBIT 2019, defines 40 governance and management objectives organized into five domains:
- Evaluate, Direct, and Monitor
- Align, Plan, and Organize
- Build, Acquire, and Implement
- Deliver, Service, and Support
- Monitor, Evaluate, and Assess
COBIT is especially valuable for organizations looking to align security with business objectives and comply with regulatory requirements.
MITRE ATT&CK
Date of creation: 2013 (internal use at MITRE); Public release: 2015
Major Updates:
- Continuous quarterly expansion since 2018
- ICS ATT&CK Matrix Integration: 2020
- Continuous addition of new techniques and tactics based on observed threats
Unlike previous frameworks, MITRE ATT&CK is not a set of guidelines, but a knowledge base of tactics, techniques, and procedures (TTPs) used by attackers. It has become an essential resource for understanding how adversaries operate.
ATT&CK is organized into matrices for different environments (Enterprise, Mobile, ICS) and details:
- Tactics: Attackers’ tactical objectives (the “whys”)
- Techniques: Methods used to achieve those goals (the “hows”)
- Procedures: Specific implementations of techniques observed in real attacks
This framework is invaluable for activities such as threat intelligence, intrusion detection, and red team exercises, as it allows organizations to understand and anticipate attacker tactics.
Zero Trust Architecture (ZTA)
Conceptualization date: 2010 (by John Kindervag at Forrester Research)
Formal development:
- ZTA Publication by NIST (800-207): August 2020
- U.S. Executive Mandate for Federal Adoption: May 2021
- CISA Implementation Guidelines: January 2022
Zero Trust is not a framework in the traditional sense, but a security model based on the principle of “never trust, always verify”. This approach assumes that threats exist both inside and outside of traditional networks, eliminating the concept of a trusted perimeter.
The core principles of Zero Trust include:
- Verify explicitly: Always authenticate and authorize, based on all available information.
- Use Least Privilege Access: Limit user access with Just-in-Time and Just-Enough-Access (JIT/JEA).
- Assume the breach: Minimize the scope of the impact and prevent lateral movement.
Implementing Zero Trust typically involves technologies such as multi-factor authentication, micro-segmentation, identity and access management, and continuous monitoring. This model is gaining traction as a response to evolving threats and distributed work environments.
NIST Specific Cybersecurity Standards
NIST 800-53
Initial Creation Date: December 2005
Major Updates:
- Revision 3: August 2009
- Revision 4: April 2013
- Revision 5: September 2020 (significant expansion to include privacy controls)
This special publication provides a comprehensive catalog of security and privacy controls for federal information systems. Revision 5 includes more than 1,000 controls organized into 20 families, such as:
- Access Control
- Awareness and training
- Audit and Accountability
- Security assessment, authorization and monitoring
- Contingency planning
Each control includes a base control statement, control enhancements, and supplemental implementation guidance. Although originally designed for federal agencies, NIST 800-53 has become a valuable resource for organizations in all industries looking to implement robust security controls.
NIST 800-171
Initial Release Date: June 2015
Key Updates:
- Revision 1: December 2016
- Revision 2: February 2020
This standard addresses the protection of Controlled Unclassified Information (CUI) in non-federal systems. It was developed in response to growing concerns about supply chain security, especially for defense contractors.
NIST 800-171 organizes its requirements into 14 families, including:
- Access Control
- Awareness and training
- Configuration Management
- Identification and authentication
- Incident Response
This standard has gained prominence due to its incorporation into the U.S. Department of Defense’s Cybersecurity Maturity Model (CMMC) Certification Program.
NIST 800-190
Publication date: September 2017
This publication focuses specifically on the security of containerized applications. It addresses the unique risks associated with container technologies, such as Docker and Kubernetes, that have become critical in modern development environments. It is an example of how standards evolve to address new technologies.
NIST 800-190 covers threats and controls for:
- Container Images
- Container Registries
- Orchestrators
- Container Hosts
- Containerized applications
It provides actionable recommendations for securing every component of the container ecosystem, from development to deployment.
NIST 800-207
Publication date: August 2020
This special publication defines the concepts, components, and workflows of Zero Trust architecture. It provides a roadmap for organizations looking to migrate to this security model. It is one of the most recent publications and reflects the paradigm shift in network security approaches.
NIST 800-207 details:
- Assumptions that a Zero Trust architecture does and does not make
- Logical components of a Zero Trust architecture
- Different Implementation Approaches
- Use cases and migration scenarios
This standard is especially valuable given the growing interest in the Zero Trust model as a response to remote work environments and advanced threats.
Relevant ISO Standards in Cybersecurity
ISO/IEC 27002
Original Creation Date: 2005 (evolved from the 1995 BS7799-1 standard)
Major Updates:
- ISO/IEC 27002:2013: October 2013
- ISO/IEC 27002:2022: February 2022 (fundamental reorganization of controls)
This standard provides guidelines for the implementation of the security controls listed in Annex A of ISO 27001. In its 2022 version, it reorganized the original 114 controls into 93 controls grouped into 4 main sections, reflecting the evolution of the security environment.
The most recent version (2022) reorganizes the controls into 4 main sections and 11 clauses:
- Organizational Controls
- People Controls
- Physical Controls
- Technology Controls
Each control includes a description, implementation information, and examples, making it an invaluable resource for security professionals looking to implement best practices.
ISO/IEC 27701
Publication date: August 2019
This relatively new extension of ISO 27001 and 27002 provides a framework for managing privacy information. It was developed in direct response to the European GDPR and other emerging global privacy regulatory frameworks.
The standard defines roles such as:
- Personally Identifiable Information (PII) Controller
- PII Processor
And it provides additional role-specific controls. For organizations that already have an ISMS based on ISO 27001, 27701 offers a path to extend it to a Privacy Information Management System (PIMS).
ISO/IEC 22301
Initial Release Date: 2012
Major Updates:
- ISO/IEC 22301:2019: October 2019
This standard on Business Continuity Management Systems (BCMS) became especially relevant after events such as the NotPetya ransomware (2017), which highlighted the importance of organizational resilience to disruptive cyberattacks.
While not exclusively focused on cybersecurity, this standard is critical to organizational resilience. It specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, and continuously improving a BCMS.
ISO 22301 addresses:
- Business Impact Analysis
- Risk assessment
- Continuity strategies
- Incident Response Procedures
- Recovery plans
Given the growing threat of ransomware and other disruptive cyberattacks, business continuity has become a crucial component of cybersecurity.
Vulnerability Management Frameworks
CVSS (Common Vulnerability Scoring System)
Date Created: 2005 (by NIST)
Major Updates:
- CVSSv2: June 2007
- CVSSv3.0: June 2015
- CVSSv3.1: June 2019
The CVSS provides a standardized method for assessing the severity of security vulnerabilities. Maintained by FIRST (Forum of Incident Response and Security Teams), CVSS assigns numerical scores (0-10) based on a set of metrics.
In its current version (CVSSv3.1), the system includes three groups of metrics:
- Base Metrics: Intrinsic and constant characteristics of a vulnerability, such as:
  - Attack vector (network, adjacent, local, physical)
  - Attack complexity
  - Privileges required
  - User interaction
  - Scope
  - Impact on confidentiality, integrity and availability
- Temporal Metrics: Factors that change over time, such as:
  - Exploit code maturity
  - Remediation level (patch availability)
  - Report confidence
- Environmental Metrics: Factors specific to the user’s environment, such as:
  - Security requirements for confidentiality, integrity and availability
  - Base metrics modified to reflect the environment
CVSS allows organizations to prioritize vulnerability remediation based on their actual severity in a specific context.
OWASP Top 10
Published by the Open Web Application Security Project (OWASP), this ranking is updated approximately every 3-4 years (the most recent version is from 2021), and each new version reflects changes in the most prevalent and dangerous web application security risks.
The current list includes:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
The OWASP Top 10 serves as an essential checklist for developers and security teams, helping them focus their efforts on the most critical vulnerabilities.
SANS Top 25
Initial Creation Date: 2009
Major Updates:
- Annual updates until 2011
- Integration with CWE Top 25: 2019
Compiled by the SANS Institute and MITRE, this list identifies the 25 most dangerous programming errors that lead to serious security vulnerabilities. This list has evolved to integrate with the CWE (Common Weakness Enumeration) Top 25 list, which is updated annually.
Errors are organized into three categories:
- Failures of omission: Not doing enough, such as inadequate input validation.
- Failures of Rigor: Not doing it correctly, such as errors in resource management.
- Timing and status failures: Doing things at the wrong time or in the wrong order.
This list provides developers and code auditors with practical guidance on what to look for during code development and review.
NVD (National Vulnerability Database)
Release date: 2005
Continuous development:
- Daily update for CVEs
- CVSSv3 Implementation: 2016
- Integration with automation: RESTful API since 2018
Maintained by NIST, the NVD is a comprehensive repository of security vulnerabilities. It includes standardized data on vulnerabilities, such as:
- Common Vulnerabilities and Exposures (CVE) identifiers
- CVSS Scores
- Common Platform Enumeration (CPE) to identify affected products
- CWE (Common Weakness Enumeration) to categorize types of vulnerabilities
The NVD is an essential resource for security professionals who need to stay up-to-date on known vulnerabilities and their severity.
FIRST CVMAP (Vulnerability Mapping)
Initial publication date: 2020
This framework helps map vulnerabilities to reference frameworks, allowing organizations to understand the potential impact of a specific vulnerability on their security posture.
CVMAP allows you to correlate:
- Vulnerabilities (CVEs)
- Weak Points (CWE)
- Attack Tactics and Techniques (MITRE ATT&CK)
- Security Controls (NIST CSF, CIS Controls)
This holistic approach helps organizations understand not only the technical vulnerability, but also how it could be exploited and what controls should mitigate it.
NIST Specific Vulnerability Management Standards
NIST 800-40
Initial Release Date: 2002
Major Updates:
- Revision 2: 2005
- Revision 3: 2013
- Revision 4: 2020
This publication provides guidance for managing security patches in enterprise environments. Currently in its Revision 4, it addresses the full patch management lifecycle:
- Acquiring Patch Information
- Patch prioritization
- Patch Testing
- Patch deployment
- Verification and monitoring
NIST 800-40 recognizes the practical challenges of patch management and provides strategies to balance the need for security with operational limitations.
NIST 800-30
Initial Release Date: 2002
Major Updates:
- Revision 1: September 2012
This guide defines a structured process for risk assessment in information systems. It provides a framework for identifying, estimating, and prioritizing risks, including those related to security vulnerabilities.
The risk assessment process includes:
- Preparing for the assessment
- Conducting the assessment:
  - Threat identification
  - Vulnerability identification
  - Controls analysis
  - Likelihood determination
  - Impact analysis
  - Risk determination
- Communicating the results
- Maintaining the assessment
This methodology helps organizations make informed decisions about which vulnerabilities to address first based on the actual risk they pose.
Relevant ISO Standards in Vulnerability Management
ISO/IEC 27034
Initial Release Date (Part 1): 2011
Continued Development:
- Additional parts published between 2015-2020
This multi-part standard focuses on application security. It provides a framework to help organizations integrate security into the software development lifecycle (SDLC).
ISO 27034 introduces concepts such as:
- Organization Normative Framework (ONF)
- Application Level of Trust (ATL)
- Application Security Processes (ASP)
These elements help organizations establish security requirements, controls, and verifications appropriate to the specific context of each application.
ISO/IEC 29147
Initial Release Date: 2014
Major Updates:
- ISO/IEC 29147:2018: October 2018
This standard provides guidelines for vulnerability disclosure. It addresses how vendors should receive, process, and respond to vulnerability reports about their products and services.
ISO 29147 covers aspects such as:
- Communication channels for vulnerability reports
- Information to include in vulnerability announcements
- Methods for distributing vulnerability information
Effective implementation of this standard improves collaboration between security researchers and vendors, speeding up vulnerability identification and remediation.
ISO/IEC 30111
Initial Release Date: 2013
Major Updates:
- ISO/IEC 30111:2019: October 2019
Complementary to ISO 29147, this standard defines the internal processes that organizations must follow to manage vulnerabilities once they are reported. It provides a framework for:
- Preparation and planning
- Receiving vulnerability reports
- Verification and prioritization
- Developing Fixes
- Publishing and post-publishing
ISO 30111 helps organizations establish a systematic process for handling vulnerabilities, from identification to resolution.
Risk Management Frameworks
NIST Risk Management Framework (RMF)
Initial Release Date: 2010 (as part of NIST 800-37 Rev. 1)
Major Updates:
- NIST 800-37 Rev. 2: December 2018 (added a “Prepare” step and increased integration with privacy)
The RMF provides a structured process for integrating security risk management activities into the system lifecycle. Formally documented in NIST 800-37, the framework consists of seven steps:
- Prepare: Essential activities to manage security risks.
- Categorize: Determine the impact of loss of confidentiality, integrity, and availability.
- Select: Choose baseline security controls and adapt them as needed.
- Implement: Implement security controls.
- Assess: Determine if controls are in place correctly and working as intended.
- Authorize: Provide formal approval to operate the system based on acceptable risk.
- Monitor: Continuously observe the controls and threat environment.
The RMF is designed to be flexible and adaptable to all types of systems, from traditional to cloud-based to the Internet of Things.
ISO/IEC 27005
Initial Release Date: 2008
Major Updates:
- ISO/IEC 27005:2011: June 2011
- ISO/IEC 27005:2018: July 2018
- ISO/IEC 27005:2022: October 2022
This standard provides guidelines for information security risk management. It complements ISO 27001, providing a detailed method for carrying out the risk assessment and treatment process required by the standard.
The ISO 27005 risk management process includes:
- Setting the Context
- Risk Identification
- Risk analysis
- Risk assessment
- Risk treatment
- Risk Acceptance
- Risk Communication
- Risk monitoring and review
The standard does not prescribe a specific methodology, allowing organizations to tailor their approach to their context and needs.
FAIR (Factor Analysis of Information Risk)
Initial development date: 2005 (by Jack Jones)
Key milestones:
- Adopted by The Open Group: 2013
- Published as O-RT standard: 2020
Unlike other risk frameworks that are primarily qualitative, FAIR provides a quantitative model for analyzing and measuring information security risk in financial terms. This allows organizations to:
- Estimate the expected loss in monetary terms
- Compare different risk scenarios objectively
- Justify security investments based on return on investment (ROI)
FAIR breaks down risk into factors such as loss event frequency and loss magnitude, each with its own subfactors. This structured approach facilitates the accurate estimation of risk components. It was formally adopted by The Open Group in 2013 and has continued to evolve with publications of how-to guides.
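To show what "risk in financial terms" looks like in practice, here is an added example (not FAIR Institute or Open Group code) that runs a small Monte Carlo simulation over FAIR's two top-level factors, Loss Event Frequency and Loss Magnitude, and compares a baseline scenario with the same scenario after a control is applied. It assumes each factor is a calibrated (min, most likely, max) estimate sampled from a triangular distribution, that yearly event counts are Poisson-distributed around the sampled frequency, and that all monetary figures are constructed.

```python
# Added example (not FAIR Institute / Open Group code): a minimal Monte Carlo
# estimate of Annualized Loss Exposure (ALE) from FAIR's top-level factors,
# Loss Event Frequency (LEF, events/year) and Loss Magnitude (LM, cost/event).
# Simplifying assumptions: each factor is a (min, most likely, max) estimate
# sampled from a triangular distribution, and the number of events in a year
# is Poisson-distributed around the sampled LEF. All figures are constructed.
import math
import random
import statistics

# Constructed scenario: account-takeover losses before and after a control
# (e.g. MFA) that mainly reduces how often loss events occur.
BASELINE = {"lef": (2.0, 6.0, 12.0), "lm": (20_000, 80_000, 400_000)}
WITH_CONTROL = {"lef": (0.2, 0.5, 1.5), "lm": (20_000, 80_000, 400_000)}
CONTROL_COST_PER_YEAR = 150_000  # constructed annual cost of the control


def sample_triangular(rng: random.Random, estimate: tuple) -> float:
    """Sample a (min, most_likely, max) estimate; random.triangular takes (low, high, mode)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of events in one period with mean rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: dict, trials: int = 10_000, seed: int = 1) -> dict:
    """Return ALE statistics for a scenario over `trials` simulated years."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        rate = sample_triangular(rng, scenario["lef"])
        events = poisson(rng, rate)
        # Loss magnitude is sampled independently for each loss event in the year
        annual_losses.append(sum(sample_triangular(rng, scenario["lm"]) for _ in range(events)))
    annual_losses.sort()
    return {
        "ale_mean": statistics.fmean(annual_losses),
        "p50": annual_losses[trials // 2],
        "p90": annual_losses[int(trials * 0.9)],
        "p_any_loss": sum(1 for loss in annual_losses if loss > 0) / trials,
    }


def control_roi(before: dict, after: dict, annual_cost: float) -> dict:
    """Compare expected annual loss with and without the control, in money terms."""
    reduction = before["ale_mean"] - after["ale_mean"]
    return {
        "ale_reduction": reduction,
        "net_benefit": reduction - annual_cost,
        "roi": (reduction - annual_cost) / annual_cost,
    }


if __name__ == "__main__":
    base = simulate(BASELINE)
    ctrl = simulate(WITH_CONTROL)
    for name, r in (("baseline", base), ("with control", ctrl)):
        print(f"{name:13s} ALE mean {r['ale_mean']:>12,.0f}  "
              f"p50 {r['p50']:>12,.0f}  p90 {r['p90']:>12,.0f}  P(loss) {r['p_any_loss']:.2f}")
    print(control_roi(base, ctrl, CONTROL_COST_PER_YEAR))
```

Reporting the p90 alongside the mean is what makes the output usable for budget conversations: it separates the typical year from the bad year a control is bought to avoid.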
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Initial Release Date: 1999
Major Updates:
- OCTAVE-S (for small organizations): 2003
- OCTAVE Allegro (simplified version): 2007
Developed by Carnegie Mellon’s Software Engineering Institute, OCTAVE is a set of methodologies and tools for risk assessment. There are several variants, such as OCTAVE Allegro, adapted to different sizes and types of organization.
OCTAVE is characterized by:
- Being self-directed (led by internal staff)
- Focusing on critical assets
- Considering both organizational and technical aspects
- Including a workshop approach to risk identification
The method helps organizations develop threat profiles, identify vulnerabilities, and create risk mitigation strategies tailored to their specific environments.
ITIL Security Management
Evolution through ITIL versions:
- Incorporated in ITIL v2: 2000-2001
- Expanded in ITIL v3: 2007
- Integrated in ITIL 4: 2019
As part of the broader ITIL (Information Technology Infrastructure Library) framework, the Information Security Management process provides an approach to integrating security into IT service management.
ITIL Security Management addresses:
- Security policies
- Security Levels in Service Level Agreements (SLAs)
- Security Controls
- Security Incident Management
- Reporting and continuous improvement
This approach is valuable for organizations that already use ITIL for service management, as it allows security to be aligned with existing IT processes.
NIST Specific Risk Management Standards
NIST 800-39
Publication date: March 2011
This publication provides a holistic approach to information security risk management. Unlike RMF (NIST 800-37) which focuses on individual systems, 800-39 addresses risk management at three levels:
- Organization: Establishing the Risk Governance Structure
- Mission/Business Processes: Aligning Risk Management with Operations
- Information Systems: Addressing Technical Risks
NIST 800-39 provides a framework for integrating risk management into all aspects of an organization, ensuring that security decisions support business objectives.
NIST 800-37
Initial Release Date: 2004
Major Updates:
- Revision 1: February 2010 (formal establishment of the RMF)
- Revision 2: December 2018 (added the “Prepare” step and integrated privacy considerations)
As already mentioned under the RMF, this publication details the step-by-step process for applying risk management to information systems: six steps in Revision 1, and seven in Revision 2, which incorporates privacy concepts and adds the “Prepare” step, emphasizing the importance of pre-implementation activities.
NIST 800-37 provides templates, examples, and detailed guidance for each step of the process, making it easy to implement in practice.
NIST 800-160
Release Date (Vol. 1): November 2016
Major Updates:
- Volume 2 (cyber resiliency): November 2019
This publication focuses on the engineering of secure and resilient systems. Unlike frameworks that focus on existing systems, 800-160 addresses the integration of security from the earliest stages of development.
The NIST 800-160 consists of two volumes:
- Volume 1: Systems security engineering considerations across the system lifecycle
- Volume 2: Developing Cyber-Resilient Systems
This proactive approach helps develop systems that are inherently secure, rather than relying on subsequent patches and mitigations.
Relevant ISO Standards in Risk Management
ISO/IEC 31000
Initial Release Date: 2009
Major Updates:
- ISO 31000:2018: February 2018
This standard provides generic principles and guidelines for risk management, applicable to any type of organization and risk. It establishes a common framework for:
- Integrating risk management into governance
- Designing risk management frameworks tailored to the context
- Implementing risk management processes
- Evaluating the effectiveness of the risk management approach
- Continuously adapting risk management to changes
Although not specific to information security, ISO 31000 provides a solid foundation that complements more specific standards such as ISO 27005.
ISO/IEC 27005
As described above, this standard provides specific guidelines for information security risk management. It aligns with the general concepts of ISO 31000, but focuses on the unique aspects of information security.
ISO 27005 is particularly valuable for organizations implementing an ISMS under ISO 27001, as it provides detailed methodologies for the risk assessment process required by that standard.
Evolution Patterns and Trends
By analyzing the evolution of these frameworks and standards, we can identify several clear trends:
- Cyclical Update: Most frameworks undergo major revisions every 3-5 years, with minor updates more frequent.
- Convergence: There is a trend towards interoperability and mapping between different frameworks (as seen in FIRST CVMAP).
- Scope Expansion: Many frameworks have expanded their scope to include privacy considerations along with security (NIST 800-53 Rev. 5, ISO 27701).
- Technology Adaptation: New frameworks are developed specifically to address emerging technologies (NIST 800-190 for containers).
- Focus on Resilience: There has been a gradual shift from a focus on prevention to a focus on resilience and recovery (NIST 800-160 Vol. 2).
- Human Factor Integration: Greater recognition of the critical role people play in cybersecurity.
Cybersecurity frameworks and regulations are living entities that are constantly evolving to reflect the changing landscape of threats, technologies, and organizational practices. Organizations need to stay up-to-date on these evolutions to ensure their defenses remain effective against emerging threats.
The Future of Cybersecurity Is in Your Hands!
Cybersecurity frameworks, vulnerabilities, and risks are not just theory; they are essential tools for protecting assets in an increasingly threatened world.
From NIST CSF to Zero Trust, each framework has a specific purpose and applicability. The key is to understand which one is best suited to your organization and how to integrate it effectively.
Thanks for reading me!!! 🙂