IT Security Frameworks for Organizations

This post lists some of the most popular IT security frameworks that an organization can use to implement its security programme.

List of cybersecurity frameworks:

  • ISO/IEC 27001
  • NIST Cybersecurity Framework (CSF)
  • CIS Critical Security Controls (CSC)
  • ISF Standard of Good Practice (SOGP)
  • SWIFT Customer Security Programme (CSP)
  • CSA Cloud Controls Matrix (CCM)
  • Architectural approaches

List of Cybersecurity Frameworks

ISO/IEC 27001

Issued by ISO and IEC.

ISO/IEC 27001 defines the requirements for an Information Security Management System (ISMS).


The latest version is ISO/IEC 27001:2013.


ISO/IEC 27002 adds implementation guidelines for the IT controls listed in annex 1 of 27001. Its latest version is ISO/IEC 27002:2013, but it will be replaced by ISO/IEC FDIS 27002.

All of these standards belong to the ISO/IEC 27000 series.

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF) is issued by NIST (National Institute of Standards and Technology) of the United States Government.


If your organization already applies the IT framework COBIT 5, you can obtain a certification for implementing NIST CSF using COBIT 5. More info on this link.

The COBIT 5 framework, issued and maintained by ISACA, is focused on IT governance and management, and it describes the common requirements that organizations should have in place around their information systems. It is not included in this list because I consider it wider than just an IT security framework. More info about COBIT on this link.

CIS Critical Security Controls (CSC)

CIS Critical Security Controls (CSC), or CIS Critical Security Controls for Effective Cyber Defense, is a series of publications containing cybersecurity best practices. It was informally known as CIS 20 because it consisted of 20 controls, but that is no longer the case.

It is now issued by CIS (Center for Internet Security). Previously, it was published by SANS.


ISF Standard of Good Practice (SOGP)

The Standard of Good Practice in Information Security (SOGP) is issued by the international association Information Security Forum (ISF).

ISF claims that SOGP is compatible with other standards such as ISO 27002 and COBIT.

SWIFT Customer Security Programme (CSP)

The Customer Security Programme (CSP) is a cybersecurity framework issued by the organization SWIFT.

CSP is designed specifically for financial institutions that use the SWIFT network for interbank communication and financial transactions.

One of its key components is the Customer Security Controls Framework (CSCF).


CSA Cloud Controls Matrix (CCM)

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is developed by the Cloud Security Alliance (CSA).


Architectural Approaches

There are several security architecture frameworks, which are described in this post.

Some of the most popular architectural approaches are:

  • Zachman Framework

COBIT considers itself to be an Information Security Framework as well as an Enterprise Security Framework.
