24 Great Cybersecurity Frameworks
v1.0, 11.12.2023, Andrey Prozorov
[Link]/AndreyProzorov
Agenda

1. ISO 27001 (ISMS)
2. ISO 27002 (IS Controls)
3. Standard of Good Practice for Information Security (ISF SoGP)
4. NIST Cybersecurity Framework (CSF)
5. NIST SP 800-53 (Security and Privacy Controls)
6. CIS Critical Security Controls
7. PCI DSS
8. Katakri (Information Security Audit Tool for Authorities)
9. COBIT Focus Area: Information Security
10. Information Security Manual (ISM)
11. New Zealand Information Security Manual (NZISM)
12. Essential Cybersecurity Controls (ECC)
13. SAMA Cyber Security Framework
14. Cyber Essentials (UK)
15. IT-Grundschutz
16. CSA Cloud Controls Matrix (CCM)
17. State of the art (TeleTrusT)
18. Cybersecurity Capability Maturity Model (C2M2)
19. CyberFundamentals Framework
20. ETSI Cybersecurity Standards
21. HITRUST CSF
22. Open Information Security Management Maturity Model (O-ISM3)
23. Secure Controls Framework (SCF)
24. IEC 62443-2-1 (IACS Security Program)

Other: The Cyber Security Body Of Knowledge (CyBOK)
[Link]/posts/isms-family-of-90663913

1. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements

ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines the requirements an ISMS must meet.

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.

Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.

Organisation: International Organization for Standardization (ISO)
Price: CHF 124 ($140)
2. ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection - Information security controls

ISO/IEC 27002 is an international standard that provides guidance for organizations looking to establish, implement and improve an Information Security Management System (ISMS) focused on cybersecurity. While ISO/IEC 27001 outlines the requirements for an ISMS, ISO/IEC 27002 offers best practices and control objectives related to key cybersecurity aspects, including access control, cryptography, human resource security and incident response.

The standard serves as a practical blueprint for organizations aiming to effectively safeguard their information assets against cyber threats. By following the ISO/IEC 27002 guidelines, companies can take a proactive approach to cybersecurity risk management and protect critical information from unauthorized access and loss.

Organisation: International Organization for Standardization (ISO)
Price: CHF 208 ($240)
3. Standard of Good Practice for Information Security (SOGP), 2022

The most up-to-date, comprehensive and globally adopted security framework.

Exclusive to ISF Members, the SOGP presents business-oriented information security topics with practical and trusted guidance. The SOGP helps organisations deliver up-to-date good practice that can be integrated into their business processes, information security programme and policy, risk management and compliance arrangements.

Designed for risk management specialists, information security managers and security practitioners, the SOGP helps organisations:
• Be agile when exploiting new opportunities whilst managing the associated risk
• Respond to rapidly evolving threats, avoiding costly incidents, operational impacts and reputational damage
• Identify and meet regulatory and compliance requirements

Organisation: Information Security Forum (ISF)
Price: For members only

Related Tools:
• Information Risk Assessment Methodology 2 (IRAM2)
• Supply Chain Assurance Framework (SCAF)
• Supplier Security Evaluation (SSE)
• The Benchmark
4. NIST Cybersecurity Framework (CSF)
v1.1, April 2018 (a CSF 2.0 draft has also been published)

The NIST Cybersecurity Framework can help an organization begin or improve its cybersecurity program.

Built on practices that are known to be effective, it can help organizations improve their cybersecurity posture. It fosters communication among both internal and external stakeholders about cybersecurity and, for larger organizations, helps to better integrate and align cybersecurity risk management with broader enterprise risk management processes as described in the NISTIR 8286 series.

The Framework is organized by five key Functions: Identify, Protect, Detect, Respond, Recover. These five widely understood terms, when considered together, provide a comprehensive view of the lifecycle for managing cybersecurity risk over time.

Organisation: National Institute of Standards and Technology (NIST)
Price: Free

[Link]/posts/nist-framework-1-87424608
5. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
September 2020 (includes updates as of Dec. 10, 2020)

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

The controls are flexible and customizable and are implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls).

Organisation: National Institute of Standards and Technology (NIST)
Price: Free
6. CIS Critical Security Controls (CIS Controls)
v8, May 2021

The CIS Critical Security Controls (CIS Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a "must-do, do-first" starting point for every enterprise seeking to improve its cyber defense.

Prioritization is a key benefit of the CIS Controls. They were designed to help organizations rapidly define the starting point for their defenses, direct their scarce resources to actions with immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission.

Organisation: Center for Internet Security (CIS)
Price: Free
7. Payment Card Industry Data Security Standard (PCI DSS)
v4.0, March 2022

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.

Organisation: PCI Security Standards Council (PCI SSC)
Price: Free
8. Information security auditing tool for authorities – Katakri, 2020

Katakri is the authorities' auditing tool, which an authority can use in assessing a target organisation's ability to protect an authority's classified information.

Katakri can be used as an auditing tool when assessing a company's security arrangements in the facility security clearance process and in evaluations of the security of the authorities' information systems. It can also be used to help companies, organisations and the authorities in other security work and its development.

Katakri is used with the aim of ensuring that the target organisation has adequate security arrangements to prevent the disclosure of an authority's classified information in all of the environments where the information is handled.

Organisation: National Security Authority of Finland
Price: Free
9. COBIT Focus Area: Information Security, 2020

The publication provides guidance related to information security and how to apply COBIT to specific information security topics and practices within an enterprise. The publication is based on the COBIT core guidance for governance and management objectives, and enhances the core guidance by highlighting security-specific practices and activities as well as providing information security-specific metrics.

Key publication details include:
• Provides a contemporary view on information security governance and management
• Clarifies the roles of governance and management and shows how they relate to each other in the context of information security
• Provides a clear end-to-end view of the distinction, within the enterprise and during all process steps, between information security governance and information security management practices
• Provides comprehensive and holistic guidance on information security, covering not only processes but all components of an enterprise, including organizational structure, skills, policies, etc.
• Additional information security-specific activities, metrics and information flows

Organisation: ISACA
Price: $50 (for members) / $90
10. Information Security Manual (ISM)
Published: 1 December 2023

The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using its risk management framework, to protect its systems and data from cyber threats.

The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals and information technology managers.

Organisation: Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC)
Price: Free
11. New Zealand Information Security Manual (NZISM)
Version 3.6, September 2022

The New Zealand Information Security Manual (NZISM) is the New Zealand Government's manual on information assurance and information systems security.

The NZISM is a practitioner's manual designed to meet the needs of agency information security executives as well as vendors, contractors and consultants who provide services to agencies.

Organisation: New Zealand Government
Price: Free
12. Essential Cybersecurity Controls (ECC – 1: 2018)

The Essential Cybersecurity Controls were developed to set the minimum cybersecurity requirements, based on best practices and standards, to minimize the cybersecurity risks to the information and technical assets of organizations that originate from internal and external threats. The Essential Cybersecurity Controls consist of 114 main controls, divided into five main domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-party and Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity.

The Essential Cybersecurity Controls are mandatory: all organizations within the scope of these controls must implement whatever is necessary to ensure continuous compliance with the controls.

Organisation: National Cybersecurity Authority, Saudi Arabia
Price: Free
13. SAMA Cyber Security Framework
v1.0, May 2017

The Framework was issued to support SAMA-regulated entities in their efforts to have appropriate cyber security governance and to build a robust infrastructure along with the necessary detective and preventive controls. The Framework articulates appropriate controls and provides guidance on how to assess maturity level.

The adoption and implementation of the Framework is a vital step for ensuring that the Saudi Arabian Banking, Insurance and Financing Companies sectors can manage and withstand cyber security threats.

Organisation: Saudi Arabian Monetary Authority (SAMA)
Price: Free
14. Cyber Essentials: Requirements for IT infrastructure
v3.1, April 2023

Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security.

Cyber Essentials is an effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.

There are two levels of certification:
• Cyber Essentials (self-assessment)
• Cyber Essentials Plus (+ technical verification)

Organisation: National Cyber Security Centre, UK
Price: Free
15. IT-Grundschutz. A systematic basis for information security
v1.0, 2017

As a sound and sustainable methodology for information security management systems (ISMS), IT-Grundschutz covers technical, organisational, infrastructural and personnel aspects in equal measure. With its broad foundation, IT-Grundschutz offers a systematic approach to information security that is compatible with ISO/IEC 27001.

With the BSI Standards, IT-Grundschutz offers essential publications for all kinds of institutions that want to set up an ISMS:
• BSI Standard 200-1 defines the general requirements for an ISMS
• BSI Standard 200-2 explains how an ISMS can be built based on one of three different approaches
• BSI Standard 200-3 contains all risk-related tasks
• BSI Standard 200-4 covers Business Continuity Management (BCM)
• Guide to Basic Protection based on IT-Grundschutz

Organisation: Federal Office for Information Security (BSI), Germany
Price: Free
16. CSA Cloud Controls Matrix (CCM)
v4, released 07.06.2021

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.

It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance.

Organisation: Cloud Security Alliance (CSA)
Price: Free
17. IT Security Act (Germany) and EU General Data Protection Regulation: Guideline "State of the art", Technical and organisational measures (TOMs), 2023

When the German IT Security Act came into effect in July 2015, the IT Security Association Germany (TeleTrusT) launched the Task Force "State of the art" to provide interested parties with recommended actions and guidelines on the "state of the art" required for technical and organisational measures.

These guidelines are considered a starting point for determining statutory IT security measures that correspond to the state of the art. They are not a replacement for technical, organisational or legal advice or assessment in individual cases.

Organisation: TeleTrusT + ENISA
Price: Free
18. Cybersecurity Capability Maturity Model (C2M2)
v2.1, June 2022

The Cybersecurity Capability Maturity Model (C2M2) is a free tool to help organizations evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments.

While the U.S. energy industry led development of the C2M2 and championed its adoption, any organization, regardless of size, type, or industry, can use the model to evaluate, prioritize, and improve its cybersecurity capabilities.

Organisation: Office of Cybersecurity, Energy Security, and Emergency Response (CESER), U.S. Department of Energy
Price: Free
19. CyberFundamentals Framework
01.03.2023

The CyberFundamentals Framework is a set of concrete measures to:
• protect data,
• significantly reduce the risk of the most common cyber-attacks,
• increase an organisation's cyber resilience.

The framework is based on and linked with 4 commonly used cybersecurity frameworks: NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443.

To respond to the severity of the threat an organisation is exposed to, 3 assurance levels are provided in addition to the starting level Small: Basic, Important and Essential.

Organisation: Centre for Cybersecurity Belgium (CCB)
Price: Free
20. Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls
v4.1.2, April 2022

The present document captures and describes the prioritized set of actions that collectively form a defence-in-depth set of best practices that mitigate the most common attacks against systems and networks. These actions are specified by ETSI in the present document as the Critical Security Controls (CSCs), which are developed and maintained by the Center for Internet Security (CIS) as an independent, expert, global non-profit organization.

Organisation: ETSI
Price: Free
21. HITRUST Common Security Framework (CSF)
v11.2.0, October 10, 2023

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks – including ISO, NIST, PCI, HIPAA, and GDPR – to ensure a comprehensive set of security and privacy controls.

HITRUST continually incorporates additional authoritative sources as they are released and accepted in industry and global sectors. The HITRUST CSF standardizes these requirements across authoritative sources to provide clarity and consistency and reduce the burden of compliance.

The commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new security and privacy regulations and risks are introduced.

Organisation: HITRUST
Price: Free
22. Open Information Security Management Maturity Model (O-ISM3), v2.0, 2017

O-ISM3 is The Open Group framework for managing information security and, more broadly, for managing information in the wider context. It aims to ensure that security processes in any organization are implemented so as to operate at a level consistent with that organization's business requirements.

O-ISM3 is technology-neutral. It defines a comprehensive but manageable number of information security processes sufficient for the needs of most organizations, with the relevant security control(s) being identified within each process as an essential subset of that process. In this respect, it is fully compatible with the well-established ISO/IEC 27000:2009, COBIT® and ITIL® standards in this field. Additionally, as well as complementing the TOGAF® framework for Enterprise Architecture, O-ISM3 defines operational metrics and their allowable variances.

Organisation: The Open Group
Price: Free
23. Secure Controls Framework (SCF), 2023.2

The SCF focuses on internal controls. These are the cybersecurity and data privacy-related policies, standards, procedures, technologies and associated processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.

The concept is to address the broader People, Processes, Technology and Data (PPTD) that controls fundamentally exist to govern. Using the SCF should be viewed as a long-term tool, not only to help with compliance-related efforts but to ensure that cybersecurity and data privacy principles are properly designed, implemented and maintained.

The SCF helps implement a holistic approach to protecting the Confidentiality, Integrity, Availability and Safety (CIAS) of your data, systems, applications and other processes. The SCF can be used to assist with everything from strategic planning down to tactical needs that impact the people, processes and technologies directly affecting your organization.

Organisation: SCF Council
Price: Free
24. IEC 62443-2-1:2010 Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program

IEC 62443-2-1:2010 defines the elements necessary to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. This standard uses the broad definition and scope of what constitutes an IACS described in IEC/TS 62443-1-1.

The elements of a CSMS described in this standard are mostly policy, procedure, practice and personnel related, describing what shall or should be included in the final CSMS for the organization.

Organisation: International Electrotechnical Commission (IEC)
Price: CHF 380
Links

1. ISO 27001 - [Link]/standard/270012
2. ISO 27002 - [Link]/standard/[Link]
3. ISF SoGP - [Link]/solutions-and-insights/standard-of-good-practice-for-information-security
4. NIST CSF - [Link]/cyberframework/framework
5. NIST SP 800-53 - [Link]/pubs/sp/800/53/r5/upd1/final
6. CIS Controls - [Link]/controls
7. PCI DSS - [Link]/document_library
8. Katakri - [Link]/information-security-auditing-tool-for-authorities-katakri
9. COBIT Focus Area: Information Security - [Link]/s/store#/store/browse/detail/a2S4w000004Ko9hEAC10
10. Information Security Manual (ISM) - [Link]/resources-business-and-government/essential-cyber-security/ism
11. New Zealand Information Security Manual (NZISM) - [Link]
12. Essential Cybersecurity Controls (ECC) - [Link]/en/legislation
13. SAMA Cyber Security Framework - [Link]/en-us/rulesinstructions/pages/[Link]
14. Cyber Essentials - [Link]/cyberessentials
15. IT-Grundschutz - [Link]/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/it-grundschutz_node.html
16. CSA Cloud Controls Matrix (CCM) - [Link]/research/cloud-controls-matrix
17. State of the art - [Link]/en/publikationen/broschueren/state-of-the-art-in-it-security
18. C2M2 - [Link]/ceser/cybersecurity-capability-maturity-model-c2m2
19. CyberFundamentals Framework - [Link]/tools-resources/cyberfundamentals-framework
20. ETSI Standards - [Link]/standards-search
21. HITRUST CSF - [Link]/product-tool/hitrust-csf
22. O-ISM3 - [Link]/c17b
23. Secure Controls Framework (SCF) - [Link]
24. IEC 62443-2-1 - [Link]/publication/7030
[Link]

Other

1. NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations - [Link]
2. MITRE ATT&CK - [Link]
3. SOC 2 (for service organisations) - [Link]smanagement
4. Essential Eight (Australia) - [Link]/resources-business-and-government/essential-cyber-security/essential-eight
5. NCSC Cyber Security Framework - [Link]framework
6. Cybersecurity Maturity Model Certification (CMMC) - [Link]
7. Cyber Assessment Framework (CAF) by NCSC - [Link]assessment-framework
8. National Capabilities Assessment Framework (NCAF) by ENISA - [Link]
Thanks, and good luck!

[Link]/in/andreyprozorov
[Link]/AndreyProzorov

Related presentations
[Link]/posts/my-presentation-88795477
[Link]/posts/12-best-privacy-89048414