Opening Framing
Security frameworks provide structured approaches to building and measuring security programs. Rather than inventing security from scratch, organizations leverage frameworks that encode decades of collective wisdom about what controls matter and how to organize security efforts. Frameworks also create common language—when a customer asks "Are you SOC 2 compliant?" they're asking about a specific, well-defined set of criteria that both parties understand.
However, frameworks are tools, not goals. Checking boxes without understanding why leads to "compliant but not secure" situations. The best security programs use frameworks as foundations while adapting to their specific risks and business context. They also recognize that multiple frameworks often apply, requiring intelligent mapping and integration rather than duplicative efforts.
This week covers major security frameworks including SOC 2, ISO 27001, NIST Cybersecurity Framework, and CIS Controls. You'll learn their purposes, structures, and how to select and map frameworks for your organization's needs.
Key insight: The best framework is the one your organization will actually implement consistently.
1) Framework Landscape
Understanding the different types and purposes of frameworks helps in selection:
Framework Categories:
FRAMEWORK TYPES:
┌─────────────────────────────────────────────────────────────┐
│ CONTROL FRAMEWORKS: │
│ Define what security controls to implement │
│ - NIST SP 800-53 (comprehensive control catalog) │
│ - CIS Controls (prioritized, actionable) │
│ - ISO 27001 Annex A (high-level control objectives) │
│ │
│ PROGRAM FRAMEWORKS: │
│ Define how to organize security programs │
│ - NIST Cybersecurity Framework (identify-protect-detect- │
│ respond-recover structure) │
│ - ISO 27001 (management system approach) │
│ - COBIT (IT governance) │
│ │
│ RISK FRAMEWORKS: │
│ Define how to assess and manage risk │
│ - NIST RMF (federal risk management) │
│ - ISO 27005 (information security risk) │
│ - FAIR (risk quantification) │
│ │
│ ATTESTATION/AUDIT FRAMEWORKS: │
│ Define what auditors examine │
│ - SOC 2 (service organization controls) │
│ - ISO 27001 (certification audit) │
│ - PCI DSS (payment card industry) │
└─────────────────────────────────────────────────────────────┘
FRAMEWORK SELECTION FACTORS:
┌─────────────────────────────────────────────────────────────┐
│ Customer/Market Requirements: │
│ - What do customers ask for? (SOC 2, ISO 27001) │
│ - What does your market expect? │
│ - Competitive differentiation needs │
│ │
│ Regulatory Requirements: │
│ - Industry-specific mandates (PCI, HIPAA, etc.) │
│ - Geographic requirements (GDPR, etc.) │
│ - Government contracts (FedRAMP, CMMC) │
│ │
│ Organizational Factors: │
│ - Current maturity level │
│ - Available resources │
│ - Existing frameworks in use │
│ - Internal expertise │
│ │
│ Framework Characteristics: │
│ - Prescriptive vs. flexible │
│ - Cost of implementation and certification │
│ - Maintenance requirements │
│ - Recognition in your industry │
└─────────────────────────────────────────────────────────────┘
Common Framework Comparison:
Framework Comparison Matrix:
┌────────────┬────────────┬────────────┬────────────┬────────────┐
│ │ SOC 2 │ ISO 27001 │ NIST CSF │ CIS Controls│
├────────────┼────────────┼────────────┼────────────┼────────────┤
│ Type │ Attestation│ Certifica- │ Program │ Control │
│ │ │ tion │ framework │ framework │
├────────────┼────────────┼────────────┼────────────┼────────────┤
│ Origin │ AICPA (US) │ ISO (Intl) │ NIST (US) │ CIS (US) │
├────────────┼────────────┼────────────┼────────────┼────────────┤
│ Focus │ Service │ Management │ Risk-based │ Technical │
│ │ providers │ system │ security │ controls │
├────────────┼────────────┼────────────┼────────────┼────────────┤
│ Output │ SOC report │ Certificate│ Self-assess│ Self-assess│
│ │ (Type I/II)│ (3 years) │ or audit │ or audit │
├────────────┼────────────┼────────────┼────────────┼────────────┤
│ Cost │ $30-150K │ $50-200K │ Free │ Free │
│ (initial) │ for audit │ for cert │ framework │ framework │
├────────────┼────────────┼────────────┼────────────┼────────────┤
│ Best For │ B2B SaaS, │ Global │ All orgs, │ All orgs, │
│ │ US market │ companies │ especially │ tactical │
│ │ │ │ critical │ focus │
│ │ │ │ infra │ │
├────────────┼────────────┼────────────┼────────────┼────────────┤
│ Renewals │ Annual │ Annual │ Continuous │ Continuous │
│ │ audit │ surveillance│ │ │
└────────────┴────────────┴────────────┴────────────┴────────────┘
Key insight: Most organizations need multiple frameworks— one for customers (SOC 2/ISO), one for program structure (NIST CSF), and one for technical controls (CIS).
2) SOC 2
SOC 2 is the dominant compliance framework for B2B technology companies, especially SaaS providers:
SOC 2 Overview:
WHAT IS SOC 2:
┌─────────────────────────────────────────────────────────────┐
│ - Developed by AICPA (American Institute of CPAs) │
│ - Attestation report by licensed CPA firm │
│ - Evaluates controls at service organizations │
│ - Based on Trust Services Criteria │
│ - Primarily US-focused but globally recognized │
│ │
│ Purpose: Provide assurance to customers that their data │
│ is protected when using your services │
└─────────────────────────────────────────────────────────────┘
TRUST SERVICES CRITERIA (TSC):
┌─────────────────────────────────────────────────────────────┐
│ │
│ SECURITY (Required - "Common Criteria") │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Protection against unauthorized access │ │
│ │ - CC1: Control environment │ │
│ │ - CC2: Communication and information │ │
│ │ - CC3: Risk assessment │ │
│ │ - CC4: Monitoring activities │ │
│ │ - CC5: Control activities │ │
│ │ - CC6: Logical and physical access │ │
│ │ - CC7: System operations │ │
│ │ - CC8: Change management │ │
│ │ - CC9: Risk mitigation │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ AVAILABILITY (Optional) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ System is available for operation as committed │ │
│ │ - A1: Meet objectives related to availability │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ PROCESSING INTEGRITY (Optional) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ System processing is complete, accurate, timely │ │
│ │ - PI1: Meet objectives related to processing integrity │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ CONFIDENTIALITY (Optional) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Confidential information is protected as committed │ │
│ │ - C1: Meet objectives related to confidentiality │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ PRIVACY (Optional) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Personal information is collected, used, retained, │ │
│ │ disclosed, disposed as committed │ │
│ │ - P1-P8: Various privacy criteria │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
SOC 2 REPORT TYPES:
┌─────────────────────────────────────────────────────────────┐
│ TYPE I: │
│ - Point-in-time assessment │
│ - Controls designed appropriately (as of date X) │
│ - No testing of operating effectiveness │
│ - Faster to achieve (typically 2-3 months) │
│ - Less assurance value │
│ - Good for: Initial compliance, bridge to Type II │
│ │
│ TYPE II: │
│ - Period-of-time assessment (first report often 3 months; │
│ 6-12 months typical thereafter) │
│ - Controls designed AND operating effectively │
│ - Evidence of control operation over the period │
│ - Higher assurance value │
│ - Required by most sophisticated customers │
│ - Good for: Ongoing compliance demonstration │
└─────────────────────────────────────────────────────────────┘
SOC 2 Implementation:
SOC 2 Implementation Process:
PHASE 1: READINESS (2-4 months)
┌─────────────────────────────────────────────────────────────┐
│ 1. Scope Definition │
│ - Define system boundaries │
│ - Select Trust Services Criteria │
│ - Identify in-scope systems and processes │
│ │
│ 2. Gap Assessment │
│ - Map current controls to criteria │
│ - Identify missing controls │
│ - Prioritize remediation │
│ │
│ 3. Remediation │
│ - Implement missing controls │
│ - Document policies and procedures │
│ - Train personnel │
│ │
│ 4. Readiness Assessment (optional) │
│ - Pre-audit by CPA firm │
│ - Identify issues before formal audit │
└─────────────────────────────────────────────────────────────┘
PHASE 2: TYPE I AUDIT (1-2 months)
┌─────────────────────────────────────────────────────────────┐
│ 1. Auditor Selection │
│ - Choose licensed CPA firm │
│ - Negotiate scope and fees │
│ │
│ 2. Evidence Collection │
│ - Provide documentation │
│ - Demonstrate control design │
│ │
│ 3. Testing │
│ - Auditor reviews control design │
│ - Walkthroughs of key processes │
│ │
│ 4. Report Issuance │
│ - Draft report review │
│ - Final SOC 2 Type I report │
└─────────────────────────────────────────────────────────────┘
PHASE 3: TYPE II AUDIT (6-12 month period + 1-2 months audit)
┌─────────────────────────────────────────────────────────────┐
│ 1. Audit Period │
│ - Operate controls for 6-12 months │
│ - Collect evidence throughout period │
│ - Address any issues that arise │
│ │
│ 2. Evidence Collection │
│ - Complete populations (e.g., every termination, every │
│ production change in the period) from which the auditor │
│ draws samples; an incomplete population is itself a finding │
│ - System-generated evidence (logs, configs) │
│ - Process documentation │
│ │
│ 3. Testing │
│ - Sample testing of control operation │
│ - Inquiry, observation, inspection, re-performance │
│ │
│ 4. Report Issuance │
│ - Findings and exceptions documented │
│ - Final SOC 2 Type II report │
└─────────────────────────────────────────────────────────────┘
COMMON SOC 2 CONTROLS:
┌─────────────────────────────────────────────────────────────┐
│ Access Control: │
│ - User access provisioning/deprovisioning │
│ - Access reviews (quarterly) │
│ - MFA for remote access │
│ - Privileged access management │
│ │
│ Change Management: │
│ - Change request and approval process │
│ - Testing before production │
│ - Segregation of duties │
│ - Emergency change procedures │
│ │
│ Monitoring: │
│ - Security event logging │
│ - Log review procedures │
│ - Alerting for security events │
│ - Incident response │
│ │
│ Risk Management: │
│ - Annual risk assessment │
│ - Vendor risk management │
│ - Vulnerability management │
└─────────────────────────────────────────────────────────────┘
Key insight: SOC 2 is about demonstrating your controls work, not just that they exist. Type II proves ongoing operation.
3) ISO 27001
ISO 27001 is the international standard for information security management systems:
ISO 27001 Overview:
WHAT IS ISO 27001:
┌─────────────────────────────────────────────────────────────┐
│ - International standard from ISO/IEC │
│ - Specifies requirements for an ISMS │
│ - Certification by accredited certification body │
│ - Risk-based approach to security │
│ - Globally recognized │
│ │
│ ISMS = Information Security Management System │
│ A systematic approach to managing sensitive information │
└─────────────────────────────────────────────────────────────┘
ISO 27001 STRUCTURE:
┌─────────────────────────────────────────────────────────────┐
│ │
│ MAIN BODY (Clauses 4-10): Management System Requirements │
│ │
│ Clause 4: Context of the Organization │
│ - Understanding organization and context │
│ - Understanding needs of interested parties │
│ - Determining scope of the ISMS │
│ │
│ Clause 5: Leadership │
│ - Leadership commitment │
│ - Policy │
│ - Roles, responsibilities, authorities │
│ │
│ Clause 6: Planning │
│ - Actions to address risks and opportunities │
│ - Information security objectives │
│ - Planning of changes │
│ │
│ Clause 7: Support │
│ - Resources │
│ - Competence │
│ - Awareness │
│ - Communication │
│ - Documented information │
│ │
│ Clause 8: Operation │
│ - Operational planning and control │
│ - Information security risk assessment │
│ - Information security risk treatment │
│ │
│ Clause 9: Performance Evaluation │
│ - Monitoring, measurement, analysis, evaluation │
│ - Internal audit │
│ - Management review │
│ │
│ Clause 10: Improvement │
│ - Nonconformity and corrective action │
│ - Continual improvement │
│ │
└─────────────────────────────────────────────────────────────┘
ANNEX A: REFERENCE CONTROLS (ISO/IEC 27001:2022: 93 controls in 4 themes; the 2013 edition had 114 controls in 14 domains, and older SoAs and crosswalks still use that numbering)
┌─────────────────────────────────────────────────────────────┐
│ A.5 Organizational Controls (37 controls) │
│ - Policies, roles, asset management, access control │
│ - Supplier relationships, incident management │
│ - Business continuity, compliance │
│ │
│ A.6 People Controls (8 controls) │
│ - Screening, terms of employment, awareness │
│ - Disciplinary process, responsibilities after termination │
│ │
│ A.7 Physical Controls (14 controls) │
│ - Physical security perimeters, entry controls │
│ - Securing offices, equipment security │
│ │
│ A.8 Technological Controls (34 controls) │
│ - User devices, privileged access, access restriction │
│ - Authentication, capacity, malware protection │
│ - Vulnerability management, logging, network security │
│ - Cryptography, secure development, testing │
└─────────────────────────────────────────────────────────────┘
ISO 27001 Certification:
ISO 27001 Certification Process:
IMPLEMENTATION PHASES:
┌─────────────────────────────────────────────────────────────┐
│ Phase 1: Initiation (1-2 months) │
│ - Management commitment │
│ - Define scope │
│ - Appoint ISMS manager/team │
│ - Initial gap analysis │
│ │
│ Phase 2: Risk Assessment (2-3 months) │
│ - Asset identification │
│ - Threat and vulnerability assessment │
│ - Risk analysis and evaluation │
│ - Risk treatment plan │
│ │
│ Phase 3: Control Implementation (3-6 months) │
│ - Determine controls from the risk treatment plan, then │
│ compare against Annex A so nothing necessary is omitted │
│ (clause 6.1.3) │
│ - Implement policies and procedures │
│ - Technical control implementation │
│ - Training and awareness │
│ │
│ Phase 4: Documentation (ongoing) │
│ - Information security policy │
│ - Statement of Applicability (SoA) │
│ - Risk assessment report │
│ - Risk treatment plan │
│ - Procedures and work instructions │
│ │
│ Phase 5: Internal Audit & Management Review (1-2 months) │
│ - Conduct internal audit │
│ - Address nonconformities │
│ - Management review meeting │
│ - Readiness determination │
└─────────────────────────────────────────────────────────────┘
CERTIFICATION AUDIT:
┌─────────────────────────────────────────────────────────────┐
│ Stage 1 Audit (Documentation Review): │
│ - Review ISMS documentation │
│ - Verify scope appropriateness │
│ - Identify potential issues │
│ - Plan Stage 2 audit │
│ - Typically 1-2 days onsite │
│ │
│ Stage 2 Audit (Implementation Audit): │
│ - Verify controls are implemented │
│ - Evidence collection and testing │
│ - Interview personnel │
│ - Observe processes │
│ - Typically 3-5 days onsite (depends on scope) │
│ │
│ Findings: │
│ - Major nonconformity: Must fix before certification │
│ - Minor nonconformity: Must have plan, fix within timeline │
│ - Opportunity for improvement: Recommendations │
│ │
│ Certificate issued once major nonconformities are closed; │
│ minors need an accepted corrective action plan │
└─────────────────────────────────────────────────────────────┘
MAINTENANCE:
┌─────────────────────────────────────────────────────────────┐
│ Year 1: Certification (Stage 1 + Stage 2); certificate │
│ valid for 3 years │
│ Year 2: Surveillance audit (subset of controls) │
│ Year 3: Surveillance audit │
│ Before expiry: Recertification audit (full scope) │
│ │
│ Ongoing: │
│ - Internal audits (at least annual) │
│ - Management reviews │
│ - Continuous improvement │
│ - Maintain documentation │
└─────────────────────────────────────────────────────────────┘
STATEMENT OF APPLICABILITY (SoA):
┌─────────────────────────────────────────────────────────────┐
│ Key document that lists: │
│ - All 93 Annex A controls │
│ - Whether each is applicable (Yes/No) │
│ - Justification for every inclusion and every exclusion │
│ - Implementation status │
│ - Reference to implementing policy/procedure │
│ │
│ Example: │
│ ┌───────────┬──────────┬─────────────────────────────────┐ │
│ │ Control │Applicable│ Justification / Implementation │ │
│ ├───────────┼──────────┼─────────────────────────────────┤ │
│ │ A.5.1 │ Yes │ Information Security Policy doc │ │
│ │ A.8.5 │ Yes │ Authentication Policy, MFA impl │ │
│ │ A.8.30 │ No │ No outsourced development │ │
│ └───────────┴──────────┴─────────────────────────────────┘ │
│ │
│ Caveat: exclusions get challenged at Stage 1. Being cloud │
│ hosted does not make the physical controls (A.7.x) not │
│ applicable: offices, laptops and the provider's data │
│ centre (covered via the provider's own audit report) stay │
│ in scope. │
└─────────────────────────────────────────────────────────────┘
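The checks an auditor applies to an SoA are mechanical enough to script. The following is an added example (not from the original page): it compares SoA decisions against the risk treatment plan and the Annex A catalogue, which is the comparison clause 6.1.3 asks for. The catalogue here is a small subset of the 93 controls (real 2022 numbering and titles; a real run would load all 93), and the risks, the SoA entries and the document references are constructed for the example.

```python
"""Added example: consistency checks on an ISO 27001 Statement of Applicability.

ANNEX_A_SUBSET uses ISO/IEC 27001:2022 control numbers and titles but is only a
subset of the 93 controls. RISK_TREATMENT and SOA are constructed sample data.
"""

ANNEX_A_SUBSET = {
    "A.5.1": "Policies for information security",
    "A.5.7": "Threat intelligence",
    "A.6.1": "Screening",
    "A.7.2": "Physical entry",
    "A.8.5": "Secure authentication",
    "A.8.11": "Data masking",
    "A.8.30": "Outsourced development",
}

# Constructed risk treatment plan: risk -> Annex A controls chosen to treat it.
RISK_TREATMENT = {
    "R-01 credential stuffing against customer portal": ["A.8.5"],
    "R-02 tailgating into the office":                   ["A.7.2"],
    "R-03 support staff viewing full customer records":  ["A.8.11"],
}

# Constructed SoA decisions. A.8.30 is deliberately missing from the SoA.
SOA = {
    "A.5.1":  {"applicable": True,  "justification": "",
               "reference": "ISP-001 Information Security Policy"},
    "A.5.7":  {"applicable": True,  "justification": "", "reference": ""},
    "A.6.1":  {"applicable": True,  "justification": "",
               "reference": "HR-003 Pre-employment screening"},
    "A.7.2":  {"applicable": False, "justification": "Cloud hosted, no data centre",
               "reference": ""},
    "A.8.5":  {"applicable": True,  "justification": "",
               "reference": "IAM-002 Authentication standard (MFA)"},
    "A.8.11": {"applicable": False, "justification": "", "reference": ""},
}


def controls_selected_by_risk(risk_treatment):
    """Invert the treatment plan: control -> risks that rely on it."""
    selected = {}
    for risk, controls in risk_treatment.items():
        for c in controls:
            selected.setdefault(c, []).append(risk)
    return selected


def review_soa(catalogue, soa, risk_treatment):
    """Return {control: [findings]} for everything a Stage 1 auditor would raise."""
    selected = controls_selected_by_risk(risk_treatment)
    findings = {}

    def add(control, text):
        findings.setdefault(control, []).append(text)

    for control, title in catalogue.items():
        entry = soa.get(control)
        if entry is None:
            add(control, f"missing from SoA ({title}); every Annex A control must be listed")
            continue
        if not entry["applicable"]:
            if control in selected:
                # The risk assessment says this control is needed; the SoA says it is not.
                add(control, f"marked not applicable but chosen to treat {selected[control]}")
            if not entry["justification"].strip():
                add(control, "excluded without justification")
        elif not entry["reference"].strip():
            add(control, "applicable but no implementing policy/procedure referenced")
    for control in soa:
        if control not in catalogue:
            add(control, "not an Annex A control in this catalogue (check numbering/edition)")
    return findings


if __name__ == "__main__":
    for control, items in sorted(review_soa(ANNEX_A_SUBSET, SOA, RISK_TREATMENT).items()):
        for item in items:
            print(f"{control:<7} {item}")
```

The A.7.2 row reproduces the trap described above: "we are in the cloud" was written as the justification, yet the organisation's own risk register treats tailgating with that very control, so the exclusion contradicts the risk assessment and the script flags it.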
Key insight: ISO 27001 is a management system standard—it's about having processes for security, not just technical controls.
4) NIST Cybersecurity Framework
The NIST CSF provides a flexible, risk-based approach to organizing security programs:
NIST CSF Overview:
WHAT IS NIST CSF:
┌─────────────────────────────────────────────────────────────┐
│ - Developed by NIST (National Institute of Standards and │
│ Technology, US Department of Commerce) │
│ - Voluntary framework (no certification) │
│ - Risk-based, outcome-focused │
│ - Widely adopted across industries │
│ - Free and publicly available │
│ - Recently updated to version 2.0 (2024) │
│ │
│ Purpose: Help organizations manage and reduce cyber risk │
│ through a common language and systematic approach │
└─────────────────────────────────────────────────────────────┘
CSF 2.0 CORE FUNCTIONS:
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌──────────┐ │
│ │ GOVERN │ │
│ └────┬─────┘ │
│ │ │
│ ┌──────────────────────┼──────────────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌────────┐ ┌──────────┐ ┌─────────┐ │
│ │IDENTIFY│─────────►│ PROTECT │─────────►│ DETECT │ │
│ └────────┘ └──────────┘ └────┬────┘ │
│ │ │
│ ┌──────────┴─────────┐ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────┐ ┌────────┐│
│ │ RESPOND │─────────►│RECOVER ││
│ └─────────┘ └────────┘│
│ │
└─────────────────────────────────────────────────────────────┘
FUNCTION DETAILS:
┌─────────────────────────────────────────────────────────────┐
│ GOVERN (New in 2.0): │
│ Establish and monitor cybersecurity risk management │
│ - Organizational context │
│ - Risk management strategy │
│ - Roles, responsibilities, authorities │
│ - Policy │
│ - Oversight │
│ - Cybersecurity supply chain risk management │
│ │
│ IDENTIFY: │
│ Understand assets and risks │
│ - Asset management │
│ - Risk assessment │
│ - Improvement │
│ │
│ PROTECT: │
│ Implement safeguards │
│ - Identity management and access control │
│ - Awareness and training │
│ - Data security │
│ - Platform security │
│ - Technology infrastructure resilience │
│ │
│ DETECT: │
│ Identify security events │
│ - Continuous monitoring │
│ - Adverse event analysis │
│ │
│ RESPOND: │
│ Take action on detected events │
│ - Incident management │
│ - Incident analysis │
│ - Incident response reporting and communication │
│ - Incident mitigation │
│ │
│ RECOVER: │
│ Restore capabilities │
│ - Incident recovery plan execution │
│ - Incident recovery communication │
└─────────────────────────────────────────────────────────────┘
Using NIST CSF:
NIST CSF Implementation:
CSF TIERS (rigor of risk governance and management; NIST is explicit that these are not maturity levels):
┌─────────────────────────────────────────────────────────────┐
│ Tier 1: Partial │
│ - Ad hoc, reactive │
│ - Limited awareness of cyber risk │
│ - Irregular risk management │
│ │
│ Tier 2: Risk Informed │
│ - Risk awareness but not organization-wide │
│ - Some processes established │
│ - Informal information sharing │
│ │
│ Tier 3: Repeatable │
│ - Formal policies and procedures │
│ - Organization-wide approach │
│ - Regular updates based on changes │
│ │
│ Tier 4: Adaptive │
│ - Continuous improvement culture │
│ - Proactive, predictive capabilities │
│ - Active information sharing │
│ │
│ Note: Tiers describe HOW you govern and manage risk, not │
│ how much security you have. NIST does not call them │
│ maturity levels; moving up a Tier is recommended only when │
│ the risk reduction justifies the cost. │
└─────────────────────────────────────────────────────────────┘
CREATING A PROFILE:
┌─────────────────────────────────────────────────────────────┐
│ Current Profile: Where you are today │
│ - Assess current state against CSF categories │
│ - Document existing capabilities │
│ - Assign a Tier to the organization's practices as a whole │
│ (Tiers are not per-subcategory scores) │
│ │
│ Target Profile: Where you want to be │
│ - Based on business requirements │
│ - Based on risk tolerance │
│ - Based on regulatory requirements │
│ - Based on available resources │
│ │
│ Gap Analysis: Difference between current and target │
│ - Prioritize gaps │
│ - Develop action plans │
│ - Allocate resources │
│ │
│ Implementation: Close the gaps │
│ - Execute action plans │
│ - Measure progress │
│ - Update profiles │
└─────────────────────────────────────────────────────────────┘
CSF CATEGORIES AND SUBCATEGORIES:
┌─────────────────────────────────────────────────────────────┐
│ Example: PROTECT Function │
│ │
│ Category: Identity Management and Access Control (PR.AA) │
│ ├── PR.AA-01: Identities and credentials managed │
│ ├── PR.AA-02: Identities proofed and bound to credentials │
│ ├── PR.AA-03: Users authenticated │
│ ├── PR.AA-04: Identity assertions protected and verified │
│ ├── PR.AA-05: Access permissions managed │
│ └── PR.AA-06: Physical access managed │
│ │
│ Each subcategory can be: │
│ - Mapped to informative references (controls) │
│ - Assessed for current state │
│ - Assigned target state │
│ - Tracked for improvement │
└─────────────────────────────────────────────────────────────┘
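The Current/Target Profile comparison above reduces to a small amount of arithmetic once each subcategory has a score, and it is worth seeing how the prioritization falls out. The following is an added example (not from the original page, and not a NIST tool): it scores the PR.AA subcategories listed above on a 0-4 implementation scale, weights each gap by a priority taken from the risk assessment, and rolls the scores up to the Category or Function level. The scale, the weights and the scores are assumptions constructed for the example; CSF itself defines no scoring scale, and Tiers are not per-subcategory scores.

```python
"""Added example: NIST CSF 2.0 Organizational Profile gap analysis.

Subcategory IDs and wording follow CSF 2.0 (PR.AA). The 0-4 scale, PRIORITY
weights, and the CURRENT/TARGET scores are constructed assumptions.
"""

SUBCATEGORIES = {
    "PR.AA-01": "Identities and credentials for authorized users, services, and hardware are managed",
    "PR.AA-02": "Identities are proofed and bound to credentials",
    "PR.AA-03": "Users, services, and hardware are authenticated",
    "PR.AA-04": "Identity assertions are protected, conveyed, and verified",
    "PR.AA-05": "Access permissions, entitlements, and authorizations are managed and reviewed",
    "PR.AA-06": "Physical access to assets is managed",
}

# Assumed implementation scale (not part of CSF).
SCALE = {0: "not implemented", 1: "ad hoc", 2: "partial", 3: "implemented", 4: "measured and improved"}

# Constructed Current and Target Profiles: score per subcategory.
CURRENT = {"PR.AA-01": 3, "PR.AA-02": 1, "PR.AA-03": 2, "PR.AA-04": 2, "PR.AA-05": 1, "PR.AA-06": 3}
TARGET  = {"PR.AA-01": 3, "PR.AA-02": 2, "PR.AA-03": 4, "PR.AA-04": 3, "PR.AA-05": 4, "PR.AA-06": 3}

# Constructed priority weights from the risk assessment (anything absent weighs 1).
PRIORITY = {"PR.AA-03": 3, "PR.AA-05": 3, "PR.AA-04": 2}


def validate_profile(profile, subcategories):
    """A profile must score every subcategory in scope, each on the agreed scale."""
    for sub, score in profile.items():
        if sub not in subcategories:
            raise ValueError(f"unknown subcategory {sub}")
        if score not in SCALE:
            raise ValueError(f"score {score} for {sub} is outside {sorted(SCALE)}")
    missing = set(subcategories) - set(profile)
    if missing:
        raise ValueError(f"profile missing scores for {sorted(missing)}")


def gap_analysis(current, target, priority, subcategories):
    """Rank subcategories by (target - current) x priority; closed gaps are dropped."""
    validate_profile(current, subcategories)
    validate_profile(target, subcategories)
    rows = []
    for sub in subcategories:
        gap = target[sub] - current[sub]
        if gap <= 0:
            continue  # at or above target: nothing to plan here
        weight = priority.get(sub, 1)
        rows.append({"subcategory": sub, "current": current[sub], "target": target[sub],
                     "gap": gap, "weighted": gap * weight})
    return sorted(rows, key=lambda r: (-r["weighted"], r["subcategory"]))


def rollup(profile, level=2):
    """Mean score per Function (level=2 gives "PR") or per Category (level=5 gives "PR.AA")."""
    groups = {}
    for sub, score in profile.items():
        groups.setdefault(sub[:level], []).append(score)
    return {g: round(sum(s) / len(s), 2) for g, s in groups.items()}


if __name__ == "__main__":
    print("Function roll-up: current", rollup(CURRENT), "target", rollup(TARGET))
    for r in gap_analysis(CURRENT, TARGET, PRIORITY, SUBCATEGORIES):
        print(f"{r['subcategory']}  {r['current']}->{r['target']}  weighted gap {r['weighted']}: "
              f"{SUBCATEGORIES[r['subcategory']]}")
```

The ranking is the point: PR.AA-05 (access permissions) outranks PR.AA-02 even though both are a single scale step below target in one case and three in the other, because the weight encodes what the risk assessment said matters. Rolling up to the Function level is what goes on the slide; the ranked list is what goes on the roadmap.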
Key insight: NIST CSF is about organizing your thinking and prioritizing investment, not checking boxes.
5) CIS Controls
CIS Controls provide prioritized, prescriptive guidance for tactical security improvements:
CIS Controls Overview:
WHAT ARE CIS CONTROLS:
┌─────────────────────────────────────────────────────────────┐
│ - Developed by Center for Internet Security │
│ - Prioritized set of actions to protect organizations │
│ - Based on real-world attack data │
│ - Prescriptive and actionable │
│ - Free and publicly available │
│ - Currently version 8 (v8.1 revision released 2024) │
│ │
│ Purpose: Provide specific, prioritized actions that │
│ address the most common attacks │
└─────────────────────────────────────────────────────────────┘
CIS CONTROLS v8 (18 Controls):
┌─────────────────────────────────────────────────────────────┐
│ 1. Inventory and Control of Enterprise Assets │
│ 2. Inventory and Control of Software Assets │
│ 3. Data Protection │
│ 4. Secure Configuration of Enterprise Assets and Software │
│ 5. Account Management │
│ 6. Access Control Management │
│ 7. Continuous Vulnerability Management │
│ 8. Audit Log Management │
│ 9. Email and Web Browser Protections │
│ 10. Malware Defenses │
│ 11. Data Recovery │
│ 12. Network Infrastructure Management │
│ 13. Network Monitoring and Defense │
│ 14. Security Awareness and Skills Training │
│ 15. Service Provider Management │
│ 16. Application Software Security │
│ 17. Incident Response Management │
│ 18. Penetration Testing │
│ │
│ Note: v7's Basic / Foundational / Organizational grouping │
│ was dropped in v8. Prioritization now comes from the │
│ Implementation Groups below, which cut across all 18 │
│ controls at the individual safeguard level. │
└─────────────────────────────────────────────────────────────┘
IMPLEMENTATION GROUPS (IGs):
┌─────────────────────────────────────────────────────────────┐
│ IG1: Essential Cyber Hygiene (56 safeguards) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ For: Every enterprise (CIS calls it the minimum │ │
│ │ standard); sized for small orgs with limited IT staff │ │
│ │ Focus: Basic defenses against common, untargeted attacks│ │
│ │ Examples: │ │
│ │ - Maintain asset and software inventories (1.1, 2.1) │ │
│ │ - Remove unauthorized software (2.3) │ │
│ │ - Secure configurations (4.1) │ │
│ │ - Restrict admin privileges to dedicated accounts (5.4)│ │
│ │ - MFA for external apps, remote access, admins (6.3-6.5)│ │
│ │ - Collect audit logs (8.2); automated backups (11.2) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ IG2: Standard Cyber Hygiene (+74 safeguards = 130 total) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ For: Enterprises with dedicated IT/security staff, │ │
│ │ moderate complexity, some regulatory exposure │ │
│ │ Focus: Defense against targeted attacks │ │
│ │ Adds: │ │
│ │ - Centralized audit logs (8.9) and security event │ │
│ │ alerting (13.1) │ │
│ │ - Automated internal vulnerability scanning (7.5) │ │
│ │ - Centralized access control / SSO (6.7) │ │
│ │ - Secure application development process (16.1) │ │
│ │ - Penetration testing program and external tests │ │
│ │ (18.1, 18.2) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ IG3: Full CIS Controls (+23 safeguards = 153 total) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ For: Large enterprises, high-value targets, experts on │ │
│ │ staff for each security domain │ │
│ │ Focus: Defense against sophisticated, persistent attacks│ │
│ │ Adds: │ │
│ │ - Host and network intrusion prevention (13.7, 13.8) │ │
│ │ - Internal penetration tests and validation of │ │
│ │ security measures (18.4, 18.5) │ │
│ │ - Application penetration testing and threat │ │
│ │ modeling (16.13, 16.14) │ │
│ │ - Data loss prevention (3.13) │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Using CIS Controls:
CIS Controls Implementation:
EXAMPLE CONTROL DETAIL:
┌─────────────────────────────────────────────────────────────┐
│ Control 1: Inventory and Control of Enterprise Assets │
│ (enterprise assets = end-user devices, network devices, │
│ IoT/non-computing devices, servers; software is Control 2) │
│ │
│ 1.1 Establish and Maintain Detailed Enterprise Asset │
│ Inventory │
│ - IG1, IG2, IG3 │
│ - Every asset that can store or process data, whether │
│ on-premises, remote, or in the cloud │
│ - Record network address, hardware (MAC) address, machine │
│ name, owner, department, approval status │
│ - Review and update at least bi-annually │
│ │
│ 1.2 Address Unauthorized Assets │
│ - IG1, IG2, IG3 │
│ - Remove, deny network access, or quarantine │
│ - Weekly process │
│ │
│ 1.3 Utilize an Active Discovery Tool │
│ - IG2, IG3 │
│ - Automated scanning for asset discovery │
│ - Run daily or more frequently │
│ │
│ 1.4 Use DHCP Logging to Update Enterprise Asset Inventory │
│ - IG2, IG3 │
│ - DHCP server logging or IP address management tools │
│ - Review logs and update the inventory weekly │
│ │
│ 1.5 Use a Passive Asset Discovery Tool │
│ - IG3 │
│ - Network traffic analysis for discovery │
│ - Catches assets active scans miss; update the inventory │
│ at least weekly │
└─────────────────────────────────────────────────────────────┘
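Safeguards 1.1 through 1.4 describe a reconciliation loop: observations from DHCP logs and active scans are compared with the inventory, anything observed but not inventoried is an unauthorized asset to address, and anything inventoried but never observed is a stale record to review. The following is an added example (not from the original page or from CIS) of that loop. The DHCP lines imitate ISC dhcpd syslog output, and the inventory, log excerpt and scan result are constructed sample data.

```python
"""Added example: reconciling observed devices against the enterprise asset
inventory (CIS Controls v8 safeguards 1.1-1.4).

The inventory, DHCP log lines (ISC dhcpd style) and scan result are constructed.
"""
import re

# Constructed inventory keyed by lower-case MAC. A real inventory also carries
# network address, approval status and a last-seen date.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "alice-laptop",  "type": "end-user device", "owner": "alice"},
    "aa:bb:cc:00:00:02": {"name": "bob-laptop",    "type": "end-user device", "owner": "bob"},
    "aa:bb:cc:00:00:03": {"name": "carol-laptop",  "type": "end-user device", "owner": "carol"},
    "aa:bb:cc:00:00:10": {"name": "db01",          "type": "server",          "owner": "platform"},
    "aa:bb:cc:00:00:20": {"name": "lobby-printer", "type": "non-computing",   "owner": "facilities"},
}

# Constructed DHCP log excerpt. Only a DHCPACK proves a lease was handed out;
# a DHCPDISCOVER alone (carol's laptop) is not evidence the device got on.
DHCP_LOG = """\
Mar 12 10:15:01 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:00:00:01 (alice-laptop) via eth0
Mar 12 10:16:44 dhcp1 dhcpd: DHCPACK on 10.0.1.24 to AA:BB:CC:00:00:02 (bob-laptop) via eth0
Mar 12 10:20:09 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:01 (android-3f2a) via eth0
Mar 12 10:21:00 dhcp1 dhcpd: DHCPACK on 10.0.1.78 to de:ad:be:ef:00:02 via eth0
Mar 12 10:22:13 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:03 via eth0
"""

# Constructed active-scan result (what an ARP/ping sweep returns). The server has
# a static address and never appears in DHCP; the second entry is a rogue device.
ACTIVE_SCAN = [
    {"ip": "10.0.1.5",  "mac": "aa:bb:cc:00:00:10"},
    {"ip": "10.0.1.99", "mac": "ca:fe:00:00:00:01"},
]

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]+)\))? via"
)


def parse_dhcp_acks(log_text):
    """One observation per DHCPACK line (hostname optional); other lines are ignored."""
    acks = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            acks.append({"ip": m["ip"], "mac": m["mac"].lower(),
                         "host": m["host"] or "", "source": "dhcp"})
    return acks


def reconcile(inventory, observations):
    """Split observations into known vs unauthorized, and list inventory never observed."""
    seen, unauthorized = {}, []
    for o in observations:
        mac = o["mac"].lower()
        if mac in inventory:
            seen.setdefault(mac, []).append(o)
        else:
            unauthorized.append(o)
    not_observed = sorted(mac for mac in inventory if mac not in seen)
    return {"seen": seen, "unauthorized": unauthorized, "not_observed": not_observed}


if __name__ == "__main__":
    observations = parse_dhcp_acks(DHCP_LOG) + [dict(o, source="scan") for o in ACTIVE_SCAN]
    report = reconcile(INVENTORY, observations)
    for o in report["unauthorized"]:
        print(f"UNAUTHORIZED  {o['mac'].lower()} {o['ip']} {o.get('host', '')} (seen via {o['source']})")
    for mac in report["not_observed"]:
        print(f"NOT OBSERVED  {mac} {INVENTORY[mac]['name']} (review or retire)")
```

Two caveats for real use. A MAC address is trivially spoofed, so this reconciliation finds accidental and opportunistic devices, not a determined attacker; port-level access control (802.1X/NAC) is the control that actually denies them. And DHCP log formats differ between servers (ISC, Windows, Kea), so the regular expression is the part that gets rewritten per environment.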
PRIORITIZATION APPROACH:
┌─────────────────────────────────────────────────────────────┐
│ Start with IG1 regardless of organization size │
│ │
│ Priority Order: │
│ 1. Controls 1-2: Know what you have (assets, software) │
│ 2. Controls 4-6: Secure and control access │
│ 3. Controls 3,7: Protect data, manage vulnerabilities │
│ 4. Controls 8,10,11: Logging, malware, backup │
│ 5. Remaining controls based on risk │
│ │
│ Don't try to implement everything at once │
│ Build foundation before advanced controls │
└─────────────────────────────────────────────────────────────┘
CIS BENCHMARKS (Related):
┌─────────────────────────────────────────────────────────────┐
│ CIS Benchmarks = Specific configuration guidance │
│ │
│ Available for: │
│ - Operating systems (Windows, Linux, macOS) │
│ - Cloud platforms (AWS, Azure, GCP) │
│ - Applications (Office 365, databases) │
│ - Network devices (Cisco, Palo Alto) │
│ - Containers (Docker, Kubernetes) │
│ │
│ Example: CIS Amazon Web Services Foundations Benchmark │
│ - Recommendations across IAM, storage, logging, │
│ monitoring and networking (count varies by version) │
│ - Each gives the setting, rationale, an audit procedure │
│ and a remediation procedure │
│ - Automated assessment available (e.g., the CIS standard │
│ in AWS Security Hub) │
└─────────────────────────────────────────────────────────────┘
Key insight: CIS Controls answer "what should we do first?" while other frameworks answer "what should we do overall?"
Real-World Context
Case Study: Framework Selection for a Startup
A B2B SaaS startup needed to close enterprise deals but kept losing to competitors with SOC 2 reports. They evaluated options: SOC 2 for customer requirements, ISO 27001 for European expansion, and CIS Controls for tactical guidance. Their approach: use NIST CSF for program structure, implement CIS Controls IG1 for immediate security improvement, pursue SOC 2 Type I quickly (3 months), then Type II for ongoing compliance. ISO 27001 was deferred until European revenue justified the investment. Within 6 months, they had SOC 2 Type I and were closing enterprise deals.
Case Study: Framework Mapping to Reduce Effort
A healthcare technology company faced SOC 2, ISO 27001, and HIPAA requirements simultaneously. Initially, they treated each as separate projects with different teams. Audit fatigue and duplicative effort consumed resources. They implemented a unified control framework mapping all requirements to a single control set. Evidence collected once satisfied multiple frameworks. One policy met multiple requirements. Audit effort dropped 40%, and they maintained compliance more consistently.
Framework Selection Quick Reference:
Framework Selection Guide:
QUICK DECISION TREE:
┌─────────────────────────────────────────────────────────────┐
│ Customer asks for security proof? → SOC 2 (US) or ISO 27001 │
│ US B2B SaaS? → SOC 2 │
│ Global/European focus? → ISO 27001 │
│ Need tactical controls? → CIS Controls │
│ Need program structure? → NIST CSF │
│ US Federal? → FedRAMP, NIST 800-53 │
│ Payment processing? → PCI DSS (required) │
│ Healthcare? → HIPAA (required) + SOC 2 or ISO │
└─────────────────────────────────────────────────────────────┘
COMMON COMBINATIONS:
┌─────────────────────────────────────────────────────────────┐
│ Typical SaaS Company: │
│ - SOC 2 (customer requirement) │
│ - NIST CSF (program organization) │
│ - CIS Controls (tactical guidance) │
│ │
│ Global Enterprise: │
│ - ISO 27001 (certification) │
│ - NIST CSF (program organization) │
│ - Industry-specific (PCI, HIPAA, etc.) │
│ │
│ Small Business: │
│ - CIS Controls IG1 (essential hygiene) │
│ - NIST CSF (when ready to mature) │
│ - SOC 2 (when customers require) │
└─────────────────────────────────────────────────────────────┘
MAPPING APPROACH:
┌─────────────────────────────────────────────────────────────┐
│ 1. Identify all applicable frameworks │
│ 2. Create unified control framework │
│ 3. Map each framework's requirements to unified controls │
│ 4. Implement controls once, satisfy multiple frameworks │
│ 5. Collect evidence once, use for multiple audits │
│ 6. Use GRC tool to manage mappings │
└─────────────────────────────────────────────────────────────┘
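Steps 2 through 5 of the mapping approach are a data-modelling problem: one control set, a crosswalk from each framework's requirements onto it, and a report of what each audit can reuse and where coverage is missing. The following is an added example (not from the original page or from any GRC product) of that model. The requirement identifiers are real (SOC 2 common criteria CC6.x, ISO/IEC 27001:2022 Annex A, CIS Controls v8 safeguards) with paraphrased one-line summaries; the unified control IDs (UC-IAM-xx), the mapping decisions and the evidence items are constructed assumptions, and in practice every mapping is a judgement each framework's auditor has to accept.

```python
"""Added example: unified control set with a crosswalk to SOC 2, ISO 27001 and
CIS Controls, plus the coverage and evidence-reuse report.

UC-IAM-xx identifiers, the MAPPING decisions and the evidence items are
constructed for the example. Requirement IDs are real; summaries are paraphrased.
"""

# Unified controls: one statement, one owner, one evidence set.
CONTROLS = {
    "UC-IAM-01": {"statement": "Access is granted only via an approved request",
                  "evidence": ["ticket sample with approvals"]},
    "UC-IAM-02": {"statement": "Access is disabled within 1 business day of termination",
                  "evidence": ["HR termination list", "IdP disable events"]},
    "UC-IAM-03": {"statement": "Access rights are reviewed quarterly",
                  "evidence": ["signed review records"]},
    "UC-IAM-04": {"statement": "MFA is enforced for external and administrative access",
                  "evidence": ["IdP MFA policy export"]},
    "UC-IAM-05": {"statement": "Account inventory is reconciled to HR monthly",
                  "evidence": ["reconciliation report"]},
    "UC-IAM-06": {"statement": "Break-glass accounts are sealed and their use is alerted",
                  "evidence": ["vault access log"]},
}

# Requirements keyed as FRAMEWORK:ID (summaries paraphrased).
REQUIREMENTS = {
    "SOC2:CC6.1": "Logical access security over protected information assets",
    "SOC2:CC6.2": "Users registered and authorized before access; removed when no longer needed",
    "SOC2:CC6.3": "Access authorized, modified and removed based on roles and least privilege",
    "ISO27001:A.5.15": "Access control",
    "ISO27001:A.5.16": "Identity management",
    "ISO27001:A.5.18": "Access rights",
    "ISO27001:A.8.5": "Secure authentication",
    "CIS:5.1": "Establish and maintain an inventory of accounts",
    "CIS:5.4": "Restrict administrator privileges to dedicated administrator accounts",
    "CIS:6.1": "Establish an access granting process",
    "CIS:6.2": "Establish an access revoking process",
    "CIS:6.3": "Require MFA for externally-exposed applications",
    "CIS:6.5": "Require MFA for administrative access",
}

# Crosswalk: requirement -> unified controls that satisfy it. CIS:5.4 is left unmapped.
MAPPING = {
    "SOC2:CC6.1": ["UC-IAM-04"],
    "SOC2:CC6.2": ["UC-IAM-01", "UC-IAM-02"],
    "SOC2:CC6.3": ["UC-IAM-01", "UC-IAM-03"],
    "ISO27001:A.5.15": ["UC-IAM-01", "UC-IAM-03"],
    "ISO27001:A.5.16": ["UC-IAM-05"],
    "ISO27001:A.5.18": ["UC-IAM-01", "UC-IAM-02", "UC-IAM-03"],
    "ISO27001:A.8.5": ["UC-IAM-04"],
    "CIS:5.1": ["UC-IAM-05"],
    "CIS:6.1": ["UC-IAM-01"],
    "CIS:6.2": ["UC-IAM-02"],
    "CIS:6.3": ["UC-IAM-04"],
    "CIS:6.5": ["UC-IAM-04"],
}


def framework_of(req_id):
    return req_id.split(":", 1)[0]


def crosswalk_report(controls, requirements, mapping):
    """Unmapped requirements, frameworks served per control, and controls no framework needs."""
    served = {c: set() for c in controls}
    unmapped, unknown = [], []
    for req in requirements:
        targets = mapping.get(req, [])
        if not targets:
            unmapped.append(req)  # a real gap: nothing in the control set answers it
        for c in targets:
            if c not in controls:
                unknown.append((req, c))  # mapping points at a control that does not exist
            else:
                served[c].add(framework_of(req))
    orphans = sorted(c for c, fw in served.items() if not fw)  # keep only if risk-driven
    return {"unmapped": sorted(unmapped), "served": served,
            "orphans": orphans, "unknown_controls": unknown}


def evidence_plan(controls, served):
    """Each evidence item collected once, annotated with every audit it feeds."""
    plan = {}
    for c, fw in served.items():
        for item in controls[c]["evidence"]:
            plan.setdefault(item, set()).update(fw)
    return plan


if __name__ == "__main__":
    rep = crosswalk_report(CONTROLS, REQUIREMENTS, MAPPING)
    print("unmapped requirements:", rep["unmapped"])
    print("controls no framework requires:", rep["orphans"])
    for item, fw in evidence_plan(CONTROLS, rep["served"]).items():
        print(f"collect once: {item:<30} -> {sorted(fw) or 'no audit needs this'}")
```

The report answers the three questions that matter when a new framework is added: which of its requirements nothing currently satisfies (CIS 5.4 here), which existing evidence already covers it (the MFA policy export feeds all three audits), and which controls you run that no framework asks for, which is fine when the risk assessment justifies them and wasteful otherwise.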
Frameworks should reduce effort, not multiply it. Smart mapping and integration are essential for multi-framework environments.
Guided Lab: Framework Assessment
In this lab, you'll assess organizational needs and select appropriate frameworks.
Lab Scenario:
- Mid-size SaaS company (200 employees)
- Primarily US customers, expanding to Europe
- Processing payment data (not directly, via Stripe)
- Some healthcare customers asking about HIPAA
- No current certifications
Exercise Steps:
- Identify customer and regulatory requirements
- Evaluate framework options
- Recommend framework strategy
- Create 12-month compliance roadmap
- Map SOC 2 criteria to CIS Controls
- Develop framework selection presentation
Reflection Questions:
- How did you prioritize when multiple frameworks apply?
- What would change your recommendations?
- How would you handle customer requests for frameworks you don't have?
Week Outcome Check
By the end of this week, you should be able to:
- Distinguish between control, program, risk, and attestation frameworks
- Explain SOC 2 Trust Services Criteria and Type I vs Type II
- Describe ISO 27001 structure and certification process
- Apply NIST CSF functions and tiers to organize security programs
- Use CIS Controls and Implementation Groups for tactical guidance
- Select appropriate frameworks based on business requirements
- Map multiple frameworks to reduce compliance effort
- Develop framework implementation roadmaps
🎯 Hands-On Labs (Free & Essential)
Master compliance frameworks with hands-on implementation and gap assessment exercises.
📜 ISO 27001 Implementation Lab
What you'll do: Implement ISO 27001 controls—conduct gap analysis, document
ISMS, prepare for certification audit.
Why it matters: ISO 27001 is the international standard for information
security management systems.
Time estimate: 3-4 hours
🏢 SOC 2 Compliance Exercise
What you'll do: Map controls to SOC 2 Trust Service Criteria—Security,
Availability, Confidentiality, Processing Integrity, Privacy.
Why it matters: SOC 2 is essential for SaaS companies serving enterprise
customers.
Time estimate: 2-3 hours
🔒 CIS Controls Mapping
What you'll do: Implement CIS Critical Security Controls—prioritize
Implementation Groups, assess current state, plan remediation.
Why it matters: CIS Controls provide actionable, prioritized cybersecurity
best practices.
Time estimate: 2-3 hours
💡 Lab Strategy: Start with CIS Controls for quick wins, then layer on ISO 27001 for a comprehensive management system.
Resources
Lab
Complete the following lab exercises to practice framework concepts.