14 Security Frameworks and Standards to Consider
Discover details about 14 popular security frameworks and standards, why they matter, and how your organization can prove compliance.
by Rick Stevenson
The number of cybersecurity threats keeps growing, but there are also many security frameworks and standards you can implement to reduce your risk and exposure to them. The question is: Which ones do you need to focus on?
To help you make this decision, we've compiled a list of the most popular cybersecurity frameworks and standards that organizations should consider. We'll cover:
NIST Special Publication 800-53
NIST Special Publication 800-171
Before You Start With Any Framework or Standard
All cybersecurity frameworks and standards are valuable when it comes to keeping data safe, but they aren't created equal. Some are mandatory for certain industries; others are optional, and you'll need to evaluate them to see which make the most sense for how your organization operates.
Pay close attention to how each framework would apply to your organization before you start an audit or pursue a certification.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a framework for organizations that handle payment cards. It was developed by the Payment Card Industry Security Standards Council and is published by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
PCI DSS requirements depend on what type of organization you are and on your PCI DSS level. PCI DSS defines two types of organizations: merchants and service providers. Depending on your organization type and level, you may be able to submit a self-assessment questionnaire, or you may be required to undergo an audit to demonstrate your compliance.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of health information by regulating its use and disclosure by covered entities. These entities include healthcare providers, clearinghouses, and plan sponsors. HIPAA also defines a second type of entity, the Business Associate, which has fewer requirements under HIPAA but must still demonstrate the protections it has implemented for health information.
Covered entities must implement administrative, physical, and technical safeguards to protect the privacy of protected health information (PHI). HIPAA does not require an audit, but many organizations undergo a HIPAA audit to demonstrate their compliance to customers and potential partners.
CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a U.S. standard for measuring the maturity of an organization's cybersecurity program. CMMC is a framework based on NIST 800-171 and was created by the U.S. Department of Defense (DoD) to secure the data that external organizations receive from or produce for the DoD, known as Controlled Unclassified Information (CUI).
CMMC has three levels, and depending on your level, you may be able to self-attest your CMMC compliance. Some levels do require an audit before a CMMC certification can be issued.
If you do need an audit, you can engage a C3PAO (CMMC Third-Party Assessment Organization), an independent assessor authorized to audit defense contractors and verify their CMMC compliance efforts. After you undergo a complete assessment, it is reviewed, and if your organization passes, you'll receive a three-year certification.
NIST CSF
The NIST Cybersecurity Framework (CSF) is a voluntary framework that provides a common language for cybersecurity. It's a risk management framework organized around five functions: Identify, Protect, Detect, Respond, and Recover.
Implementing the NIST CSF is voluntary for industry organizations but required for U.S. Federal Agencies. If you are in the supply chain of a U.S. Federal Agency, examine your contract with the agency (or with the agency's contractor) to determine whether you're required to adhere to the NIST CSF.
NIST Special Publication 800-53
NIST Special Publication 800-53 is a U.S. government standard for information security management systems, covering the development and operation of a cybersecurity program. Revision 5, published in 2020, opened the framework to all types of organizations, so it now provides one comprehensive set of controls for businesses across industries.
NIST 800-53 comes in multiple levels, called impact levels, which are traditionally low, moderate, and high. Additional categories of NIST 800-53 controls also exist, such as privacy controls, which may be incorporated into the framework. NIST 800-53 is also the basis for FedRAMP.
NIST Special Publication 800-171
NIST Special Publication 800-171 is a cybersecurity framework developed by NIST in collaboration with the public and private sectors. Specifically, it applies where federal agencies share information with non-federal departments or companies.
The intent behind NIST 800-171 is to protect Controlled Unclassified Information (CUI). There is no formal audit for NIST 800-171; compliance with the standard is purely self-attestation. Because 800-171 has no formal audit process, the Department of Defense developed CMMC to provide one.
GDPR
The EU General Data Protection Regulation (GDPR) is an EU-wide law that regulates how companies handle personal data. GDPR requires organizations handling the personal data of EU citizens to implement strong safeguards around the collection, use, transfer, and storage of that information.
It also gives individuals greater control over their data, for example by requiring companies to notify them when a breach affects their personal information. As GDPR is considered one of the strictest privacy regulations in the world, businesses must comply with a number of obligations. You can learn more by reading our guide on GDPR compliance.
SOC 2
SOC 2 is a security framework that defines how companies should manage, process, and store customer data based on the five Trust Services Categories: Security, Confidentiality, Availability, Privacy, and Processing Integrity. It's also one of the most widely recognized ways to prove your commitment to information security. To determine whether you're compliant, auditors look at how effectively your controls are operating, how quickly you respond to risks or incidents, whether you're meeting the commitments you have made to your customers, and how clearly you communicate about risks and recovery processes.
ISO 27001
ISO 27001 is an international standard for Information Security Management Systems (ISMS). It defines the requirements of an ISMS, outlines how to implement it, and provides guidance on how to maintain it. Any business growing in international markets that wants to demonstrate its ability to preserve the confidentiality, integrity, and availability of information can benefit from ISO 27001.
Once you're ready to pursue ISO 27001 certification, you'll need to choose an accredited certification body to perform the audit. After you have completed the audit, you are issued an ISO 27001 certification, which is valid for a three-year period.
ISO 27701
ISO 27701 is a global standard for protecting the privacy of personal information. Rather than being a standalone framework with its own certification, it's an extension of ISO 27001. This means that to implement and get certified against ISO 27701, you must also implement ISO 27001.
Where ISO 27001 covers the Information Security Management System (ISMS), ISO 27701 extends the ISMS and establishes what ISO calls a Privacy Information Management System (PIMS). You can get certified against ISO 27001 and then separately against ISO 27701, or you can complete both certifications during one audit.
FFIEC
The Federal Financial Institutions Examination Council (FFIEC) framework is a set of standards that all banks, savings associations, and credit unions must implement to minimize the threat that increasingly sophisticated attackers pose to both the institutions and their customers.
To determine compliance with FFIEC guidelines, comprehensive assessments of the environment must be conducted, and you'll need to prepare for an FFIEC audit. FFIEC also publishes the self-assessment tool on which the audits are based. This tool, called the Cybersecurity Assessment Tool (CAT), can be used internally to prepare for the audit.
FFIEC defines five levels of maturity for each of the five domains covered by the framework: Baseline, Evolving, Intermediate, Advanced, and Innovative.
To be considered at a particular level, you must meet all of the requirements at that level and at every lower level. For example, to be considered Intermediate in Domain 1, you must have implemented all requirements at Baseline, Evolving, and Intermediate in Domain 1; meeting some Advanced requirements does not raise your level if any lower-level requirement is still unmet.
Microsoft SSPA
According to Microsoft's website, the Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft's data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data and/or Microsoft Confidential Data. All enrolled suppliers are assigned a profile based on the types of data they possess or process for Microsoft and must complete an annual self-attestation of DPR compliance.
Depending on their profile, suppliers who process certain types of data may also be required to undergo a third-party audit. Microsoft maintains a list of pre-selected assessors authorized to conduct these audits, and Microsoft's purchasing tools verify that a supplier's SSPA status is compliant before allowing an in-scope engagement to proceed.
SOX ITGC
ITGCs, or IT General Controls, are a subset of the Sarbanes-Oxley (SOX) internal control set.
The objective of SOX ITGCs is to ensure the integrity of the data and processes that the IT systems support. During a SOX compliance audit, the auditor reviews overall IT management as well as specific ITGC controls, including the security of IT systems and data centers, data backup and storage, and change management activities.
All publicly traded companies in the U.S. are required to undergo a SOX audit annually. SOX also applies to certain privately held companies.
Bottom Line: Taking Steps Toward Compliance
Whether you’re adding another standard under your belt or just starting your compliance journey, Drata’s compliance automation platform is just what you need to streamline the process for the frameworks covered on this list and more.
Additionally, as you achieve compliance for one framework, the Drata Platform provides full visibility into your readiness for additional frameworks—helping you take advantage of any overlap and reduce redundant work. Learn more about how to get started by visiting this page.