Frameworks & Standards

Cybersecurity frameworks, standards, and control sets

18 frameworks
Control Catalog
Essential Eight
The Essential Eight is a prioritised set of eight mitigation strategies that ASD recommends as a baseline for cyber security: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening, and regular backups. Each strategy is assessed against four maturity levels (Maturity Level 0 to Maturity Level 3). Implementation is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF) and is widely adopted in the private sector.
Australian Signals Directorate (ASD)
Control Catalog
CIS Controls v8.1
The CIS Controls are a prioritised set of actions that collectively form a defense-in-depth set of best practices for mitigating the most common attacks against systems and networks. Version 8 organises 18 controls and 153 safeguards into three Implementation Groups (IG1 to IG3) so that smaller organisations can start with the essential cyber hygiene subset. Version 8.1 (2024) is an iterative update that adds governance as an explicit security function, refines asset classes and definitions, and aligns the mappings with NIST CSF 2.0.
Center for Internet Security (CIS)
Assurance
CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) framework is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the defense industrial base. CMMC 2.0 streamlined the model to three levels: Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for FCI (self-assessed); Level 2 covers the 110 requirements of NIST SP 800-171 for CUI (self-assessed or assessed by a certified third-party assessor, depending on the contract); Level 3 adds a subset of the NIST SP 800-172 enhanced requirements and is assessed by the DoD.
U.S. Department of Defense (DoD)
Risk Management
DORA ICT Framework
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), applicable since 17 January 2025, requires EU financial entities to maintain an ICT risk management framework, classify and report major ICT-related incidents, test digital operational resilience (including threat-led penetration testing for larger entities), manage ICT third-party risk, and participate in threat information sharing. It is supported by extensive Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) drafted by the European Supervisory Authorities.
European Banking Authority (EBA) / ESMA / EIOPA
Sector-Specific
HIPAA Security
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes national standards to protect electronic protected health information (ePHI). It requires covered entities and business associates to conduct a risk analysis and to implement administrative, physical, and technical safeguards; each safeguard is designated either required or addressable, and addressable safeguards must be implemented or their alternative documented.
U.S. Department of Health and Human Services (HHS)
Risk Management
ISO 27001:2022
ISO/IEC 27001 is the international standard for information security management systems (ISMS) and the one organisations certify against. It specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. The 2022 revision restructured Annex A into 93 controls in four themes: organisational (37), people (8), physical (14), and technological (34).
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
Control Catalog
ISO 27002:2022
ISO/IEC 27002 provides a reference set of generic information security controls with implementation guidance. It is the companion standard to ISO/IEC 27001 and gives the detailed guidance on each Annex A control; it is guidance only, and certification is against 27001, not 27002.
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
Threat Intel
MITRE ATT&CK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures based on real-world observations, published as matrices for Enterprise, Mobile, and ICS. It is used as a foundation for threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community, and in practice for mapping detection coverage, structuring red team plans, and reporting threat intelligence in a common vocabulary.
MITRE Corporation
Risk Management
NIS2 Measures
NIS2 (Directive (EU) 2022/2555) Article 21(2) lists 10 minimum cybersecurity risk management measures that essential and important entities must implement: risk analysis and information system security policies; incident handling; business continuity, backups, and crisis management; supply chain security; security in acquisition, development, and maintenance, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene and training; cryptography and encryption policies; human resources security, access control, and asset management; and multi-factor or continuous authentication and secured communications. ENISA publishes technical implementation guidance for these measures.
European Union Agency for Cybersecurity (ENISA)
AI Risk
NIST AI RMF
The NIST AI RMF (AI 100-1, January 2023) provides a framework for managing risks related to AI systems throughout their lifecycle, organised into four functions: Govern, Map, Measure, and Manage. It is designed to be voluntary, rights-preserving, non-sector-specific, and use-case agnostic; the Generative AI Profile (NIST AI 600-1, July 2024) extends it to generative systems.
National Institute of Standards and Technology (NIST)
Risk Management
NIST CSF 2.0
The NIST CSF 2.0 (February 2024) provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or cybersecurity sophistication, to better understand, assess, prioritize, and communicate its cybersecurity efforts. Version 2.0 added the Govern function to the original five (Identify, Protect, Detect, Respond, Recover), expanded guidance for supply chain risk management, and widened the intended audience beyond critical infrastructure.
National Institute of Standards and Technology (NIST)
Control Catalog
NIST 800-171 Rev.3
NIST SP 800-171 provides requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. Rev. 3 (May 2024) restructured and consolidated the requirements and introduced organization-defined parameters (ODPs) that the organisation must assign values to. It is the basis for CMMC Level 2, although the CMMC program rule currently references Rev. 2, so check which revision a given contract invokes.
National Institute of Standards and Technology (NIST)
Control Catalog
NIST 800-53 Rev.5
NIST SP 800-53 provides a catalog of security and privacy controls for information systems and organizations, grouped into 20 control families. It is the primary control catalog for US federal agencies (selected via the baselines in SP 800-53B and assessed with SP 800-53A) and is widely used in the private sector. Rev. 5 integrated privacy controls into the catalog and added the Supply Chain Risk Management (SR) family.
National Institute of Standards and Technology (NIST)
Sector-Specific
NIST 800-82 Rev.3
NIST SP 800-82 provides guidance on securing Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations. Rev. 3 (September 2023) was retitled Guide to Operational Technology (OT) Security and broadened the scope to OT generally, with an OT overlay of SP 800-53 controls.
National Institute of Standards and Technology (NIST)
Sector-Specific
PCI DSS v4.0.1
PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit payment card data maintain a secure environment. Version 4.0 (2022) introduced the customized approach as an alternative to defined requirements, targeted risk analyses, and MFA for all access into the cardholder data environment; v4.0.1 (June 2024) is a limited revision that clarifies wording and guidance without adding or removing requirements. The future-dated requirements introduced in v4.0 became mandatory on 31 March 2025.
PCI Security Standards Council (PCI SSC)
Control Catalog
NCA ECC
The NCA Essential Cybersecurity Controls (ECC) establish 114 mandatory cybersecurity controls for Saudi government entities and organisations of national importance, organised into five domains: cybersecurity governance, cybersecurity defense, cybersecurity resilience, third-party and cloud computing cybersecurity, and industrial control systems cybersecurity.
National Cybersecurity Authority (NCA), Saudi Arabia
Sector-Specific
MAS Cyber Hygiene
The MAS Notice on Cyber Hygiene sets out legally binding requirements for financial institutions in Singapore to implement fundamental cybersecurity measures. It covers six areas: securing administrative accounts, applying security patches promptly, establishing and enforcing a baseline security standard, deploying network perimeter defence, implementing malware protection, and requiring multi-factor authentication for administrative accounts and for customer-facing access to sensitive data.
Monetary Authority of Singapore (MAS)
Assurance
SOC 2
SOC 2 is an attestation report, issued by a CPA firm, on the controls a service organisation has in place to meet the AICPA Trust Services Criteria: Security (required, the common criteria), Availability, Processing Integrity, Confidentiality, and Privacy (each optional, chosen by the organisation). A Type I report covers control design at a point in time; a Type II report also tests operating effectiveness over a period, typically 6 to 12 months. A SOC 2 report attests to the controls in scope; it does not by itself guarantee that data is secure.
American Institute of Certified Public Accountants (AICPA)