Guide: Essential Enterprise Data Protection

Cybersecurity Frameworks

In this chapter, we’ll take a deep dive into today’s leading cybersecurity frameworks and the ends they serve. The following topics will be covered:

  1. Why are Cybersecurity Frameworks Important?
  2. What is an IT Security Framework?
  3. What are Common Cybersecurity Control Frameworks? 
  4. Understanding NIST CSF Security Controls

Why are Cybersecurity Frameworks Important?

While the fragmented nature of the cybersecurity market serves the cat & mouse chase between attackers and guardians, the inevitable result is the existence of dozens of different cyber security vendors a midsize enterprise has to adopt and deploy across his supply chain and digital service delivery. This reality introduces significant complexity when it comes to running an effective enterprise information security program. Therefore, the number one purpose of Cyber security frameworks is to introduce standardization, best practices and structure around the technology implementation used for such programs.

What is an IT Security Framework?

An IT security framework is a collection of documents and procedures that a typical enterprise can use in order to implement an information security program and put a formal structure around the varying controls mentioned above. Such a framework will typically not specify tools or vendor selections.

What are Common Cybersecurity Control Frameworks?

With the introduction of industry specific regulations such as PCI-DSS, HIPAA, SOX, Fedramp, (and others) which started in the mid 90s’, and the maturity of information security practices, we’ve seen organizations such as NIST, ISO and CSA build structure and framework around enterprise security best practices and forming a set of cyber security frameworks. Here’s a list of the most common Frameworks out there:

summary table of cyber security frameworks

Understanding NIST CSF Security Controls

The NIST Cybersecurity Framework is organized in the following hierarchical way: 5 Core Function mapped to 23 Category broken down to 108 Sub categories in the following way (excluding sub categories):activities.




Asset Management

Business Environment


Risk Assessment

Risk Management Strategy

Supply Chain Risk Management


Identity Management and Access Control

Awareness and Training

Data Security

Information Protection Processes and Procedures


Protective Technology


Anomalies and Events

Security Continuous Monitoring

Detection Processes


Response Planning






Recovery Planning



*The full details of NIST CSF including the breakdown to the 108 sub categories can be found here


Interesting to note that NIST subcategories also include an Informative Reference to other 6 security frameworks: CIS CSC, COBIT, ISA 62443, ISO/IEC 27001 and NIST 800-53 making it easier for enterprises integrate different frameworks in tandem.

This article was originally published at

July 1, 2020