CIS Security Controls version 8 (CIS v8)
CIS v8 is a prioritized set of Safeguards to mitigate cyber-attacks against systems and networks. CIS v8 is broken down into 3 maturity levels:
- Implementation Group (IG) 1
- Implementation Group (IG) 2
- Implementation Group (IG) 3
CIS v8 is a comprehensive and well-rounded framework. CIS v8 takes into consideration modern systems and software, movement to cloud-based computing, mobility, outsourcing, Work-from-Home, and more.
Recommended For: any organization
NIST Cybersecurity Framework (CSF)
NIST CSF was developed following Executive Order 13636 to create a voluntary framework, based on existing standards, guidelines, and practices to reduce cyber risks to critical infrastructure. However, due to its flexibility and ease of adoption, NIST CSF is being used by organizations across various industry verticals. NIST CSF was designed to foster risk and cybersecurity management amongst both internal and external organizational stakeholders.
Recommended For: any organization
NIST Special Publication (SP) 800-53
Currently on version 5, NIST SP 800-53 is a catalog of security and privacy controls for information systems and organizations to protect their operations, assets, individuals, and the nation from a diverse set of threats and risks. NIST SP 800-53 is a very extensive framework, providing both high-level guidance as well as technical recommendations for implementing controls. Because of this, NIST SP 800-53 can be overwhelming for organizations that have little to no existing cybersecurity practices.
Recommended For: government and affiliated organizations, organizations with foundational cybersecurity practices
Cybersecurity Maturity Model Certification (CMMC)
Developed by the Department of Defense, CMMC is a unified standard for implementing cybersecurity across the defense industrial base, which includes over 300,000 companies in the supply chain. The DoD has started requiring CMMC certification from contractors for certain government contracts before they can be awarded and has additional plans to require this certification from all DoD contractors.
Recommended For: Defense Industrial Base organizations
System and Organization Controls (SOC) 2
Developed by the American Institute of CPAs (AICPA), SOC 2 defines the criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. SOC 2 is different from other frameworks in that it focuses heavily on protecting customer data. SOC 2 also provides only the criteria for its five trust service principles, not the controls themselves. Each organization adopting SOC 2 must design, develop, and implement its own controls to meet the defined criteria.
Recommended For: service organizations that store, process, and transmit customer data
International Organization for Standardization (ISO) 27001
Published originally in 2013 by the ISO and IEC (International Electrotechnical Commission), and revised and updated multiple times since then, ISO 27001 is an international standard that helps organizations manage the security of their information assets. The basic goal of ISO 27001 is to protect three aspects of information: Confidentiality, Integrity, and Availability. At the core of ISO 27001 is an Information Security Management System (ISMS), which is a defined and documented system that consists of policies, processes, and systems to manage organizational data and reduce risks.
Recommended For: any organization