How to choose a cybersecurity framework that works for you

A cybersecurity framework gives security teams a set of standards and a common language, across borders and industries, for understanding security postures. A framework in place helps define the procedures and processes your organisation must follow to monitor, assess and mitigate cybersecurity risk.

Let’s take a closer look at the most common cybersecurity frameworks. 

National Institute of Standards and Technology (NIST framework)  

The NIST Cybersecurity Framework was devised to improve the national and economic security of the United States, which depends on the reliable functioning of critical infrastructure. The President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST's EO 13636 role.

Created through collaboration between industry and government, the voluntary cybersecurity framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure, including third-party risk. The prioritised, flexible, repeatable, and cost-effective approach of the framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk. 

ISO 27001 and ISO 27002 certification

Created by the International Organization for Standardization (ISO), ISO 27001 and ISO 27002 certifications provide requirements for establishing, implementing, maintaining and continually improving an information security management system.

The adoption of an information security management system is a strategic decision for any organisation. The establishment and implementation of an organisation’s information security management system is influenced by the organisation’s needs and objectives, security requirements, the organisational processes used and the size and structure of the organisation. All of these influencing factors are expected to change over time. 

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It is important that the information security management system is part of, and integrated with, the organisation’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organisation. 

RiskXchange provides ISO 27001 Certification as part of our professional security services.

SOC2 cybersecurity framework

The Service Organisation Control (SOC) Type 2 is a trust-based cybersecurity framework and auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The framework was devised to help verify that vendors and partners are securely managing client data. 

SOC2 specifies more than 60 compliance requirements and auditing processes for third-party systems and controls. It is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organisation relevant to the security, availability, and processing integrity of the systems the service organisation uses to process users' data, and to the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

  • Oversight of the organisation 
  • Vendor management programs 
  • Internal corporate governance and risk management processes 
  • Regulatory oversight 

NERC CIP cybersecurity framework

The North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP) is a set of cybersecurity standards designed to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC develops and enforces reliability standards; annually assesses seasonal and long-term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel.

HIPAA cybersecurity framework

To improve the efficiency and effectiveness of the healthcare system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security. At the same time, Congress recognised that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

GDPR cybersecurity framework

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organisations anywhere, so long as they target or collect data related to people in the EU. The regulation came into effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. Fines for non-compliance can reach up to €20,000,000 or 4% of global revenue.

FISMA cybersecurity framework 

The Federal Information Security Modernization Act of 2014 (FISMA 2014) is a comprehensive cybersecurity framework that protects federal government information and systems against cyber threats. FISMA also extends to third parties and vendors who work on behalf of federal agencies.

FISMA 2014 codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting the Office of Management and Budget (OMB) in developing those policies. The legislation gives the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination with, and consistent with, OMB policies and practices.

RiskXchange and cybersecurity 

RiskXchange's integrated cybersecurity risk platform helps you discover, continuously monitor and reduce risk across your enterprise and supply chain. RiskXchange is the only platform that provides a complete 360-degree view of your attack surface, including that of your vendors. It continuously monitors your complete attack surface, highlights any risk and enables you to fix issues before an attacker discovers them.

Get in touch with RiskXchange to find out more about a cybersecurity framework that works for you.