A framework is like a treasure map, a medkit, and a compass all rolled into one – it helps beginners avoid chaos and lets pros act with strategy and confidence. It saves time, covers blind spots, makes teamwork smoother, and boosts your credibility with recruiters. Instead of playing a “guessing game,” you’ll be following a smart, battle-tested plan used by thousands of professionals before you.
Frameworks
Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.
Cybersecurity has its own frameworks: ready-made schemes that simplify the work. They play a key role in helping businesses comply with industry regulations and laws, as in the HIPAA example above, where a law mandates the protection of patients’ personal health information.
In cybersecurity, frameworks act like prebuilt roadmaps. Rather than figuring out what to do from scratch in every situation, you follow a well-defined structure that walks you through each stage – from risk assessment and threat detection to incident response and recovery. They help teams distribute responsibilities, streamline decision-making, and reduce the chance of human error during high-stress moments.
Specifications and guidelines can change depending on the type of organization you work for.
Below are some of the other well-known frameworks commonly used in the world of cybersecurity. Each one offers a different approach depending on the organization’s size, industry, and regulatory needs:
The Federal Energy Regulatory Commission – North American Electric Reliability Corporation (FERC-NERC)
FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.
The Federal Risk and Authorization Management Program (FedRAMP®)
FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.
Center for Internet Security (CIS®)
CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.
General Data Protection Regulation (GDPR)
GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law established in 1996 to protect patients’ health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:
- Privacy
- Security
- Breach notification
Organizations that store patient data have a legal obligation to inform patients of a breach because if patients’ Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.
International Organization for Standardization (ISO)
ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.
System and Organization Controls (SOC type 1, SOC type 2)
The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. SOC 1 and SOC 2 are a series of reports that focus on an organization’s user access policies at different organizational levels such as:
- Associate
- Supervisor
- Manager
- Executive
- Vendor
- Others
They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.
There are a number of regulations that are frequently revised. You are encouraged to keep up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.
Controls
Security controls are safeguards designed to reduce specific security risks: the measures organizations use to lower risk and threats to data and privacy. For example, a control that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.
Controls often work in tandem with security frameworks. While frameworks provide structure and strategy, controls are the specific actions that help enforce them. The MFA requirement in the HIPAA example above is one such control: it helps ensure that only authorized users can access sensitive information.
Security controls are generally grouped into three categories: physical, technical, and administrative. Each type plays a different role in preventing, detecting, or correcting security issues.
Examples of physical controls:
- Gates, fences, and locks
- Security guards
- Closed-circuit television (CCTV), surveillance cameras, and motion detectors
- Access cards or badges to enter office spaces
Examples of technical controls:
- Firewalls
- MFA
- Antivirus software
Examples of administrative controls:
- Separation of duties
- Authorization
- Asset classification
By layering these types of controls, organizations can create defense-in-depth – a strategy that helps ensure no single point of failure leads to compromise. Together with frameworks, controls form the practical foundation of any effective cybersecurity strategy.
Specific frameworks and controls
There are many different frameworks and controls that organizations can use to remain compliant with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of frameworks, are also explained.
Cyber Threat Framework (CTF)
According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors’ many tactics and techniques.
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001
An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.
Security frameworks give you the “why” and “what”, while controls give you the “how”. Together, they help organizations build structured, defensible, and compliant cybersecurity programs – capable of adapting to the ever-changing risk landscape.
As a security specialist, you don’t need to remember every framework out there. But understanding the core ones, and how they shape real-world security decisions, is key. Especially as the threat landscape keeps evolving, being familiar with these structures helps you protect both the systems you defend and the people behind them.