Top 10 Cyber Security Frameworks

    Planning meeting with group around a table looking at a woman working with post it notes on a whiteboard.

    In 2021, if you're running a business or project on any scale, your security efforts can only be effective if they are systematic and carefully controlled. Following a cyber security framework won't just protect sensitive customer information. It will also prevent you from missing essential tasks by providing a system to manage your organization's risk, including guidelines and best practices to follow.

    Because all frameworks aim to do roughly the same thing, they have similar tasks but involve slightly different priorities and target audiences. We'll outline ten of the best below, which work for different types of organizations — starting with our top recommendation for small and mid-sized businesses.

    1. Cyber Essentials (and Cyber Essentials Plus)

    If you've already had a quick browse of the cyber security frameworks out there, you've probably come across Cyber Essentials. Published by the UK government, it's one of the most popular options — it takes an approach simple enough for most companies or managers to undertake, but it's effective enough to keep attacks at bay.

    The focus here is on tackling the basics by implementing the most critical security measures.

    If you want to take things to the next level, you could also consider Cyber Essentials Plus. The main difference is that the basic version requires you to self-certify documentation, whereas the Plus option requires independent testing and auditing to confirm documentation.

    2. Center for Internet Security (CIS) Framework

    Now you've heard that Cyber Essentials is our top recommendation for most smaller businesses. So you might be questioning whether it's even worth looking into any other options. Well, how about this to change your mind: at Fresh Security, we use CIS Security Controls. Why? It's accessible for a medium-sized business and doesn't contain too much security jargon.

    The CIS Security Controls framework is comprehensive and identifies 18 areas to cover, and implementation splits into three groups. It takes a more comprehensive approach than some frameworks, which is helpful for those who want to gain better coverage of their business.

    Of course, you don't have to reach the same conclusion as us— so here are eight more frameworks for you to consider.

    3. International Office of Standardization (ISO) 27001

    Few standards bodies have the history of ISO — it dates back to 1947. Since then, governments worldwide have joined to create the most recognized standards body in the world.

    The ISO 27001 aims to help organizations set best practices, taking factors like organizational context and current operations into account to build a solid information security management system.

    4. American Institute of CPAs' Service Organization Control (SOC 2)

    SOC 2 ensures data is safe by considering the principles of privacy (protecting personal information), confidentiality (safeguarding client data), availability (maintaining software), security (protecting systems against attacks), and processing integrity (reducing errors and inaccuracy).

    Each one of these categories is a cornerstone of the framework and used to guarantee cyber security.

    5. Control Objectives for Information Technology (COBIT)

    The COBIT framework is slightly different from the others on this list because it begins by starting its process thinking about stakeholder needs to find how this links with the technology.

    The framework's process involves understanding a company's overall strategy and governance systems, examining the scope, and completing the design.

    6. Payment Card Industry Data Security Standard (PCI DSS)

    As the name suggests, PCI DSS was created for the payment card industry. It's essential if you are working with payments and alongside major players like Mastercard and American Express.

    In addition to the usual security processes, it focuses on payment-specific aspects like safeguarding and restricting access to cardholder data.

    7. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

    The CSA is a non-profit that's all about cloud computing and encourages best practices within the industry, educating those involved about security. The Cloud Controls Matrix (CCM) framework offers guidance about implementing controls in the cloud computing supply chain.

    There are a whopping 197 control objectives, split into 17 domains spanning everything from cryptography to human resources to supply chain management. The CCM outlines how to keep each one secure.


    MITRE Corporation is another non-profit, but this one focuses on cyber security research and led to the creation of ATT&CK. This framework model the behaviour and actions of cyber attackers. The approach helps companies to find patterns and track potential threats ahead of time.

    It's identified 14 tactics that cyber threats tend to employ, consisting of activities like credential access and resource development.

    MITRE has also recently launched a process to tackle mobile threats, which takes a similar approach but with adapted categories.

    9. European Union Agency for Cybersecurity (ENISA) National Capabilities Assessment Framework

    The ENISA framework was made by the EU Agency for Cybersecurity, set up to address cyber security issues and therefore maintain political stability. Consequently, it makes the most sense for companies operating within Europe, but anyone can follow the guiding principles.

    The EU introduced this framework to give member states guidance about addressing their risks, including ways to carry out self-assessments to gauge the extent of the problem. Key steps include the definition of scope, risk assessment, risk acceptance, and risk communication.

    10. National Institute of Technologies (NIST) Cybersecurity Framework (CSF)

    Last but certainly not least, NIST is a government agency related to the United States Department of Commerce. It developed the cyber security framework (CSF,) which has become one of the more popular cyber frameworks and is implemented worldwide.

    The framework contains the core functions of identifying, protecting, detecting, responding and recovering — these describe stages of dealing with cyber security risks.

    It was initially designed for the critical infrastructure industry, but it can also be helpful for companies that want to meet US data protection standards.

    Ready to get protected?

    As the entries above have shown, there's lots of overlap and commonalities between different cyber security frameworks. They're not miles apart, but each targets a specific industry or area, so it's important to make your final selection carefully.

    This can all get a little complicated — that's why we like to keep things simple at Fresh Security. We offer a security service that will help you see your business and its vulnerabilities through the lens of a hacker. Then we give you real-time insights about your cyber risks in a language you can understand. Sound good? Take a deep breath and check out how much you're exposing.

    October 11, 2021
    5 Minutes Read

    Subscribe to Fresh Thoughts

    Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

    We'll never share your email.


    Fresh Security Support

    Your Questions


    Fresh Sec Limited

    Call: +44 (0)203 9255868