What Are Cyber-Security Frameworks and Standards?

What are Frameworks and Standards?

Cyber-security frameworks and standards are used by organisations to improve their security measures to protect their assets. While a standard is usually rigid and set as the most current and internationally agreed best practise, a framework is more flexible, acting as a guide for the system you want while allowing you to experiment and implement it with your own methods.

What are some examples?

There are many different frameworks and standards available from many different internationally recognised bodies. Some of the main framework bodies that develop and maintain cyber-security frameworks and standards include:

• National Institute of Standards and Technology: NIST is a US government agency that develops and promotes standards for a wide range of industries. Some of their key cyber-security frameworks include the NIST Cyber-Security Framework (CSF) and the NIST Special Publication 800-53 which provides guidelines for securing US federal information systems.

• International Organisation for Standardisation: ISO is an international standard-setting body that develops and publishes international standards in a wide range of fields. One of their key cyber-security standards is ISO 27001, which provides a framework for implementing and maintaining an Information Security Management System (ISMS).

• International Electrotechnical Commission: IEC is a global organisation that develops and publishes international technical standards, safety standards, conformity assessment standards and much more. Some of the key areas of focus for the IEC include renewable energy, smart grids, electric vehicles, and cyber-security.

The IEC and ISO also have a Joint Technical Commission (JTC) that was established in order to develop and publish international standards in the fields of electrotechnology and information technology.

How are they used?

Organisations may choose to adopt one or more of these frameworks or standards to help them improve their cyber-security posture and meet regulatory requirements. Adopting a framework or standard involves conducting a security gap analysis to determine what controls and safeguards are already in place compared to what additional measures are needed to meet the requirements of the chosen framework or standard. It also involves ongoing monitoring and review to ensure that the controls and safeguards remain up-to-date with the latest version of the chosen framework or standard.

Overall, cyber-security frameworks and standards provide a valuable resource for organisations looking to improve their cyber-security posture and protect themselves from risks. By adopting a framework or standard and implementing the recommended controls and safeguards, organisations can both reduce their risk of a security incident and also be prepared to recover quickly with minimised damage in the event that they are still affected by a security incident.