Module 01 · Lesson 02

Which security framework do you actually need?

There are dozens of security frameworks. In practice, most organizations anchor on one of three. Let me give you the decision tree.

The Big Three

Three frameworks. Different purposes.

NIST CSF 2.0
Strategic & Flexible
Six functions: Govern, Identify, Protect, Detect, Respond, Recover. Risk-based. Board-friendly.
Not certifiable
ISO 27001:2022
Certifiable Standard
93 Annex A controls across 4 themes. Independently auditable. The certification enterprise procurement and EU supply chains most often ask for.
Certifiable ✓
CIS Controls v8.1
Prescriptive & Prioritized
18 controls in 3 Implementation Groups. IG1 = essential hygiene (56 safeguards).
Not certifiable
NIST CSF 2.0

The strategic layer

Six core functions translate naturally to executive communication. The board understands "Detect" and "Respond."

Strength: Flexible, risk-based, board-friendly. "Govern" added in v2.0 (2024) reflects the CISO role's shift toward enterprise risk governance.

Limitation: Too flexible for immature orgs that need prescriptive guidance. No certification scheme: you self-assess with Tiers and Organizational Profiles, and nobody signs off on the result.

ISO 27001:2022

The certifiable standard

93 controls. Organizational, People, Physical, Technological themes. An accredited certification body audits the ISMS (Clauses 4–10) and the Statement of Applicability, then issues the certificate.

Strength: Certifiable. Enterprise customers and many EU counterparties expect it, and it is the most widely recognized evidence of a working management system, not just a tool stack.

Limitation: Can become checkbox exercise. Significant cost for SMBs. Ongoing ISMS maintenance required.

CIS Controls v8.1

The implementation guide

IG1: 56 safeguards, which CIS's own Community Defense Model credits with stopping roughly 80% of the techniques behind the most common attack types. IG2: organizations with dedicated IT/security staff. IG3: organizations facing a sophisticated threat profile or holding regulated data.

Strength: Tells you what to do first. IG1 is the best starting point for building from scratch. Prioritized by impact.

Limitation: Less auditor/regulatory recognition. Not certifiable. Weaker for board-level strategy.

Decision Tree

How to choose

Do you have a formal security program?
  No → Start with CIS Controls IG1 · 56 safeguards · Your crawl phase

Do customers or regulators require certification?
  Yes → Primary framework: ISO 27001 · Begin gap analysis

Need a strategic layer for board reporting?
  Yes → Strategic layer: NIST CSF 2.0 · Six functions boards understand

Framework Mapping

In practice, you use all three

Layer · Framework · Purpose
Strategic · NIST CSF 2.0 · Board reporting, risk communication, maturity tracking
Compliance · ISO 27001 · Certification, customer trust, regulatory requirements
Operational · CIS Controls · Day-to-day implementation guide for the security team

Framework mapping is the key skill. Take identity and access: NIST CSF 2.0 PR.AA (Identity Management, Authentication and Access Control; PR.AC in CSF 1.1) → ISO 27001:2022 A.5.15–A.5.18 (access control, identity management, authentication information, access rights) → CIS Controls 5 and 6 (account management, access control management). Implement the control once, keep the evidence once, and it satisfies all three.
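A crosswalk is easier to keep honest as data than as a spreadsheet. The following is an added example for this lesson, not code from NIST, ISO or CIS: each internal control is recorded once with the framework references it evidences, and a coverage function reports what is satisfied and what is missing per framework. The NIST CSF 2.0 subcategory IDs (PR.AA-01/03/05), ISO 27001:2022 Annex A IDs and CIS v8.1 safeguard IDs are real, but the internal control catalogue and the exact mapping are illustrative assumptions; validate them against the published crosswalks before relying on them.

```python
"""Framework crosswalk: record each internal control once, then report which
NIST CSF 2.0 subcategories, ISO/IEC 27001:2022 Annex A controls and CIS v8.1
safeguards it evidences, and where the gaps are.

Added example for this lesson, not code from NIST, ISO or CIS. Framework IDs
are real; the internal catalogue and its mapping are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One thing the security team actually implements and can evidence."""
    name: str
    nist: frozenset   # CSF 2.0 subcategory IDs (PR.AA = identity, authn, access)
    iso: frozenset    # ISO/IEC 27001:2022 Annex A control IDs
    cis: frozenset    # CIS v8.1 safeguard IDs, written "control.safeguard"


# Hypothetical internal control catalogue for the identity/access slice.
CATALOGUE = {
    "ACCOUNT-INVENTORY": Control("Inventory of all user and admin accounts",
                                 frozenset({"PR.AA-01"}), frozenset({"A.5.16"}), frozenset({"5.1"})),
    "DORMANT-DISABLE":   Control("Accounts dormant for more than 45 days are disabled",
                                 frozenset({"PR.AA-01"}), frozenset({"A.5.16", "A.5.18"}), frozenset({"5.3"})),
    "MFA-ADMIN":         Control("MFA required for administrative access",
                                 frozenset({"PR.AA-03"}), frozenset({"A.5.17"}), frozenset({"6.5"})),
    "MFA-EXTERNAL":      Control("MFA for externally exposed apps and remote access",
                                 frozenset({"PR.AA-03"}), frozenset({"A.5.17"}), frozenset({"6.3", "6.4"})),
    "JML-PROCESS":       Control("Joiner/mover/leaver access grant and revoke process",
                                 frozenset({"PR.AA-05"}), frozenset({"A.5.18"}), frozenset({"6.1", "6.2"})),
    "ACCESS-POLICY":     Control("Documented role-based access control policy",
                                 frozenset({"PR.AA-05"}), frozenset({"A.5.15"}), frozenset({"6.8"})),
}

# Scope of this slice: the requirements the three frameworks impose here.
REQUIRED = {
    "nist": frozenset({"PR.AA-01", "PR.AA-03", "PR.AA-05"}),
    "iso":  frozenset({"A.5.15", "A.5.16", "A.5.17", "A.5.18"}),
    "cis":  frozenset({"5.1", "5.3", "6.1", "6.2", "6.3", "6.4", "6.5", "6.8"}),
}

# Implementation Group that first requires each CIS safeguard (v8.1).
CIS_IG = {"5.1": 1, "5.3": 1, "6.1": 1, "6.2": 1, "6.3": 1, "6.4": 1, "6.5": 1, "6.8": 3}


def coverage(implemented):
    """Map a set of implemented internal control IDs onto all three frameworks.

    Returns {framework: {"satisfied": set, "missing": set}}. "Satisfied" means
    at least one implemented control evidences the requirement; an auditor may
    still want more, so treat this as the start of the gap analysis, not the end.
    """
    unknown = set(implemented) - set(CATALOGUE)
    if unknown:
        raise ValueError(f"unknown internal control IDs: {sorted(unknown)}")
    evidenced = {fw: set() for fw in REQUIRED}
    for cid in implemented:
        ctl = CATALOGUE[cid]
        evidenced["nist"] |= ctl.nist
        evidenced["iso"] |= ctl.iso
        evidenced["cis"] |= ctl.cis
    return {
        fw: {"satisfied": evidenced[fw] & req, "missing": req - evidenced[fw]}
        for fw, req in REQUIRED.items()
    }


def cis_gaps(implemented, ig=1):
    """Missing CIS safeguards at or below the given Implementation Group.

    A crawl-phase organisation closes IG1 gaps first and ignores IG3 for now.
    """
    missing = coverage(implemented)["cis"]["missing"]
    return {s for s in missing if CIS_IG[s] <= ig}


def evidence_for(requirement_id):
    """Reverse lookup for the auditor: which controls evidence this requirement?"""
    return sorted(cid for cid, ctl in CATALOGUE.items()
                  if requirement_id in ctl.nist | ctl.iso | ctl.cis)


if __name__ == "__main__":
    done = {"ACCOUNT-INVENTORY", "MFA-ADMIN", "JML-PROCESS"}
    for fw, result in coverage(done).items():
        print(f"{fw:5} satisfied={sorted(result['satisfied'])} missing={sorted(result['missing'])}")
    print("IG1 gaps to close first:", sorted(cis_gaps(done, ig=1)))
    print("Evidence for A.5.17:", evidence_for("A.5.17"))
```

With the three controls in the usage block implemented, every NIST PR.AA subcategory in scope is evidenced, ISO still lacks A.5.15 (no written access control policy), and the IG1 CIS gaps are 5.3, 6.3 and 6.4; 6.8 is an IG3 safeguard and is filtered out of the crawl-phase list. The reverse lookup is what you hand the ISO auditor when they ask for evidence on A.5.17.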

Key Takeaway

Crawl → Walk → Run

Crawl
No formal program
CIS Controls IG1. Essential hygiene. 56 safeguards.
Walk
Dedicated team
NIST CSF strategy. ISO 27001 gap analysis. CIS IG2.
Run
Fully integrated
ISO certified. NIST CSF for board reporting. CIS Controls IG3 plus CIS Benchmarks for configuration hardening.
Remember this

Start where you are, not where you want to be. The framework is the scaffolding — your security program is the building.
