Multiple frameworks can pull your organisation in different directions. Choosing one as your overarching one makes it easier to align your information security work and keep it on course.
ISO 27001, CIS 18 or perhaps NIST?
Which framework should you choose as your overarching one – your guiding star in the big cyber universe? 🌟
Many data protection and information security professionals today work across several different frameworks. For example, you may have worked with ISO 27001 for a long time, but now also have to comply with NIS2. Or maybe your organisation is completely new to information security, and it can feel overwhelming to figure out where to start and how to make sense of the many frameworks available.
“When you have to comply with several different standards, laws or frameworks, it makes sense to have one main framework, so you don’t end up creating double documentation – and double the work,” says Marie Bjerre Simonsen, Information Security Expert at Wired Relations.
By choosing a main framework, you create a starting point, and from there it becomes easier to map other frameworks against it. This gives you an overview of where the frameworks overlap and where there are differences that need to be addressed and managed.
But how can you structure this, and when do the different frameworks make sense?
“There are sectors that by definition are required to comply with ISO standards, such as municipalities, agencies and ministries. CIS 18 is most often chosen as the main framework by organisations with a more technical focus. And NIST can be a good fit for smaller and less mature organisations,” Marie Bjerre Simonsen explains.
DANX Carousel is an example of a company that has embraced a main framework. In an interview, Head of Information Security Anders Thingholm explains that he works with ISO 27001 as the foundation for the company’s information security work. The organisation spans several countries and frequently acquires new companies, making a strong foundation absolutely essential.
“There isn’t anyone working in this field who couldn’t work endlessly if they didn’t know where to draw the line (…) so you need something that keeps you on course, otherwise you’ll end up going down 200 rabbit holes every day,” says Anders Thingholm.
He also explains that the ISO standard is helpful in due diligence processes, making it easier to quickly align with newly acquired companies.
“It’s not that I intend to ask them 93 questions covering every ISO requirement in the new version and demand a comprehensive answer. That doesn’t make sense for a company of three or five people. But with larger companies, you can certainly ask about those kinds of things.”
In addition, ISO 27001 is an advantage when working with NIS2, as much of NIS2 aligns with ISO 27001, and anything extra can easily be added on top.
Ultimately, choosing one main framework is about avoiding duplicate work and at the same time ensuring that the organisation has a common language for information security.