Infosec frameworks: An overview of the most common ones

By Jacob Høedt Larsen, November 19, 2024

ISO, NIST, SOC 2, CIS 18. Information security frameworks and regulations can feel like a jungle to navigate. Here, we provide an overview of the information security frameworks and regulations we most frequently encounter, so that you are well prepared.

Key Standards in the ISO 2700x Series

ISO 27001: Specifies the information security management system (ISMS) that helps you structure how you work with critical information.

ISO 27002: Includes 93 controls you can select and adapt to suit your organisation.

ISO 27005: Provides specific guidance on how to organise risk management.

ISO 27701: Enables you to integrate data protection (i.e., GDPR compliance) into your processes.

For more standards in the series, see: https://www.iso.org/standard/iso-iec-27000-family.

Benefits of frameworks

Let’s start with the basics. What are the advantages of using a framework?

1. Standards are typically developed by experts and practitioners.

2. They are continually tested across various types of organisations.

3. They are well-known by professionals, reducing dependency on individual employees.

4. They represent recognised best practices, serving as a quality stamp for your organisation.

5. They are often designed to provide a solid foundation for complying with legal requirements.

Disadvantages of frameworks

While there are many good reasons to use frameworks, there are also challenges:

1. Every organisation is unique, so a framework is unlikely to fit perfectly.

2. Security threats evolve constantly, requiring ongoing adjustments.

3. Your organisation’s objectives should remain central and drive your security efforts.

This is why we often see organisations using more than one standard. More on this later.

The ISO 2700x Series: A Common Choice

In Europe, ISO 27001 and the broader 2700x series are widely adopted, likely making it the most recognised information security framework.

It’s a good idea to consider ISO 2700x because it:

  • Provides access to professionals experienced in the framework.
  • Makes it easier to collaborate with other organisations using the same framework.

ISO 2700x is an international standard that:

  • Establishes a management system for handling information security in a risk-based manner.
  • Includes risk management.
  • Introduces a range of controls from ISO 27002.

This framework offers substantial support throughout the process and can easily be expanded to address data protection and GDPR compliance.


Other standards and frameworks

We also encounter several other standards and frameworks across Europe:

CIS 18 (Critical Security Controls): A set of 18 specific controls designed to protect organisations from cyber threats. It’s often a favourite in IT departments due to its practical approach.

NIS2 Directive: EU legislation aimed at improving cybersecurity in critical and essential organisations. Most companies covered by NIS2 also adopt an additional standard, often ISO 2700x.

Cyber Essentials: A British standard designed to enhance security in a straightforward way. Backed by the UK government, it’s frequently a requirement for suppliers in the UK. We (Wired Relations) are certified under this standard.

SOC 2: A security framework specifying how organisations should protect customer data from unauthorised access, incidents, and vulnerabilities. It’s often used as evidence when selling to clients, particularly for cloud service providers.

NIST Cybersecurity Framework: Often considered the US counterpart to the ISO standards, this voluntary framework helps organisations prevent, detect, and respond to cybersecurity threats.

These are the standards and frameworks we most frequently encounter at Wired Relations. However, many others exist, including sector-specific standards, audit frameworks, and data protection laws like GDPR.

Many Organisations Use Multiple Standards

It’s common for organisations to work with multiple standards and regulations simultaneously. For example:

1. A company might adopt Cyber Essentials to meet the requirements of a British customer.

2. Later, they decide to implement ISO 27001 for a broader framework.

3. Meanwhile, the IT department benefits from the practical controls in CIS 18.

4. The organisation may also fall under the scope of the NIS2 Directive.

Suddenly, the organisation is working with 3–5 sets of standards and rules, many of which overlap.

In such cases, it’s essential to manage the work in a way that avoids duplicating tasks or performing the same control twice.

See How Wired Relations Can Help

Want to learn how to efficiently manage multiple standards and frameworks? Book a demo to find out how Wired Relations can make this easier.