Security Frameworks

While working in the area of information security, it is important to have an understanding of the common security standards or frameworks. While reading this article, you will obtain some knowledge of the controls specified by ISO/IEC 27001, the Federal Information Processing Standards (FIPS), the NIST cybersecurity framework and NIST Special Publication 800-53, as well as COBIT5.

Information security standards and control frameworks

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known are outlined below.


International Standards Organization

ISO/IEC 27001 specifies 114 controls in 14 groups:

  • A.5: Information security policies
  • A.6: How information security is organised
  • A.7: Human resources security–controls that are applied before, during, or after employment.
  • A.8: Asset management
  • A.9: Access controls and managing user access
  • A.10: Cryptographic technology
  • A.11: Physical security of the organisation's sites and equipment
  • A.12: Operational security
  • A.13: Secure communications and data transfer
  • A.14: Secure acquisition, development, and support of information systems
  • A.15: Security for suppliers and third parties
  • A.16: Incident management
  • A.17: Business continuity/disaster recovery (to the extent that it affects information security)
  • A.18: Compliance – with internal requirements, such as policies, and with external requirements, such as laws.


U.S. Federal Government information security standards

The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems under the purview of the Committee on National Security Systems are managed outside these standards.

Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems", specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.

FIPS 200 identifies 17 broad control families:

  1. AC Access Control.
  2. AT Awareness and Training.
  3. AU Audit and Accountability.
  4. CA Security Assessment and Authorization. (historical abbreviation)
  5. CM Configuration Management.
  6. CP Contingency Planning.
  7. IA Identification and Authentication.
  8. IR Incident Response.
  9. MA Maintenance.
  10. MP Media Protection.
  11. PE Physical and Environmental Protection.
  12. PL Planning.
  13. PS Personnel Security.
  14. RA Risk Assessment.
  15. SA System and Services Acquisition.
  16. SC System and Communications Protection.
  17. SI System and Information Integrity.

National Institute of Standards and Technology


NIST Cybersecurity Framework

A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core".


NIST SP-800-53

A database of nearly one thousand technical controls grouped into families and cross references.

  • Starting with Revision 3 of 800-53, Program Management controls were identified. These controls are independent of the system controls, but are necessary for an effective security program.
  • Starting with Revision 4 of 800-53, eight families of privacy controls were identified to align the security controls with the privacy expectations of federal law.
  • Starting with Revision 5 of 800-53, the controls also address data privacy as defined by the NIST Data Privacy Framework.


Commercial Control Sets

COBIT5

A proprietary control set published by ISACA.

  • Governance of Enterprise IT
    • Evaluate, Direct and Monitor (EDM) – 5 processes
  • Management of Enterprise IT
    • Align, Plan and Organise (APO) – 13 processes
    • Build, Acquire and Implement (BAI) – 10 processes
    • Deliver, Service and Support (DSS) – 6 processes
    • Monitor, Evaluate and Assess (MEA) – 3 processes


CIS Top – 20

A commercially licensable control set published by the Center for Internet Security.

  • 20 controls developed by a network of volunteers and made available for commercial use through a license agreement.


ts mitigation

An open (Creative Commons) and commercially licensable control set from Threat Sketch.

  • Open: 50 business language mitigations mapped to one hundred NIST Cybersecurity Framework controls.
  • Open: 50 business language mitigations mapped to nearly one thousand NIST SP – 800-53 controls.