I’m often asked which security control framework is the best. Spoiler alert: I don’t think there is one! No single framework is a silver bullet; they all have pros and cons. Some frameworks are highly prescriptive and narrow in scope: PCI DSS, for example, covers cardholder and sensitive authentication data, not the rest of the estate.
SOC 2, on the other hand, is more principles-based: it doesn’t mandate specific controls, but instead has the organisation’s own controls assessed against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy).
ISO 27001 is another popular choice: it’s a risk-based management-system standard, although it also carries a set of reference controls in Annex A that many organisations choose to adopt wholesale rather than deriving their own from the risk assessment.
The NIST Cybersecurity Framework and its functions (Identify, Protect, Detect, Respond and Recover, with Govern added in version 2.0) can aid communication with business stakeholders, but it describes outcomes rather than specific controls, so it has its limitations too.
Your particular industry may have other specialised sets of requirements, like NERC CIP for the bulk electric system in North America. The list goes on.
Many organisations are subject to several regulations and pieces of legislation simultaneously, and so end up adopting multiple frameworks and compliance regimes at once. If this is not managed well, maintaining and demonstrating compliance becomes labour-intensive, with the same evidence collected separately for each audit. It helps to recognise that controls from different frameworks, although worded differently, often aim at the same objective: a single well-evidenced control such as multi-factor authentication on administrative access can satisfy the authentication requirements of PCI DSS, SOC 2 and ISO 27001 together. Maintaining a cross-framework control mapping lets you test and evidence each control once and reuse the result, which streamlines the compliance program considerably.
While achieving compliance with a security framework is often a necessary step in establishing a security baseline, it is rarely sufficient to mitigate modern threats.
Compliance frameworks were developed with a specific objective in mind: to reduce risk. They can get you part of the way there, just not all the way. Compliance is assessed against a fixed scope at a point in time, so an organisation can be compliant but still insecure: attackers target the systems that fell outside the audit scope, the controls that drifted between assessments, and the threats the framework was never written to address. Security leaders should go beyond compliance and move towards actively identifying and managing their own risks, treating the framework as a floor rather than a ceiling and focusing on overall security posture and measurable risk reduction in order to survive and thrive in the digital world.