What is a control framework?
A control framework is a structured collection of security controls and guidelines that helps organisations protect their information systematically. Instead of reinventing the wheel, frameworks provide proven methods.
The key point: Frameworks are tools, not goals in themselves. They help you structure the work — but security is about actually implementing the controls, not just documenting them.
The most common frameworks
- ISO 27001: International standard for management systems. Certifiable. Focus on processes, risk management and continuous improvement. 93 controls in Annex A.
- NIST CSF: American framework with five functions: Identify, Protect, Detect, Respond, Recover. Flexible, adaptable, not certifiable.
- CIS Controls: 18 prioritised, technical security controls. Implementation Groups (IG1-IG3) for different maturity levels. Practical and hands-on.
- SOC 2: Trust Service Criteria for service providers. Focus on security, availability, integrity, confidentiality, privacy. Attestation by an auditor.
- NIS2: EU directive for critical infrastructure. Legally binding, not voluntary. Minimum requirements for risk management, incident reporting and supplier control.
- NIST 800-53: Comprehensive control catalogue, originally for American government agencies. Over 1000 controls. Often used in high-security environments.
Comparison
| Framework | Focus | Certifiable | Geographic relevance | Complexity |
|---|---|---|---|---|
| ISO 27001 | Management system | Yes | Global | Medium-High |
| NIST CSF | Functions | No | Primarily USA | Low-Medium |
| CIS Controls | Technical controls | No | Global | Low (IG1) to High (IG3) |
| SOC 2 | Service providers | Attestation | USA, global | Medium |
| NIS2 | Critical infrastructure | N/A (law) | EU | Medium |
| NIST 800-53 | Comprehensive security | No | Primarily USA | High |
ISO 27001 in detail
Strengths:
- Internationally recognised certification
- Holistic focus (people, process, technology)
- Risk-based — adapt to your context
- Requirements for continuous improvement
- Opens doors globally
Weaknesses:
- Requires resources for implementation and certification
- Can become bureaucratic without proper focus
- Technical details left open
- Certification process takes time
Suitable for:
- Organisations with international customers
- B2B service providers
- Those wanting to demonstrate external commitment
- Baseline for multi-framework approach
NIST CSF in detail
The five functions:
| Function | Description | Example |
|---|---|---|
| Identify | Understand what you protect | Asset inventory, risk assessment |
| Protect | Implement safeguards | Access control, training, encryption |
| Detect | Discover anomalies | Monitoring, anomaly detection |
| Respond | Manage incidents | Incident response, communication |
| Recover | Restore capability | Recovery plans, lessons learned |
Suitable for:
- Organisations wanting flexibility
- Those needing to adapt to specific context
- Starting point for security work
- Complement to certification-focused frameworks
CIS Controls in detail
Implementation Groups:
| Group | Controls | Description |
|---|---|---|
| IG1 | 56 controls | Basic cyber hygiene. Minimum reasonable level for all. |
| IG2 | +74 controls | For organisations with more resources and sensitive data. |
| IG3 | +23 controls | Advanced defence against sophisticated threats. |
The 18 controls:
- Inventory and control of enterprise assets
- Inventory and control of software assets
- Data protection
- Secure configuration of enterprise assets
- Account management
- Access control management
- Continuous vulnerability management
- Audit log management
- Email and web browser protections
- Malware defences
- Data recovery
- Network infrastructure management
- Network monitoring and defence
- Security awareness and skills training
- Service provider management
- Application software security
- Incident response management
- Penetration testing
How do you choose the right framework?
- Identify regulatory requirements: Are you covered by NIS2? GDPR? Industry-specific requirements? Regulatory requirements often drive the choice. NIS2-covered organisations need frameworks that address the directive's requirements.
- Understand customer expectations: What do your customers require? International customers often expect ISO 27001. American customers expect SOC 2. B2C may have lower external requirements, but GDPR applies.
- Assess organisational maturity: Where are you starting? Complete beginner? CIS Controls IG1. Established base? ISO 27001. Advanced? Multi-framework with NIST 800-53 for high-risk areas.
- Evaluate available resources: ISO 27001 certification requires resources. CIS Controls can be implemented incrementally. Be honest about what you can manage — a half-hearted ISO 27001 effort gives worse results than well-implemented CIS IG1 controls.
- Think long-term: Frameworks can be combined and built upon. A common progression: CIS IG1 → ISO 27001 → SOC 2 (if service provider). Start where you are, build onwards.
Overlap between frameworks
Common areas:
Most frameworks cover the same fundamental areas with different angles:
| Area | ISO 27001 | NIST CSF | CIS Controls |
|---|---|---|---|
| Asset management | A.5.9-A.5.14 | ID.AM | Control 1-2 |
| Access control | A.5.15-A.5.18 | PR.AC | Control 5-6 |
| Encryption | A.8.24 | PR.DS | Control 3 |
| Incident response | A.5.24-A.5.28 | RS.* | Control 17 |
| Business continuity | A.5.29-A.5.30 | RC.* | Control 11 |
Mapping simplifies a multi-framework approach: If you've implemented ISO 27001, you have ~70% of CIS Controls covered. Control mapping avoids duplicate work.
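The crosswalk in the table above is the data structure that makes this possible: once a control area is fully covered under one framework, the evidence for it can be reused for the mapped controls in another, and whatever is not covered becomes the gap list. The script below is an added example (not Securapilot's code or any official crosswalk) that encodes only the five rows of the page's simplified table, expands the range notation used there ("A.5.9-A.5.14", "Control 1-2"), and computes per-area status, reusable evidence and gaps for a constructed set of implemented ISO 27001 controls.

```python
"""Control crosswalk and gap analysis across frameworks (added example).

The CROSSWALK table is the simplified overlap table from this page, not an
official mapping; a real programme would use the full published crosswalks.
"""
from __future__ import annotations

import re

# area -> framework -> reference, exactly as written in the page's overlap table
CROSSWALK: dict[str, dict[str, str]] = {
    "Asset management":    {"ISO 27001": "A.5.9-A.5.14",  "NIST CSF": "ID.AM", "CIS Controls": "Control 1-2"},
    "Access control":      {"ISO 27001": "A.5.15-A.5.18", "NIST CSF": "PR.AC", "CIS Controls": "Control 5-6"},
    "Encryption":          {"ISO 27001": "A.8.24",        "NIST CSF": "PR.DS", "CIS Controls": "Control 3"},
    "Incident response":   {"ISO 27001": "A.5.24-A.5.28", "NIST CSF": "RS.*",  "CIS Controls": "Control 17"},
    "Business continuity": {"ISO 27001": "A.5.29-A.5.30", "NIST CSF": "RC.*",  "CIS Controls": "Control 11"},
}


def expand(ref: str) -> list[str]:
    """Expand 'A.5.9-A.5.14' or 'Control 1-2' into individual control ids.
    References without a numeric range ('ID.AM', 'RS.*') are returned unchanged."""
    if "-" not in ref:
        return [ref]
    first, last = ref.split("-", 1)
    head = re.match(r"^(.*?)(\d+)$", first)      # prefix + first number
    tail = re.search(r"(\d+)$", last)            # last number of the range
    if not head or not tail:
        return [ref]
    prefix, start, end = head.group(1), int(head.group(2)), int(tail.group(1))
    return [f"{prefix}{n}" for n in range(start, end + 1)]


def area_status(implemented: set[str], framework: str) -> dict[str, str]:
    """Per area: 'covered' if every mapped control of `framework` is implemented,
    'partial' if some are, 'missing' if none."""
    result = {}
    for area, refs in CROSSWALK.items():
        ids = expand(refs[framework])
        done = sum(1 for c in ids if c in implemented)
        result[area] = "covered" if done == len(ids) else ("partial" if done else "missing")
    return result


def reusable_evidence(implemented: set[str], source: str, target: str) -> dict[str, list[str]]:
    """Target-framework controls whose evidence can be reused because the mapped
    area is fully covered under the source framework (implement once, satisfy both)."""
    status = area_status(implemented, source)
    return {area: expand(CROSSWALK[area][target]) for area, s in status.items() if s == "covered"}


def gap_list(implemented: set[str], source: str, target: str) -> list[str]:
    """Target-framework controls still needing work: areas the source framework
    does not fully cover (partial areas are included, since evidence is incomplete)."""
    status = area_status(implemented, source)
    gaps: list[str] = []
    for area, s in status.items():
        if s != "covered":
            gaps.extend(expand(CROSSWALK[area][target]))
    return gaps


# Constructed sample: an organisation that has finished asset management and
# encryption, half of access control, and nothing on incidents or continuity.
SAMPLE_IMPLEMENTED_ISO: set[str] = {
    "A.5.9", "A.5.10", "A.5.11", "A.5.12", "A.5.13", "A.5.14",
    "A.5.15", "A.5.16",
    "A.8.24",
}

if __name__ == "__main__":
    for area, s in area_status(SAMPLE_IMPLEMENTED_ISO, "ISO 27001").items():
        print(f"{area:20s} {s}")
    print("Reusable for CIS:", reusable_evidence(SAMPLE_IMPLEMENTED_ISO, "ISO 27001", "CIS Controls"))
    print("CIS gaps:", gap_list(SAMPLE_IMPLEMENTED_ISO, "ISO 27001", "CIS Controls"))
```

With the sample set, the ISO evidence for asset management and encryption carries over to CIS Controls 1, 2 and 3, while Controls 5, 6, 17 and 11 remain on the gap list; the partial access-control area is deliberately counted as a gap, because an auditor will not accept half a control area as evidence for the mapped target control.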
Common mistakes when choosing frameworks
- ISO 27001 sounds good, but if you don't have the resources for proper implementation, the result is worse than with a simpler framework.
- A framework popular in the USA might not suit the English context. NIS2 and GDPR are legally binding here — start there.
- Chasing certificates without actual implementation. Paperwork doesn't protect against cyber attacks.
- Trying to implement three frameworks simultaneously. Start with one, build the foundation, then expand.
Multi-framework approach
Combine smartly:
A pragmatic approach for English organisations:
- Base: ISO 27001 — internationally recognised, covers NIS2 foundation
- Technical support: CIS Controls — concrete implementation guidance
- Regulatory: NIS2/GDPR mapping — ensure legal compliance
- Specific: SOC 2 if service provider to US customers
Benefits:
- Implement once, satisfy multiple requirements
- Avoid duplicate work through control mapping
- Flexibility to add frameworks as needed
Practical next steps
If you have no framework
Start with CIS Controls IG1. It provides basic cyber hygiene with 56 concrete controls and can be implemented incrementally without major investment.
If you have ISO 27001
Map against NIS2 to ensure regulatory compliance. Consider CIS Controls for more technical guidance in specific areas.
If customers require SOC 2
ISO 27001 provides a good foundation. Add Trust Service Criteria-specific controls and prepare for attestation.
How Securapilot can help
Securapilot supports multi-framework compliance:
- Framework support — ISO 27001, NIS2, GDPR and more
- Control mapping — See overlap between frameworks
- GAP analysis — Identify what’s missing
- Evidence management — One control, evidence for multiple frameworks
- Dashboard — Overview of compliance status per framework
Book a demo and see how we can support your framework work.
Frequently asked questions
Must you choose only one control framework?
No, many organisations use multiple frameworks. ISO 27001 as a foundation with CIS Controls for technical implementation is common. Frameworks overlap and can be mapped against each other.
Which framework is easiest to implement?
CIS Controls IG1 (Implementation Group 1) has 56 controls and is designed for organisations with limited resources. It's a good starting point that can be built upon.
Do I need certification?
It depends on customer requirements and industry. ISO 27001 certification demonstrates external commitment but is resource-intensive. Many frameworks (NIST, CIS) have no formal certification.
How do I choose a framework?
Start from: 1) Customer requirements — what do your customers expect? 2) Regulatory requirements — what must you comply with? 3) Resources — what can you manage? 4) Maturity — where are you starting from?