ISO 27001, SOC 2, NIST, Essential 8... where to begin?!
Or... do you even need a cybersecurity framework at all?
Often the advice on cyber resilience is focused on these frameworks, which aren't always the right fit for smaller organisations. They also shouldn't be the first step if you don't have the foundations in place.
Let's decode the purpose of these cybersecurity frameworks, dissect the popular ones (like ISO, SOC and NIST, as well as local additions), and review which framework (or not...) is the most suitable for your business needs.
The purpose of cybersecurity frameworks
Cybersecurity frameworks, often called security compliance frameworks, serve as assurance mechanisms, allowing organisations to communicate trust and maturity levels to stakeholders, clients, and partners.
These frameworks range from voluntary self-assessment options to highly audited, industry-mandated standards like PCI DSS.
"Frameworks seek to prove that an organisation is worthy of doing business with," says Phil Howie, CEO and founder of Onwardly. Essentially, they're a way of telling the world that you have security sorted. This matters most when you handle sensitive information, or when a client asks for evidence before signing a contract.
Deciphering the popular frameworks
ISO 27001, SOC 2, and NIST are among the most recognised cybersecurity frameworks. Here's the high-level view to get the gist of what these letters and numbers mean:
- ISO 27001, published jointly by the International Organization for Standardization (ISO) and the IEC, specifies a risk-based information security management system (ISMS) that is independently certified, and scales to organisations of various sizes.
- SOC 2, developed by the AICPA (the US accounting profession's body, hence its roots in the finance world), is an auditor's attestation report on an organisation's controls against the Trust Services Criteria (security, plus optionally availability, processing integrity, confidentiality and privacy). It is most often requested by US-based customers.
- NIST, the US National Institute of Standards and Technology, publishes the Cybersecurity Framework (CSF): a well-established, voluntary framework with no certification scheme, so it is typically self-assessed. It is organised around five core functions (Identify, Protect, Detect, Respond, Recover); CSF 2.0, released in 2024, adds a sixth, Govern.
Exploring local frameworks
Local frameworks, such as New Zealand's NZISM and Australia's Essential 8, cater to regional needs and regulatory requirements.
- The New Zealand Information Security Manual (NZISM), published by the Government Communications Security Bureau (GCSB), is the New Zealand Government's manual on information assurance and information systems security. It is mandatory for government agencies and, while niche, offers detailed, tailored guidance for organisations working with or inside government.
- Essential 8 is a set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to protect against common cyber threats: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Organisations implement the eight against a maturity model (levels 0 to 3), giving a measurable baseline level of defence.
- A notable mention goes to CERT NZ's Critical Controls (often called the Top 10): a prioritised list designed to help organisations decide where best to spend time and money on cyber resilience.
Alternatives to compliance
When choosing a framework, organisations, especially small and medium-sized businesses, must align the choice with their risk profile and business objectives rather than with whichever standard is most talked about.
On the podcast, Phil stresses the distinction between compliance and security, emphasising the need for a pragmatic approach that prioritises fundamental security principles over blindly pursuing extensive frameworks.
While compliance frameworks are valuable, organisations can also lift their security through guidance resources like CERT NZ's Critical Controls, or through tailored security programs offered by cybersecurity companies like Onwardly. These options scale down to smaller teams and focus on foundational security practices without the audit and documentation burden that a formal compliance framework brings.
--
Selecting the right cybersecurity framework is an important part of safeguarding your organisation's assets and maintaining stakeholder trust.
Whether opting for globally recognised standards or leveraging local frameworks, your org must prioritise security principles that align with your business goals. By focusing on foundational practices, you'll be in a better position to navigate the complexities of cybersecurity with confidence.
Listen to the full episode here and follow us on LinkedIn to catch us live each week.