Top 7 information security standards, frameworks and laws explained

Multiple information security and cybersecurity frameworks are available to help organizations build their own information security plans. Many of these are also already supported in Cyberday.

Information security frameworks come in many types - e.g. international standards, local programs, EU regulations or directives, industry-specific legislations, organization-specific criteria catalogs or other sets of security best practices.

Here's key information about some of the most popular information security standards.

Last updated: 4.3.2024

ISO 27001 standard

ISO/IEC 27001 is an international standard to manage information security. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure.

ISO 27001 emphasizes the importance of identifying and assessing information security risks. Organizations are required to implement risk management processes to identify potential threats, evaluate their impact, and develop appropriate mitigation strategies.

ISO 27001 also promotes a culture of continual improvement in information security. Regular monitoring, performance evaluation, and periodic reviews help organizations adapt to evolving threats and enhance their ISMS effectiveness.

ISO 27001 structure

22 top management requirements for managing information security

• 4. Context of the organization
• 5. Leadership
• 6. Planning
• 7. Resources
• 8. Operation
• 9. Performance evaluation
• 10. Improvement

93 controls for implementing information security

• 5. Organizational controls (e.g. asset management, supplier relationships, continuity)
• 6. People controls
• 7. Physical controls
• 8. Technological controls (e.g. vulnerability management, incident management, secure development, secure configuration)

ISO 27001 specialities

• Originally published in 2005, revised in 2013 and again most recently in 2022
• A gold standard: known all over the world with many other laws, frameworks etc. refer to ISO 27001
• Certification available and many accredited auditing companies in multiple countries
• Many extending standards available (ISO 27017 (cloud security), ISO 27018 (cloud privacy), ISO 27701 (privacy management), ISO 27799 (health industry), ISO 27031 (disaster recovery), ISO 27040 (storage security))

DORA (Digital Operational Resilience Act)

Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience.

After DORA, they must also follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring.

DORA acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system, even if there is "adequate" capital for the traditional risk categories.

DORA structure

DORA includes 41 requirements in total. Main contents for end user organizations in chapters II - VI.

• ICT risk management (articles 5-16)
• ICT-related incident management, classification and reporting (articles 17-23)
• Digital operational resilience testing (articles 24-27)
• Managing of ICT third-party risk (articles 28-44)
• Information-sharing arrangements (article 45)

DORA specialities

• EU regulation
• Will apply as of 17 January 2025
• Affects financial entities such as banks, insurance companies or investment firms and their supply chains

NIS2 directive

NIS2 (The Network and Information Systems Directive 2) is EU's new regulatory framework for information security on important industries.

It sets a new bar for information security standards, extends the scope from original NIS, introduces strict supervisory activities for compliance, and also potential penalties for violations. Goal is to safeguard Europe's information infrastructure better.

Especially important to note is, that NIS2 doesn’t just set the standards for organizational cybersecurity; it holds top management accountable for reaching them. Negligence or insufficient engagement with these regulations could have significant legal repercussions. If you do not demonstrate due diligence in implementing robust cybersecurity measures consistent with NIS2 standards, top management may be personally held responsible for any resulting security failures.

NIS2 structure

On NIS2 full text, only Chapter IV lists requirements for end user organizations.

Chapter IV called “Cybersecurity risk-management measures and reporting obligations” has the following articles:

• 20 - Governance: Underlines top managements role as responsible for implementing the information security measures.
• 21 - Cybersecurity risk-management measures: Lists the information security areas, for which organizations need to have documented and implemented measures for.
• 22 - Union level coordinated security risk assessments of critical supply chains
• 23 - Reporting obligations: Lists requirements for reporting incidents to authorities and service users.
• 24 - Use of European cybersecurity certification schemes
• 25 - Standardisation

NIS 2 requires organizations to have documented and implemented measures for following information security areas:

• Risk management and information system security
• Incident management and reporting
• Logging and detecting incidents
• Business continuity and backups
• Supply chain security & monitoring
• Secure system acquisition and  development
• Assessing effectiveness of security measures
• Cyber hygiene practices and training
• Encryption
• Human resource security
• Access control
• Asset management
• Multi-factor authentication (MFA)

NIS2 specialities

• EU directive
• NIS2 will become effective on October 18, 2024
• Specified industries in scope
• Supply chain effect broadens scope to also the important suppliers of NIS2 organizations
  

NIST CSF (1.1)

The NIST Cybersecurity Framework (CSF) is a set of cybersecurity best practices and recommendations from the National Institute of Standards and Technology (NIST) from the United States.

The CSF puts forth a set of recommendations and standards that enable organizations to be better prepared in identifying and detecting cyber-attacks, and also provides guidelines on how to respond, prevent, and recover from cyber incidents.

NIST CSF is widely considered to be the gold-standard for building a cybersecurity program.

NIST CSF structure

NIST CSF includes a total of 108 requirements. These requirements are categorized under 5 core functions: Identify (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC).

Identify (ID) function covers the following security aspects:

• Asset management
• Business environment
• Governance
• Risk assessment
• Risk management strategy
• Supply chain risk management

Protect (PR) function covers the following security aspects:

• Identity management, authentication and access control
• Awareness and training
• Data security
• Information protection processes and procedures
• Maintenance
• Proactive technology

Detect (DE) function covers the following security aspects:

• Anomalities and events
• Security continuous monitoring
• Detection processes

Respond (RS) function covers the following security aspects:

• Response planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover (RC) function covers the following security aspects:

• Recovery planning
• Improvements
• Communications

NIST CSF specialities

• Considered a gold standard for building a cybersecurity program - especially in the North American market.
• Many other frameworks have embraced NIST CSF's core function division: Identify-Protect-Detect-Respond-Recover
• NIST has also published more technical catalogs of security and privacy controls, e.g. NIST SP 800-53 and NIST SP 800-171
• Initially published in 2014, updated in April 2018 to v1.1

NIST CSF (2.0)

NIST CSF will be updated in early 2024.

Key changes

• Introduction of a sixth core function "Govern" to emphasize governance-related requirements
• Explicit guidance extended to organizations of all sizes, sectors, and maturity levels
• Goal of enabling smaller businesses to effectively utilize the framework

Cybersecurity Capability Maturity Model (C2M2)

The Cybersecurity Capability Maturity Model (C2M2) helps organizations evaluate their cybersecurity capabilities and optimize security investments.

While the U.S. Department of Energy and the energy industry in general led development of the C2M2 and championed its adoption, any organization—regardless of size, type, or industry—can use the model to evaluate, prioritize, and improve their cybersecurity capabilities.

C2M2 structure

C2M2 is a large framework with a total of 356 requirements (or practices, as they call them) split down to 3 different maturity levels.

Level 1 includes 56 requirements, level 2 a total of 222 and level 3 the full 356.

Framework's contents are split to

• ASSET: 5 sections and 23 requirements related to asset, change, and configuration management
• THREATS: 3 sections and 19 requirements related threat and vulnerability management
• RISK: 5 sections and 23 requirements related to risk management
• ACCESS: 4 sections and 25 requirements related to identity and access management
• SITUATION: 4 sections and 16 requirements related situational awareness
• RESPONSE: 5 sections and 32 requirements related to event and incident response & continuity of operations
• THIRD-PARTIES: 3 sections and 14 requirements related to third-party risk management
• WORKFORCE: 5 sections and 19 requirements related to workforce management
• ARCHITECTURE: 6 sections and 36 requirements related to cybersecurity architecture
• PROGRAM: 3 sections and 15 requirements related to cybersecurity program management

C2M2 specialities

• Splits all its practices to 3 separate MILs (i.e. maturity levels) to let organizations count out and compare their own cybersecurity maturity
• National applications of C2M2 framework have been created (e.g. in Finland known as Kybermittari).
  
• MILs and dividing requirements to Fully / Largely / Partially / Not implemented help in calculating your relative maturity and comparing to other organizations

CIS Critical Security Controls v8 (CIS 18)

The Center for Internet Security (CIS) Critical Security Controls (previously known as the SANS Top 20), is a prioritized set of safeguards to mitigate the most prevalent cyberattacks agains systems and networks.

CIS Controls takes quite a technical approach to information security and it can be successfully applied alongside more security management related frameworks, like ISO 27001 or NIST CSF, to harden the technical protections.

Over the years, the CIS Controls have matured into an international community of volunteer individuals and institutions that share insights into cyber threats, identify root causes, and translate that into defensive action.

CIS Controls structure

The 18 controls covered in CIS Controls are very top-level security functions, and they are further divided down to the actual requirements (called safeguards).

CIS Controls includes a total of 163 requirements (i.e. safeguards).

18 CIS controls are the following:

• 01 - Inventory and control of enterprise assets (5 safeguards)
• 02 - Inventory and control of software assets (7 safeguards)
• 03 - Data protection: Identify and classify data. Securely handle, retain and dispose data. (14 safeguards)
• 04 - Secure configuration of enterprise assets and software (12 safeguards)
• 05 - Account management: Assign and manage authorization to credentials for user accounts. (6 safeguards)
• 06 - Access control management: Create, assign, manage, and revoke access credentials securely. (8 safeguards)
• 07 - Continuous vulnerability management (7 safeguards)
• 08 - Audit log management (12 safeguards)
• 09 - Email and web browser protections (7 safeguards)
• 10 - Malware defenses (7 safeguards)
• 11 - Data recovery: Practices for restoring in-scope enterprise assets to a pre-incident and trusted state. (5 safeguards)
• 12 - Network infrastructure management (8 safeguards)
• 13 - Network monitoring and defense (11 safeguards)
• 14 - Security awareness and skills training (9 safeguards)
• 15 - Service provider management (7 safeguards)
• 16 - Application software security: Manage the security life cycle of developed or or acquired software to prevent weaknesses. (14 safeguards)
• 17 - Incident response management (19 safeguards)
• 18 - Penetration testing (5 safeguards)

CIS Controls specialities

• First version of CIS Controls was published in 2008. Latest update (Version 8) was released in 2021.
• Implementation groups (IGs): CIS Controls are divided down to 3 separate implementation groups - a bit like levels. IG1 is defined as “essential cyber hygiene” and the later safeguards build upon that.
• Mapping: CIS Controls are quite nicely mapped into common compliance frameworks, like ISO 27001 and NIST CSF, to ensure alignment and to bring common goals visible.