Cyber security frameworks provide an excellent basis for building your cyber strategy and increasing your security maturity. Here are our recommendations for five of the best frameworks to get started with.
Backed by the UK Government, Cyber Essentials aims to provide straightforward steps that any organisation can take to improve its security against the most common cyber threats.
The framework is a great starting point for any business trying to create a solid cyber strategy for the first time, with a strong focus on establishing a picture of security level and getting the basics right. A Cyber Essentials certification is required for many contracts in the public sector.
Cyber Essentials Plus
Once you have a Cyber Essentials Certification, you can take things a step further with the Plus route. This builds on the straightforward approach of the baseline framework to deliver more advanced security measured. Gaining a Cyber Essentials Plus certification requires hands-on technical verification.
ISO/IEC 27000 series
The ISO/IEC family is one of the most reliable standards of security for yourself and your customers. There are more than a dozen of these frameworks covering the implantation of different processes. 27001 is one of the best starting points as it focuses on systematically examining your security risks and accounting for threats and impacts before moving on to implement controls to reduce the risk.
COBIT (Control Objectives for Information and Related Technologies) is a longstanding framework created by ISACA nearly 25 years ago. The framework covers all the most important processes needed for effective IT management. It is a useful general resource, but the most recent release COBIT 5 has a heavy emphasis on information security, particularly when it comes to addressing the changing enterprise permitter in the wake of factors like BYOD and remote working.
Originating in the US, the NIST Cybersecurity Framework was created for private sector organisations but has seen heavy adoption by governments worldwide. NIST provides a solid framework for preventing, detecting, and responding to a range of the most common cyber attacks.
A little different from the others on this list, MITRE ATT@CK is more of a knowledge base than a set framework. Based on real-world experience, it offers a series of matrices providing information on the most common attack tactics, and advice on addressing them. You can focus on any point of the cyber kill chain, or skip to specific targets and attack types to effectively create your own custom framework.