What Are the Top 4 Cybersecurity Frameworks?

Many organizations must comply with a mixture of state-mandated, industry-specific, and international cybersecurity regulations. The challenge for an organization trading nationally, or even globally, is considerable.

According to Tenable’s Trends in Security Framework Adoption Survey, 84% of organizations in the US tackle this issue with the help of a security framework, and 44% use more than one.

The most cyber secure sector

Of all the companies considered in the survey, those in the banking and finance sector most frequently adopted security frameworks (16%), followed closely by information technology (15%).

The health care and medical sector was the worst, with 27% not having any framework in place at all.

What are the most popular cybersecurity frameworks?

The most frequently adopted cyber security management frameworks should come as no surprise to security practitioners. In this next section, we’ll run through them and explain why they are so popular.

1) NIST Framework for Improving Critical Infrastructure Security

Used by 29% of organizations, the NIST (National Institute of Standards Technology) Cybersecurity Framework is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.

However, the Cybersecurity Framework has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. Indeed, the document is regularly being amended to adapt to changing industry needs.

2) CIS Critical Security Controls

Used by 32% of organizations, the CIS Critical Security Controls are a set of best practices for cybersecurity.

They are designed to help organizations reduce the risk of cyber-attacks and protect their systems and data.

The controls are organized into 20 categories, each of which covers a specific area of cybersecurity.

3) ISO 27001

Used by 35% of organizations, ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system).

Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected.


Used by 47% of organizations, the PCI DSS (Payment Card Industry Data Security Standard) governs the way credit and debit card information is handled.

The Standard applies to any organization (regardless of size or number of transactions) that accepts, stores, transmits or processes cardholder data.

Organizations that comply with the requirements are less likely to have their vulnerabilities exposed by hackers or to experience an internal data breach.

Although not federally mandated in the United States, PCI DSS is mandated by the Payment Card Industry Security Standard council. The council is comprised of major credit card bands and is an industry standard. Some states have even incorporated the standard into their laws.

Does company size matter?

Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%) but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%).

Complying with multiple cybersecurity regulations

As the number of cyber attacks continues to rise, businesses are under increasing pressure to protect their systems from cyber attacks and data misuse. But the challenge of complying with multiple cybersecurity regulations is considerable.

The ISO 27001 Cybersecurity Documentation Toolkit will help you fulfill your cybersecurity obligations, build a robust cybersecurity management system, and comply with:

  • NIST SP 800-53
  • New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies
  • Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
  • ISO 27001, the internationally recognized cybersecurity framework

Containing customizable templates developed by industry experts, this toolkit provides a framework for you to build a robust management system that complies with multiple regulations.

Lead your ISO 27001 project with Lead Implementer training

This three-day live online course will help you implement an ISMS, allowing your business to achieve and demonstrate compliance with key legislation where data security is essential.

Free PDF download: NIST CSF and ISO 27001 – Becoming cyber secure

With data breaches and ransomware attacks on the rise, it’s important to protect your organization. Both NIST CSF and ISO 27001 are closely aligned, making ISO 27001 an excellent way to comply with the NIST CSF. Learn all about them and how they can benefit your organization in our free green paper.

A version of this blog was originally published on 17 January 2019.