Frameworks give you a structured, proven way to build a security program, so you are not reinventing the wheel. Compliance demonstrates to regulators, auditors and customers that you meet specific legal and contractual obligations; the two are related but not the same thing.
| Name | Focus |
|---|---|
| NIST Cybersecurity Framework (CSF) | Govern, Identify, Protect, Detect, Respond, Recover |
| ISO/IEC 27001 | International standard for an ISMS (certifiable) |
| NIST SP 800-53 | Detailed control catalog; mandatory for US federal systems (FISMA/FedRAMP), widely borrowed elsewhere |
| CIS Controls | Prioritized, practical "top 18" safeguards (v8), grouped into implementation groups |
| SOC 2 | Attestation report against the AICPA Trust Services Criteria (common for SaaS vendors; Type II covers operating effectiveness over a period) |
| PCI DSS | Payment card data security (contractual) |
| MITRE ATT&CK | Adversary behavior (detection, not compliance) |
GOVERN — set strategy, roles, risk decisions (added in CSF 2.0)
IDENTIFY — know your assets and risks
PROTECT — safeguards
DETECT — find events
RESPOND — act on incidents
RECOVER — restore and learn
| Regulation | Scope |
|---|---|
| GDPR (EU) | Personal data; 72-hour breach notice to the supervisory authority; fines up to 4% of global annual turnover or EUR 20M, whichever is higher |
| HIPAA (US) | Healthcare data (PHI) |
| CCPA/CPRA (California) | Consumer privacy |
| PCI DSS | Cardholder data (industry-mandated via card brand and acquirer contracts, not a law) |
| SOX | Financial reporting controls |
| DPDP Act (India) | Personal data protection |
Many overlap. A solid ISO 27001 or NIST CSF program covers the bulk of the technical and organizational controls these regulations expect, so you can map one control set to several obligations instead of running a separate program per regulation. The regulation-specific parts (breach notification deadlines, data subject rights, record-keeping, scope definitions) still have to be handled explicitly; a framework does not satisfy them by itself.
| Document | Role | Example |
|---|---|---|
| Policy | High-level intent (mandatory) | "Sensitive data must be encrypted at rest and in transit" |
| Standard | Specific mandatory rule | "Use AES-256 (e.g. AES-256-GCM) at rest; TLS 1.2 or higher in transit" |
| Procedure | Step-by-step how-to | "How to rotate a key" |
| Guideline | Recommended (optional) | "Prefer passphrases" |
Compliance is a floor, not a ceiling. "Compliant" ≠ "secure": several large breach victims had passed their compliance audits shortly before the incident. An audit is a point-in-time check of in-scope controls against a fixed list; it says nothing about unscoped systems, about what changed the day after, or about an attacker who does not care which control the list omitted. Use frameworks to build genuine, continuously verified security; treat compliance as the minimum bar, not the goal.