"Which cybersecurity framework should we use?" is one of the most common questions I hear, and it is the wrong one. Frameworks are not rival teams you pick between. They do different jobs, at different layers, and the skill is in combining them deliberately. This guide gives you enough real detail on each to make that decision well.
Four kinds of framework
Most of the confusion disappears once you sort the landscape into four kinds of thing.
The control landscape, by layer
The layers build on each other. Laws say what outcome is required. Standards let you demonstrate you have a system. Control catalogues tell you how to build it. A metaframework lets you do the work once and point it at everything else.
You do not choose one framework. You choose a law you must meet, a standard to prove it, and a control set to build it, and you make them work together.
How comprehensive is each framework?
ISO/IEC 27001:2022 — the certifiable ISMS standard
ISO 27001 is the international standard for an Information Security Management System (ISMS): a documented, risk-driven system for managing security that an accredited body can certify. That certificate is the global currency of "we take security seriously," which is why customers and tenders ask for it. The standard itself has two parts: the management-system clauses 4 to 10 (context, leadership, planning, support, operation, performance evaluation, improvement), which are mandatory, and Annex A, a reference set of 93 controls grouped into four themes in the 2022 version.
ISO 27001:2022 Annex A, 93 controls in four themes
Best for: almost any organisation that needs to prove its security to customers or regulators. It is framework-agnostic about how you implement controls, which is why it pairs so well with the catalogues below.
NIST CSF 2.0 — the common language for risk
The NIST Cybersecurity Framework, updated to version 2.0 in 2024, is voluntary, outcome-based and vendor-neutral. It is the best shared language between a security team and a board, because it organises everything into six functions, expanded across 22 categories and 106 subcategories. The newest function, Govern, now wraps the other five, putting strategy, roles, policy and supply-chain risk at the centre.
NIST CSF 2.0, the six functions
Best for: structuring a programme and reporting posture upward. It tells you what outcomes to achieve, but not the specific controls; for those, most teams pair it with CIS Controls or ISO 27002.
CIS Controls v8 — the prioritised place to start
If NIST CSF is the map, the CIS Controls are the turn-by-turn directions. Version 8 distils security into 18 controls and 153 safeguards, ordered by impact, and groups them into three Implementation Groups so you know what to do first:
- IG1 (essential cyber hygiene) — the 56 foundational safeguards every organisation should implement.
- IG2 — adds safeguards for organisations managing more sensitive data or complexity.
- IG3 — the full set, for high-risk organisations facing sophisticated attackers.
| # | CIS Control v8 | What it does |
|---|---|---|
| 1 | Inventory of enterprise assets | Know every device connected to your network |
| 2 | Inventory of software assets | Know and manage all installed software |
| 3 | Data protection | Identify, classify and protect your data |
| 4 | Secure configuration | Harden assets and software away from insecure defaults |
| 5 | Account management | Control the lifecycle of accounts and credentials |
| 6 | Access control management | Least privilege and multi-factor authentication |
| 7 | Continuous vulnerability management | Find and fix weaknesses on a cycle |
| 8 | Audit log management | Collect, retain and review logs |
| 9 | Email & web browser protections | Reduce the most common attack surface |
| 10 | Malware defenses | Prevent and detect malicious code |
| 11 | Data recovery | Reliable, tested backups you can restore |
| 12 | Network infrastructure management | Securely configure network devices |
| 13 | Network monitoring & defense | Detect and respond to threats on the network |
| 14 | Security awareness & skills training | Build a security-conscious workforce |
| 15 | Service provider management | Manage third-party and supplier risk |
| 16 | Application software security | Build and buy software securely |
| 17 | Incident response management | Plan, staff and run incident response |
| 18 | Penetration testing | Test your defenses by simulating attacks |
Best for: any team that wants action over theory, especially SMEs. Start at IG1 and grow.
The other frameworks you will meet
These appear constantly in contracts, audits and questionnaires. You rarely implement all of them, but you should know what each is for.
| Framework | Owner | Structure / size | Best for | Certifiable? |
|---|---|---|---|---|
| NIST SP 800-53 | NIST (US) | ~1,000 controls, 20 families | Deep control catalogue, US federal & high-assurance | No |
| NIST 800-171 / CMMC | NIST / US DoD | 110 requirements; CMMC Levels 1–3 | US defense supply chain (CUI) | CMMC: yes |
| SOC 2 | AICPA (US) | 5 Trust Services Criteria | Proving controls to US customers | Attestation report |
| PCI DSS v4.0 | PCI SSC | 12 requirements, 6 goals | Storing or processing card data | Yes, validation |
| COBIT 2019 | ISACA | 40 governance & management objectives | IT & security governance alignment | No |
| CSA CCM | Cloud Security Alliance | 197 controls, 17 domains | Cloud-specific assurance (CSA STAR) | Via STAR |
| Cyber Hygiene for SMEs (DSA) | Cyprus DSA / NCC-CY | Baseline control set for SMEs | Cypriot SMEs establishing basic cyber hygiene (funding available) | Yes, certification |
The laws that drive it all
In Europe especially, the frameworks above are increasingly chosen to satisfy legal obligations. These are not "frameworks you adopt"; they are obligations you meet, usually by implementing a control catalogue and proving it with a standard.
| Law | Region | Applies to | Core demand |
|---|---|---|---|
| NIS2 | EU | Essential & important entities in critical sectors | Risk-management measures, governance & incident reporting |
| DORA | EU | Financial entities & their ICT providers | ICT risk management, resilience testing, third-party oversight |
| GDPR | EU | Anyone processing EU personal data | Lawful processing, security of data, breach notification |
| Cyber Resilience Act | EU | Manufacturers of products with digital elements | Security by design, vulnerability handling & reporting, CE marking (main obligations from Dec 2027) |
How they fit together: do it once, map to many
Here is the payoff. Because these frameworks overlap heavily (by most estimates, 70 to 80 percent of controls map across NIST CSF, ISO 27001 and CIS), you do not implement them separately. You build and operate one control set, then map the same evidence outward to every law, standard and framework that asks for it. That mapping job is exactly what a metaframework like the Secure Controls Framework (SCF) does.
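To make "do it once, map to many" concrete, here is an added example (not code from the article or from circl3.tech) of the data model behind that approach: one backbone of controls holds the evidence status, a crosswalk maps each external requirement to the backbone controls that satisfy it, and coverage per framework plus a "fix these first" list fall out of the same data. The backbone is a constructed subset of CIS v8 controls with made-up evidence statuses, and the crosswalk entries are illustrative mappings written for this example, not an official crosswalk; a real programme would take its mapping from a vetted source such as the SCF.

```python
"""Do it once, map to many: a small crosswalk-coverage calculator.

One internal control backbone holds the evidence; a crosswalk maps each
external requirement to the backbone controls whose evidence satisfies it.
Everything below (backbone statuses, mappings) is constructed sample data.
"""
from collections import Counter

# Constructed sample backbone: a subset of CIS v8 controls with an evidence
# status. Status values: "implemented" (evidence on file), "partial", "missing".
BACKBONE = {
    "CIS-1":  {"name": "Inventory of enterprise assets",      "status": "implemented"},
    "CIS-2":  {"name": "Inventory of software assets",        "status": "partial"},
    "CIS-7":  {"name": "Continuous vulnerability management", "status": "implemented"},
    "CIS-8":  {"name": "Audit log management",                "status": "implemented"},
    "CIS-11": {"name": "Data recovery",                       "status": "missing"},
    "CIS-13": {"name": "Network monitoring & defense",        "status": "missing"},
    "CIS-15": {"name": "Service provider management",         "status": "partial"},
}

# Illustrative crosswalk (constructed for this example, not an official
# mapping): framework -> external requirement -> backbone controls that
# must be in place for the requirement to count as covered.
CROSSWALK = {
    "ISO 27001:2022": {
        "A.5.9 Inventory of information and other associated assets": ["CIS-1", "CIS-2"],
        "A.8.8 Management of technical vulnerabilities":              ["CIS-7"],
        "A.8.15 Logging":                                             ["CIS-8"],
        "A.8.13 Information backup":                                  ["CIS-11"],
        "A.5.19 Information security in supplier relationships":     ["CIS-15"],
    },
    "NIST CSF 2.0": {
        "ID.AM Asset Management":                            ["CIS-1", "CIS-2"],
        "ID.RA Risk Assessment":                             ["CIS-7"],
        "DE.CM Continuous Monitoring":                       ["CIS-8", "CIS-13"],
        "RC.RP Incident Recovery Plan Execution":            ["CIS-11"],
        "GV.SC Cybersecurity Supply Chain Risk Management":  ["CIS-15"],
    },
    "NIS2 Art. 21(2)": {
        "(c) business continuity and backup management": ["CIS-11"],
        "(d) supply chain security":                     ["CIS-15"],
        "(e) vulnerability handling":                    ["CIS-7"],
        "(i) asset management":                          ["CIS-1", "CIS-2"],
    },
}


def coverage(backbone, crosswalk):
    """Per framework: requirements fully covered, partially covered, or gaps.

    A requirement is covered only when every mapped backbone control is
    implemented; it is partial when at least one mapped control has some
    evidence; otherwise it is a gap. The same backbone evidence is reused
    for every framework, which is the whole point of the approach.
    """
    report = {}
    for framework, requirements in crosswalk.items():
        covered, partial, gaps = [], [], []
        for requirement, sources in requirements.items():
            states = [backbone[c]["status"] for c in sources]
            if all(s == "implemented" for s in states):
                covered.append(requirement)
            elif any(s != "missing" for s in states):
                partial.append(requirement)
            else:
                gaps.append(requirement)
        report[framework] = {
            "covered": covered,
            "partial": partial,
            "gaps": gaps,
            "percent": round(100 * len(covered) / len(requirements)),
        }
    return report


def gap_drivers(backbone, crosswalk):
    """Backbone controls whose missing or partial evidence blocks the most
    external requirements, most impactful first. Finishing these yields the
    biggest coverage gain across all frameworks at once."""
    blocked = Counter()
    for requirements in crosswalk.values():
        for sources in requirements.values():
            for control in sources:
                if backbone[control]["status"] != "implemented":
                    blocked[control] += 1
    return blocked.most_common()


if __name__ == "__main__":
    for framework, result in coverage(BACKBONE, CROSSWALK).items():
        print(f"{framework}: {result['percent']}% covered, "
              f"{len(result['partial'])} partial, gaps: {result['gaps']}")
    print("Fix first:", [(c, n) for c, n in gap_drivers(BACKBONE, CROSSWALK)])
```

With the sample data, one missing control (data recovery) shows up as a gap under ISO 27001, NIST CSF and NIS2 simultaneously, and the driver list ranks it alongside the two partially evidenced controls as the work that unblocks the most requirements. Swapping in a vetted crosswalk and real evidence statuses turns the same few functions into the "map once, reuse" report described above.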
The approach in three steps
Practical tips: choosing your frameworks
- Start from obligations, not acronyms. List the laws and customer demands you must satisfy first, then work backwards to the controls.
- Pick one control backbone. Choose a single control set (CIS v8 to start, or an SCF-based catalogue to scale) and make everything map to it.
- Use NIST CSF 2.0 as your board language. Its six functions are the cleanest way to report posture upward.
- Certify only where it pays. ISO 27001 or SOC 2 should be driven by a real commercial or regulatory need, not collected for display.
- Map once, reuse forever. The same evidence should serve ISO, NIS2, DORA and customer questionnaires.
- Right-size to your maturity. 800-53 is overkill for most SMEs; CIS v8 IG1 is a far more honest starting point.
The organisations that handle this well are not the ones with the most certificates on the wall. They understand the layers, choose deliberately, build one strong control backbone, measure their maturity honestly, and map it all outward. That is how a confusing landscape becomes a single, defensible programme.
Not sure which frameworks you actually need?
We help organisations cut through the landscape, pick the right standards for their obligations, and build one control backbone that maps to all of them.
This article is general information from circl3.tech, not legal advice. Frameworks and their versions evolve; figures cited (ISO 27001:2022, NIST CSF 2.0, CIS Controls v8, and others) reflect the landscape at the time of writing. We recommend a scoped assessment for your organisation.