Control Frameworks
Overview
Security professionals play a critical role in designing, implementing, and managing the controls that protect the confidentiality, integrity, and availability of an organization's information. These controls safeguard organizational assets and operations against the threats and risks that could compromise them. Security professionals use security control frameworks to guide the design of comprehensive security programs, ensuring that every aspect of security is addressed effectively.
COBIT
COBIT (Control Objectives for Information and Related Technologies) provides a comprehensive framework for governance and management of enterprise IT. It helps organizations align IT with business goals and ensure effective management of IT-related risks.
- Often used by auditors, with a strong focus on information security.
- Aligns IT activities with business objectives.
- Focuses on governance and management of enterprise IT.
- Facilitates risk management and process improvement.
ISO 27001
ISO/IEC 27001 is an international standard for information security management systems (ISMS). It outlines requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization's overall business risks.
- Focuses on establishing an ISMS to protect information assets.
- Provides a systematic approach to managing sensitive company information.
- Requires organizations to assess risks and implement appropriate security controls.
- Ensures compliance with legal, regulatory, and contractual requirements.
NIST 800-53
NIST Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems and organizations. It is widely used by government agencies and private sector organizations to enhance cybersecurity posture. Key points about NIST 800-53 include:
- Developed by the National Institute of Standards and Technology (NIST) for federal systems.
- Includes a comprehensive set of security controls addressing various security objectives.
- Categorizes controls into families such as access control, audit and accountability, and system and communications protection.
- Supports risk-based management of information systems security.
- Provides a structured approach for selecting and implementing security controls based on organizational risk assessments.