Step 2:

Decide on a framework

How to prove the ROI of cybersecurity ▸ Step 2: Decide on a framework

With your KPIs in mind, it’s time to choose the best cybersecurity framework for your organization’s needs. A framework provides a structured approach to identifying, assessing, and managing risks, ensuring compliance with industry standards, and improving overall security resilience. Here are some key factors to consider when evaluating cybersecurity frameworks:

Alignment: Ensure the framework aligns with your business objectives, critical assets, and regulatory requirements
Scope: Assess the framework's breadth, level of detail, and scalability
Implementation: Consider the complexity, alignment with existing processes, and access to support
Reputation: Evaluate industry recognition and community support to ensure you’re engaging with a trusted network
Resources: Estimate the financial and resource requirements for training, implementation, and ongoing maintenance

Based on the above considerations, you can dig deeper into various cybersecurity frameworks to determine which best fits your requirements.

Popular cybersecurity frameworks:

NIST Cybersecurity Framework
This comprehensive framework, developed by the National Institute of Standards and Technology (NIST), provides a risk-based approach to cybersecurity and is designed to help organizations align with cybersecurity best practices. Used across regions and industries, NIST measures an organization’s ability to identify, protect against, detect, respond to, and recover from cybersecurity risks.

ISO 27001 and ISO 27002
Developed by the International Organization for Standardization (ISO), these two standards specify principles and practices to ensure organizations take action to protect their data. The ISO 27001 framework is an international standard for information security management, while ISO 27002 provides more granular cybersecurity controls.

CIS Controls
This prioritized list of security controls was developed by the Center for Internet Security (CIS) to provide a practical approach to cybersecurity. It includes 20 controls across three categories — Basic, Foundational, and Organizational — covering cybersecurity at all levels.

SOC 2
The Service Organization Control (SOC) 2 framework is a set of standards and criteria developed by the American Institute of Certified Public Accountants (AICPA) that assess a service organization's controls related to security, availability, processing integrity, confidentiality, or privacy.

How to prove the ROI of cybersecurity ▸ Step 2: Decide on a framework

Framework	Pros	Cons
NIST Cybersecurity Framework	Comprehensive and flexible Risk-based approach Aligned with industry best practices	Can be complex to implement Requires significant resources and expertise
ISO 27001	Internationally recognized standard Provides a systematic approach to information security management Can enhance organizational credibility and trust	Can be bureaucratic and time-consuming to implement Requires extensive documentation and certification
ISO 27002	Provides specific security controls Can be used to supplement ISO 27001 or as a standalone standard Offers practical guidance for implementing security measures	May require significant effort to implement and maintain May not be as comprehensive as other frameworks
CIS Controls	Prioritized and actionable Focuses on practical security measures Can be tailored to specific organizational needs	May not be as comprehensive as other frameworks Requires ongoing maintenance and updates
SOC 2	Focuses on specific controls related to security, availability, processing integrity, confidentiality, or privacy Can improve trust and credibility with customers and partners	Requires significant effort to achieve and maintain compliance May not address all aspects of cybersecurity

The framework you choose will ultimately depend on your organization’s industry, scale, and scope. As Charlotte Wylie, senior vice president and deputy CSO at Okta, says, “Bringing in an independent third party, or using the NIST-CSF or other regionally or industry appropriate frameworks, to validate your security systems can provide a valuable measure of efficacy and maturity.”