Security Frameworks
After thirteen chapters of individual controls, the obvious question is "how do I know I have covered everything, and in what order?" — and that is what security frameworks answer. They are the field's accumulated checklists and operating models: NIST CSF organizes a whole program into six functions, CIS Controls prioritize concrete actions, and ISO 27001 defines a certifiable management system.
This topic gives you a map of the major frameworks and, crucially, how to use one to structure Meridian's program rather than drown in it — because a framework adopted as paperwork reduces no risk at all.
Why Frameworks Exist
Frameworks encode hard-won consensus on what a complete security program contains, so you do not have to rediscover it by being breached. A framework turns "are we secure?" into "how do we score against a known-good structure?" — a question you can actually answer and track, which is the difference between a program and a pile of controls someone happened to build.
NIST Cybersecurity Framework
The NIST CSF (as of version 2.0) organizes everything into six functions — Govern, Identify, Protect, Detect, Respond, Recover — which is the structure this whole book maps to. Govern was added in 2.0 and sits underneath the other five: it covers the risk-management strategy, policy, roles and oversight, and supply-chain risk that decide how well the rest actually get done. The CSF is an outcome-oriented common language for program structure and maturity, not a checklist of specific settings, which makes it the right tool for describing and assessing the shape of a program at a high level.
CIS Controls
The CIS Controls are a prioritized, concrete list of safeguards ordered by impact — the top handful (inventory, secure configuration, access control, vulnerability management) prevent the majority of attacks. This is the best "where do we start" for a practical program: rather than trying to do everything, you work the prioritized list from the top, which is where the impact is.
ISO 27001 and Choosing One
ISO 27001 is a certifiable information-security management system built around a risk-assessment process and continuous improvement — it is about managing security as a governed, auditable program, and certification signals that to customers. Choose a framework by fit: structure with NIST CSF, act with CIS Controls, certify with ISO 27001 when customers or regulators require it. Map existing controls to the framework to find gaps, and use it as a living roadmap, not an audit artifact.
NIST CSF — outcome-based program structure (six functions, with Govern added in 2.0), a common language and maturity model, and free.
CIS Controls — a prioritized, concrete action list; best for "what do we do first."
ISO 27001 — a certifiable management-system standard centered on risk process and continuous improvement; best when you need auditable certification. They compose: structure with CSF, act with CIS, certify with ISO.
- Adopting a framework as paperwork — mapping controls once for an audit and never using it to drive improvement.
- Trying to implement an entire framework at once instead of using CIS-style prioritization to sequence by impact.
- Confusing certification (ISO 27001) with security — a certified management system proves a managed process exists, not that you cannot be breached.
- Picking a framework by fashion rather than fit (regulatory requirement, customer demand, program maturity).
- Never mapping existing controls to the framework, so gaps stay invisible.
- Use a framework to structure and assess the program (NIST CSF as the common language) and to find and prioritize gaps.
- Sequence implementation by impact (CIS Controls' prioritization) rather than trying to do everything at once.
- Treat certification (ISO 27001) as a business and assurance signal built on a real risk-managed program, not as security itself.
- Choose the framework that fits your regulatory, customer, and maturity context, and use it as a living roadmap.
- Map your existing controls to the framework so the gaps become an actionable list.
Knowledge Check
What is the primary value of adopting a security framework?
- It gives a consensus structure you can score against
- It guarantees the organization simply cannot ever be breached
- It replaces the need for any actual security controls
- It is primarily a document to show to external auditors
Which framework is best suited to answering "what do we do first"?
- CIS Controls, a prioritized list ordered by impact
- ISO 27001, because getting certification always comes first
- NIST CSF, because it lists the specific settings to apply
- None — frameworks never really help you with prioritization
Why is ISO 27001 certification not the same as being secure?
- It proves a risk-managed process is followed, not that breach can't happen
- Certification is purely a marketing exercise with no real underlying substance
- ISO 27001 has nothing to do with risk
- Certified organizations never need to patch
You got correct