NIST CSF
The NIST CSF is a basic "starter" framework for certifying that a company meets baseline cybersecurity standards. Small and medium-sized businesses use NIST CSF to assert to business partners and investors that they take cybersecurity seriously. It is appropriate for any small business in any industry.
NIST 800-53
NIST Special Publication 800-53 revision 4 is a heavyweight framework appropriate for medium-sized and large businesses that need to meet the regulatory requirements of U.S. Federal Government agencies, and for businesses that want a complete, open, license-free framework against which to assert their compliance across a broad range of cybersecurity threats.
NIST 800-171
NIST Special Publication 800-171 is a medium-sized framework designed as a subset of 800-53r4. It was specially developed by the DoD for small defense contractors and has been adopted widely throughout Government contracting. It has fewer requirements, so compliance is easier to achieve, but it still includes everything most small businesses should be doing to reduce cybersecurity risk.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is a framework developed by the Payment Card Industry association to prevent data breaches at retailers that result in the compromise of payment cards such as credit cards and ATM/debit cards. It focuses heavily on twelve areas of cybersecurity compliance specific to preventing data breaches, and all retailers that store credit card numbers and payment information in their information systems are required to implement it.
ISO 27002
ISO 27002, "Code of practice for information security controls," is the internationally recognized cybersecurity framework for global supply-chain companies. It extracts and distills the cybersecurity controls from ISO 27001, and the two ISO standards are often used interchangeably. If you supply products internationally or are a multinational company, ISO 27002 is likely to be the best single cybersecurity framework for your purposes.
HITRUST CSF
The HITRUST Cyber Security Framework is a privately produced product of the HITRUST Alliance, which aims to be a universal, one-size-fits-all framework that can map automatically to all of the other frameworks in this list. As such, it is the most complex framework we implement. The HITRUST CSF is an excellent way to prove compliance with nebulous regulatory requirements such as HIPAA, which require you to have good security without defining precisely what that means. With true HITRUST CSF compliance, your security should be unimpeachable and defensible in legal situations. For that reason, HITRUST CSF is often implemented in the medical industry, where HIPAA regulatory liability is high and no specific standard is defined.
About Cybersecurity Frameworks
A cybersecurity framework is a standardized set of information system controls (statements of proper security practice) that companies measure themselves against to determine how well they comply with industry-recognized best practices, and to prove their level of compliance to business partners.
The various frameworks have differing goals: some are very specific to particular industries or activities, while others are designed for small businesses or for large businesses. Some attempt to cover all types of businesses, and some are subsets of others.
Selecting the right cybersecurity framework is usually easy: a major customer will typically specify exactly which framework you should implement. For example, DoD and Government contractors must be NIST 800-171 compliant. Global supply-chain companies usually look for ISO 27002 compliance, and retailers that accept payment cards must be PCI DSS compliant. Medical and insurance companies usually look to HITRUST to certify their compliance with HIPAA and HITECH regulations.
If you have a choice of frameworks, small businesses should generally choose NIST CSF, and large businesses should choose NIST SP 800-53r5. These general-purpose frameworks are open, widely accepted, and respected across industries. Achieving NIST 800 compliance generally means that any other framework becomes merely a cross-mapping of controls, since all the substantive work will already have been done.
Some companies may need to implement multiple frameworks, but the good news is that there is a lot of overlap between them, so the same effort earns you credit across several frameworks.
Unless you have a specific requirement from a business partner, QuickNIST recommends NIST CSF for small businesses, NIST 800-171 for medium-sized businesses, and NIST 800-53 for large businesses. These are excellent best-practice control sets that reduce cybersecurity risk and liability, are free of private licensing fees, and map well to the other frameworks in every case.