Key Frameworks

ISO 27701

An international standard that acts as a privacy extension to the ISO 27001 to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS)

ISO 27002

An international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMS)

Center for Internet Security (CIS)

Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)

Cloud Security Alliance's Reference Architecture

A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business

Risk Management Framework (RMF)

A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations

Cybersecurity Framework (CSF)

A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks

System and Organization Controls (SOC)

A suite of reports produced during an audit which is used by service organizations to issue validated reports of internal controls over those information systems to the users of those services

Cloud Security Alliance's Cloud Control Matrix

Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

ISO 31000

An international standard for enterprise risk management that provides a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies, and paradigms that differed between industries, subject matters, and regions

ISO 27001

An international standard that details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS)