Comparing the main cybersecurity frameworks so you don’t have to
Can we aim for one framework, then strap on the rest?
If you’re a CISO or the poor Shemp wrangling firewalls at an SME, you’ve probably wondered: which standard should we actually align to? ISO 27001? NIST CSF? CIS Controls? Or do we just mutter “GDPR” and hope the auditor and regulator nod and smile?
Pragmatically, most cybersecurity frameworks have some major common themes. The trick is to pick a backbone that maps cleanly to your risks, customers, and regulators, and then plug in any sector-specific extras. Brace for a lot of acronyms.
What They All Agree On
(the common denominators)
Across the major heavyweights (NIST CSF 2.0, ISO/IEC 27001:2022, CIS Controls v8.1, PCI DSS 4.x, GDPR Article 32, plus regionals like NIS2, Cyber Essentials, HIPAA, SOC 2, and NYDFS), you’ll see the same refrain:
- Access control: least privilege, strong authentication (MFA), joiner-mover-leaver discipline. You’ll find this in ISO 27001/27002, CIS, NIST, PCI, HIPAA, and NYDFS (which explicitly calls out MFA). Access control is where you win or lose. It’s not sexy. Nobody brags about deprovisioning workflows. But it’s usually how attackers walk in: unnecessary SaaS app admins, over-privileged service accounts, or forgotten contractors. Most standards know that, which is why it’s the single most consistent requirement. Added points for Just-In-Time access.
- Secure configuration & patching: standard builds, timely updates, vulnerability management. A staple of CIS Controls and expected everywhere else.
- Governance & risk management: define scope, assign accountability, assess risk, and improve continuously. NIST CSF 2.0 literally adds a Govern function and structures everything around Govern-Identify-Protect-Detect-Respond-Recover.
- Asset inventory (devices, software, data, services), because you can’t defend what you don’t know you own. CIS Controls makes this Items #1–#2, with v8.1 refinements.
- Logging, monitoring & detection: collect meaningful telemetry, monitor, and respond. Baked into NIST CSF and mirrored by ISO 27001 control families.
- Incident response & recovery: plan, test, improve, and communicate. NIST CSF formalizes Respond/Recover; GDPR mandates breach notification discipline (Articles 33–34).
- Data protection by design: classify data, use encryption/pseudonymization where appropriate (GDPR Art. 32), key management, and backups you’ve actually tested.
- Third-party risk: vendor due diligence, contractual controls, and monitoring—elevated under NIS2 and expected in SOC 2 and NYDFS.
- People: awareness, role-based training, and accountability. HIPAA spells out administrative, physical, and technical safeguards. NIS2 pushes board-level responsibility.
If you strengthen those domains, you’ll meet 70–80% of what most auditors want to see before you even get to logo-collecting.
So… What’s The “Best” One to Aim At?
Short Answer: GDPR isn’t a cybersecurity framework; it’s a regulation with a risk-based security clause (Article 32). Treat it as a privacy overlay, not your backbone.
For SMEs needing broad, credible coverage:
- Use NIST CSF 2.0 as your operating model. It’s flexible, free, and maps well to other frameworks. It’s a great way to organize the program and increase maturity over time.
- Pursue ISO/IEC 27001:2022 for certifiable assurance once you’ve got the basics humming. ISO 27001 gives you an auditable information security management system (ISMS) and a customer-friendly badge.
- Layer CIS Controls v8.1 for a pragmatic, prioritized control set. It’s especially handy for network security teams translating policy into concrete hardening.
Think of it like this:
NIST CSF for structure → ISO 27001 for certification → CIS v8.1 for control depth → local overlays (GDPR/NIS2/Cyber Essentials) for regulatory reality.
Where They Differ
(add-ons by standard)
Here are the deltas that often tip implementation detail:
- PCI DSS 4.x (payments): very prescriptive scoping (cardholder data environment), technical requirements (segmentation, ASV scans, web app firewalls, strong cryptography), and detailed testing procedures. If you touch PANs, there’s no substitute.
- HIPAA Security Rule (health): explicitly codifies administrative, physical, and technical safeguards for ePHI; watch for the 2025 update proposals around inventories, MFA, vendor notifications, and incident planning.
- SOC 2 (customers of SaaS love it): audited against Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). It’s not a framework you implement so much as a controls-assurance report you earn—great for sales.
- NYDFS 23 NYCRR 500 (finance NY): requires MFA, risk-based programs, CISO accountability, data retention limits, and prompt incident reporting—applies even to many smaller covered entities.
- NIS2 (EU critical/important entities & supply chains): board-level accountability, risk-management measures, supply-chain security, reporting timelines, and potential sanctions. If you’re upstream of critical sectors, assume expectations will flow down.
- Cyber Essentials (UK baseline): five control areas, or pillars: firewalls, secure configuration, access control, malware protection, and patching, with a defined scope and an evidence check. Cyber Essentials Plus adds independent testing.
A sensible roadmap for SMEs
- Baseline with CIS v8.1 and Cyber Essentials to close obvious gaps (asset inventory, MFA everywhere, patch SLAs, config hardening, EDR, backups, segmentation). It’s fast, measurable, and makes ransomware crews work for their supper.
- Run the program on NIST CSF 2.0, so your board, auditors, and insurers can see the plan: governance in place, risk tracked, controls mapped, incidents rehearsed, recovery tested.
- Pursue ISO/IEC 27001 certification when you’re ready to enshrine discipline (policies, risk treatment, internal audits, management review, continual improvement). It converts good practice into audited assurance.
- Overlay sectoral or buyer-driven regimes: PCI for payments; SOC 2 if you sell B2B SaaS; HIPAA if you process ePHI; NYDFS if you operate in any financial business that could touch New York (which I don’t think any bank or insurer can avoid); and be NIS2-aware if you’re inside EU critical supply chains.
The Undeniable Power of Access Control
Access control is one of the most universal threads running through all the standards we just compared. It’s not an afterthought; it’s foundational.
Here’s how it plays out across the major frameworks:
- NIST CSF 2.0: Under “Protect”, you’ve got Identity Management, Authentication, and Access Control as core categories. It demands role-based assignment, least privilege, and revocation processes.
- ISO/IEC 27001/27002: Devotes an entire control family (A.5 in 27002:2022) to access control: policy, provisioning, user registration, privileged access, review, and removal.
- CIS Controls v8.1: Control #6 is “Access Control Management,” paired with #5 (Account Management). They’re explicit about MFA, admin account separation, and lifecycle hygiene.
- PCI DSS 4.x: Incredibly prescriptive—unique IDs, MFA for all admin and remote access, access restricted by “need to know,” and quarterly reviews of rights.
- HIPAA Security Rule: Defines administrative, physical, and technical safeguards for access, e.g. unique user IDs, emergency access procedures, and automatic logoff.
- GDPR Art. 32: requires “appropriate” measures, such as ensuring only authorized personnel can access personal data, enforced through role-based rights and auditability.
- NIS2 / Cyber Essentials / NYDFS: All hammer home MFA, least privilege, and clear accountability. Cyber Essentials specifically checks access control as one of its five pillars.
Common factors:
- Least privilege: users get only the permissions they need, and elevated rights only when they need them.
- Strong authentication: MFA is table stakes now, whether explicitly mandated (PCI, NYDFS) or heavily implied (NIST, CIS, Cyber Essentials).
- Identity lifecycle management: Joiner–Mover–Leaver processes are mandatory everywhere; orphaned accounts are viewed as negligence.
- Privileged account management: monitoring and just-in-time provisioning are emerging as best practices across the board.
So if you’re mapping requirements, access control is in the Protect domain (NIST), Annex A in ISO, and one of the “Top 5” in CIS and Cyber Essentials.
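The common factors above can be turned into a repeatable hygiene check. This is an added example, not code from the article: it reconciles a constructed directory export against a constructed HR roster and flags the failures every framework listed here cares about (orphaned leavers, accounts with no HR record, missing MFA, standing or expired privileged access, admin rights not reviewed within a quarter). The roster format, the `Account` fields and the 90-day review window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data (not from the article): an HR roster keyed by username
# and a directory export. Real runs would pull these from the HRIS and IdP/AD.
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "left", "svc-backup": "active"}

@dataclass
class Account:
    user: str
    mfa: bool
    admin: bool
    jit_expiry: Optional[date] = None     # None on an admin = standing elevation
    last_reviewed: Optional[date] = None  # date of the last access-rights review

DIRECTORY = [
    Account("alice", mfa=True, admin=True, jit_expiry=date(2025, 1, 2), last_reviewed=date(2024, 12, 1)),
    Account("bob", mfa=False, admin=False),
    Account("carol", mfa=True, admin=False),   # HR says "left": leaver never processed
    Account("dave", mfa=True, admin=False),    # no HR record at all
    Account("svc-backup", mfa=True, admin=True, last_reviewed=date(2024, 6, 1)),
]

REVIEW_WINDOW_DAYS = 90  # assumption: quarterly review of rights, PCI DSS style

def audit(accounts, roster, today):
    """Return {user: [issues]} for every account breaching the common access-control factors."""
    findings = {}
    for a in accounts:
        issues = []
        status = roster.get(a.user)
        if status is None:
            issues.append("no HR record: joiner/mover/leaver gap")
        elif status == "left":
            issues.append("orphaned account: leaver not deprovisioned")
        if not a.mfa:
            issues.append("MFA not enrolled")
        if a.admin:
            if a.jit_expiry is None:
                issues.append("standing admin rights: no just-in-time expiry")
            elif a.jit_expiry < today:
                issues.append("expired JIT elevation still present")
            if a.last_reviewed is None or (today - a.last_reviewed).days > REVIEW_WINDOW_DAYS:
                issues.append("admin rights not reviewed within the quarter")
        if issues:
            findings[a.user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(DIRECTORY, HR_ROSTER, date(2025, 1, 10)).items():
        print(user, "->", "; ".join(issues))
```

Each finding line maps directly onto a control the auditors will ask about (CIS #5/#6, PCI access reviews, the JML and MFA points above), so the output doubles as evidence for the review.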
Final Word
(with just enough heresy)
If someone tells you “we’re doing GDPR security,” smile politely and ask which framework drives their controls. GDPR (and cousins) define outcomes (“appropriate to risk”), not how to build your SOC, segment your network, or run JML at scale. Your best general coverage isn’t a single acronym, it’s a stack: NIST CSF 2.0 + ISO 27001 + CIS v8.1, with regional/legal overlays to taste. Do that well, and most auditors, customers, and regulators will nod approvingly, which is the closest thing our industry has to a standing ovation.
My unofficial post-it for busy teams: Inventory first, access control FTW, MFA everywhere, patch ruthlessly, log like a novelist, rehearse incidents, encrypt what matters, and keep your board on the hook.
The rest is just paperwork and coffee.
Boom.