SOC 2, CIS, NIST, ISO27001, PCI, and more. How do you choose?

Your company’s IT service isn’t just about hooking up printers and recovering passwords anymore. Cybersecurity is quickly becoming the most critical element of IT in an era where “big data” isn’t just a buzzword. Managing the ever-growing flow of data is crucial for businesses of all sizes and across all industries, and securing that data is more important than ever.

Accenture estimates there will be $5.2 trillion in losses to companies over the next five years due to cyber-attacks.

Because of that risk, IT teams are looking at different frameworks to help guide their cybersecurity programs. But with so many frameworks, which one is right for your company?

The first step towards picking the right cybersecurity framework is to get a basic understanding of the many framework options available. Many organizations blend multiple frameworks together into one program because they are required to do so by law or by their customers.

Here is a brief run-down of the most common cybersecurity frameworks so you can get an understanding of the differences, who uses each one, and why.

SOC 2

Created by the American Institute of Certified Public Accountants (AICPA), SOC 2 is intended for service organizations that store customer data in the cloud. SOC 2 requirements cover policies and procedures, security, availability, processing integrity, and confidentiality (privacy) of customer data. SOC 2 applies to Software as a Service (SaaS) organizations storing customer data in the cloud and to cloud-computing providers or organizations that own infrastructure hosting other companies’ customer data.

CIS

Created by the Center for Information Security (CIS), the CIS framework contains the prioritized top 20 actionable security requirements for all organizations. These requirements are typically viewed as industry best practices because of the reputation and credibility of CIS. The 20 high-level controls are organized into basic, foundational, and easy-to-organize recommendations and serve as a good first framework to use when building any cybersecurity program. The framework’s flexibility means it can work with any size of business or budget, and CIS compliance shows your clients that you take cybersecurity seriously, building confidence and winning you more contracts. The CIS framework overlaps heavily with other frameworks, acting as a gateway to HIPAA, NIST, and ISO 27001 compliance, which makes it a strong baseline for any non-governmental security program.

CMMC

CMMC (Cybersecurity Maturity Model Certification) is a compliance standard for all organizations bidding on or renewing DoD contracts. It applies to all contractors and subcontractors, so not only do you need to be certified as CMMC compliant, but your relevant subcontractors must also be CMMC compliant at the appropriate level, or you will not be eligible for a new or renewed DoD contract. The CMMC framework applies to any industry that works on DoD contracts involving Controlled Unclassified Information (CUI), including manufacturing, environmental services, wholesalers, infrastructure, and more. CMMC is derived from several of the industry’s most widely used frameworks, including NIST 800-171, NIST 800-53, ISO 27031, ISO 27032, and others. CMMC has five certification levels, ranging from the most basic to the most mature cybersecurity processes and practices.

HIPAA

Signed into US law in 1996, the Health Information Portability and Accountability Act (HIPAA) outlines the ways Protected Health Information (PHI) can be used and disclosed within the healthcare industry. HIPAA consists of five main safeguards covering general requirements, administrative, physical, technical, and organizational controls, and policies/procedures. Organizations required to follow HIPAA include healthcare providers such as hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists; health plan providers, including health insurance providers, company health plans, and government healthcare programs; and healthcare clearinghouses that process or store health information.

ISO 27001

ISO 27001 was created by the International Standardization Organization (ISO) and the International Electrotechnical Commission (IEC). It serves as an international standard that outlines how organizations should manage information security. The ISO standard can be adopted by any organization; it was written by a community of information security experts and serves as an industry best practice. Companies demonstrating conformance can become ISO certified. This framework is commonly used in international business and across many industries, including finance, energy, and telecommunications, and in any industry that needs to protect sensitive information. It is one of the most popular baseline security frameworks organizations can follow, but as a baseline it is typically supplemented by other security frameworks.

NIST Cybersecurity Framework (CSF)

Created by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (CSF) was designed in response to the Cybersecurity Enhancement Act (CEA) of 2014, which called for a voluntary framework that organizations could adopt to establish a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cyber threats. It includes more requirements on identity management and supply chain security. Generally considered a “lighter” version of the heavier NIST 800-53 framework, CSF is an established best-practice framework for any organization seeking a program to assess against, and it is often required of contractors of the US federal government.

NIST 800-53

Created by the National Institute of Standards and Technology (NIST), the NIST 800-53 framework is a set of highly granular information security guidelines designed for federal information systems and to help entities meet the requirements set by the Federal Information Security Management Act (FISMA). Containing over 900 requirements, NIST 800-53 is known as the “heaviest” cybersecurity framework that can be implemented. Organizations following NIST 800-53 include federal agencies that operate federal information systems, organizations that maintain systems connected to federal information systems, and organizations that are seeking to comply with FISMA.

NIST 800-171

Created by the National Institute of Standards and Technology (NIST), the NIST 800-171 framework is a set of information security guidelines written specifically for the US Department of Defense (DoD) and its contractors to help them meet the requirements set by the Defense Federal Acquisition Regulation Supplement (DFARS). Organizations following NIST 800-171 include all DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI), who must also meet the DFARS minimum security standards that NIST 800-171 was designed to support.

How CBM Technology Can Help

Picking the right cybersecurity framework is the first step towards securing your organization’s data, but it’s easy to be overwhelmed by all the acronyms and their varied requirements if you are not a cybersecurity expert. You don’t need to be an expert, though; that’s where CBM comes in. Our cybersecurity experts can help you understand the differences between frameworks and determine which one is right for you, depending on the size of your organization, the platforms you use, and your budget and time constraints.

And that’s just step one! It only gets more complicated when you need to integrate that framework into your business. Luckily, we’re experts at that too. Contact CBM for a consultation today.