Cybersecurity Standards and Frameworks | IT Governance USA (2024)

What is a cybersecurity standard?

A cybersecurity standard is a set of guidelines or best practices that organizations can use to improve their cybersecurity posture.

Organizations can use cybersecurity standards to help them identify and implement appropriate measures to protect their systems and data from cyber threats. Standards can also provide guidance on how to respond to and recover from cybersecurity incidents.

Cybersecurity frameworks are generally applicable to all organizations, regardless of their size, industry, or sector. This page details the common cybersecurity compliance standards that form a strong basis for any cybersecurity strategy.


DFARS (Defense Federal Acquisition Regulation Supplement)

The DFARS (Defense Federal Acquisition Regulation Supplement) is a set of regulations issued by the DOD (Department of Defense) that supplements the Federal Acquisition Regulation. The DFARS provides guidance and procedures for acquiring supplies and services for the DOD.

DOD government acquisition officials, contractors, and subcontractors doing business with the DOD must adhere to the DFARS.


FISMA (Federal Information Security Management Act)

The FISMA (Federal Information Security Management Act) is a US federal law enacted as Title III of the E-Government Act of 2002. The law establishes a comprehensive framework for ensuring the security of information and information systems for all executive branch agencies.

The FISMA was put in place to strengthen information security within federal agencies, NIST, and the OMB (Office of Management and Budget). It requires federal agencies to implement information security programs that ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.


HIPAA (Health Insurance Portability and Accountability Act)

The HIPAA (Health Insurance Portability and Accountability Act) is a set of federal regulations that protect the privacy of patients’ health information. The HIPAA applies to all forms of health information, including paper records, electronic records, and oral communications.

It aims to make it easier for people to keep their health insurance when they change jobs, protect the confidentiality and security of health care information, and help the health care industry control its administrative costs.


ISO 22301

ISO 22301 is an international standard that outlines how organizations can ensure business continuity and protect themselves from disaster. The Standard provides a framework for a comprehensive BCMS (business continuity management system). It can be used by any organization, regardless of size, industry, or location.


ISO/IEC 27001

ISO 27001 is an international standard for information security that provides a framework for managing sensitive company information. The Standard includes requirements for developing an ISMS (information security management system), implementing security controls, and conducting risk assessments.

The Standard’s framework is designed to help organizations manage their security practices in one place, consistently and cost-effectively.


ISO/IEC 27002

ISO 27002 is the code of practice for information security management. It provides guidance and recommendations on how to implement security controls within an organization. ISO 27002 supports the ISO 27001 standard, which provides the requirements for an ISMS.


ISO/IEC 27031

ISO 27031 is a standard for ICT (information and communications technology) preparedness for business continuity. It provides guidance on how organizations can use ICT to protect their business operations and ensure continuity in the event of an incident or a disaster.

Achieving compliance with ISO 27031 helps organizations understand the threats to ICT services, ensuring their safety in the event of an unplanned incident.


ISO/IEC 27032

ISO 27032 is an internationally recognized standard that provides guidance on cybersecurity for organizations. The Standard is designed to help organizations protect themselves against cyber attacks and manage the risks associated with the use of technology. It is based on a risk management approach and provides guidance on how to identify, assess, and manage cyber risks. The Standard also includes guidance on incident response and recovery.

ISO/IEC 27701

ISO 27701 specifies the requirements for a PIMS (privacy information management system) based on the requirements of ISO 27001. It is extended by a set of privacy-specific requirements, control objectives, and controls.

Organizations that have implemented ISO 27001 can use ISO 27701 to extend their security efforts to cover privacy management. This can help demonstrate compliance with data protection laws such as the California Privacy Rights Act (CPRA) and the EU General Data Protection Regulation (GDPR).


NIST CSF (Cybersecurity Framework)

The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) is a voluntary framework that provides a set of standards, guidelines, and best practices for managing cybersecurity risks.

The framework helps organizations to identify, assess, and manage their cybersecurity risks in a structured and repeatable manner. The framework is not mandatory, but it is increasingly being adopted by organizations as a voluntary measure to improve their cybersecurity posture.



Author: Roderick King