The development of information technology over the past 30 years has created a world in which most sectors, both public and private, find themselves reliant on network systems in one way or another. As more private industries and government agencies have migrated their information and day-to-day processes toward network systems, so too have they opened themselves up to the omnipresent threat of cyberattacks. Regulators in particular have a vested interest in bolstering their cybersecurity defenses, as their systems contain sensitive citizen information that could compromise the public interest were it to fall into the wrong hands.

In recent years, particularly in the wake of the COVID-19 pandemic (which resulted in a hasty shift to network-based remote work arrangements for many), regulators have found themselves even more vulnerable to the threat of cyberattacks. Even prior to this development, public and private organizations around the world have created different cybersecurity standards and frameworks, many of which overlap in the topics and best practices they cover. The important frameworks for an organization to follow are largely dependent on industry and context. For example, government agencies will often hold themselves to different standards than, say, financial organizations or manufacturing companies.  

Here we will discuss the most popular standards for cyber defense as well as some overlaps in the subjects they outline.

ISO/IEC 27000 Series

One of the most well-known information security frameworks, the ISO/IEC 27000 Series, was developed by the International Organization for Standardization. A large part of this framework’s popularity stems from its flexibility and comprehensiveness – for example, different subsections of the framework cover topics from incident management to data collection, storage security, and beyond. ISO 27000 is used across many industries in many different sectors, and its certification must be handled by another ISO 270000-accredited body.

Importantly, this series deals with information security in healthcare, which makes it a popular standard for organizations trying to maintain HIPAA compliance, which involves the confidential handling and storage of patient information from healthcare providers. One section in particular, ISO 27799:2016, “applies to health information in all its aspects, whatever form the information takes, whatever means are used to store it, and whatever means are used to transmit it.” This outline, however, does not discuss the type of technology used to meet the standard, which means organizations are free to ensure compliance however they see fit – so long as the standard is met.

NIST Special Publication 800-53

Though it is used commonly in the private sector, NIST SP 800-53 was designed (starting in 2005) as a security benchmark for U.S. government agencies. Like the ISO 27000 series, NIST SP 800-53 is lenient with regards to the different measures agencies can take to ensure compliance, as long as compliance is achieved. This collection of security controls is intended to protect the U.S. (and private agencies) from threats including “hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.”

SOC 2

SOC 2 is a security framework that primarily concerns organizations handling customer data. Created by the American Institute of CPAs, SOC 2 revolves around five basic principles:

• Privacy: Controlling and protecting access to private customer information (for example, through methods like encryption and two-factor authentication).
• Security: Using firewalls, intrusion detection, and other preventive measures to ensure an organization’s network itself is safe from cyberthreats.
• Availability: Ensuring all necessary data is adequately accessible to customers and vendors alike.
• Confidentiality: Restricting access and exposure to data to a specific group of people and/or organizations.
• Processing Integrity: Ensuring a vendor’s system delivers the correct data, for the right price, at the right time. [Note that this exists separately from data integrity, which concerns the safety and adequate storage of the data at hand].

Like the previous two examples, SOC 2 compliance can be achieved through a variety of methods, so long as the organization in question meets these standards. Certification is handled by licensed Certified Public Accountants (CPAs), and while SOC 2 compliance is not legally mandated, it is one of the basic forms of compliance any business will look for when choosing a vendor, particularly in the software-as-a-service (SaaS) space. Though it is more flexible in scope than ISO 27000 compliance, the two frameworks share quite an overlap, with one study suggesting they share 96% of the same security controls.

PCI DSS

Launched in 2006, the Payment Card Industry Data Security Standard (PCI DSS) was designed to protect all aspects of consumer payment card data. Though it is not officially a law, PCI DSS compliance is written into virtually every agreement a vendor makes with a card company, and many individual states have incorporated elements of this framework into their legislature. PCI DSS compliance is crucial to any regulator or government agency that handles card payment through its own systems. According to the American Bar Association, this compliance is reliant upon twelve basic steps, which include everything from maintaining firewalls to protect cardholder data, encrypting transmission of this data, restricting access to this data from other businesses on a need-to-know basis, and other payment card security controls.

Alternative frameworks

From Cybersecurity Maturity Model Certification (CMMC) to the NIST CyberSecurity Framework, Control Objectives for Information and Related Technologies (COBIT), the Center for Internet Security (CIS) Critical Security Controls, and beyond, there are many other different IT and cybersecurity frameworks for vendors to choose from when trying to collaborate with security-minded businesses. Of course, the fact will always remain that if a regulator keeps cybersecurity at the forefront of its priorities, compliance, while it will not necessarily be an afterthought, will be that much easier to achieve and maintain.