Updated 09/09/19

SOC 2, CIS, NIST, ISO27001, PCI and more. How do you choose?

Given the growing amount of information and data that businesses of all sizes are having to manage, great cybersecurity is increasingly the most critical element of IT. Accenture estimates there will be $5.2 trillion in losses to companies over the next five years due to cyber attacks. Because of that risk, IT teams are looking at different frameworks to help guide their cybersecurity programs. Unfortunately, there are so many frameworks that it’s hard to select, and implement the right one for your company.

The first step is to get a basic understanding of the many framework options available in order to determine which frameworks are the right choice for your business. Many organizations choose to blend multiple frameworks together into one program because they are required to do so by law or by their customers.

Below is a brief glossary of the most widely used security frameworks to help you understand the differences and who is using them. 


Created by the American Institute of Certified Public Accountants (AICPA), SOC 2 was created for service organizations that store customer data in the cloud. SOC 2 requirements are intended to cover policies and procedures, security, availability, processing, integrity, and confidentiality (privacy) of customer data. SOC 2 applies to SaaS organizations storing customer data in the cloud and also to cloud-computing providers or organizations that own infrastructure hosting other companies’ customer data. Learn more about SOC 2 here.

CIS v7

Created by the Center for Information Security (CIS), CIS v7 contains the prioritized, top 20 actionable security requirements for all organizations. These requirements are typically viewed as industry best-practices due to the reputation and credibility of CIS, and serve as a great baseline for any security program. Collectively, the 20 high-level controls in CIS v7 are organized into basic, foundational, and easy-to-organize recommendations and serves as a good first framework to use in building any cybersecurity program.


CMMC is a compliance standard for all organizations bidding on or renewing DoD contracts. This applies to all contractors and subcontractors. So, for example, if your company performs contract work for the DoD, you will be required to be certified as compliant with CMMC. If you utilize contractors and subcontractors for related services, those contractors must also be CMMC compliant at the appropriate level or you will not be eligible for a new or renewed DoD contracts. CMMC is derived from several of the industry’s most widely used frameworks including NIST 800-171, NIST 800-53, ISO 27031, ISO 27032, and others. CMMC has five certification levels from the most basic to the most mature cybersecurity processes and practices.


Created by the European Union (EU), the General Data Protection Regulation (GDPR) is one of the most comprehensive and recent security regulations in existence today, with many organizations potentially facing fines due to non-compliance. GDPR was designed to protect EU citizens from privacy and data breaches and contains 11 chapters and nearly 100 articles that outline privacy and security requirements. Companies that follow GDPR include controllers and processors of data established in the EU, regardless of whether the data processing takes place in the EU, and controllers and processors of data not established in the EU that offer goods or services within the EU.


Signed into US law in 1996, the Health Information Portability and Accountability Act (HIPAA) outlines how Protected Health Information (PHI) can be used and disclosed within the healthcare industry. HIPAA consists of five main safeguards that cover general, administrative, physical, technical, organizational and policies/procedures. Organizations who should follow HIPAA include healthcare providers such as hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists; health plan providers including health insurance providers, company health plans, and government healthcare programs; and healthcare clearinghouses that process or store health information.

ISO 27001

ISO 27001 was created by the International Standardization Organization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 serves as an international standard that outlines how organizations should manage information security. The ISO standard can be adopted by any organization and was written by a community of information security experts and serves as an industry best practice. Companies showing conformance can become ISO certified. This is one of the most popular baseline security frameworks organizations can follow, however, organizations typically add security requirements from other frameworks to supplement this. Any company interested in implementing a best-practice baseline security program to assess their program should consider (although it is not required) the ISO 27001 framework.

NIST Cybersecurity Framework Version (CSF) 1.1

Created by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (CSF) was designed in response to the Cybersecurity Enhancement Act (CEA) of 2014, which called for a voluntary framework that organizations could adhere to in order to establish a prioritized, flexible, repeatable, performance-based and cost-effective approach to managing cyber threats. Version 1.1 was released in 2018, which includes more requirements on identity management and supply chain security. Generally considered a “lighter” version of the heavier NIST 800-53 framework (see below), CSF is an established best-practice framework for all organizations seeking a best-practice program to assess against and is often required of contractors of the US federal government.

NIST 800-53

Created by the National Institute of Standards and Technology (NIST), the NIST 800-53 framework is a set of highly granular information security guidelines designed for federal information systems and to help entities meet the requirements set by the Federal Information Security Management Act (FISMA). Containing over 900 requirements, NIST 800-53 is known as the “heaviest” cybersecurity framework that can be implemented. Organizations following NIST 800-53 include federal agencies that operate federal information systems, organizations that maintain systems connected to federal information systems, and organizations that are seeking to comply with FISMA.

NIST 800-171

Created by the National Institute of Standards and Technology (NIST), the NIST 800-171 framework is a set of information security guidelines specifically for the US Department of Defense (DoD) and their contractors to help entities meet the requirements set by the Defense Federal Acquisition Regulation Supplement (DFARS). Organizations following NIST-171 include all DoD contractors who process, store, or transmit Controlled Unclassified Information (CUI) along with the DFARS minimum security standards, which NIST 800-171 was designed for.


Created by the New York Department of Financial Services (NYDFS), the NYDFS Cybersecurity Regulation is designed to enforce security requirements on financial institutions to address the constant influx of security breaches in the financial services industry. NYDFS 500 applies to all organizations required to operate under DFS licensure, registration, or charter in addition to state-chartered banks, licensed lenders, private bankers, foreign banks licensed to operate in New York, mortgage companies, and insurance companies.


Created by the Payment Card Industry Security Standards Council (PCI SSC), the Payment Card Industry Data Security Standard (PCI) provides a comprehensive list of security requirements designed to reduce credit card fraud and increase the security posture of organizations that store, process, or transmit credit card data. PCI is a requirement for all merchants and service providers, and contains annual and quarterly certification requirements.


Created by the US Securities and Exchange Commission (SEC), the SEC has issued its own “Investigative Report on Cybersecurity.” which outlines specific security recommendations and guidance for firms that are registered with the SEC. The SEC has particularly increased its focus on cybersecurity, having established their first official Cyber Unit in 2017. Any organization that registers with the SEC should consider implementing the SEC security framework.

How Apptega Can Help

Understanding the difference between the many framework offerings is the first step towards increasing security at your organization. However, once you've chosen a framework, the integration process can quickly become complicated. Depending on the size of your organization, the platform you manage the framework in, and the budget and time you have to spend on the framework, you may find yourself in need of resources that can help expedite the process.

Apptega was created for cybersecurity professionals like you to help you easily build, manage and report your cybersecurity program. Using our platform, you can create, manage, and maintain your entire cybersecurity program with real-time compliance scoring, project life cycle, task management and alerts all in one place. With Apptega's user-friendly interface, your entire cybersecurity program is organized for simple implementation and reporting.

Want to learn more? Schedule a demo today.