Security Policy Frameworks

Overview

Security policy frameworks provide the structure and guidance needed to establish, implement, and maintain effective information security programs. This guide covers industry-standard frameworks commonly used in MSP and enterprise environments.

Why Security Frameworks Matter

Security frameworks help organizations:

Establish Baseline Security - Define minimum security requirements
Ensure Compliance - Meet regulatory and industry standards
Reduce Risk - Systematically address security vulnerabilities
Provide Consistency - Standardize security practices across the organization
Enable Auditing - Facilitate security assessments and audits
Support Business Goals - Align security with business objectives

Major Security Frameworks

NIST Cybersecurity Framework (CSF)

Best For: Organizations of all sizes seeking a flexible, risk-based approach

Website: nist.gov/cyberframework

The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.

Core Functions

Identify - Understand organizational context and cybersecurity risks
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
Protect - Implement safeguards to limit cybersecurity incidents
- Access Control
- Awareness and Training
- Data Security
- Information Protection Processes
- Maintenance
- Protective Technology
Detect - Identify cybersecurity events
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
Respond - Take action regarding detected cybersecurity incidents
- Response Planning
- Communications
- Analysis
- Mitigation
- Improvements
Recover - Restore capabilities impaired by cybersecurity incidents
- Recovery Planning
- Improvements
- Communications

Implementation Tiers

Tier 1: Partial - Ad hoc, reactive risk management
Tier 2: Risk Informed - Risk management practices approved but not policy-based
Tier 3: Repeatable - Formal policies, procedures updated regularly
Tier 4: Adaptive - Adaptive approach based on lessons learned

Use Cases:

General-purpose security program development
Risk assessment and management
Security posture evaluation
Vendor risk management

CIS Controls (Center for Internet Security)

Best For: Practical, prioritized security actions for immediate implementation

Website: cisecurity.org/controls

The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices to mitigate the most common cyber attacks.

CIS Controls v8 (18 Controls)

Basic CIS Controls (Must implement first):

Inventory and Control of Enterprise Assets
Inventory and Control of Software Assets
Data Protection
Secure Configuration of Enterprise Assets and Software
Account Management
Access Control Management

Foundational CIS Controls: 7. Continuous Vulnerability Management 8. Audit Log Management 9. Email and Web Browser Protections 10. Malware Defenses 11. Data Recovery 12. Network Infrastructure Management 13. Network Monitoring and Defense 14. Security Awareness and Skills Training 15. Service Provider Management 16. Application Software Security

Organizational CIS Controls: 17. Incident Response Management 18. Penetration Testing

Implementation Groups

IG1 - Basic cyber hygiene (small businesses, limited IT/security expertise)
IG2 - Increased security for sensitive data (medium-sized organizations)
IG3 - Advanced security programs (large organizations with security teams)

Use Cases:

Prioritizing security investments
Building security programs from scratch
MSP baseline security standards
Quick security wins

ISO/IEC 27001

Best For: Organizations requiring formal certification and international recognition

Website: iso.org/standard/27001

ISO 27001 is an international standard for information security management systems (ISMS). It provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.

ISO 27001 Structure

Annex A Controls (93 controls across 4 themes):

Organizational Controls (37 controls)
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- Supplier relationships
People Controls (8 controls)
- Employment terms and conditions
- Information security awareness, education, and training
- Disciplinary process
Physical Controls (14 controls)
- Physical security perimeters
- Physical entry controls
- Securing offices, rooms, and facilities
- Equipment security
- Storage media security
Technological Controls (34 controls)
- User endpoint devices
- Access rights management
- Information access restriction
- Secure authentication
- Capacity management
- Malware protection
- Network security management
- Security of network services
- Segregation of networks
- Web filtering
- Secure coding
- Security testing
- Secure system architecture

Certification Process

Gap Analysis - Assess current state vs. ISO 27001 requirements
Scoping - Define ISMS boundaries
Risk Assessment - Identify and assess information security risks
Statement of Applicability (SoA) - Document which controls apply
Implementation - Deploy controls and document procedures
Internal Audit - Verify ISMS effectiveness
Management Review - Leadership evaluates ISMS performance
Certification Audit - External auditor validates compliance
Surveillance Audits - Annual audits to maintain certification
Re-certification - Full audit every 3 years

Use Cases:

Organizations requiring formal certification
International business operations
Demonstrating security to customers/partners
Comprehensive ISMS implementation

NIST SP 800-53 (Security and Privacy Controls)

Best For: Federal agencies and contractors; organizations seeking comprehensive control catalog

Website: csrc.nist.gov/publications/sp800-53

NIST Special Publication 800-53 provides a comprehensive catalog of security and privacy controls for federal information systems and organizations.

Control Families

Access Control (AC) - Limit system access to authorized users
Awareness and Training (AT) - Security awareness and training
Audit and Accountability (AU) - Event logging and monitoring
Assessment, Authorization, and Monitoring (CA) - Security assessments
Configuration Management (CM) - Baseline configurations
Contingency Planning (CP) - Backup, disaster recovery, business continuity
Identification and Authentication (IA) - User identification and authentication
Incident Response (IR) - Incident handling procedures
Maintenance (MA) - System maintenance activities
Media Protection (MP) - Protection of information media
Physical and Environmental Protection (PE) - Physical security
Planning (PL) - Security and privacy planning
Program Management (PM) - Information security program management
Personnel Security (PS) - Personnel screening and termination
PII Processing and Transparency (PT) - Privacy protections
Risk Assessment (RA) - Risk assessment activities
System and Services Acquisition (SA) - System development lifecycle security
System and Communications Protection (SC) - Network and communications security
System and Information Integrity (SI) - System monitoring and malware protection
Supply Chain Risk Management (SR) - Supply chain security

Control Baselines

Low Impact - Minimal risk to operations, assets, or individuals
Moderate Impact - Serious adverse effects
High Impact - Severe or catastrophic adverse effects

Use Cases:

Federal contractors (FedRAMP, CMMC)
Organizations needing detailed control specifications
High-security environments
Aligning with federal security requirements

PCI DSS (Payment Card Industry Data Security Standard)

Best For: Organizations that handle credit card data

Website: pcisecuritystandards.org

PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

12 Requirements (PCI DSS v4.0)

Build and Maintain a Secure Network and Systems:

Install and maintain network security controls
Apply secure configurations to all system components

Protect Account Data: 3. Protect stored account data 4. Protect cardholder data with strong cryptography during transmission

Maintain a Vulnerability Management Program: 5. Protect all systems and networks from malicious software 6. Develop and maintain secure systems and software

Implement Strong Access Control Measures: 7. Restrict access to system components and cardholder data by business need to know 8. Identify users and authenticate access to system components 9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks: 10. Log and monitor all access to system components and cardholder data 11. Test security of systems and networks regularly

Maintain an Information Security Policy: 12. Support information security with organizational policies and programs

Compliance Levels

Level 1: 6+ million transactions/year - Annual onsite audit
Level 2: 1-6 million transactions/year - Annual self-assessment questionnaire
Level 3: 20,000-1 million e-commerce transactions/year - Annual self-assessment
Level 4: <20,000 e-commerce transactions or <1 million transactions/year - Annual self-assessment

Use Cases:

E-commerce businesses
Retail organizations
Payment processors
Any organization handling credit cards

HIPAA Security Rule

Best For: Healthcare organizations and business associates handling PHI

Website: hhs.gov/hipaa

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information (ePHI).

Safeguards

Administrative Safeguards (9 standards):

Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts

Physical Safeguards (4 standards):

Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls

Technical Safeguards (5 standards):

Access Control
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security

Required vs. Addressable

Required - Must be implemented
Addressable - Must implement or document reasonable alternative

Use Cases:

Healthcare providers
Health plans
Healthcare clearinghouses
Business associates (IT vendors, MSPs serving healthcare)

SOC 2 (System and Organization Controls)

Best For: Service providers (SaaS, cloud, MSPs) demonstrating security to customers

Website: aicpa.org

SOC 2 is an auditing procedure that ensures service providers securely manage data to protect the interests and privacy of their clients.

Trust Services Criteria

Security (Required for all SOC 2 audits)
- Access controls
- Logical and physical security
- System operations
- Change management
- Risk mitigation
Availability (Optional)
- System uptime and performance
- Disaster recovery
- Incident management
Processing Integrity (Optional)
- Complete and accurate processing
- Error detection and correction
Confidentiality (Optional)
- Protection of confidential information
- Data classification
- Encryption
Privacy (Optional)
- Personal information handling
- Notice and consent
- Data subject rights

SOC 2 Types

Type I - Point-in-time assessment (controls are designed appropriately)
Type II - 3-12 month assessment (controls are operating effectively over time)

Use Cases:

SaaS providers
Cloud service providers
MSPs and IT service providers
Organizations with enterprise customers requiring attestation

CMMC (Cybersecurity Maturity Model Certification)

Best For: Department of Defense contractors

Website: dodcio.defense.gov/CMMC

CMMC is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB).

CMMC Levels (CMMC 2.0)

Level 1: Foundational

17 practices from NIST SP 800-171
Self-assessment
For Federal Contract Information (FCI)

Level 2: Advanced

110 practices from NIST SP 800-171
Third-party assessment (for priority programs)
Self-assessment (for most programs)
For Controlled Unclassified Information (CUI)

Level 3: Expert

110 practices from NIST SP 800-171 + subset of NIST SP 800-172 enhanced controls
Government-led assessment
For programs with highest priority CUI

NIST SP 800-171 Families

Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)

Use Cases:

DoD prime contractors
DoD subcontractors
Defense supply chain organizations

Best For: Organizations processing EU residents’ personal data

Website: gdpr.eu

GDPR is a comprehensive data protection law in the EU that regulates how personal data is collected, processed, and stored.

Core Principles

Lawfulness, Fairness, and Transparency
- Legal basis for processing
- Transparent data practices
Purpose Limitation
- Data collected for specific purposes
- Not used for incompatible purposes
Data Minimization
- Collect only necessary data
- Adequate, relevant, limited
Accuracy
- Keep data accurate and up-to-date
- Ability to rectify inaccurate data
Storage Limitation
- Retain data only as long as necessary
- Defined retention periods
Integrity and Confidentiality
- Appropriate security measures
- Protection against unauthorized access
Accountability
- Demonstrate compliance
- Document data processing activities

Data Subject Rights

Right to Access - Obtain confirmation of data processing
Right to Rectification - Correct inaccurate personal data
Right to Erasure (“Right to be Forgotten”) - Request data deletion
Right to Restrict Processing - Limit data use
Right to Data Portability - Receive data in machine-readable format
Right to Object - Object to data processing
Rights Related to Automated Decision Making - Human review of automated decisions

Data Protection Officer (DPO) - Required for certain organizations
Data Protection Impact Assessment (DPIA) - For high-risk processing
Privacy by Design and Default - Build privacy into systems
Breach Notification - Report breaches within 72 hours
Consent - Clear, explicit consent when required
Cross-Border Data Transfers - Special protections for data leaving EU

Use Cases:

Organizations with EU customers/users
International businesses
Organizations processing EU residents’ data
Cloud service providers serving EU clients

Framework Comparison Matrix

Framework	Best For	Certification Available	Industry Focus	Complexity
NIST CSF	General security programs	No	All industries	Medium
CIS Controls	Quick wins, MSP baselines	No	All industries	Low-Medium
ISO 27001	International recognition	Yes	All industries	High
NIST SP 800-53	Federal contractors	No	Government	High
PCI DSS	Payment card processing	Yes	Retail, E-commerce	Medium-High
HIPAA	Healthcare data	No	Healthcare	Medium
SOC 2	Service providers	Yes (audit report)	SaaS, Cloud, MSP	Medium-High
CMMC	DoD contractors	Yes	Defense	High
GDPR	EU data processing	No	All (EU focus)	High

Choosing the Right Framework

By Organization Type

Small Business (1-50 employees):

Start with: CIS Controls IG1
Add: NIST CSF for risk management structure
If applicable: PCI DSS (e-commerce), HIPAA (healthcare)

Medium Business (50-500 employees):

Core: CIS Controls IG2 or NIST CSF
Consider: ISO 27001 for customer assurance
If applicable: SOC 2 (if service provider), GDPR (EU operations)

Large Enterprise (500+ employees):

Core: ISO 27001, NIST SP 800-53, or NIST CSF
Enhanced: CIS Controls IG3
If applicable: Industry-specific frameworks

Managed Service Provider (MSP):

Baseline: CIS Controls IG2 for client environments
Own operations: SOC 2 Type II
Consider: ISO 27001 for competitive advantage

Government Contractor:

Required: CMMC (DoD), NIST SP 800-53 (federal)
Baseline: NIST SP 800-171 (CUI)

By Industry

Industry	Primary Framework	Secondary Framework
Healthcare	HIPAA Security Rule	NIST CSF or ISO 27001
Finance	SOX, GLBA	NIST CSF, ISO 27001
Retail/E-commerce	PCI DSS	CIS Controls, NIST CSF
SaaS/Cloud	SOC 2	ISO 27001, CIS Controls
Manufacturing	NIST CSF	CIS Controls, ISO 27001
Government	NIST SP 800-53, CMMC	NIST CSF
Education	FERPA	NIST CSF, CIS Controls

Implementation Approach

Phase 1: Assessment (Weeks 1-4)

Select Framework(s)
- Identify regulatory requirements
- Consider customer expectations
- Assess organizational capabilities
Conduct Gap Analysis
- Document current security posture
- Identify framework requirements
- Map gaps between current and target state
Prioritize Controls
- Risk-based prioritization
- Quick wins vs. long-term projects
- Resource availability
Develop Roadmap
- Implementation timeline
- Resource allocation
- Milestones and deliverables

Phase 2: Planning (Weeks 5-8)

Define Scope
- Systems and data in scope
- Organizational boundaries
- Exclusions and justifications
Assign Responsibilities
- Control owners
- Implementation teams
- Management oversight
Document Policies
- Information security policy
- Acceptable use policy
- Access control policy
- Incident response policy
- Business continuity policy
Create Procedures
- Step-by-step implementation guides
- Configuration standards
- Operational runbooks

Phase 3: Implementation (Weeks 9-24+)

Technical Controls
- Access controls
- Encryption
- Network security
- Endpoint protection
- Security monitoring
Administrative Controls
- Security awareness training
- Background checks
- Vendor management
- Risk assessments
Physical Controls
- Physical access controls
- Environmental protections
- Media handling
Documentation
- Control implementation evidence
- Configuration baselines
- System inventories

Phase 4: Testing and Validation (Ongoing)

Internal Audits
- Quarterly control testing
- Vulnerability scanning
- Penetration testing
Management Review
- KPI tracking
- Incident review
- Continuous improvement
External Assessment
- Third-party audits
- Certification audits
- Penetration testing

Common Controls Across Frameworks

Most frameworks require these foundational controls:

Access Control

User account management
Multi-factor authentication
Least privilege principle
Access reviews

Asset Management

Hardware inventory
Software inventory
Data classification

Vulnerability Management

Patch management
Vulnerability scanning
Remediation tracking

Logging and Monitoring

Centralized log collection
Security monitoring
Log retention

Incident Response

Incident response plan
Incident detection and reporting
Forensics and recovery

Business Continuity

Backup procedures
Disaster recovery plan
Business continuity plan
Regular testing

Security Awareness

Annual security training
Phishing simulations
Security policies acknowledgment

Vendor Management

Third-party risk assessment
Vendor contracts with security terms
Vendor access controls

Mapping Between Frameworks

Many frameworks have significant overlap. Organizations can map controls to satisfy multiple frameworks simultaneously:

Example: Multi-Framework Control Mapping

Control: Multi-Factor Authentication (MFA)

Framework	Control Reference
NIST CSF	PR.AC-1: Identities and credentials are issued, managed, verified, revoked
CIS Controls	6.3: Require MFA for externally-exposed applications
ISO 27001	A.9.4.2: Secure log-on procedures
NIST SP 800-53	IA-2: Identification and Authentication
PCI DSS	Requirement 8.3: Secure user authentication
HIPAA	164.312(a)(2)(i): Unique user identification
SOC 2	CC6.1: Logical and physical access controls
CMMC	IA.L2-3.5.3: Use multifactor authentication

Implementation: Deploy MFA for all remote access and privileged accounts, document in a single procedure that references all applicable frameworks.

Tools and Resources

Assessment Tools

Free:

NIST CSF - NIST Cybersecurity Framework Self-Assessment
CIS Controls - CIS-CAT Lite
Microsoft - Microsoft Compliance Manager

Commercial:

OneTrust - GRC platform supporting multiple frameworks
ServiceNow GRC - Integrated risk and compliance management
RSA Archer - Enterprise GRC platform
Hyperproof - Compliance operations platform
Vanta - Automated compliance for SOC 2, ISO 27001, HIPAA
Drata - Security and compliance automation

Documentation Templates

NIST - Risk Management Framework Documentation
SANS Institute - Policy Templates
CIS - Implementation Groups Guides

Training and Certification

NIST CSF - NIST CSF Training
ISO 27001 - Lead Auditor/Implementer courses
CISSP - (ISC)² Certified Information Systems Security Professional
CISM - ISACA Certified Information Security Manager
CISA - ISACA Certified Information Systems Auditor

Maintaining Compliance

Continuous Monitoring

Automated Scanning
- Vulnerability scanning (weekly)
- Configuration compliance (daily)
- Asset inventory (continuous)
Manual Reviews
- Access reviews (quarterly)
- Policy reviews (annual)
- Vendor assessments (annual)
Metrics and KPIs
- Mean time to patch
- Security incidents per quarter
- Audit findings remediation time
- Security awareness training completion

Annual Cycle

Q1:

Management review
Budget planning
Risk assessment

Q2:

Internal audit
Security awareness training
Policy updates

Q3:

Third-party assessments
Penetration testing
Disaster recovery testing

Q4:

Vendor reviews
Control effectiveness review
Planning for next year

Common Pitfalls to Avoid

Choosing Wrong Framework
- Select frameworks based on actual requirements, not perceived prestige
- Don’t pursue ISO 27001 certification if customers don’t require it
Over-Engineering
- Start with basics (CIS Controls IG1) before advanced controls
- Implement controls appropriate to risk level
Documentation Overkill
- Balance documentation with operational efficiency
- Keep documentation concise and actionable
Set and Forget
- Compliance is continuous, not one-time
- Schedule regular reviews and updates
Ignoring People
- Security awareness training is critical
- Controls fail without user buy-in
Lack of Executive Support
- Security programs require leadership commitment
- Secure budget and resources upfront
Checkbox Mentality
- Focus on actual risk reduction, not just compliance
- Implement controls effectively, not just to check boxes

MSP-Specific Considerations

Client Security Baselines

Establish Baseline Security Standards:

Use CIS Controls IG1 as minimum for all clients
Document exceptions and risk acceptance
Regular compliance monitoring

Multi-Tenant Security

Isolate Client Environments:

Separate logical or physical networks
Separate credentials and access controls
Separate backup environments

Supply Chain Risk

MSP as Business Associate/Service Provider:

SOC 2 Type II for service assurance
Liability insurance (E&O, cyber)
Clear service level agreements
Security addendums in contracts

Documentation Requirements

Per-Client Documentation:

Network documentation
Asset inventory
Security configurations
Incident response contacts
Business continuity plans

Next Steps

Assess Current State
- Inventory existing security controls
- Document policies and procedures
- Identify regulatory requirements
Select Framework(s)
- Review framework comparison matrix
- Consider organizational context
- Align with business goals
Conduct Gap Analysis
- Compare current state to framework requirements
- Prioritize gaps by risk and effort
Develop Roadmap
- Create implementation plan
- Assign responsibilities
- Establish timeline and milestones
Begin Implementation
- Start with quick wins
- Build momentum with visible progress
- Communicate progress to leadership

Additional Resources

Official Framework Documentation

Industry Organizations

SANS Institute - Security training and resources
(ISC)² - CISSP and security certifications
ISACA - CISM, CISA certifications
Cloud Security Alliance - Cloud security guidance
National Cyber Security Centre (NCSC) - UK government cyber security

Last Updated: November 3, 2025

This guide provides a foundation for understanding and implementing security policy frameworks. Always consult official framework documentation and qualified security professionals for implementation guidance.

Table of Contents

Overview

Why Security Frameworks Matter

Major Security Frameworks

NIST Cybersecurity Framework (CSF)

Core Functions

Implementation Tiers

CIS Controls (Center for Internet Security)

CIS Controls v8 (18 Controls)

Implementation Groups

ISO/IEC 27001

ISO 27001 Structure

Certification Process

NIST SP 800-53 (Security and Privacy Controls)

Control Families

Control Baselines

PCI DSS (Payment Card Industry Data Security Standard)

12 Requirements (PCI DSS v4.0)

Compliance Levels

HIPAA Security Rule

Safeguards

Required vs. Addressable

SOC 2 (System and Organization Controls)

Trust Services Criteria

SOC 2 Types

CMMC (Cybersecurity Maturity Model Certification)

CMMC Levels (CMMC 2.0)

NIST SP 800-171 Families

GDPR (General Data Protection Regulation)

Core Principles

Data Subject Rights

GDPR Requirements

Framework Comparison Matrix

Choosing the Right Framework

By Organization Type

By Industry

Implementation Approach

Phase 1: Assessment (Weeks 1-4)

Phase 2: Planning (Weeks 5-8)

Phase 3: Implementation (Weeks 9-24+)

Phase 4: Testing and Validation (Ongoing)

Common Controls Across Frameworks

Access Control

Asset Management

Vulnerability Management

Logging and Monitoring

Incident Response

Business Continuity

Security Awareness

Vendor Management

Mapping Between Frameworks

Example: Multi-Framework Control Mapping

Tools and Resources

Assessment Tools

Documentation Templates

Training and Certification

Maintaining Compliance

Continuous Monitoring

Annual Cycle

Common Pitfalls to Avoid

MSP-Specific Considerations

Client Security Baselines

Multi-Tenant Security

Supply Chain Risk

Documentation Requirements

Next Steps

Additional Resources

Official Framework Documentation

Industry Organizations

Related Documentation