The growing number of security standards out there, each with their own acronyms and jargon, can seem overwhelming—but they don't have to be. We want to help provide some clarity. Here's an overview of five of the most common security standards.
- ISO 27001
- NIST SP 800-171 and NIST SP 800-53
- NIST Cyber Security Framework (CSF)
- Cybersecurity Maturity Model Certification (CMMC)
- SOC 2
These standards aren’t targeted towards small organizations, but many provide a useful framework for a small business to transform its IT security policy into a robust security program, allowing it to swim in a bigger customer pool. Others apply to specific industries. Read on to get an understanding of each standard's purpose, structure, to whom it applies, and what it means to be "certified."
ISO 27001 is a set of processes and guidelines any organization can use to develop its information security management system (ISMS). It's broad and flexible enough to work for organizations of any size, industry, or stage of information security maturity. ISO 27001 helps organizations step through each phase of setting up an ISMS. ISO 27001 is widely used by companies with an international footprint and is desirable for U.S.-based companies looking to expand to the EU and beyond.
The ISO 27001 standard opens with eleven clauses, the first four of which provide the standard's foundation and definitions. The last seven specify the phases and policies required for certification—everything from initial assessment to implementation to continuous improvement.
The second part of ISO 27001 is Annex A. Annex A contains 114 controls divided into 14 categories. While each organization needs to implement only those controls that make sense for its specific threat model, it needs to document why it's made the choices it has. The ISO 27001's approach to its control list adds to its prescriptive yet adaptable nature, making it a good starting place for organizations that don't yet have a formal ISMS.
Certification isn't required. An organization can use the ISO 27001 guidelines to create an initial ISMS framework to build upon and improve its security maturity.
As with other security frameworks, there are specific steps to obtain validation to the standard (which requires an audit by an approved third-party). Obtaining the standard from the ISO governing body costs about $150. Preparing for and navigating the formal audit process can be complicated and time-consuming, as you need to address each control with supporting documentation and evidence. Obtaining an ISO 27001 certification requires engaging with an ISO-approved auditing firm.
In our experience, even with the ability to adapt the applicable controls, ISO 27001 audits require more specific preparation than other audits.
NIST SP 800-171 AND NIST 800-53
NIST 800-53 is a widely used standard that includes a base of about 200 controls across 18 control areas. It is publicly available and widely used by federal and state governments. Some states and agencies have developed their own audit processes around NIST 800-53, but there is no accredited body that can certify you with NIST 800-53 compliance.
NIST 800-171 is a closely related public standard, with many of the same controls, that applies to federal contractors or subcontractors organizations that handle or generate Controlled Unclassified Information (CUI). CUI is information that requires safeguarding or dissemination controls required by law, regulation, and/or policy but which is not regulated by more stringent requirements such that it is classified. NIST 800-171 is a companion standard to NIST 800-53, which defines a control library and baselines for federal agencies. NIST 800-171 doesn't require external certification. Contractors are expected to self-assess and attest that they meet its standards or report their assessment scores. If you're a contractor, it's also your responsibility to ensure that all your subcontractors with access to CUI comply with NIST 800-171. Usually, you will know if you need to meet NIST 800-171 requirements because your customer or parent vendor will tell you. The Department of Defense must periodically review a DoD contractor's compliance with the standard's security requirements.
NIST 800-171 covers 14 categories (or requirement families) of controls. As is the case with many security standards, these categories/families cover common security areas such as access control, personnel security, and risk assessment. A combined total of 110 security controls are prescribed.
An organization can start by implementing a set of baseline controls, as identified under the standard. From there, it can layer on enhanced controls to achieve a more robust level of security, as outlined in NIST SP 800-172.
While NIST 800-171 and 800-53 provide a helpful framework with which any organization can protect its own information. Like ISO 27001, the assessment and documentation standards published by NIST provide a solid foundation on which an organization can establish an information security program and mature it over time. The standards also provide detailed guidance and methodology for conducting self-assessments and creating action plans.
The NIST Cybersecurity Framework (CSF) can be used build a security program with an eye toward risk across several common security functions. NIST CSF defines the following functions:
Each of the functions includes a number of categories and subcategories. Something extremely useful about the NIST CSF structure is that you can use different standards in what it calls Informative References to get very specific about a particular risk area. NIST CSF also defines tiers which allow you to self-assess your maturity level within the controls and build a roadmap from your current state to your target. The tiers are:
- Risk Informed
NIST CSF is used by many states’ Departments of Education as a common standard. However, it isn’t exactly meaningful to audit against NIST CSF. It is more of a useful tool for self-assessing and building a roadmap.
CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
Introduced in 2020, the CMMC improves and standardizes the cybersecurity requirements for organizations in the Defense Industrial Base (DIB). An organization is part of the DIB if it contracts directly with the DoD or is in the supply chain for another DIB organization. By 2026, any organization that wants to be in the DIB sector must have some level of CMMC certification.
The CMMC model centralizes standards for federal contractors from various sources and then adds some new controls. Where the CMMC is especially interesting is its maturity-based certification model.
An organization can be certified at one of five levels, each requiring a higher level of cybersecurity maturity. CMMC describes each level based on the maturity of its processes and practices. Using CMMC language, a level 1 organization performs basic cyber hygiene. "Perform" describes a level 1 organization's degree of process maturity. "Basic cyber hygiene" represents the maturity level of its practices. The rest of the levels are as follows:
- Level 2 organizations document intermediate cyber hygiene.
- Level 3 organizations manage good cyber hygiene.
- Level 4 organizations review their processes for effectiveness and adopt proactive practices to detect and respond to threats.
- Level 5 organizations have optimized their processes to execute an advanced/progressive level of cybersecurity.
The CMMC includes 171 practices mapped across 17 domains and the five maturity levels. The domains include those found in NIST SP 800-171, plus three more:
- Asset Management
- Situational Management
Within each domain, the CMMC outlines a set of processes and capabilities required for certification at each maturity level. These are cumulative. Level 1 certification covers 17 practices, while organizations that want a level 5 CMMC compliance certification will need to cover all 171.
The CMMC Certification Accreditation Body (CMMC-AB) has begun certifying the third-party organizations approved to conduct CMMC certifications. Organizations that are or plan to be in the DIB should start preparing for certification now.
We generally recommend that you start with Level 1 and work up to Level 3 as a near-term practical use of CMMC. Level 3 demonstrates a strong but achievable level of security for most small and mid-sized firms. Levels 4 and 5 require dedicated security teams with very advanced capabilities.
SOC 2, TYPE 1 AND 2 (SYSTEM ORGANIZATION CONTROLS)
SOC 2 is a security auditing process defined by the American Institute of CPAs (AICPA) and applies to service organizations. Such organizations often store sensitive organizational and personal data about their customers, either on-premise or in the cloud. SOC 2 audits assess the organization's processes and systems to determine if it's meeting its obligation to keep client and customer data secure.
Certified external auditors conduct SOC 2 audits. The goal is to obtain a SOC 2 report that attests the organization's security program meets its standards for protecting the security, availability, processing integrity, confidentiality, and/or privacy of sensitive information. SOC 2 groups its controls into five Trust Service Criteria (TSCs), which each cover the following issues:
- Security: network security, access controls, intrusion detection
- Availability: performance recovery, security incident handling, and disaster recovery
- Process integrity: data error prevention, detection, and remediation; data storage and maintenance; timely and accurate delivery of the right data to the right person(s)
- Confidentiality: access control and encryption appropriate to the type of data
- Privacy: storage, disclosure, usage, and disposal of personally identifiable information (PII); access controls and disclosure statements
There are two types of audits to assess an organization's level of SOC 2 compliance. A SOC 2 Type 1 audit and report assess the processes in place on a given day. A SOC 2 Type 2 audit is conducted over a time interval, typically three to twelve months. The SOC 2 Type 2 report assesses whether the security systems and processes have been followed during the period under audit based on a review of evidence provided. If they are, the SOC 2 report "attests" that the organization's security program implements the controls that satisfy the TSC criteria for which it’s being audited. An organization doesn't need to request an audit of all Trusted Services Criteria. It can start with the TSCs that are most important to its customer base and build from there.
For a more detailed look, read our detailed guide to SOC 2 compliance requirements.
SOC 2 Type 2 compliance is extremely beneficial for smaller technology companies. Many larger firms (particularly in North America) have started requiring evidence of SOC 2 compliance as part of their vendor management process.
FINDING THE RIGHT SECURITY STANDARD FOR YOUR BUSINESS
The CMMC and NIST 800-171 standards are intended for specific types of companies. If you do business with federal agencies or DoD specifically—or if you subcontract with federal contractors—you need to comply with these standards. CMMC compliance can cover much of the NIST 800-171 compliance, depending on the level of CMMC certification you achieve.
If you're a SaaS company or other service provider that manages client data, you don't need to be SOC 2 compliant to operate. However, working from a SOC 2 compliance checklist will go a long way towards a security program that genuinely protects your customers. Since many potential vendors, customers, and partners want to see a level of SOC 2 compliance, getting a SOC 2 audit is almost always worthwhile.
ISO 27001 and NIST CSF both provide well-defined processes and controls to help a company build a security program from the ground up. They also both provide valuable roadmaps to maturing your security program over time.
With securityprogram.io, we build the base controls around NIST 800-53 and map to each of these other standards so that you can identify the work once and track alignment to the other standards automatically. While we will help you design, build, and prepare your program; you still need to have an independent auditor make sure you are prepared for their audit process and perform the audit.