Frameworks and compliance
Frameworks give you a structure to follow. Compliance requirements give you a minimum bar. Neither is perfect, but both are useful—especially when you’re starting out or need to communicate with executives and auditors.
The frameworks you need to know
NIST Cybersecurity Framework
The most widely used framework. Organised around five functions: Identify, Protect, Detect, Respond, Recover. Flexible, practical, and free. Start here if you’re building a programme from scratch.
ISO 27001
International standard for information security management. Certifiable (auditors can verify compliance). Often required by enterprise customers. More prescriptive than NIST.
CIS Controls
Prioritised list of specific actions. Less comprehensive than NIST, but more actionable. Great for knowing “what do I do first?” Implementation Groups help scale to your size.
SOC 2
Not a framework, but an audit standard for service providers. If you sell SaaS or handle customer data, customers will ask for your SOC 2 report. Trust Services Criteria: security, availability, confidentiality, privacy, processing integrity.
Regulations that drive security
- GDPR. European data protection. Applies if you have EU customers. Fines up to €20M or 4% of global revenue. Requires breach notification within 72 hours.
- HIPAA. US healthcare data. If you handle patient data, you’re covered. Administrative, physical, and technical safeguards are required.
- PCI DSS. Credit card data. If you accept cards, you comply—or your payment processor does it for you.
- NIS2 / DORA. New EU regulations for critical infrastructure and financial services. Coming into force 2024-2025.
💡 Compliance vs. security
Compliance is not security. You can be compliant and still get breached. But compliance frameworks often represent a good baseline, and they give you a common language to discuss security with stakeholders, regulators, and customers. Use them as a floor, not a ceiling.
Related training modules
- Compliance Fundamentals — SOC 2, ISO 27001, audit preparation, and control evidence
- Governance Fundamentals — Board-level cyber risk oversight and technology governance
Free resources to go deeper
- NIST CSF: NIST CSF Official Site — Free downloads and implementation guides
- CIS: CIS Controls — Free, prioritised, practical
- Video: NIST CSF Explained (Simply Cyber) — Clear 30-minute overview