微信扫一扫Security Frameworks Planning
Comprehensive guidance for security framework alignment and control mapping before development begins.
When to Use This Skill
- Preparing for ISO 27001 certification
- Planning SOC 2 Type I or Type II audits
- Implementing NIST Cybersecurity Framework 2.0
- Mapping CIS Controls to your environment
- Creating cross-framework control mappings
Framework Comparison
When to Use Which Framework
| Framework | Best For | Certification? | Geography | |-----------|----------|---------------|-----------| | ISO 27001 | Enterprise ISMS, international recognition | Yes (3rd party) | Global | | SOC 2 | SaaS/Cloud providers, customer trust | Yes (CPA firm) | Primarily US | | NIST CSF | Risk management, federal requirements | No | US-focused | | CIS Controls | Tactical implementation, prioritization | No | Global |
Framework Relationships
┌─────────────────┐
│ Regulations │
│ (GDPR, HIPAA) │
└────────┬────────┘
│ drives
┌────────▼────────┐
│ Frameworks │
│(ISO, NIST, CIS) │
└────────┬────────┘
│ implements
┌────────▼────────┐
│ Controls │
│ (specific tech) │
└────────┬────────┘
│ evidenced by
┌────────▼────────┐
│ Audits │
│ (SOC 2, ISO) │
└─────────────────┘
ISO 27001:2022
Structure Overview
Clauses 4-10: Management System Requirements
├── 4. Context of the organization
├── 5. Leadership
├── 6. Planning
├── 7. Support
├── 8. Operation
├── 9. Performance evaluation
└── 10. Improvement
Annex A: 93 Controls in 4 Themes
├── A.5 Organizational controls (37)
├── A.6 People controls (8)
├── A.7 Physical controls (14)
└── A.8 Technological controls (34)
Key Controls for Development
| Control | Title | Implementation | |---------|-------|----------------| | A.5.1 | Policies for information security | Document security policies | | A.5.15 | Access control | RBAC, least privilege | | A.5.23 | Information security for cloud services | Cloud security controls | | A.8.4 | Access to source code | Git access, code review | | A.8.8 | Management of technical vulnerabilities | Vulnerability scanning | | A.8.9 | Configuration management | IaC, hardening | | A.8.25 | Secure development lifecycle | SSDLC | | A.8.28 | Secure coding | OWASP, static analysis | | A.8.29 | Security testing | DAST, penetration testing | | A.8.31 | Separation of environments | Dev/Test/Prod isolation |
ISMS Implementation Approach
// Control implementation tracking
public class IsmsControlTracker
{
public record ControlStatus
{
public required string ControlId { get; init; } // e.g., "A.8.28"
public required string ControlTitle { get; init; }
public required ImplementationStatus Status { get; init; }
public required string Owner { get; init; }
public required List<string> Evidence { get; init; }
public required DateTimeOffset LastReviewDate { get; init; }
public required DateTimeOffset NextReviewDate { get; init; }
public string? GapDescription { get; init; }
public string? RemediationPlan { get; init; }
}
public enum ImplementationStatus
{
NotApplicable,
NotImplemented,
PartiallyImplemented,
FullyImplemented
}
public GapAnalysisReport GenerateGapAnalysis(
IEnumerable<ControlStatus> controls)
{
var gaps = controls
.Where(c => c.Status != ImplementationStatus.FullyImplemented
&& c.Status != ImplementationStatus.NotApplicable)
.OrderBy(c => c.ControlId);
return new GapAnalysisReport
{
TotalControls = controls.Count(),
FullyImplemented = controls.Count(c =>
c.Status == ImplementationStatus.FullyImplemented),
PartiallyImplemented = controls.Count(c =>
c.Status == ImplementationStatus.PartiallyImplemented),
NotImplemented = controls.Count(c =>
c.Status == ImplementationStatus.NotImplemented),
NotApplicable = controls.Count(c =>
c.Status == ImplementationStatus.NotApplicable),
Gaps = gaps.ToList()
};
}
}
SOC 2
Trust Services Criteria (TSC)
| Category | Description | Key Criteria | |----------|-------------|--------------| | Security (Required) | System protected against unauthorized access | CC6.x | | Availability | System available for operation | A1.x | | Processing Integrity | System processing is complete, accurate | PI1.x | | Confidentiality | Confidential information protected | C1.x | | Privacy | Personal information protected | P1.x-P8.x |
Common Criteria (Security)
CC1 - Control Environment
CC2 - Communication and Information
CC3 - Risk Assessment
CC4 - Monitoring Activities
CC5 - Control Activities
CC6 - Logical and Physical Access Controls
CC7 - System Operations
CC8 - Change Management
CC9 - Risk Mitigation
SOC 2 Control Examples
## CC6.1 - Logical Access Security
### Control Description
The entity implements logical access security software, infrastructure,
and architectures over protected information assets to protect them
from security events to meet the entity's objectives.
### Implementation
- Authentication via Azure AD with MFA required
- RBAC with least privilege principle
- Service accounts with managed identities
- API access via OAuth 2.0 tokens
### Evidence
- Azure AD configuration export
- Role assignment documentation
- Access review reports (quarterly)
- MFA enforcement policy
Type I vs Type II
| Aspect | Type I | Type II | |--------|--------|---------| | Scope | Point in time | Period of time (6-12 months) | | Focus | Design of controls | Design AND operating effectiveness | | Evidence | Policies, configurations | Logs, samples, testing | | Use Case | First audit, quick report | Customer assurance, ongoing |
NIST Cybersecurity Framework 2.0
Core Functions
┌────────────────────────────────────────────────────┐
│ GOVERN │
│ Organizational context, strategy, oversight │
├────────────┬────────────┬────────────┬─────────────┤
│ IDENTIFY │ PROTECT │ DETECT │ RESPOND │
│ Assets & │ Safeguards │ Continuous │ Incident │
│ Risks │ │ Monitoring │ Response │
├────────────┴────────────┴────────────┴─────────────┤
│ RECOVER │
│ Resilience & Recovery │
└────────────────────────────────────────────────────┘
Function Breakdown
| Function | Category | Key Activities | |----------|----------|---------------| | GOVERN | Organizational Context | Establish risk management strategy | | | Risk Management Strategy | Define risk tolerance | | | Roles & Responsibilities | Assign accountability | | | Policy | Document policies | | | Oversight | Board/executive involvement | | IDENTIFY | Asset Management | Inventory systems and data | | | Risk Assessment | Identify and assess risks | | | Improvement | Continuous improvement | | PROTECT | Identity Management | Access control, authentication | | | Awareness & Training | Security training | | | Data Security | Encryption, classification | | | Platform Security | Secure configurations | | | Technology Infrastructure | Secure architecture | | DETECT | Continuous Monitoring | Security monitoring | | | Adverse Event Analysis | Threat detection | | RESPOND | Incident Management | Incident response | | | Incident Analysis | Root cause analysis | | | Incident Response | Containment, eradication | | | Incident Mitigation | Limit impact | | RECOVER | Incident Recovery | Restore operations | | | Improvements | Post-incident learning |
Implementation Tiers
| Tier | Name | Description | |------|------|-------------| | 1 | Partial | Ad hoc, reactive | | 2 | Risk Informed | Risk aware but informal | | 3 | Repeatable | Formal policies, consistent | | 4 | Adaptive | Continuous improvement, predictive |
CIS Controls v8
Control Categories
Implementation Groups (IG):
IG1 - Essential Cyber Hygiene (56 safeguards)
IG2 - IG1 + Enhanced (130 safeguards)
IG3 - IG1 + IG2 + Advanced (153 safeguards)
18 Control Areas
| # | Control | IG1 | Key Safeguards | |---|---------|-----|----------------| | 1 | Inventory of Enterprise Assets | ✓ | Asset discovery, inventory | | 2 | Inventory of Software Assets | ✓ | Software inventory | | 3 | Data Protection | ✓ | Classification, encryption | | 4 | Secure Configuration | ✓ | Hardening, baselines | | 5 | Account Management | ✓ | Centralized auth, MFA | | 6 | Access Control Management | ✓ | Least privilege, RBAC | | 7 | Continuous Vulnerability Management | ✓ | Scanning, patching | | 8 | Audit Log Management | ✓ | Centralized logging | | 9 | Email and Web Browser Protections | ✓ | Filtering, sandboxing | | 10 | Malware Defenses | ✓ | Anti-malware, EDR | | 11 | Data Recovery | ✓ | Backups, testing | | 12 | Network Infrastructure Management | | Segmentation, hardening | | 13 | Network Monitoring and Defense | | IDS/IPS, NDR | | 14 | Security Awareness and Skills Training | ✓ | Training program | | 15 | Service Provider Management | | Vendor assessment | | 16 | Application Software Security | | SSDLC, testing | | 17 | Incident Response Management | | IR plan, testing | | 18 | Penetration Testing | | Annual pen test |
Priority Implementation
## CIS IG1 Priority Controls
### Start Here (Quick Wins)
1. **Control 1.1**: Maintain accurate asset inventory
2. **Control 4.1**: Establish secure configuration process
3. **Control 5.1**: Establish centralized account management
4. **Control 6.1**: Establish access granting process
### Next Priority
5. **Control 7.1**: Establish vulnerability management process
6. **Control 8.1**: Establish audit logging
7. **Control 11.1**: Establish data recovery practices
8. **Control 14.1**: Establish security awareness program
### Then
9. **Control 3.1**: Establish data management process
10. **Control 10.1**: Deploy anti-malware
Cross-Framework Mapping
Control Mapping Matrix
| Capability | ISO 27001 | SOC 2 TSC | NIST CSF 2.0 | CIS v8 | |------------|-----------|-----------|--------------|--------| | Access Control | A.5.15, A.8.2-8.5 | CC6.1-6.3 | PR.AA | 5, 6 | | Asset Management | A.5.9-5.11 | CC6.1 | ID.AM | 1, 2 | | Encryption | A.8.24 | CC6.1, CC6.7 | PR.DS | 3.6, 3.9 | | Logging | A.8.15 | CC7.2 | DE.AE | 8 | | Vulnerability Mgmt | A.8.8 | CC7.1 | ID.RA | 7 | | Incident Response | A.5.24-5.28 | CC7.4, CC7.5 | RS | 17 | | Change Management | A.8.32 | CC8.1 | PR.IP | 4.2 | | Secure Development | A.8.25-8.31 | CC8.1 | PR.IP | 16 |
.NET Control Implementation Examples
// Access Control implementation (multiple frameworks)
// ISO 27001 A.5.15 / SOC 2 CC6.1 / NIST PR.AA / CIS 5,6
public class AccessControlService
{
private readonly IAuthorizationService _authService;
private readonly IAuditLogger _auditLogger;
public async Task<AuthorizationResult> Authorize(
ClaimsPrincipal user,
string resource,
string action,
CancellationToken ct)
{
// Log access attempt (CIS 8 / NIST DE.AE)
var accessAttempt = new AccessAttempt
{
UserId = user.GetUserId(),
Resource = resource,
Action = action,
Timestamp = DateTimeOffset.UtcNow
};
var result = await _authService.AuthorizeAsync(user, resource, action);
accessAttempt.Success = result.Succeeded;
accessAttempt.Reason = result.Failure?.FailureReasons
.FirstOrDefault()?.Message;
await _auditLogger.Log(accessAttempt, ct);
return result;
}
}
// Secure configuration (ISO A.8.9 / NIST PR.IP / CIS 4)
public class SecureConfigurationValidator
{
public ValidationResult ValidateConfiguration(IConfiguration config)
{
var issues = new List<ConfigurationIssue>();
// Check for secure defaults
if (config["AllowHttp"] == "true")
{
issues.Add(new ConfigurationIssue
{
Setting = "AllowHttp",
Issue = "HTTP should be disabled in production",
Severity = Severity.High,
Remediation = "Set AllowHttp=false"
});
}
// Check TLS configuration
var tlsVersion = config["MinTlsVersion"];
if (tlsVersion != "1.2" && tlsVersion != "1.3")
{
issues.Add(new ConfigurationIssue
{
Setting = "MinTlsVersion",
Issue = "TLS 1.2 or higher required",
Severity = Severity.Critical,
Remediation = "Set MinTlsVersion=1.2"
});
}
return new ValidationResult { Issues = issues };
}
}
Framework Selection Guide
Decision Tree
What is your primary driver?
├─ Customer requirement for audit report?
│ ├─ US customers → SOC 2
│ └─ International customers → ISO 27001
│
├─ Regulatory requirement?
│ ├─ US Federal → NIST CSF + FedRAMP
│ └─ Healthcare → HIPAA (use NIST CSF)
│
├─ Starting security program?
│ └─ CIS Controls IG1 (practical starting point)
│
└─ Enterprise-wide ISMS?
└─ ISO 27001 (comprehensive management system)
Security Framework Checklist
Pre-Assessment
- [ ] Identify applicable frameworks
- [ ] Determine scope boundaries
- [ ] Inventory systems in scope
- [ ] Document current controls
- [ ] Conduct gap analysis
Control Implementation
- [ ] Prioritize gaps by risk
- [ ] Create remediation roadmap
- [ ] Implement missing controls
- [ ] Document evidence
- [ ] Test control effectiveness
Audit Preparation
- [ ] Collect evidence artifacts
- [ ] Prepare control narratives
- [ ] Test samples (Type II)
- [ ] Address known gaps
- [ ] Brief stakeholders
Cross-References
- Data Privacy:
gdpr-compliance,hipaa-compliancefor data protection - PCI:
pci-dss-compliancefor payment security - AI:
ai-governancefor AI-specific controls