CHOOSE YOUR FRAMEWORK

Understand the frameworks. Find your company’s fit.

Structured ways to manage cyber risk, prepare for compliance conversations, and build a security program you can defend — compared side by side so you can pick the right starting point.

Referenced on this page

NIST CSF 2.0ISO/IEC 27001:2022CIS Controls v8.1SOC 2GDPRNIS2HIPAAPCI DSSNIST CSF 2.0ISO/IEC 27001:2022CIS Controls v8.1SOC 2GDPRNIS2HIPAAPCI DSS
WHY FRAMEWORKS

What a framework gives you

A framework is a shared blueprint for a security program — consistent practice, prepared evidence, and a common language with customers, insurers and auditors.

01

Consistency

Standardized practice across the organization instead of ad-hoc, person-dependent security.

02

Compliance readiness

Know which requirements and evidence your team will be asked for before the questionnaire arrives.

03

Risk reduction

A systematic way to find, prioritize and close the gaps that matter most.

04

Stakeholder trust

Demonstrable practice that builds confidence with customers, partners and regulators.

THE FRAMEWORKS

Understand each framework

What each one is, how it is structured, and the kind of company it fits. NIST CSF 2.0 powers the free assessment today; the others are reference guides with assessments on the roadmap.

Framework

Available now

NIST Cybersecurity Framework 2.0

A voluntary, risk-based framework from NIST that helps any organization manage and reduce cybersecurity risk.

At a glance

6 functions22 categories106 subcategoriesMedium complexity

Best for

Any size organization that wants a flexible, risk-based baseline to start from.

  • Six functions: Govern, Identify, Protect, Detect, Respond, Recover
  • 22 categories and 106 outcome subcategories
  • Four tiers: Partial, Risk Informed, Repeatable, Adaptive
  • Voluntary, risk-based and organization-agnostic

How you adopt it
Phased: current-state profile, target profile, then a prioritized gap analysis.

Helps you prepare for

FISMAHIPAASOXPCI DSS
Start free assessment

Standard

Assessment on roadmap

ISO/IEC 27001:2022

The international standard for an information security management system (ISMS), offering accredited certification and global recognition.

At a glance

93 Annex A controls4 themesISMS certificationHigh complexityCertifiable

Best for

Companies that need a globally recognized certificate for customers and partners.

  • 93 Annex A controls in four themes (37 organizational · 8 people · 14 physical · 34 technological)
  • Risk assessment and treatment at the core of the ISMS
  • Continual improvement via the ISO management-system (Annex SL) structure
  • Accredited certification with annual surveillance audits

How you adopt it
Formal ISMS: scope and risk treatment, documentation, internal audit, then certification audit.

Helps you prepare for

GDPRSOXHIPAAPCI DSS

Controls set

Assessment on roadmap

CIS Critical Security Controls v8.1

A prioritized, prescriptive set of 18 controls (v8.1, 2024) designed to defend against the most common attack patterns.

At a glance

18 controls153 safeguardsIG1 = 56Low complexity

Best for

Teams that want a prescriptive technical checklist — IG1 is an excellent SMB on-ramp.

  • 18 controls and 153 safeguards (v8.1, 2024)
  • Three Implementation Groups; IG1 = 56 safeguards for an SMB baseline
  • Prescriptive, technical and immediately actionable
  • Mapped to NIST CSF, ISO 27001 and PCI DSS

How you adopt it
Start with IG1 for essential cyber hygiene, then progress to IG2 and IG3 as maturity grows.

Helps you prepare for

NIST CSFISO 27001PCI DSS

Attestation

Assessment on roadmap

SOC 2

An AICPA attestation for service organizations that handle customer data — a report from an independent CPA firm, not a certification.

At a glance

5 TSC categoriesType I & IICPA attestationMedium complexityAttestation-based

Best for

B2B SaaS and service organizations proving trust in enterprise procurement.

  • Five Trust Services Categories; Security (common criteria) is required
  • Type I (design at a point in time) and Type II (operating effectiveness over a period)
  • Independent CPA-firm attestation — a report, not a certification
  • Maps to NIST CSF and ISO 27001 (AICPA TSC mappings)

How you adopt it
Readiness assessment, remediate gaps, a 3–12 month observation window, then the Type II examination.

Helps you prepare for

HIPAAGDPRPCI DSS
FIND YOUR FIT

Not sure where to start?

A quick guide from where you are today to the framework that fits.

You are an SMB wanting a baselineNIST CSF 2.0 · CIS IG1
You need a certificate customers recognizeISO/IEC 27001
You are B2B SaaS facing procurement reviewsSOC 2
You run industrial or OT systemsNIST CSF · IEC 62443
SIDE BY SIDE

Compare the four

These four map to each other — one gap assessment translates across them. The free flow starts with NIST CSF 2.0 today.

NIST CSF 2.0Available now
Type
Framework
Complexity
Medium complexity
Credential
Core structure
22 categories · 106 subcategories
Best for
Risk-based baseline
Helps prepare for
FISMA · HIPAA · SOX · PCI DSS
ISO/IEC 27001Assessment on roadmap
Type
Standard
Complexity
High complexity
Credential
Certifiable
Core structure
93 Annex A controls
Best for
Recognized certificate
Helps prepare for
GDPR · SOX · HIPAA · PCI DSS
CIS Controls v8.1Assessment on roadmap
Type
Controls set
Complexity
Low complexity
Credential
Core structure
18 controls · 153 safeguards
Best for
Technical checklist
Helps prepare for
NIST CSF · ISO 27001 · PCI DSS
SOC 2Assessment on roadmap
Type
Attestation
Complexity
Medium complexity
Credential
Attestation-based
Core structure
5 Trust Services Categories
Best for
Trust report
Helps prepare for
HIPAA · GDPR · PCI DSS
THE ASSESSMENT TODAY

What you get right now

The free assessment runs on NIST CSF 2.0. ISO 27001, CIS Controls and SOC 2 are reference guides while their assessment flows are built — but the learning here applies to all four.

  • Current quiz — the free NIST CSF 2.0 assessment.
  • Current output — score, weak categories, remediation priorities and evidence guidance.
  • Optional starter export — PDF and HTML files for free-assessment results.

Frameworks vs. regulations

GDPR and NIS2 are EU law (a regulation and a directive); HIPAA, SOX, FISMA and FERPA are US statutes; PCI DSS is an industry standard. They are not frameworks — but a framework-aligned program is how you prepare to meet them. The tags on each card show where that framework is commonly applied.

GDPRNIS2HIPAASOXFISMAFERPAPCI DSSIEC 62443
BY INDUSTRY

Industry applications

How different industries map common risks to framework-driven assessment priorities.

Healthcare

HIPAA compliance, patient-data protection, and medical-device security using NIST CSF and ISO 27001.

Key frameworks

HIPAANIST CSF

Common challenges

  • Patient-data protection across multiple systems
  • Medical-device cybersecurity compliance
  • Ransomware protection for critical systems
  • Third-party vendor risk management

Assessment focus

What the audit checks

  • Access control for clinical and administrative systems
  • Ransomware readiness across backups, endpoint controls and recovery
  • Vendor handling for patient data and connected medical devices

Typical roadmap priorities

  • Confirm MFA and least privilege on high-risk systems
  • Test recovery procedures for critical patient-facing services
  • Document supplier security responsibilities and evidence
GAP → PLAN

From framework to action plan

Three steps from framework to a prioritized roadmap.

01

Framework context

Start with NIST CSF 2.0 today while tracking ISO 27001 and CIS Controls as roadmap references.

NIST CSF 2.0
02

Gap analysis

Complete a guided 10–15 minute assessment that returns prioritized findings.

10–15 min
03

Action plan

Receive a concrete, framework-aligned remediation plan with effort estimates and priorities.

remediation plan
PLAN READY
FAQ

Common questions

Which framework should an SMB start with?

NIST CSF 2.0 is the most common starting point for SMBs because it is risk-based and organization-agnostic. CIS Controls IG1 is an excellent complement for concrete technical safeguards.

Do I have to pick only one framework?

No. Frameworks map to each other. A single gap assessment can produce guidance in NIST, ISO and CIS terms simultaneously.

Does CyberGapAudit certify my organization?

No. We are not an accredited certification body. We produce gap assessments and action plans that help you prepare for formal audits and attestations.

Ready to find your fit?

Start with the free assessment to understand your current posture and get a framework-aligned plan.