Cybersecurity Frameworks Explained

A plain-English guide to the standards and regulations that shape modern security programmes.

Which Framework Matters for Your Business?

Security frameworks can feel like an alphabet soup of acronyms. The reality is simpler: each one exists to help you identify risks, protect assets, and demonstrate trust to customers and regulators. Below is a quick-reference guide to the frameworks our fractional CISOs work with every day.

ISO 27001

The international standard for information security management.

ISO 27001 provides a systematic approach to managing sensitive company information through people, processes, and technology. Certification demonstrates to customers, regulators, and partners that you take information security seriously.

Best for

Organisations of any size seeking a globally recognised security certification.

  • Risk assessment and treatment process
  • Information Security Management System (ISMS)
  • Annex A controls covering 93 security measures
  • Requires external audit and annual surveillance

SOC 2

The trust standard for service organisations, especially in SaaS.

Developed by the AICPA, SOC 2 evaluates how well a service organisation manages data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Type II is the gold standard for B2B sales.

Best for

SaaS, cloud, and technology vendors selling to enterprise US customers.

  • Security (always required) + optional criteria
  • Requires third-party auditor assessment
  • Type I is a point-in-time assessment; Type II covers 3–12 months
  • Often a contractual requirement for US enterprise deals

NIS2

The EU-wide directive for network and information security.

The NIS2 Directive expands cybersecurity obligations across the EU, covering sectors from energy and transport to healthcare and digital services. It mandates risk management, incident reporting, supply chain security, and board accountability.

Best for

Essential and important entities operating in the EU, and organisations subject to the UK's equivalent NIS regime.

  • Applies to essential and important entities
  • Incident reporting in stages: early warning within 24 hours, full notification within 72 hours
  • Management body liability for non-compliance
  • Fines up to €10 million or 2% of global turnover, whichever is higher

Cyber Essentials

The UK government-backed baseline for cyber hygiene.

Cyber Essentials is a UK government scheme that helps organisations protect themselves against common cyber threats. It focuses on five technical controls and is increasingly required for public sector contracts.

Best for

UK SMEs, government suppliers, and organisations seeking an affordable baseline.

  • Firewall configuration
  • Secure configuration
  • User access control
  • Malware protection
  • Security update (patch) management

NIST CSF

A flexible, risk-based framework for managing cyber risk.

The NIST Cybersecurity Framework organises security activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is voluntary, widely adopted in the US, and increasingly used globally as a strategic planning tool.

Best for

Organisations looking for a pragmatic, non-certification approach to improving security.

  • Six core functions: Govern, Identify, Protect, Detect, Respond, Recover
  • Governance focus added in CSF 2.0
  • No certification body; self-assessment or third-party gap analysis
  • Highly flexible across industries and maturity levels

DORA

Digital Operational Resilience Act for financial services in the EU.

DORA sets uniform requirements for the security of network and information systems supporting financial entities in the EU. It introduces strict rules for ICT risk management, incident reporting, resilience testing, and third-party oversight.

Best for

Banks, insurers, investment firms, and their critical ICT third-party providers.

  • ICT risk management framework
  • Digital operational resilience testing
  • Third-party risk management for critical providers
  • Harmonised incident reporting to regulators

PCI DSS

The payment card industry data security standard.

PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Non-compliance can result in fines and loss of card processing privileges.

Best for

Any organisation that stores, processes, or transmits cardholder data.

  • Secure network and systems
  • Cardholder data protection
  • Access control measures
  • Regular monitoring and testing of networks

GDPR (Security Lens)

The data protection regulation with strict security implications.

While GDPR is primarily a privacy regulation, it imposes direct security obligations. Organisations must implement appropriate technical and organisational measures to protect personal data and report breaches within 72 hours.

Best for

Any organisation processing personal data of EU or UK residents.

  • Privacy by design and default
  • Appropriate technical and organisational security measures
  • 72-hour breach notification requirement
  • Potential fines up to 4% of global turnover

TISAX

The information security assessment standard for the automotive industry.

TISAX (Trusted Information Security Assessment Exchange) is the European automotive industry's standard for information security assessments. Based on ISO 27001 and ISO 27002, it includes VDA-specific requirements and is often mandatory for supplier relationships.

Best for

Automotive OEMs, Tier 1/2 suppliers, and service providers in the EU and UK.

  • Built on ISO 27001 and ISO 27002 standards
  • VDA ISA questionnaire with automotive-specific controls
  • Three assessment levels depending on data sensitivity
  • Widely required by OEMs and Tier 1 suppliers

UK FCA / PRA Operational Resilience

Operational resilience requirements for UK financial services.

The FCA and PRA require UK financial firms to identify important business services, set impact tolerances for disruption, and demonstrate they can remain within those tolerances during severe but plausible scenarios.

Best for

UK banks, insurers, asset managers, building societies, and critical fintechs.

  • Identify and map important business services
  • Set and test impact tolerances
  • Self-assessment and board attestation
  • Regular scenario testing and lessons-learned reporting

How to Choose

You sell B2B software to US enterprises

Start with SOC 2 Type II. It is the de facto trust credential for SaaS vendors. Many buyers will not sign a contract without it.

You operate in the UK and bid for government contracts

Cyber Essentials Plus is often mandatory. Add ISO 27001 if you want broader commercial credibility.

You are an EU-based critical infrastructure provider

NIS2 is now in force and carries personal liability for management. If you are in financial services, add DORA.

You want a strategic roadmap, not a certification

Use NIST CSF to baseline your maturity and prioritise gaps. It pairs well with any certification you pursue later.

You are in the automotive supply chain

TISAX is increasingly mandatory for OEM and Tier 1 supplier relationships in Europe. It demonstrates that your information security meets automotive industry expectations.

You are a UK financial services firm

The FCA and PRA Operational Resilience regime requires you to map important services, set impact tolerances, and prove you can recover within them. Board attestation is expected.

Not Sure Where to Start?

Our fractional CISOs help organisations cut through the framework maze, choose the right certifications, and build programmes that pass audit without slowing the business down.
