Learn About Our CCSK X CCSP Training Week

CISSP Training Series – Frameworks

Frameworks According to ISC2 CISSP Training


Welcome to our inaugural entry in our new CISSP training series of blogs. Domain 1 of the CISSP deals with security and risk management. As you may be aware, the CISSP exam outline contains the domains and associated domain objectives. A key objective of the first domain is objective 7 which covers frameworks. In this entry, I’m going to cover the frameworks discussed. I’m also limiting this coverage to the content covered in the official courseware as part of preparing for your CISSP exam.


You’ll also notice that I try to include links to source documentation where possible. Material referred to in these links are not required study material! You won’t be tested on anything that a particular framework states. The exam is based on the CISSP material, not references that CISSP uses. CISSP covers a lot as it is. Don’t add to your study time if you don’t have to!


Different Types of Frameworks


The official CISSP textbook addresses privacy, cybersecurity, risk, and security control frameworks. Frameworks guide organizations in adapting their operational systems to address information security needs. These needs can be mandated by external regulations or arise from internal factors and market conditions. As organizations navigate the system’s life cycle, from analyzing requirements to deploying systems, they face an evolving threat landscape. Amidst these continuous changes, organizations implement security measures to remain compliant with the relevant frameworks and requirements.


The bottom line is that when it comes to frameworks, they serve as a starting point of data security (and privacy) requirements. They can also be used to assess the in-use system and its controls for compliance and security assessment purposes.


Privacy Frameworks


Privacy frameworks consist of a set of privacy principles, standards and or guidelines. As with everything else when it comes to standards, there is a variety of privacy frameworks. Privacy frameworks are usually designed for a certain jurisdiction or industry.


As an example of privacy frameworks, the CISSP text covers the Privacy Management Framework (PMF) by the AICPA. The only key element they highlight about the PMF is the addressing of GDPR and updated Trust Services Criteria (also by AICPA).


Cybersecurity Frameworks


A security framework is a “notional construct” (meaning something that can be used to draw from) outlining the organization’s approach to cybersecurity, including a list of specific security processes, policies, procedures and solutions that the organization can choose from.


The official courseware mentions that a cybersecurity professional (e.g. a CISSP) should have a working knowledge of the following cybersecurity frameworks:


ISO 27001

This certification is the global heavyweight when it comes to cybersecurity frameworks. If you’re American, you might think this statement is misguided, but if you check out the ISO survey, you’ll see the U.K. has roughly 3 times the amount of ISO 27001 certifications than the U.S..


ISO 27001 certification of an Information Security Management System (ISMS) is focused on governance and mainly focuses on policies. ISO 27001 has a companion document labelled ISO 27002. ISO 27002 is a document that gives expanded guidance regarding the controls found in ISO 27001. ISO 27002 itself is not a certification.


NIST Risk Management Framework

Next up, we have the National Institute of Science and Technology (NIST). Like ISO, there is myriad of documents NIST creates. The two cybersecurity frameworks that work together are the NIST Risk Management Framework (RMF) which is labelled 800-37 and the controls catalog (800-53). You can think of the relationship between the RMF and 800-53 much as the relationship between ISO 27001 and 27002.


Although NIST is pervasive throughout the U.S. Government, many large organizations use the NIST RMF as their cybersecurity framework. All NIST documentation is free of charge, but there is no certification available against the NIST RMF.



Often confused with HIPAA compliance (more on this later), HITRUST Alliance is a private organization that has created a cybersecurity framework called the Common Security and Privacy Framework (HITECH CSF) that works with other standards (such as HIPAA). The goal of the CSF is to have one framework, one certification and one assessment as a globally recognized standard for exchanging attestations of trust between organizations, public or private.


Basically, the HITRUST CSF maps to a bunch of different standards and certifications. Many companies that require HIPAA certification happen to use the HITRUST CSF. That’s the link between HIPAA and HITRUST. HIPAA is a U.S. federal law while HITRUST CSF is a cybersecurity framework developed by a for-profit company.


Although not needed at all for your CISSP exam, you can read more about the HITRUST CSF in an informative post here and the official HITRUST Alliance site itself


Cloud Security Alliance


The CISSP textbook also calls out the Security, Trust, Assurance and Risk (STAR) registry by the Cloud Security Alliance (CSA) as a cybersecurity framework. Personally, I can’t see there being questions on this, because quite frankly, I think this is a mistake. The STAR registry is a collection of Consensus Assessment Initiative Questionnaire (CAIQ) responses by Cloud Service Providers (CSPs).


I can see the Cloud Controls Matrix (CCM) being a cybersecurity framework (because that’s what it is called by the CSA itself), but I personally don’t see the STAR registry as a cybersecurity framework.


Risk Frameworks


Risk management frameworks are used to optimize the organization’s response to risk. In many large organizations, this effort defines the organization’s strategy in terms of balancing business risks and opportunities. This is often referred to as Enterprise Risk Management (ERM).


As with the cybersecurity frameworks covered before, ISC2 lists some leading risk frameworks. These are:




The CISSP textbook calls out both ISO 31000 for a holistic view of risk the organization faces and 27005 documents to address Information Technology (IT) risk.


Committee of Sponsoring Organizations (COSO)

The thing to note about COSO and risk management is the more recent document released called Enterprise Risk Management—Integrated Framework. They state this document is seen as a definitive guide to the topic, so it’s worth remembering even if your organization doesn’t use it.




ISACA created the RISK IT framework to address all aspects of risk associated with the use of IT in a company.




NIST 800-37 is the Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy to remember. Hopefully, you also remember this was addressed in the cybersecurity framework discussion.

Security Control Frameworks


Don’t mistake the cybersecurity controls covered earlier and security control frameworks. Security control frameworks (SCFs) provide minimum acceptable practices for implementation and operation of security controls. Think of the PCI DSS for example. PCI DSS isn’t a “notional construct”, rather it is a clear list of controls and processes that are minimal acceptable practices for implementation and operation of security controls. That’s the big difference.


Security Control Frameworks and Gap Analysis


The courseware also discusses the use of gap analysis with security control frameworks. As you can imagine, the gap analysis can be used by an organization as an evaluation and assessment tool to determine what security control gaps exist in an organization.




Of course, this information (and much more!) is part of our CISSP Training. We offer Official CISSP Training from the ISC2. Your options include On-Demand CISSP Training, Live Online CISSP Training and In-Person CISSP Training. If you are interested in team training, please contact us for a quote!



Posted under:

Graham Thompson is an Information Security professional with over 25 years of enterprise experience across engineering, architecture, assessment and training disciplines. He is the founder and CEO of Intrinsec Security, a leading training company that is solely focused on delivering leading authorized IT security training from partners such as the Cloud Security Alliance, ISC2, ISACA, EC-Council and CompTIA.

CCSK | CCSP: The Industry’s Leading Cloud Security Certifications - learn more

Upgrade your Skills. Secure your Potential.

Our experts provide hands-on and on-demand training that helps IT and data security professionals meet today's cyber security challenges and prepares you for a successful future.

Training Schedule Contact Us