Phase 1 · Compliance Frameworks Landscape · Lesson 3 of 3
Reference · 5 min
This page is a reference you will come back to. It puts the four frameworks you just learned side by side so you can see how they compare across the dimensions that matter most: what they are, who requires them, and how they handle the same security concepts.
Save this page
Bookmark this or keep it open in a tab. You will reference it every time you need to map a control, answer an auditor's question about framework differences, or explain to an engineer why their work satisfies multiple standards simultaneously.
┌──────────────────┬──────────────────┬──────────────────┬──────────────────┬──────────────────┐
│                  │ SOC 2            │ ISO 27001        │ NIST CSF         │ CIS Controls v8  │
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Full name        │ System and Org   │ ISO/IEC          │ Cybersecurity    │ CIS Critical     │
│                  │ Controls 2       │ 27001:2022       │ Framework 2.0    │ Security Controls│
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Origin           │ AICPA (US)       │ ISO/IEC          │ NIST (US Gov)    │ CIS (non-profit) │
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Type             │ Attestation      │ Certification    │ Voluntary        │ Prescriptive     │
│                  │ report           │                  │ framework        │ controls list    │
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Structure        │ 5 Trust Services │ Clauses 4-10 +   │ 6 Functions,     │ 18 Control       │
│                  │ Criteria, CC1-9  │ 93 Annex A       │ Categories,      │ Families,        │
│                  │                  │ controls         │ Subcategories    │ 153 Safeguards   │
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Audit type       │ Type I (point    │ Stage 1 + Stage  │ Self-assessment  │ Self-assessment  │
│                  │ in time) or      │ 2 certification  │ (no formal       │ (no formal       │
│                  │ Type II (period) │ audit            │ audit required)  │ audit required)  │
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Audit frequency  │ Annual           │ 3-year cycle     │ N/A              │ N/A              │
│                  │                  │ (annual surveil.)│                  │                  │
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Who requires it  │ US SaaS buyers,  │ EU enterprise,   │ US government,   │ Organizations    │
│                  │ enterprise       │ global corps,    │ critical infra,  │ wanting          │
│                  │ procurement      │ government       │ used as taxonomy │ prioritized list │
├──────────────────┼──────────────────┼──────────────────┼──────────────────┼──────────────────┤
│ Cost estimate    │ $30K-$150K/yr    │ $20K-$80K/yr     │ Free             │ Free             │
│                  │ (audit fees)     │ (cert fees)      │                  │                  │
└──────────────────┴──────────────────┴──────────────────┴──────────────────┴──────────────────┘
Framework comparison: the four you will use most
┌──────────────────┬──────────────────────────────────────────────────────────┐
│ Framework        │ Access Control Requirements                              │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ SOC 2            │ CC6.1 — Logical and physical access controls             │
│                  │ CC6.2 — Access credentials management                    │
│                  │ CC6.3 — Access removal upon termination                  │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ ISO 27001        │ A.8.2 — Privileged access rights                         │
│                  │ A.8.3 — Information access restriction                   │
│                  │ A.8.5 — Secure authentication (incl. MFA)                │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ NIST CSF         │ PR.AA — Identity Management, Authentication,             │
│                  │ and Access Control (CSF 2.0)                             │
│                  │ PR.AC — Access Control (CSF 1.1 legacy)                  │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ CIS Controls     │ Control 5 — Account Management                           │
│                  │ Control 6 — Access Control Management                    │
│                  │ 6.3 — Require MFA for externally-exposed apps            │
│                  │ 6.4 — Require MFA for remote network access              │
│                  │ 6.5 — Require MFA for administrative access              │
└──────────────────┴──────────────────────────────────────────────────────────┘
The same security concept — access control — as expressed in each framework
┌──────────────────┬──────────────────────────────────────────────────────────┐
│ Framework        │ Data Protection / Encryption                             │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ SOC 2            │ CC6.1 — Encryption of data at rest and in transit        │
│                  │ CC6.7 — Restriction of data transmission                 │
│                  │ C1.1 — Confidentiality commitments                       │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ ISO 27001        │ A.8.10 — Information deletion                            │
│                  │ A.8.11 — Data masking                                    │
│                  │ A.8.24 — Use of cryptography                             │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ NIST CSF         │ PR.DS — Data Security                                    │
│                  │ PR.DS-1 — Data at rest is protected                      │
│                  │ PR.DS-2 — Data in transit is protected                   │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ CIS Controls     │ Control 3 — Data Protection                              │
│                  │ 3.6 — Encrypt data on end-user devices                   │
│                  │ 3.9 — Encrypt data on removable media                    │
│                  │ 3.10 — Encrypt sensitive data in transit                 │
│                  │ 3.11 — Encrypt sensitive data at rest                    │
└──────────────────┴──────────────────────────────────────────────────────────┘
Data protection and encryption controls across frameworks
┌──────────────────┬──────────────────────────────────────────────────────────┐
│ Framework        │ Incident Response                                        │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ SOC 2            │ CC7.3 — Evaluate security events                         │
│                  │ CC7.4 — Respond to identified security incidents         │
│                  │ CC7.5 — Communicate security incidents                   │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ ISO 27001        │ A.5.24 — Incident management planning                    │
│                  │ A.5.25 — Assessment and decision on events               │
│                  │ A.5.26 — Response to incidents                           │
│                  │ A.6.8 — Information security event reporting             │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ NIST CSF         │ RS.AN — Incident Analysis                                │
│                  │ RS.CO — Incident Reporting and Communication             │
│                  │ RS.MI — Incident Mitigation                              │
│                  │ RC.RP — Incident Recovery Plan Execution                 │
├──────────────────┼──────────────────────────────────────────────────────────┤
│ CIS Controls     │ Control 17 — Incident Response Management                │
│                  │ 17.1 — Designate personnel for incident handling         │
│                  │ 17.2 — Establish process for reporting incidents         │
│                  │ 17.3 — Establish and maintain an IR process              │
└──────────────────┴──────────────────────────────────────────────────────────┘
Incident response requirements across frameworks
The tables above demonstrate the core idea: the same technical control — enforcing MFA, encrypting data at rest, running an incident response process — satisfies requirements in multiple frameworks simultaneously. You do not build separate controls for each framework. You build the control once, then map it to every framework that requires it.
This is the foundation of framework mapping, and it is the reason a single GRC Engineer can manage SOC 2, ISO 27001, and NIST CSF compliance without tripling the workload.
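The "build the control once, map it everywhere" idea from the two paragraphs above, as an added example that is not part of the course material. The requirement identifiers are taken from the comparison tables on this page; the control ids (AC-01, DP-02, ...), control names, implementation status and the catalogue subset are constructed sample data. The example goes slightly beyond the text by also computing gaps: catalogued requirements that no implemented control currently evidences, and mappings that point at identifiers not in the catalogue (a common source of audit findings).

```python
"""Control-to-framework mapping: build a control once, map it everywhere.

Constructed example for this lesson, not tooling from the course. The
requirement identifiers come from the comparison tables above; the control
ids, names and implementation status are hypothetical sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    framework: str  # "SOC 2", "ISO 27001", "NIST CSF" or "CIS Controls"
    ref: str        # identifier as printed by the framework, e.g. "CC6.1"
    title: str


# Requirement catalogue: a subset of the access-control and encryption rows above.
CATALOG = [
    Requirement("SOC 2", "CC6.1", "Logical and physical access controls"),
    Requirement("SOC 2", "CC6.2", "Access credentials management"),
    Requirement("SOC 2", "CC6.3", "Access removal upon termination"),
    Requirement("ISO 27001", "A.8.2", "Privileged access rights"),
    Requirement("ISO 27001", "A.8.5", "Secure authentication (incl. MFA)"),
    Requirement("ISO 27001", "A.8.24", "Use of cryptography"),
    Requirement("NIST CSF", "PR.AA", "Identity Management, Authentication, and Access Control"),
    Requirement("NIST CSF", "PR.DS-1", "Data at rest is protected"),
    Requirement("NIST CSF", "PR.DS-2", "Data in transit is protected"),
    Requirement("CIS Controls", "6.5", "Require MFA for administrative access"),
    Requirement("CIS Controls", "3.10", "Encrypt sensitive data in transit"),
    Requirement("CIS Controls", "3.11", "Encrypt sensitive data at rest"),
]
KNOWN_REFS = {(r.framework, r.ref) for r in CATALOG}


@dataclass(frozen=True)
class Control:
    control_id: str     # hypothetical internal id
    name: str
    implemented: bool   # evidence exists that the control is operating
    mappings: tuple     # (framework, ref) pairs this one control satisfies


# Constructed control inventory: each technical control is defined once and
# mapped to every framework requirement it provides evidence for.
CONTROLS = [
    Control("AC-01", "MFA enforced on all administrative consoles", True,
            (("SOC 2", "CC6.1"), ("ISO 27001", "A.8.5"),
             ("NIST CSF", "PR.AA"), ("CIS Controls", "6.5"))),
    Control("AC-02", "Access revoked within 24 hours of termination", True,
            (("SOC 2", "CC6.3"), ("ISO 27001", "A.8.2"), ("NIST CSF", "PR.AA"))),
    Control("DP-01", "Production databases encrypted at rest", True,
            (("SOC 2", "CC6.1"), ("ISO 27001", "A.8.24"),
             ("NIST CSF", "PR.DS-1"), ("CIS Controls", "3.11"))),
    Control("DP-02", "TLS required on all external endpoints", False,
            (("SOC 2", "CC6.1"), ("ISO 27001", "A.8.24"),
             ("NIST CSF", "PR.DS-2"), ("CIS Controls", "3.10"))),
]


def unknown_mappings(controls, known=KNOWN_REFS):
    """(framework, ref) pairs a control claims that are not in the catalogue: typos or stale refs."""
    return sorted({m for c in controls for m in c.mappings if m not in known})


def coverage(controls, framework):
    """Requirement ref -> ids of implemented controls that satisfy it, for one framework."""
    covered = defaultdict(list)
    for c in controls:
        if not c.implemented:
            continue  # a planned control is not evidence
        for fw, ref in c.mappings:
            if fw == framework:
                covered[ref].append(c.control_id)
    return dict(covered)


def gaps(controls, framework, catalog=CATALOG):
    """Catalogued requirements of a framework with no implemented control behind them."""
    covered = coverage(controls, framework)
    return [r.ref for r in catalog if r.framework == framework and r.ref not in covered]


def frameworks_satisfied(control):
    """Every framework a single control contributes evidence to: the 'build once' payoff."""
    return sorted({fw for fw, _ in control.mappings})


if __name__ == "__main__":
    for fw in ("SOC 2", "ISO 27001", "NIST CSF", "CIS Controls"):
        print(f"{fw}: covered={coverage(CONTROLS, fw)} gaps={gaps(CONTROLS, fw)}")
    print("AC-01 satisfies:", frameworks_satisfied(CONTROLS[0]))
```

Note the asymmetry the example makes visible: one unimplemented control (DP-02) opens a gap in three frameworks at once, which is the same leverage as the mapping itself, just in the other direction. Keeping the catalogue as data rather than prose is also what lets the unknown-mapping check catch a control that cites an identifier the framework version no longer uses.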