Global Cybersecurity Frameworks Reference
Reference of 40 globally recognised cybersecurity frameworks — NIST CSF, ISO 27001, MITRE ATT&CK, PCI DSS, CMMC, CIS Controls, and more.
Comprehensive reference of 40 globally recognised cybersecurity frameworks — from foundational standards like NIST CSF and ISO 27001 to sector-specific requirements like CMMC (US Federal), NIS2 (EU), and APRA CPS 234 (Australia).
- NIST CSF 2.0 — Identify, Protect, Detect, Respond, Recover, and the new Govern function
- ISO 27001:2022 — international ISMS standard with 93 Annex A controls updated for cloud and privacy
- MITRE ATT&CK — adversary tactics, techniques, and procedures mapped to detection and response
- CIS Controls v8 — 18 prioritised safeguards organised into Implementation Groups IG1–IG3
- CMMC 2.0 — US Department of Defense cybersecurity maturity model for defense contractors
- NIS2 Directive — EU network and information systems security requirements for critical infrastructure
NIST CSF 2.0: The Universal Cybersecurity Risk Management Framework
The NIST Cybersecurity Framework version 2.0, published in February 2024, is the most widely adopted cybersecurity risk management framework globally — used by government agencies, enterprises, and SMBs across all sectors and geographies. Version 2.0 added a sixth function — Govern — to the original five (Identify, Protect, Detect, Respond, Recover), reflecting the elevated role of executive leadership and board oversight in cybersecurity risk management. The Govern function covers organisational context, risk management strategy, cybersecurity supply chain risk management, and roles, responsibilities, and authorities. NIST CSF 2.0 also introduced Community Profiles and Implementation Examples to make the framework more accessible to smaller organisations.
- Govern function — new in v2.0: cybersecurity risk governance, strategy, supply chain, and roles and responsibilities
- Identify function — asset management, risk assessment, improvement, and business environment understanding
- Protect function — identity management, awareness, data security, platform security, and technology infrastructure
- Detect function — continuous monitoring, adverse event analysis, and detection process improvement
- Respond and Recover — incident response management, communication, mitigation, and recovery planning
MITRE ATT&CK: The Adversary Behaviour Knowledge Base
MITRE ATT&CK (Adversary Tactics, Techniques, and Common Knowledge) is not a compliance framework — it is a curated knowledge base of real-world adversary behaviour that security teams use for threat modelling, detection engineering, and security assessment. ATT&CK organises observed attacker behaviours into a matrix of 14 tactical categories (the stages of an attack) and over 600 specific techniques and sub-techniques observed in real campaigns. Security teams use ATT&CK to evaluate detection rule coverage (which techniques have detection rules?), design tabletop exercises based on specific threat actor profiles, and communicate about threat scenarios in a standardised language across security functions.
- 14 tactic categories — Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, and nine more
- 600+ techniques — specific adversary behaviours observed in real campaigns with mitigation and detection guidance
- Threat actor profiles — documented TTPs for 130+ named threat groups mapped to ATT&CK techniques
- Detection coverage evaluation — ATT&CK matrix heatmap showing which techniques current rules cover vs blind spots
- ATT&CK Navigator — publicly available tool for visualising coverage and annotating the ATT&CK matrix
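The coverage evaluation described above, as an added example rather than code from this reference page: detection rules tagged with ATT&CK technique IDs are matched against a small constructed slice of the matrix, blind spots and per-tactic counts are computed (the numbers a heatmap is built from), and the result is emitted as an ATT&CK Navigator layer. The technique slice, the rule names and the layer schema version string are constructed assumptions, not data from the page.

```python
import json
from collections import defaultdict
# Constructed sample slice of the ATT&CK matrix: technique ID -> (tactic, name).
# A real run would load this from the ATT&CK STIX bundle instead.
TECHNIQUES = {
    "T1566": ("Initial Access", "Phishing"),
    "T1059": ("Execution", "Command and Scripting Interpreter"),
    "T1059.001": ("Execution", "PowerShell"),
    "T1053": ("Execution", "Scheduled Task/Job"),
    "T1547": ("Persistence", "Boot or Logon Autostart Execution"),
    "T1070": ("Defense Evasion", "Indicator Removal"),
}
# Constructed sample detection rules, each tagged with the technique IDs it detects.
RULES = [
    {"name": "Suspicious PowerShell encoded command", "techniques": ["T1059.001"]},
    {"name": "Office app spawning script interpreter", "techniques": ["T1566", "T1059"]},
    {"name": "Windows Security log cleared", "techniques": ["T1070"]},
]

def coverage(rules, techniques):
    """Technique ID -> rule names covering it; a sub-technique hit also counts for its parent."""
    covered = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            covered[tid].append(rule["name"])
            parent = tid.split(".")[0]
            if parent != tid:
                covered[parent].append(rule["name"])
    return {tid: covered.get(tid, []) for tid in techniques}

def blind_spots(cov):
    """Technique IDs with no detection rule at all."""
    return sorted(tid for tid, names in cov.items() if not names)

def tactic_summary(cov, techniques):
    """Covered/total technique counts per tactic, the numbers a heatmap is built from."""
    per_tactic = defaultdict(lambda: [0, 0])
    for tid, (tactic, _) in techniques.items():
        per_tactic[tactic][1] += 1
        per_tactic[tactic][0] += bool(cov[tid])
    return {tactic: f"{hit}/{total}" for tactic, (hit, total) in per_tactic.items()}

def navigator_layer(cov, name="Detection coverage"):
    """Navigator layer scoring each technique by rule count (layer schema version is an assumption)."""
    return {"name": name, "versions": {"layer": "4.5"}, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": tid, "score": len(names), "comment": "; ".join(names)}
                           for tid, names in cov.items() if names]}

if __name__ == "__main__":
    cov = coverage(RULES, TECHNIQUES)
    print(tactic_summary(cov, TECHNIQUES), "blind spots:", blind_spots(cov))
    print(json.dumps(navigator_layer(cov), indent=2))
```

Uncovered techniques are left unscored in the layer, so they render as gaps when the file is loaded into ATT&CK Navigator.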
CIS Controls v8 and Implementation Group Prioritisation
The CIS Critical Security Controls version 8 provides 18 prioritised security controls that are organised into three Implementation Groups based on the sophistication and resources of the implementing organisation. IG1 — the essential cyber hygiene controls — consists of 56 Safeguards that every organisation should implement regardless of size or maturity. IG2 adds 74 additional Safeguards for organisations with dedicated security staff and moderate risk profiles. IG3 adds the final 23 Safeguards for sophisticated organisations facing advanced persistent threats. The Implementation Group structure makes CIS Controls an accessible starting point for security programmes at any maturity level.
- CIS Control 1–2 — enterprise asset and software inventory as the foundation for all subsequent controls
- CIS Control 3–4 — data protection and secure configuration for enterprise assets and software
- CIS Control 5–6 — account management and access control management for enterprise accounts
- IG1 essentials — 56 Safeguards across 18 controls representing the minimum viable security programme
- IG2 additions — 74 additional Safeguards for organisations with dedicated IT/security staff
EU NIS2 and CMMC 2.0: Regional and Sector-Specific Requirements
Beyond universal frameworks like NIST CSF and ISO 27001, organisations in regulated sectors or geographies must comply with sector-specific requirements. NIS2 (EU Network and Information Systems Directive 2) entered into force in January 2023 and required member state transposition by October 2024 — expanding the scope of cybersecurity obligations to cover essential and important entities across 18 sectors including energy, transport, banking, healthcare, and digital infrastructure. CMMC 2.0 (Cybersecurity Maturity Model Certification) is the US Department of Defense's mandatory certification programme for defense contractors — requiring Level 1 self-assessment for all DoD prime and subcontractors handling Federal Contract Information.
- NIS2 scope — 18 sectors covered across essential and important entity categories with proportional obligations
- NIS2 incident reporting — significant incidents reported to the national CSIRT within 24 hours (early warning) and 72 hours (incident notification)
- CMMC 2.0 levels — Level 1 (17 practices, self-assessment), Level 2 (110 practices, third-party), Level 3 (advanced)
- CMMC certification timeline — phased implementation with certification requirements in DoD contracts from 2025
- Sector overlap — NIS2 and sector-specific regulation (DORA for finance, NIS2 plus the Cyber Resilience Act for digital products) create layered obligations