Contact Us

Assessing the right
cyber security
risk management
framework for
your organization

Author: Phil Muncaster

Managing risk is an essential part of any successful business. And given the critically important role IT plays in modern organizations, cyber security has become a top priority. This is where an established cyber security risk management framework can help. But with so many options out there, it can be difficult to know which is the right one for your organization.

Tackling cyber security risk

Cyber risk framework is everywhere today. While 70% of breaches last year were caused by malicious third parties, nearly a third (30%) came from inside the company, according to Verizon's 2020 Data Breach Investigations Report.

Fortunately, cyber risk frameworks are here to help. These proven programs provide a blueprint for enhancing your security strategy to minimize cyber risk and the financial and reputational damage that may result from a serious security breach.

Introducing four key cyber risk frameworks

Some of the most popular and best-established frameworks around today include the following four. 

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF)

One of the most mature frameworks around, NIST CSF has been evolving for the past two decades. It involves a wide range of cyber security best practices based on five key pillars: identify, protect, detect, respond and recover. There's plenty of granular detail for large organizations to dive into, but the simplified headline framework also makes it applicable for small and medium-sized businesses with fewer resources and know-how.

Department of Defense Risk Management Framework

Also developed by NIST, this cyber security risk management framework is particularly useful in helping organizations build cyber risk management early on into system design. It's mandated for Department of Defense (DoD) contractors but can also be useful for organizations operating outside of the public sector space.

ISO 27000

Developed by the International Standards Organization (ISO), this series of cyber risk frameworks provide a set of certifiable standards to help your organization systematically manage its cyber risk. Like NIST, it is well-established and well-regarded. Some argue it is best deployed if your organization needs to advertise its cyber security capabilities to the wider market. The certification process is a rigorous one, which may discourage smaller organizations.


Developed by the nonprofit FAIR Institute, this cyber security risk management framework is focused on understanding, managing and measuring cyber risk to improve decision-making. It can help to enhance existing risk frameworks, but its reliance on estimates has been known to discourage some and it is not appropriate for performing organization-wide risk assessments.

Choosing the right cyber security risk management framework

The above is just a small snapshot. There are countless frameworks on the market, including many specific to certain verticals. To better understand which is applicable to your organization, consider the following tips.

  • Understand your business objectives and compliance needs, including which regulatory bodies you are accountable to.
  • Identify any security frameworks already in use in your organization.
  • Determine whether existing frameworks are effective at meeting your objectives.
  • Bring in stakeholders from across the business to decide on the most appropriate frameworks going forward.
  • If using several security frameworks in tandem, ensure they will map to each other without leaving coverage gaps.
  • Continuously re-evaluate your security program's maturity and whether changes are needed.
  • Consider bringing in expert third-party help to manage the process of selecting a framework and assessing your program against it.

Find out how Verizon can help you evaluate your security program against industry frameworks.