Reference
Frameworks
Reference

Frameworks

Every major framework you'll encounter in an entry-level GRC role, taught in plain English first and then in professional terms.

NIST CSF 2.0
Voluntary framework

Think of CSF as the table of contents for a cybersecurity program. It does not tell you exactly how to do anything — it tells you the outcomes you should be able to demonstrate, grouped into six themes.

NIST RMF
Mandatory (federal)

RMF is the recipe a federal system follows to legally turn on. Each step produces a document. The whole package proves that someone with authority looked at the risk and accepted it.

ISO 27001
Certification standard

ISO 27001 cares as much about how you manage security as what controls you have. The ISMS is the engine; Annex A is the parts list you choose from.

SOC 2
Attestation report

SOC 2 is not certification — it is an opinion letter from an auditor. The audit is mostly about producing evidence that you actually do what your policies say.

PCI DSS
Industry mandate

PCI DSS is a long checklist that protects credit card numbers. The smartest thing you can do is keep card data out of your systems entirely — that shrinks your audit dramatically.

HIPAA
U.S. regulation

HIPAA Security Rule is about protecting health data in electronic form. It is principles-based — there is no checklist of 'these 50 controls' — so risk analysis is the centerpiece.

GDPR
EU regulation

GDPR is about respecting individuals' control over their own personal data. Every processing activity needs a documented reason, and individuals have rights you must honor.

CMMC
DoD requirement

CMMC is the DoD's way of making sure its suppliers actually do the security they claim to do. It rides on NIST SP 800-171.

COBIT
IT governance framework

COBIT zooms out further than CSF — it covers IT as a whole (cost, value, performance), not just cybersecurity. You will see it more in audit and board-level work.