Frameworks vs. Regulations — Know the Difference
This distinction trips up many Security+ candidates. A framework is a structured set of guidelines and best practices that organizations voluntarily adopt to improve their security posture. A regulation (or law) is a legal requirement that mandates specific controls, with penalties for non-compliance.
| Type | Example | Mandatory? | Who Enforces? |
|---|---|---|---|
| Framework | NIST CSF, ISO 27001, CIS Controls | No (unless a customer or contract requires it) | No government enforcer; industry, customer, or auditor pressure |
| Regulation / Law | HIPAA, GDPR, SOX, GLBA | Yes, legally required | Government agencies and regulators (e.g., HHS Office for Civil Rights for HIPAA, EU supervisory authorities for GDPR) |
| Contractual standard | PCI DSS | Yes, for anyone that handles payment card data, by contract with the card brands and acquiring banks (it is not a law) | Card brands and acquiring banks (fines, higher fees, loss of card-processing privileges) |
| Hybrid | CMMC, FedRAMP | Yes, for specific contracts | US DoD (CMMC); US federal agencies and the FedRAMP program office (FedRAMP) |
An organization can use NIST CSF to structure its security program without any legal obligation to do so. But HIPAA compliance is required by US law for covered healthcare entities — there's no opting out. CMMC sits in a middle category: it's not universal law, but it's a contractual requirement to work with the US Department of Defense.
NIST Cybersecurity Framework (CSF)
The NIST CSF was originally published in February 2014 in response to Executive Order 13636 (2013) and updated to version 2.0 in February 2024. It provides a common language for managing and communicating cybersecurity risk. While originally aimed at critical infrastructure, it's now used across all sectors and is one of the most frequently referenced frameworks in Security+ study material.
The CSF Core is organized around five functions (version 2.0 adds a sixth, covered below). Think of them as the lifecycle of how an organization manages a cyber risk:
| Function | What It Covers |
|---|---|
| Identify | Understand the organization's assets, business environment, risks, and supply chain so protection effort can be prioritized |
| Protect | Safeguards that limit or contain the impact of an event: access control, awareness training, data security, platform security, resilient infrastructure |
| Detect | Find cybersecurity events as they happen: continuous monitoring and analysis of anomalies and indicators |
| Respond | Act on a detected incident: analysis, containment, mitigation, and communication with stakeholders |
| Recover | Restore affected capabilities and services, communicate status, and fold lessons learned back into the program |
Remember the sequence: Identify → Protect → Detect → Respond → Recover. A common exam trap is to put "Detect" before "Protect" or to confuse "Respond" with "Recover." Respond = actions taken during/immediately after an incident. Recover = getting systems back to normal operation and learning from the event.
NIST CSF version 2.0 added a sixth function, Govern, which cuts across the other five and covers organizational context, risk management strategy, roles and responsibilities, policy, and oversight. CSF 2.0 also states explicitly that it applies to organizations of any size and sector, not just critical infrastructure, and added cybersecurity supply chain risk management as a category under Govern. The exam currently focuses on the five original functions, but be aware version 2.0 exists and that "Govern" may appear as an answer choice.
ISO 27001
ISO 27001 (formally ISO/IEC 27001) is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it's a certifiable standard: an organization can hire an accredited third-party auditor and receive official ISO 27001 certification, demonstrating to customers and partners that its ISMS meets the standard.
| Concept | What It Means |
|---|---|
| ISMS | Information Security Management System — the overall framework of policies, procedures, and controls for managing information security risk |
| Annex A | ISO 27001's reference set of controls. The 2022 edition has 93 controls organized into 4 themes: Organizational, People, Physical, and Technological (the 2013 edition had 114 controls in 14 domains) |
| Certification | Third-party audit confirms compliance — organizations can become officially "ISO 27001 certified" |
| ISO 27002 | Companion document that provides implementation guidance for the Annex A controls |
| Risk-based | Organizations define their own risk appetite and select controls appropriate to their specific context |
The key thing to know about ISO 27001 for the exam: it's a management system standard, not a technical checklist. It focuses on establishing the right processes, policies, and oversight — and then continuously improving them. This makes it different from NIST CSF, which provides a more tactical framework of functions and categories.
SOC 2
SOC 2 (System and Organization Controls 2) is a third-party audit standard developed by the American Institute of CPAs (AICPA). It's specifically designed for service organizations — companies that store, process, or transmit customer data on behalf of other businesses (think cloud providers, SaaS companies, managed service providers).
SOC 2 audits assess controls against five Trust Service Criteria (TSC): Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. The Security criterion is always included; organizations choose which additional criteria are relevant.
SOC 2 Type 1: Auditor assesses whether controls are designed appropriately at a specific point in time. Think: "do these controls look good on paper today?"
SOC 2 Type 2: Auditor assesses whether controls are operating effectively over a period of time (typically 6–12 months). Think: "did these controls actually work consistently?" Type 2 is more rigorous and more meaningful to customers.
SOC 2 reports are commonly requested by enterprise customers as part of vendor due diligence. When a company asks a SaaS vendor for their SOC 2 report, they want evidence of security controls — particularly a Type 2 report, which shows the controls actually worked over time rather than just being in place on audit day.
CMMC — Cybersecurity Maturity Model Certification
CMMC is a US Department of Defense program that sets cybersecurity requirements for the Defense Industrial Base (DIB): the contractors and subcontractors that handle DoD information. Unlike NIST CSF, which is voluntary, CMMC compliance is a contractual requirement for DoD contracts that involve FCI or CUI, with the required level written into the contract and flowed down to subcontractors.
| Level | Protects | Based On | Who Assesses |
|---|---|---|---|
| Level 1 (Foundational) | FCI | The basic safeguarding requirements of FAR 52.204-21 | Annual self-assessment |
| Level 2 (Advanced) | CUI | The 110 security requirements of NIST SP 800-171 | C3PAO assessment for most contracts; self-assessment permitted for a subset |
| Level 3 (Expert) | CUI on the most sensitive programs | Level 2 plus selected requirements from NIST SP 800-172 | Government-led assessment (DCMA DIBCAC) |
| Term | What It Means |
|---|---|
| FCI | Federal Contract Information: information provided by or generated for the government under contract that is not intended for public release |
| CUI | Controlled Unclassified Information: sensitive government information that isn't classified but still requires safeguarding. CMMC Level 2 is primarily about protecting CUI |
| C3PAO | CMMC Third Party Assessment Organization: an accredited organization that performs CMMC Level 2 assessments |
CIS Controls
The Center for Internet Security (CIS) publishes the CIS Controls, currently version 8 (revised as 8.1 in 2024): a prioritized set of 18 controls, each broken into specific safeguards, that represent the most effective defensive actions organizations can take. Unlike ISO 27001's risk-based selection approach, the CIS Controls are prioritized by impact and grouped into Implementation Groups (IGs) so an organization can start with the safeguards that stop the most common attacks.
| Implementation Group | Scope | Target Organization |
|---|---|---|
| IG1 | Essential Cyber Hygiene: a baseline subset of safeguards drawn from across the 18 controls | Small organizations with limited IT/security resources; the minimum every organization should implement |
| IG2 | IG1 plus additional safeguards | Medium organizations with some dedicated IT staff that handle sensitive data |
| IG3 | IG1 and IG2 plus the remaining safeguards | Large or mature organizations with dedicated security teams facing sophisticated threats |
The first six controls in version 8 are: inventory and control of enterprise assets, inventory and control of software assets, data protection, secure configuration of enterprise assets and software, account management, and access control management. Don't confuse them with IG1. In version 8, "essential cyber hygiene" means IG1, a set of safeguards that spans all 18 controls, not controls 1 through 6; the "top six controls are the basics" grouping belonged to version 7. CIS's Community Defense Model analysis found that the IG1 safeguards alone defend against the large majority of the attack techniques used in the most common attack types.
Key Regulations to Know
These aren't frameworks: they're laws and regulatory requirements, plus PCI DSS, a contractual industry standard that is enforced like one. The Security+ exam expects you to recognize each one and understand what it protects.
| Regulation | Full Name | What It Protects | Who It Applies To |
|---|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act | Protected Health Information (PHI) | US covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates |
| GDPR | General Data Protection Regulation | Personal data of individuals in the EU/EEA | Any organization that offers goods or services to, or monitors the behavior of, people in the EU, regardless of where the organization is based |
| PCI DSS | Payment Card Industry Data Security Standard | Cardholder data and sensitive authentication data | Any entity that stores, processes, or transmits payment card data. Not a law: a contractual standard maintained by the PCI Security Standards Council and enforced by the card brands and acquiring banks |
| SOX | Sarbanes-Oxley Act | Integrity of financial reporting (including the IT controls over the systems that produce it) | US publicly traded companies and their auditors |
| GLBA | Gramm-Leach-Bliley Act | Consumers' nonpublic personal financial information | US financial institutions (banks, securities firms, insurance companies, and other businesses significantly engaged in financial activities) |
| FERPA | Family Educational Rights and Privacy Act | Student education records | US schools and educational institutions that receive funding from the US Department of Education |
Key GDPR concepts that show up on the exam:
| Concept | What It Means |
|---|---|
| Breach notification | A controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), and affected individuals without undue delay when the breach is likely to result in a high risk to them |
| Right to be forgotten | Also called the right to erasure (Article 17): individuals can request deletion of their personal data when there is no longer a lawful basis to keep it |
| Data Protection Officer (DPO) | Mandatory for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data |
| Data Processing Agreement (DPA) | The contract required by Article 28 whenever a controller hands personal data to a third-party processor; it fixes the processor's obligations and permitted sub-processors |
| Extraterritorial reach | GDPR applies to the data of people in the EU even when the processing company is in the US or elsewhere outside the EU |