Context

For the technical specialist transitioning into management, the governance landscape can appear broad and fragmented. However, distinguishing between mere security controls and broader resilience is a fundamental competency for the modern leader. This article outlines the primary frameworks available to the Cyber practitioner, helping you select the appropriate structure to support both operational stability and regulatory compliance.

It is no longer sufficient to focus solely on securing the organisation. The current operating environment requires a shift towards Cyber Resilience.

Traditional security focuses on prevention. Resilience, by contrast, acknowledges that prevention may fail. It concerns the organisation’s capacity to withstand, adapt to, respond, and recover from adverse conditions to ensure business operations continue.

Communicating this distinction to a board or an audit committee using purely technical language is rarely effective. Resilience frameworks provide the structure necessary to balance protection with continuity. They allow the manager to move from ad-hoc responses to a measurable, defensible position.

Security vs. Resilience: The Distinction

To select the right framework, you must distinguish between the objective of defending the system and the objective of sustaining the business.

  • Cyber Security (The Shield): Focuses on prevention and protection. It aims to harden systems to stop attacks from happening in the first place.

    • Key Question: “How do we prevent unauthorized access or damage?”
    • Focus: Identity management, patching, encryption, and firewalls.
  • Cyber Resilience (The Immune System): Focuses on response and recovery. It operates on the assumption that a breach will eventually occur and prioritizes maintaining operations during the crisis.

    • Key Question: “How quickly can we bounce back when prevention fails?”
    • Focus: Redundancy, disaster recovery, backups, and adaptability.

The Core Difference: Security tries to ensure you don’t get hit. Resilience ensures that if you do get hit, you don’t stay down.

Why Adopt a Framework?

Resilience frameworks provide a systematic method for managing risk. Rather than relying on intuition or fragmented controls, these structures offer a baseline against which an organisation’s maturity can be measured.

  1. Completeness: It acts as a check to ensure no aspect of the defensive estate — from identification to recovery — is overlooked.
  2. Standard of Care: In the event of an incident, the ability to demonstrate that controls were aligned with a recognised standard is a critical component of legal defensibility and regulatory compliance.

Key Frameworks

There is no single correct framework; the appropriate choice depends on industry, geography, and the specific regulatory pressures the organisation faces.

1. NIST Cybersecurity Framework (CSF) 2.0

This is widely regarded as the global standard. In 2024, NIST updated the framework to version 2.0. The significant development was the introduction of a sixth function: GOVERN. This places organisational context and strategy at the centre of the model, informing the original five functions: Identify, Protect, Detect, Respond, and Recover. It is excellent for building a programme from the ground up.

2. NCSC Cyber Assessment Framework (CAF)

Developed by the UK National Cyber Security Centre, this is distinct from NIST in its use of “Objective” based assessments rather than specific controls. It is the required standard for organisations managing Critical National Infrastructure (CNI) in the UK, and is increasingly relevant for those falling under NIS regulations.

3. ISO 27001

The international standard for Information Security Management Systems (ISMS). While broader than just resilience, it remains the primary benchmark for formal certification. If an organisation must prove its security posture to clients via an independent certificate, this is the standard typically used.

4. CIS Critical Security Controls

Previously known as the SANS Top 20, this is a prioritised set of actions designed to mitigate the most pervasive attacks. It is technical and operational, making it suitable for engineering teams determining “what to fix first,” though it is less effective for management conversations.

5. ISF Standards of Good Practice (SoGP)

A comprehensive, business-focused standard often utilised by larger enterprises. It is less common in the SME market but provides significant depth for complex governance structures.

Comparison: Which one should you choose?

For a new manager, selecting the framework is often a matter of aligning with business goals rather than technical preference.

Framework      Primary Use Case                                 Certifiable?   Focus
NIST CSF 2.0   General global adoption; Programme building.     No             Risk Management & Governance
ISO 27001      B2B trust; Supply chain requirements.            Yes            Management Systems (ISMS)
NCSC CAF       UK Critical Infrastructure; Regulated sectors.   No             Outcomes & Indicators
CIS Controls   Technical defence; Prioritisation.               No             Operational Actions

Further Reading