Introduction
There’s a common misconception in cybersecurity discussions: that ISO 27001, NIST CSF, and CIS Controls are competing standards, and organizations must “choose” one to adopt. This framing misses the point entirely.
These frameworks are not products to purchase or methodologies to implement wholesale. They represent accumulated knowledge—decades of collective thinking about what works in cybersecurity practice. A mature organization already has processes for managing risk, handling incidents, and controlling access. The question isn’t “which framework should we adopt?” but rather “what can we learn from each to refine what we already do?”
This perspective becomes particularly relevant with NIS2 (Directive (EU) 2022/2555) now in effect. The directive sets requirements that covered entities must satisfy, but it doesn't prescribe how. Organizations need processes that meet these requirements, and the frameworks offer different angles on how to build them well.
What Each Framework Brings to the Table
Rather than comparing features to pick a winner, consider what distinct knowledge each framework offers.
ISO 27001/27002: The Management System Perspective
ISO 27001 emerged from the quality management tradition. Its core contribution isn’t a list of security controls—it’s a model for how to structure security work within an organization. The Plan-Do-Check-Act cycle, the emphasis on documented procedures, the concept of a Statement of Applicability, the formal management review—these represent refined thinking on how to make security systematic rather than ad hoc.
ISO 27002 complements this with implementation guidance for 93 controls across organizational, people, physical, and technological domains. The value isn’t in the controls themselves (most are common sense) but in the structured way they’re presented and the relationships between them.
What ISO brings: rigorous thinking about documentation, audit trails, and how security integrates with broader organizational management.
NIST CSF 2.0: The Communication Model
The NIST Cybersecurity Framework was designed to solve a different problem: how do you talk about cybersecurity across organizational levels? How does a CISO communicate risk to a board? How do different departments align their security efforts?
The six functions (Govern, Identify, Protect, Detect, Respond, Recover) provide a vocabulary that works from the boardroom to the SOC. The framework is deliberately outcomes-based—it describes what to achieve, not how to achieve it. This makes it flexible but also means it requires interpretation.
NIST CSF 2.0’s addition of the GOVERN function reflects modern thinking about cybersecurity governance. It explicitly addresses organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk management as governance concerns—not just technical ones.
What NIST brings: a communication framework for aligning security efforts across an organization and engaging leadership in cybersecurity decisions.
CIS Controls v8.1: The Threat-Informed Playbook
The CIS Controls take a fundamentally different approach. Rather than starting from management theory or communication needs, they start from attack data. What do adversaries actually exploit? What defenses actually work? The controls are prioritized based on effectiveness against real-world threats, mapped to the MITRE ATT&CK framework.
The Implementation Groups (IG1, IG2, IG3) provide a maturity model that helps organizations focus their efforts. IG1 represents essential cyber hygiene—the baseline every organization should achieve. IG2 and IG3 add sophistication appropriate for organizations with greater risk exposure or capability.
What CIS brings: practical, prioritized guidance on what to implement first, grounded in threat intelligence rather than theory.
Building Processes That Satisfy NIS2
NIS2 Article 21(2) lists ten categories of cybersecurity risk-management measures, points (a) to (j), that essential and important entities must implement. Rather than asking "which framework covers this?", let's examine what each framework contributes to building effective processes in each area.
Risk Analysis and Information System Security (Article 21(2)(a))
NIS2 requires policies on risk analysis and information system security. This is foundational—you can’t manage what you haven’t assessed.
From ISO: A documented risk assessment methodology is central to ISO 27001. Clause 6.1.2 requires organizations to define a risk assessment process, identify risks, analyze likelihood and consequences, and evaluate against risk criteria. The Statement of Applicability documents which controls apply based on this assessment.
From NIST: The IDENTIFY function places risk assessment (ID.RA) within organizational context. Risk isn’t abstract—it relates to business objectives, critical assets, and stakeholder expectations. The GOVERN function adds risk management strategy (GV.RM) at the leadership level.
From CIS: Controls 1 and 2 (Enterprise and Software Asset Inventory) provide the foundation—you can’t assess risk to assets you don’t know exist. The threat-informed approach ensures risk analysis considers actual attack patterns, not theoretical vulnerabilities.
Incident Handling (Article 21(2)(b))
NIS2 requires incident handling capability, complemented by Article 23’s reporting obligations (24-hour early warning, 72-hour notification, one-month final report).
From ISO: ISO 27001 Annex A controls 5.24-5.28 address incident management planning, assessment, response, learning from incidents, and evidence collection. The emphasis on documented procedures and post-incident review supports continuous improvement.
From NIST: The RESPOND and RECOVER functions provide a lifecycle model: incident management, analysis, reporting, mitigation, followed by recovery planning and communication. This structures incident handling as a connected process, not isolated activities.
From CIS: Control 17 (Incident Response Management) provides specific capabilities: designated personnel, incident response plans, defined communication procedures, and regular exercises. The specificity helps translate policy into practice.
Business Continuity and Crisis Management (Article 21(2)(c))
NIS2 requires business continuity measures including backup management, disaster recovery, and crisis management.
From ISO: Controls 5.29 (Information security during disruption) and 5.30 (ICT readiness for business continuity) connect cybersecurity to broader organizational resilience. The requirement for testing and review ensures plans don't become shelfware.
From NIST: The PROTECT function includes technology infrastructure resilience (PR.IR), while RECOVER addresses recovery plan execution (RC.RP) and communication (RC.CO). Resilience is positioned as a design principle, not just a recovery afterthought.
From CIS: Control 11 (Data Recovery) specifies backup scope, frequency, protection, and testing. The concrete requirements (automated backups, offline copies, regular restoration testing) turn policy into measurable implementation.
Supply Chain Security (Article 21(2)(d))
NIS2 explicitly requires security measures covering relationships with direct suppliers and service providers. Article 21(3) adds that organizations must consider supplier vulnerabilities and the quality of suppliers’ cybersecurity practices.
From ISO: Controls 5.19-5.23 address supplier relationships comprehensively: information security in supplier relationships (5.19), addressing security within supplier agreements (5.20), managing security in the ICT supply chain (5.21), monitoring, review and change management of supplier services (5.22), and information security for use of cloud services (5.23).
From NIST: The GOVERN function includes Cybersecurity Supply Chain Risk Management (GV.SC) as a first-class governance concern. This elevates supply chain security from a procurement checklist to strategic risk management.
From CIS: Control 15 (Service Provider Management) addresses inventory of service providers, classification by data sensitivity, security assessments, and contractual requirements. The focus on third-party risk reflects modern attack patterns.
Vulnerability Management (Article 21(2)(e))
NIS2 requires security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.
From ISO: Control 8.8 (Management of technical vulnerabilities) requires timely identification of vulnerabilities, risk assessment, and appropriate remediation. Control 8.28 addresses secure coding practices for development.
From NIST: Vulnerability management integrates with asset management (ID.AM) and risk assessment (ID.RA). Platform security (PR.PS) addresses secure configuration and patch management as protective measures.
From CIS: Control 7 (Continuous Vulnerability Management) provides specific guidance: automated scanning, risk-based remediation prioritization, and timelines for addressing vulnerabilities. Control 16 (Application Software Security) addresses secure development practices.
Effectiveness Assessment (Article 21(2)(f))
NIS2 requires policies and procedures to assess the effectiveness of cybersecurity risk-management measures. This closes the loop—security isn’t just implemented but verified.
From ISO: Clause 9 (Performance evaluation) requires monitoring, measurement, analysis, evaluation, internal audit, and management review. The PDCA cycle ensures assessment drives improvement.
From NIST: The GOVERN function includes oversight (GV.OV), while IDENTIFY includes improvement (ID.IM). Organizational profiles enable measuring current state against target state over time.
From CIS: Implementation Groups provide maturity benchmarks. Progress from IG1 to IG2 to IG3 represents measurable security improvement, and CIS publishes companion measures and metrics for the individual safeguards so that implementation can be assessed rather than merely asserted.
Cyber Hygiene and Training (Article 21(2)(g))
NIS2 requires basic cyber hygiene practices and cybersecurity training. Article 20(2) adds that management body members must follow training, and organizations should offer training to employees regularly.
From ISO: Control 6.3 (Information security awareness, education and training) requires appropriate awareness and training programs. Clause 7.2 addresses competence requirements for personnel affecting security.
From NIST: The PROTECT function includes awareness and training (PR.AT) tied to roles and responsibilities. Training connects to organizational context—people understand not just what to do but why it matters.
From CIS: Control 14 (Security Awareness and Skills Training) provides curriculum specifics: recognizing social engineering, authentication best practices, data handling, reporting incidents. Phishing simulation exercises add practical validation.
Cryptography and Encryption (Article 21(2)(h))
NIS2 requires policies and procedures regarding the use of cryptography and, where appropriate, encryption.
From ISO: Control 8.24 (Use of cryptography) addresses cryptographic policy and key management. The lifecycle approach covers generation, storage, distribution, and destruction of keys.
From NIST: Data security (PR.DS) addresses protection of data at rest and in transit. Cryptography serves data protection outcomes rather than being an end in itself.
From CIS: Control 3 (Data Protection) includes specific encryption requirements for sensitive data in transit (3.10) and at rest (3.11), plus asset-based requirements to encrypt data on end-user devices (3.6) and on removable media (3.9).
Access Control and Asset Management (Article 21(2)(i))
NIS2 requires human resources security, access control policies, and asset management.
From ISO: Controls span identity management (5.16), authentication (5.17), access rights (5.18), and the broader people controls in Section 6. Asset management (5.9-5.13) ensures access control applies to known, classified assets.
From NIST: Identity management, authentication, and access control (PR.AA) form a core protective capability. Asset management (ID.AM) provides the foundation—you control access to identified, prioritized assets.
From CIS: Controls 1 and 2 establish asset inventory as the foundation. Controls 5 (Account Management) and 6 (Access Control Management) provide detailed requirements: centralized authentication, privileged access management, role-based access.
Multi-Factor Authentication and Secure Communications (Article 21(2)(j))
NIS2 requires the use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
From ISO: Control 8.5 (Secure authentication) addresses authentication strength based on risk. The flexibility allows appropriate authentication for different contexts.
From NIST: Authentication appears within identity management (PR.AA). The outcomes-based approach considers authentication as part of broader identity architecture.
From CIS: Control 6 includes specific MFA requirements: for externally-exposed applications (6.3), for remote network access (6.4), and for administrative access (6.5). The specificity removes ambiguity about where MFA applies.
Governance: The NIS2 Accountability Requirement
Article 20 introduces governance requirements that may be new for many organizations:
- Management bodies must approve cybersecurity risk-management measures
- Management bodies must oversee implementation
- Management bodies can be held liable for infringements
- Management body members must follow training
This isn’t about technical controls—it’s about board-level engagement and accountability.
NIST CSF 2.0’s GOVERN function directly addresses this. Organizational context (GV.OC), risk management strategy (GV.RM), roles and responsibilities (GV.RR), policy (GV.PO), and oversight (GV.OV) provide a framework for governance that satisfies Article 20’s intent.
ISO 27001’s Clause 5 (Leadership) requires top management commitment, security policy establishment, and assignment of responsibilities. The management review process (Clause 9.3) ensures ongoing oversight.
CIS Controls are weaker here. Version 8.1 aligned the safeguards with the CSF 2.0 functions, including GOVERN, but the safeguards themselves remain focused on technical implementation rather than on board-level oversight and accountability. Organizations relying primarily on CIS guidance will need to supplement it for Article 20 compliance.
The Continuous Improvement Mindset
All three frameworks assume security isn’t a destination but a continuous process:
- ISO’s PDCA cycle builds improvement into the management system structure
- NIST’s organizational profiles enable measuring progress from current state to target state
- CIS’s Implementation Groups provide a maturity progression from essential hygiene to advanced capabilities
NIS2 Article 21(2)(f) explicitly requires assessing the effectiveness of measures, closing the feedback loop. This isn't bureaucratic box-checking; it's recognition that threats evolve, organizations change, and yesterday's adequate security may be tomorrow's vulnerability.
The frameworks offer different lenses on improvement: ISO emphasizes systematic review and audit, NIST emphasizes alignment with organizational objectives, CIS emphasizes threat-informed prioritization. Drawing from all three creates a richer improvement practice.
Practical Takeaways
Read the frameworks as literature, not as checklists. The value isn’t in ticking off requirements but in understanding the thinking behind them. Why does ISO emphasize documentation? Why does NIST separate governance from operations? Why does CIS prioritize certain controls? The reasoning transfers even when the specific guidance doesn’t apply.
Borrow terminology that works for your organization. NIST’s six functions might resonate with your leadership team. ISO’s control structure might fit your audit culture. CIS’s Implementation Groups might align with your maturity journey. Use language that enables communication rather than creating translation overhead.
Use mappings to find gaps. The frameworks overlap substantially but not completely. Cross-referencing your processes against multiple frameworks reveals blind spots. NIST’s governance emphasis might highlight a gap in board engagement. CIS’s specificity might reveal that your “access control policy” lacks implementation detail.
Certification is a business decision, not a security one. ISO 27001 certification demonstrates to external parties that an independent auditor verified your management system. That may matter for customer requirements, regulatory expectations, or competitive positioning. It doesn’t make you more secure than an organization with equivalent practices that chose not to certify. Make the certification decision based on business value, not security value.
Conclusion
NIS2 establishes what organizations must achieve. ISO 27001, NIST CSF, and CIS Controls offer accumulated wisdom on how to achieve it. None is complete alone; each brings a distinct perspective that enriches security practice.
The mature approach isn’t choosing a framework—it’s treating these bodies of knowledge as resources that inform your organization’s continuously improving processes. Draw from ISO when you need management system rigor. Draw from NIST when you need to communicate with leadership. Draw from CIS when you need threat-informed implementation guidance.
Your processes should satisfy NIS2 requirements not because a framework told you to implement specific controls, but because you’ve built security practices appropriate to your organization’s risks—informed by the collective knowledge these frameworks represent.