Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)?
Explanation
Reviewers want to know whether your security practices are anchored to a recognized industry framework such as the NIST Cybersecurity Framework, CIS Controls, or ISO 27001. Security frameworks are standardized sets of guidelines, best practices, and recommendations that help organizations establish and maintain effective security controls.
Why it's being asked:
- Frameworks provide a common language for discussing security practices
- They demonstrate a structured approach to security rather than ad-hoc measures
- They help assessors understand the breadth and maturity of your security program
- Compliance with recognized frameworks suggests your organization is following industry best practices
- It helps the assessor understand what security standards you're measuring yourself against
The question specifically mentions examples like NIST Cybersecurity Framework (focused on identifying, protecting, detecting, responding to, and recovering from cyber threats), CIS Controls (a prioritized set of actions to protect against common attacks), and ISO 27001 (an international standard for information security management).
To best answer this question:
- Be specific about which framework(s) you follow
- Mention if you're formally certified (e.g., ISO 27001 certification) or if you use the framework as guidance
- If you follow multiple frameworks, explain how they complement each other
- If you've customized a framework, briefly explain your approach
- If you don't follow any standard framework, explain your alternative approach to security
Example Responses
Example Response 1
Yes, our organization is ISO 27001:2013 certified as of January 2023, with annual surveillance audits and recertification every three years We also align our security practices with the NIST Cybersecurity Framework (CSF) to ensure comprehensive coverage across the five core functions: Identify, Protect, Detect, Respond, and Recover Our most recent ISO 27001 audit was completed in February 2024 with zero non-conformities identified.
Example Response 2
We follow the CIS Controls v8 framework as our primary security standard While we are not formally certified, we conduct annual self-assessments against all 18 control categories, with quarterly reviews of our Implementation Group 1 controls We also incorporate elements of the NIST 800-53 controls for areas specific to our cloud infrastructure Our security team maps all our controls to these frameworks and tracks implementation progress through our GRC platform, with current implementation at approximately 92% of applicable controls.
Example Response 3
We do not currently conform to a specific industry standard security framework in a formal capacity Our security program has evolved organically based on our specific business needs and risk profile We have implemented various security controls based on industry best practices and requirements from our clients, but we haven't mapped these to a specific framework like NIST CSF, CIS Controls, or ISO 27001 We recognize this as a gap in our security program and have initiated a project to adopt the NIST Cybersecurity Framework over the next 12 months, with completion targeted for Q2 of next year.
Context
- Tab
- Organization
- Category
- Documentation
Related questions
- Do you have a well-documented business continuity plan (BCP), with a clear owner, that is tested annually?
- Do you have a well-documented disaster recovery plan (DRP), with a clear owner, that is tested annually?
- Have you undergone a SSAE 18/SOC 2 audit?
- Can you provide overall system and/or application architecture diagrams, including a full description of the data flow for all components of the system?
- Does your organization have a data privacy policy?
- Do you have a documented, and currently implemented, employee onboarding and offboarding policy?

