security-frameworks

verified

Security framework alignment including ISO 27001, SOC 2, NIST CSF 2.0, and CIS Controls mapping

Marketplace: melodic-software (melodic-software/claude-code-plugins)
Plugin: compliance-planning
Repository: melodic-software/claude-code-plugins (Verified Org, 13 stars)
plugins/compliance-planning/skills/security-frameworks/SKILL.md
Last Verified: January 21, 2026

Install Skill

npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/compliance-planning/skills/security-frameworks/SKILL.md -a claude-code --skill security-frameworks

Installation paths:

Claude
.claude/skills/security-frameworks/

Instructions

# Security Frameworks Planning

Comprehensive guidance for security framework alignment and control mapping before development begins.

## When to Use This Skill

- Preparing for ISO 27001 certification
- Planning SOC 2 Type I or Type II audits
- Implementing NIST Cybersecurity Framework 2.0
- Mapping CIS Controls to your environment
- Creating cross-framework control mappings

## Framework Comparison

### When to Use Which Framework

| Framework | Best For | Certification? | Geography |
|-----------|----------|---------------|-----------|
| **ISO 27001** | Enterprise ISMS, international recognition | Yes (3rd party) | Global |
| **SOC 2** | SaaS/Cloud providers, customer trust | Yes (CPA firm) | Primarily US |
| **NIST CSF** | Risk management, federal requirements | No | US-focused |
| **CIS Controls** | Tactical implementation, prioritization | No | Global |

### Framework Relationships

```text
                    ┌─────────────────┐
                    │   Regulations   │
                    │ (GDPR, HIPAA)   │
                    └────────┬────────┘
                             │ drives
                    ┌────────▼────────┐
                    │   Frameworks    │
                    │(ISO, NIST, CIS) │
                    └────────┬────────┘
                             │ implements
                    ┌────────▼────────┐
                    │    Controls     │
                    │ (specific tech) │
                    └────────┬────────┘
                             │ evidenced by
                    ┌────────▼────────┐
                    │    Audits       │
                    │ (SOC 2, ISO)    │
                    └─────────────────┘
```

## ISO 27001:2022

### Structure Overview

```text
Clauses 4-10: Management System Requirements
├── 4. Context of the organization
├── 5. Leadership
├── 6. Planning
├── 7. Support
├── 8. Operation
├── 9. Performance evaluation
└── 10. Improvement

Annex A: 93 Controls in 4 Themes
├── A.5 Organizational controls (37)
├─
```
