NIST CSF vs CIS Controls vs ISO 27001: How to Choose
A side-by-side comparison of the three dominant frameworks. Covers structure, cost, certification, regulatory alignment, and which fits your org's size and maturity.
Pillar · Governance, Risk & Compliance
Governance, Risk & Compliance
Without the consultant markup. Framework-aligned, practitioner-written resources for building and maintaining a GRC program that actually works.
5
Frameworks Covered
8
Templates
3
Interactive Tools
The Foundation
What Is GRC?
Governance, Risk, and Compliance is where security programs begin. Governance sets direction and accountability. Risk management identifies what matters and prioritizes action. Compliance proves you did what you said you would. Together, they form the structural backbone that everything else in security attaches to.
Without GRC, security becomes a collection of disconnected tools and reactive firefighting. With it, every policy, control, and investment traces back to a business objective and a documented risk decision.
Why governance is now top-tier
NIST CSF 2.0, released in February 2024, added Govern as a sixth core function, placing it at the center of the framework rather than treating it as an afterthought. This elevated governance from an implicit expectation to an explicit requirement: organizations must establish and monitor cybersecurity risk management strategy, expectations, and policy. The security industry's most influential framework now says governance comes first.
Who needs this
Governance answers "who decides, and how?" It establishes the organizational structure, roles, policies, and oversight mechanisms that ensure security isn't ad hoc. In practice, governance means a charter, a steering committee, defined risk appetite, and clear escalation paths.
Risk management answers "what should we worry about, and how much?" It's the process of identifying threats and vulnerabilities, calculating their potential impact, and deciding whether to mitigate, accept, transfer, or avoid each risk. Without risk management, every vulnerability looks equally urgent, and nothing gets prioritized.
The third pillar, compliance, closes the loop by proving the work was done. Auditors, regulators, customers, and leadership all need evidence that controls are actually implemented, monitored, and effective. Compliance without governance is paperwork. Governance without compliance is promises without proof.
Framework Navigator
Compare the Major Frameworks
Four frameworks dominate the GRC landscape. Each serves a different purpose, audience, and regulatory context. Click a framework to explore its structure.
Released February 2024
NIST Cybersecurity Framework 2.0
The most widely adopted voluntary cybersecurity framework in the United States. CSF 2.0 expanded its scope from critical infrastructure to all organizations and added Govern as a central function. It provides a common language for understanding, managing, and communicating cybersecurity risk.
Purpose
Risk-based cybersecurity outcomes framework
Best For
Any organization building or maturing a security program, especially U.S.-based
Structure
6 Functions (Govern, Identify, Protect, Detect, Respond, Recover), 22 Categories, 106 Subcategories
Cost to Implement
Free to access. Implementation costs vary by maturity level and scope.
Audit Required?
No formal certification. Self-assessment or third-party assessment optional.
Key Advantage
Outcome-based and framework-agnostic. Maps to ISO 27001, CIS, CMMC, and NIST 800-53.
Released September 2023
CIS Controls v8.1
A prioritized, prescriptive set of cybersecurity best practices maintained by the Center for Internet Security. Unlike outcome-based frameworks, CIS tells you exactly what to do and in what order. Its Implementation Groups (IGs) let organizations scale adoption based on size and risk profile.
Purpose
Prescriptive, prioritized defensive actions
Best For
Organizations wanting a clear, step-by-step security implementation plan
Structure
18 Controls, 153 Safeguards, 3 Implementation Groups (IG1: Essential, IG2: Expanded, IG3: Comprehensive)
Cost to Implement
Free to access. IG1 (56 safeguards) is designed for resource-limited organizations.
Audit Required?
No formal certification. CIS offers self-assessment tools (CIS CSAT).
Key Advantage
Actionable from day one. "Do this first" prioritization based on real-world attack data.
Published October 2022
ISO/IEC 27001:2022
The international standard for information security management systems (ISMS). ISO 27001 is the most widely recognized international standard with formal third-party certification. (SOC 2 Type II reports are issued by licensed CPA firms; FedRAMP assessments are conducted by authorized third parties.) It is the standard of choice for organizations that need to demonstrate security maturity to customers, partners, or regulators internationally.
Purpose
Certifiable information security management system
Best For
Organizations needing formal certification, international operations, or enterprise sales
Structure
ISMS management clauses (4-10) + Annex A: 93 controls across 4 themes (Organizational, People, Physical, Technological)
Cost to Implement
Standard purchase required (~$200). Certification audits: $15K-$50K+ depending on scope.
Audit Required?
Yes, for certification. Stage 1 (documentation review) + Stage 2 (implementation audit) by accredited CB.
Key Advantage
Internationally recognized certification. Trusted by enterprise buyers and regulators worldwide.
Final Rule December 2024
CMMC 2.0 (Cybersecurity Maturity Model Certification)
A mandatory framework for organizations in the U.S. defense industrial base (DIB). CMMC 2.0 simplified the original 5-level model to 3 levels and aligned directly with NIST SP 800-171. If you want to do business with the Department of Defense, CMMC compliance is not optional.
Purpose
Protect Controlled Unclassified Information (CUI) in the defense supply chain
Best For
Defense contractors, subcontractors, and any organization handling CUI for DoD
Structure
3 Levels: L1 (17 basic practices, self-assess), L2 (110 practices aligned to NIST 800-171's 14 security families, third-party assessed by C3PAO), L3 (same 110 practices, government-led assessment with additional NIST 800-172 requirements)
Cost to Implement
L1: minimal. L2: $50K-$500K+ for implementation and assessment. L3: significant investment.
Audit Required?
L1: annual self-assessment. L2: triennial third-party assessment (C3PAO). L3: government-led assessment.
Key Advantage
Required for DoD contracts. Directly aligns with NIST 800-171, reducing dual-compliance overhead.
Not sure which framework fits your organization? Our framework selection quiz (coming soon) will ask about your industry, size, regulatory environment, and maturity level to recommend a starting point.
Implementation Path
GRC Roadmap: 5 Steps to a Functioning Program
Every successful GRC program follows this sequence. The specifics vary by framework and org size, but the order is consistent across NIST, ISO, and CIS guidance.
1
Stakeholder Alignment
Get executive buy-in, define scope, and establish governance structure. Without this, every subsequent step lacks authority and funding.
+ Expand
2
Framework Selection
Choose your framework based on regulatory requirements, organizational maturity, and business objectives. Don't pick the biggest. Pick the one that fits.
+ Expand
3
Risk Assessment
Identify threats and vulnerabilities, calculate risk using likelihood and impact, and prioritize what to address first.
+ Expand
4
Policy Build
Write policies, standards, and procedures that translate framework controls into operational requirements your organization can follow.
+ Expand
5
Continuous Monitoring
Measure, audit, report, and improve. GRC is not a project. It's an operating model that must evolve with the threat landscape and business changes.
+ Expand
Right-Sized GRC
GRC by Organization Size
A 50-person startup and a 10,000-person enterprise don't need the same GRC program. Here's what matters at each stage.
Small Business GRC
< 100 employees
At this size, you probably don't have a dedicated security team, and that's fine. The goal isn't to build a GRC department. It's to establish security hygiene that scales. Start with CIS Controls Implementation Group 1 (IG1), which includes 56 safeguards designed specifically for organizations with limited IT resources. IG1 covers the essentials: asset inventory, access management, data protection, malware defense, secure configuration, and incident response basics.
Framework
CIS Controls v8.1: IG1 (56 safeguards)
Focus
Security hygiene: patching, MFA, backups, endpoint protection
Governance
Assign one person as security lead. Document 3-4 core policies.
Risk Management
Simple risk register (spreadsheet). Annual review cycle.
Mid-Market GRC
100 - 1,000 employees
This is where GRC formalizes. You likely have regulatory obligations (SOC 2, HIPAA, PCI DSS), customer security questionnaires to answer, and enough complexity that ad-hoc security creates gaps. NIST CSF 2.0 or ISO 27001:2022 provides the structure to scale. Choose NIST CSF if you want flexibility, ISO 27001 if customers or contracts require certification.
Framework
NIST CSF 2.0 (flexible) or ISO 27001 (certifiable)
Focus
Formalized risk management, policy framework, vendor assessments
Governance
Dedicated security manager or team. Steering committee. Board reporting.
Risk Management
Structured methodology (NIST SP 800-30 or ISO 27005). Quarterly risk reviews.
Enterprise GRC
1,000+ employees
Enterprise GRC means integrated risk management across business units, multi-framework compliance, automated control monitoring, and board-level reporting. Full ISO 27001 certification, NIST SP 800-53 controls, and a dedicated GRC team are the baseline. Most enterprises maintain compliance with multiple frameworks simultaneously: ISO 27001, SOC 2, CMMC, and industry-specific regulations (HIPAA, PCI DSS, GLBA).
Framework
ISO 27001 + NIST 800-53 + regulatory-specific (HIPAA, PCI, CMMC)
Focus
Integrated risk management, automated compliance, third-party risk
Governance
CISO with board reporting. GRC team. Cross-functional risk committee.
Risk Management
GRC platform (ServiceNow, Archer, OneTrust). Continuous monitoring. Quantitative risk analysis (FAIR).
Template Toolkit
GRC Templates & Downloads
Practitioner-built templates to accelerate your GRC program. No email gate, no sales pitch. Just the documents you need.
Framework Selection Guide
Decision matrix comparing NIST CSF, CIS, ISO 27001, and CMMC across 12 criteria. Includes scoring worksheet.
Security Policy Template Pack
8 core policies: Information Security, Acceptable Use, Access Control, Data Classification, Incident Response, Change Management, Vendor Management, Password Policy.
Risk Register Template
Pre-formatted risk register with likelihood/impact scoring, risk treatment tracking, owner assignment, and review scheduling.
90-Day GRC Checklist
Week-by-week implementation plan for the first 90 days of a GRC program. Covers stakeholder alignment through first risk assessment.
Vendor Risk Assessment Template
Standardized questionnaire for evaluating third-party security posture. Covers data handling, access controls, incident response, and compliance status.
Control Mapping Worksheet
Crosswalk template for mapping controls across NIST CSF, CIS v8.1, ISO 27001, and CMMC 2.0. Pre-populated with common mappings.
Mockup Note
Download buttons are non-functional in this mockup. In production, these will link to gated downloads via the TJS content delivery system.
GRC Articles
Practitioner-Written GRC Guides
Deep-dive articles written for people who actually do GRC work, not executive summaries or vendor whitepapers.
How to Write a Security Policy That People Actually Follow
Most security policies fail because they're written for auditors. This guide covers structure, language, approval workflows, and the difference between policies, standards, and procedures.
Risk Assessment from Zero: A Practitioner's Method
Step-by-step risk assessment methodology using NIST SP 800-30 and ISO 27005. Includes asset identification, threat modeling, risk scoring, and treatment planning with real examples.
Certification Alignment
Which Certs Map to GRC?
Four certifications align directly with GRC competencies. Each validates a different slice of the discipline.
ISACA
CRISC: Certified in Risk and Information Systems Control
The only certification focused specifically on IT risk management. Covers risk identification, assessment, response, and monitoring. Ideal for risk analysts and managers who own the risk register.
ISACA
CISM: Certified Information Security Manager
Validates security management and governance expertise. Covers information security governance, risk management, program development, and incident management. Built for security leaders, not technicians.
ISC2
CISSP Domain 1: Security and Risk Management
Domain 1 of the CISSP is the most heavily weighted (16%) and covers security governance, risk management, compliance, legal/regulatory requirements, and professional ethics. While CISSP spans all 8 domains, Domain 1 is the GRC core.
ISACA
CISA: Certified Information Systems Auditor
The gold standard for IT audit and assurance. Covers audit processes, IT governance, information systems acquisition and development, and protection of information assets. Essential for GRC professionals who do audit work.
Featured Series
Building a Security Program
A 10-module practitioner series. Modules 1-3 live in GRC, covering your charter definition, assessing your current state, and selecting your framework.
01
Define Your Security Charter
Establish mission, scope, authority, and reporting structure. Get executive sponsorship and define risk appetite.
Coming Soon
02
Assess Your Current State
Conduct a gap analysis against your target framework. Identify what exists, what's missing, and what needs improvement.
Coming Soon
03
Select and Map Your Framework
Choose the right framework, map it to your regulatory requirements, and build your control implementation plan.
Coming Soon
Sources Informing This Page
NIST CSF 2.0
ISO 27001:2022
CIS Controls v8.1
CMMC Model Overview v2.13
NIST SP 800-53r5
Related Pillars
Continue Your Journey
GRC connects to every other security discipline. These pillars complement what you've learned here.
More from TJS