NIS2: 3.Establish a cybersecurity framework

We wrote here that the 3rd  step in implementing the requirements of the directive is to establish a cybersecurity framework.

If you haven’t read what a cybersecurity framework means, then you should read article: .


Establishing a cybersecurity framework is critically important for organizations of all sizes and types because it is the basis on which you build your cybersecurity. The cybersecurity framework is the basis of the ISMS, which represents the plan of your cybersecurity strategy.


Why it is essential to have a cybersecurity framework

In case you still wonder if you need a cybersecurity framework, here are several key reasons why it is essential:

Protection against Cyber Threats
Cyber threats are constantly evolving and becoming more sophisticated. A cybersecurity framework provides a structured approach to identifying and mitigating these threats, reducing the risk of data breaches, cyberattacks, and other security incidents.
Risk Management
Cybersecurity frameworks help organizations assess their cybersecurity risks and prioritize their efforts to address the most critical vulnerabilities. This risk-based approach ensures that resources are allocated where they are needed most.
Compliance and Legal Requirements
Many industries and regions have specific cybersecurity regulations and legal requirements that organizations must adhere to. A cybersecurity framework provides a roadmap for meeting these compliance obligations, reducing the risk of fines and legal repercussions.
Business Continuity
Cybersecurity incidents can disrupt business operations, leading to downtime, financial losses, and damage to reputation. A well-structured cybersecurity framework helps organizations prepare for and respond to incidents, minimizing their impact and ensuring business continuity.
Protection of Sensitive Data
Organizations store vast amounts of sensitive and confidential data, including customer information, financial records, and intellectual property. A cybersecurity framework helps safeguard this data from unauthorized access or theft.
Preservation of Reputation
A security breach can seriously damage an organization’s reputation and erode customer trust. Implementing a cybersecurity framework demonstrates a commitment to security, which can enhance the organization’s reputation and instill confidence among customers, partners, and stakeholders.
Cost Savings
Proactively addressing cybersecurity through a framework can ultimately save an organization money. Preventing security incidents is more cost-effective than dealing with the aftermath of a breach, which can involve significant financial and legal expenses.
Consistency and Standardization
Cybersecurity frameworks promote consistency and standardization of security practices across an organization. This is especially important in larger enterprises with multiple locations, business units, or teams, ensuring that security measures are applied uniformly.
Continuous Improvement
Cyber threats and technology evolve rapidly. A cybersecurity framework emphasizes the importance of ongoing monitoring, assessment, and improvement, helping organizations stay ahead of emerging threats and vulnerabilities.
Competitive Advantage
Having a robust cybersecurity framework can be a competitive advantage. It can differentiate an organization in the eyes of customers, partners, and investors who prioritize security when choosing business partners.

Steps to Choose or Create a Cybersecurity Framework

Choosing a cybersecurity framework is a tedious process and potentially long. If you want to succeed, then you need to plan for it. In order to create a project plan, follow these milestones:

Assess Organizational Needs and Objectives
Begin by understanding your organization’s specific cybersecurity needs, objectives, and goals. Consider the industry you operate in, the types of data you handle, and your organization’s size and complexity.
Identify Relevant Regulations and Standards
Determine which cybersecurity regulations, standards, and compliance requirements are applicable to your organization. These may include GDPR, HIPAA, ISO 27001, NIST, CIS Controls, TISAX, ISO 21434 and industry-specific regulations.
Conduct a Risk Assessment
Perform a comprehensive risk assessment to identify potential cybersecurity threats, vulnerabilities, and the potential impact of security incidents. This assessment will help you prioritize security measures.
Define Your Scope
Clearly define the scope of your cybersecurity efforts. Consider which systems, data, and assets are in scope for protection and compliance efforts. Document this scope in detail.
Research Existing Frameworks
Investigate existing cybersecurity frameworks and standards that align with your organization’s needs and objectives. Consider well-established frameworks like NIST Cybersecurity Framework, ISO 27001, CIS Controls, and others.
Have a look here to view a comparison. Consider country-specific frameworks like the recommendations or requirements from your country’s information security agency.
Evaluate Framework Alignment
Evaluate how closely each candidate framework aligns with your organization’s requirements, risk assessment findings, and compliance obligations. Consider factors like ease of implementation and ongoing maintenance.
Customization vs. Adoption
Decide whether to adopt an existing framework as-is or customize it to fit your organization’s specific needs. Customization may be necessary to address unique risks or industry-specific requirements.
Engage Stakeholders
Involve key stakeholders, including senior leadership, IT teams, compliance experts, and legal advisors, in the decision-making process. Ensure their input and buy-in throughout the framework selection or development process.
Develop Framework Documentation
If you choose to customize or create a framework, develop comprehensive documentation that outlines the framework’s policies, procedures, controls, and guidelines. This documentation serves as a roadmap for the implementation of the ISMS.
Implement and Test
Begin implementing the selected or customized framework within your organization. Test its effectiveness in addressing cybersecurity risks and compliance requirements.
Training and Awareness
Train employees and raise awareness about the cybersecurity framework, its policies, and best practices. Ensure that everyone in the organization understands their role in maintaining security.
Continuous Monitoring and Improvement
Establish ongoing monitoring and assessment processes to ensure the framework’s effectiveness. Regularly review and update the framework to adapt to evolving threats and technology.


Key Considerations When Choosing or Creating a Cybersecurity Framework

There are some things to keep in mind when implementing the project plan for choosing the cybersecurity framework. The project can easily go out of scope because of the security landscape continuously changing.

Please review regularly these considerations and make sure you go through the list before taking any big decisions.

Alignment with Objectives: Ensure that the chosen framework aligns with your organization’s cybersecurity objectives, risk profile, and compliance requirements.
Applicability: Consider the framework’s applicability to your industry and specific business needs.
Resource Requirements: Assess the resources (financial, human, and technological) required for framework implementation and maintenance.
Scalability: Determine whether the framework can scale with your organization’s growth and evolving cybersecurity needs.
Integration: Ensure that the framework can integrate with existing security technologies and processes within your organization.
Cost vs. Benefit: Evaluate the cost-effectiveness of implementing and maintaining the framework relative to the expected security benefits and risk reduction.
Accessibility of Expertise: Consider the availability of expertise and training resources related to the chosen framework.
Audit and Certification: If compliance or certification is a goal, verify that the framework is recognized and accepted by relevant certification bodies or authorities.
Legal and Privacy Considerations: Ensure that the framework supports compliance with relevant data protection and privacy laws.
Flexibility: Assess the framework’s flexibility to adapt to changing threat landscapes and emerging technologies.



Having a robust cybersecurity framework can be a competitive advantage. It can differentiate an organization in the eyes of customers, partners, and investors who prioritize security when choosing business partners.

Remember that selecting or creating a cybersecurity framework is not a one-size-fits-all process. It should be a thoughtful and strategic decision that aligns with your organization’s unique needs and circumstances.

Establishing a cybersecurity framework is essential to protect an organization’s digital assets, manage risks effectively, comply with legal requirements, and maintain the trust of stakeholders.


The post NIS2: 3.Establish a cybersecurity framework first appeared on Sorin Mustaca on Cybersecurity.