The world of IT security and compliance is simply too big and too complex to keep all the requirements straight in your head.  It is too easy to overlook something important.  That’s where frameworks come in (note: I’m purposely conflating the terms framework and standards here).  Frameworks help you ensure that you have covered all the bases.

There are several popular security frameworks: NIST, COBIT, and my favorite, ISO 27002.  Some security practitioners get into heated arguments about which framework is best.  I look at these frameworks as more of a Rorschach test – people see in these frameworks what they want to see – some prefer an emphasis on governance, others on operations. TomAto vs TomAHto.

Using a framework (any framework) forces you to reason about each of the required controls (135 controls in the case of ISO 27002).  One of our clients once said, “Going through the compliance exercise helped us to understand what we were doing well, what we needed to improve, and what we weren’t doing at all, but should be doing.”

While appetites and tolerance for lightweight versus heavyweight processes vary by company and industry, and that may steer you toward one framework over another, my overarching advice is to choose one and really master it: know it inside and out, know where it is black and white and where it is more nuanced.