10 Key Cyber Security Frameworks You Should Be Aware Of
Blog | by Leanne Bevan | 6 June 2024
Updated December 2024.
As cyber threats become more complex and frequent, and technology enhances, many governments, industries and regions have implemented cyber security frameworks for organisations to abide by to ensure they stay secure and compliant.
Below we break down each key cyber security framework you should be aware of.
1. GDPR
The General Data Protection Regulation (GDPR) was launched in 2018 by the European Union to protect data and individual rights. Regardless of whether you are based inside or outside the EU, you must comply with these rules if you handle the data of people based within the EU. Despite leaving the EU, the UK still follows a similar regulation, UK GDPR.
There are several security controls and processes you must put into place to comply with GDPR, including, but not limited to:
- Risk Analysis: Undertake an analysis of the risks presented by your processing and use this to assess the appropriate level of security you need to put in place.
- Information Security Policy: Have an information security policy (or equivalent) and take steps to make sure the policy is implemented.
- Additional Policies and Controls: Where necessary, have additional policies and ensure that controls are in place to enforce them.
- Regular Review and Improvement: Make sure that you regularly review your information security policies and measures and, where necessary, improve them.
- Basic Technical Controls: Put in place basic technical controls such as those specified by established frameworks like Cyber Essentials (see below).
- Encryption and/or Pseudonymisation: Use encryption and/or pseudonymisation where it is appropriate to do so.
- Confidentiality, Integrity and Availability: Understand the requirements of confidentiality, integrity and availability for the personal data you process.
- Backup Process: Make sure that you can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
- Regular Testing and Reviews: Conduct regular testing and reviews of your measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
- Data Protection Officer (DPO): Appoint a Data Protection Officer (DPO) to oversee data protection strategy and implementation to ensure compliance with GDPR requirements.
- Privacy Impact Assessments: Conduct privacy impact assessments to identify and minimise the data protection risks of a project.
- Data Protection Policies and Procedures: Implement data protection policies and procedures to manage personal data.
Grey Matter has many of the solutions you need to enable you to comply with GDPR, from endpoint security, encryption, pen testing and health checks, to cyber security awareness training, password management and more.
2. Cyber Essentials / Cyber Essentials Plus
Cyber Essentials is a government-backed, industry-supported scheme in the UK designed to help organisations protect themselves against common online threats. It sets a strong security baseline and helps businesses operate securely online.
There are two levels of certification:
- Cyber Essentials: This self-assessment option protects against a wide variety of the most common cyber-attacks. Certification reassures that your defences will protect against common cyber-attacks.
- Cyber Essentials Plus: This level includes all the protections of Cyber Essentials but with a hands-on technical verification carried out.
The scheme is suitable for all organisations, of any size, in any sector. It demonstrates your commitment to cyber security to your customers and suppliers. Some government contracts require Cyber Essentials certification. The National Cyber Security Centre (NCSC) oversees the scheme.
Take a look at our Cyber Essentials guide for more information.
Grey Matter is partnered with CyberSmart who provide Cyber Essentials and Cyber Essentials Plus certifications (and a monitoring service to ensure you stay on track). On top of that, Grey Matter can support you with the cyber security solutions you need to have in place to comply.
3. ISO 27001
ISO 27001 is an international standard for managing information security. It provides a framework for establishing, implementing, maintaining, and improving your security management.
Key aspects of ISO 27001 include:
- Systematic examination of the organisation’s information security risks, considering threats, vulnerabilities, and impacts.
- Design and implementation of a comprehensive suite of information security controls and/or other forms of risk treatment to address unacceptable risks.
- Adoption of a management process to ensure that the information security controls continue to meet the organisation’s information security needs.
Conformity with ISO 27001 means that an organisation has implemented a system to manage risks related to the security of data owned or handled by the company and that this system respects all the best practices and principles enshrined in this International Standard.
Organisations that meet the standard’s requirements can choose to be certified by an accredited certification body following the successful completion of an audit. This certification is a testament to the organisation’s commitment to information security.
ISO 27001 applies to organisations of any size in any industry. It promotes a holistic approach to information security, addressing people, policies, and technology. It is a tool for risk management, cyber-resilience, and operational excellence.
Grey Matter is partnered with Secure Impact, which provides an ISO 27001 Readiness Service that includes assessments, gap analysis, risk management and more to help your organisation prepare for ISO 27001 certification. Plus, Grey Matter offers the cyber security solutions you need to achieve the certification.
4. NIST 2.0
NIST 2 refers to the NIST Cybersecurity Framework (CSF) 2.0, which was released by the National Institute of Standards and Technology (NIST) in the United States. It guides industry, government agencies, and other organisations to manage cyber security risks.
It is a guide that any organisation can use to improve its cyber security and helps them understand, assess, prioritise, and communicate their cyber security efforts. It doesn’t tell you how to achieve your goals, but it does link to online resources for extra guidance.
NIST 2.0 is a big advancement in managing cyber security risks. It’s more comprehensive, has new features, and aligns with international standards. It provides a flexible plan for you to strengthen your cyber security.
Grey Matter offers the cyber security solutions you need to meet the NIST 2 cyber security guidance.
5. DORA
The Digital Operational Resilience Act (DORA) is a new regulation created by the European Union (EU) that aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms. It entered into force on 16 January 2023 and will apply as of 17 January 2025.
DORA’s main objectives are:
- IT Risk Management: Establishing principles and requirements in the IT risk management framework.
- IT-related Incident Management, Classification & Reporting: Setting general requirements for reporting major ICT-related incidents to competent authorities.
- Digital Operational Resilience Testing: Implementing basic and advanced testing.
- IT Third Party Risk Management: Monitoring the risk posed by third-party providers and key contractual provisions.
- Information Sharing Arrangements: Facilitating the exchange of information and intelligence on cyber threats.
DORA applies to over 22,000 financial entities and IT service providers operating within the EU and the IT infrastructure supporting them from outside the EU. It introduces a single consistent supervisory approach across a wide range of financial market participants.
Grey Matter’s cyber security and IT solutions can help you meet these guidelines.
6. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a United States law enacted in 1996 designed with several key objectives, some of which relate to cyber security:
- Preventing Health Care Fraud and Abuse: Personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft.
- Privacy and Security Rules: HIPAA sets standards for handling, storing, and transmitting sensitive patient health information to ensure the privacy and security of medical records. It comprises two key rules: the Privacy Rule and the Security Rule.
Our wide range of security solutions helps you maintain compliance with this regulation.
7. NIS 2
Not to be confused with NIST 2.0 above, NIS 2 stands for the Network and Information Security Directive 2, a European Union directive aimed at strengthening cyber security across the Union. It replaces the original NIS directive and imposes stricter cyber security obligations on a wider range of entities, particularly those considered essential to the functioning of society.
Key Features of NIS 2:
- Expanded Scope: NIS 2 covers a broader range of sectors and entities, including those involved in energy, transport, water, healthcare, banking, finance, food, and digital infrastructure.
- Risk Assessment and Management: Organisations must conduct regular risk assessments and implement appropriate security measures to protect their networks and systems.
- Incident Reporting: Entities are required to report cyber security incidents to competent authorities within a specified timeframe.
- Supply Chain Security: Organisations must address cyber security risks in their supply chains, including third-party suppliers and service providers.
- Cooperation and Information Sharing: Member states are encouraged to cooperate and share information on cyber security threats and best practices.
- Penalties: Non-compliance with NIS 2 can result in significant fines and other penalties.
We provide solutions for incident reporting, security awareness training and more.
8. Microsoft Zero-Trust Framework
The Microsoft Zero-Trust framework is a comprehensive security strategy designed to protect modern digital environments. Here are the key principles:
- Verify Explicitly: Always authenticate and authorise based on all available data points, such as user identity, location, device health, and anomalies.
- Use Least-Privilege Access: Limit user access with just-in-time (JIT) and just-enough-access (JEA) principles, adaptive policies, and data protection.
- Assume Breach: Minimise the impact of potential breaches by segmenting access, verifying end-to-end encryption, and using analytics for threat detection and defence improvement.
This approach ensures that every access request is treated as though it originates from an open network, emphasising the principle of "never trust, always verify".
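The three principles above can be expressed as a single access decision. The example below is added here and is not Microsoft's code; the request signals, the resource-to-role table and the time limits are assumed values chosen to illustrate the principles.

```python
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    """Constructed request context: the data points 'verify explicitly' lists."""
    user: str
    mfa_passed: bool
    device_compliant: bool          # assumed device-health signal (e.g. from MDM)
    country: str
    usual_countries: set = field(default_factory=set)
    resource: str = ""
    requested_roles: set = field(default_factory=set)

# Just-enough-access: the minimum roles each resource needs (assumed table).
MIN_ROLES = {"payroll-db": {"payroll.read"}, "hr-share": {"hr.read"}}

def evaluate(req: AccessRequest) -> dict:
    """Return a decision dict; every request is evaluated as if from an open network."""
    # Verify explicitly: device posture and authentication strength are checked
    # on every request, never inferred from network location.
    if not req.device_compliant:
        return {"decision": "deny", "reason": "non-compliant device"}
    if not req.mfa_passed:
        return {"decision": "deny", "reason": "MFA required"}
    # Anomaly signal: access from a country the user has not used before.
    anomaly = req.country not in req.usual_countries
    # Least privilege: grant only the intersection of what was asked for and
    # what the resource actually needs, never the full requested set.
    granted = req.requested_roles & MIN_ROLES.get(req.resource, set())
    if not granted:
        return {"decision": "deny", "reason": "no eligible role for resource"}
    # Just-in-time: grants are short-lived, shorter still under an anomaly, and
    # anomalous grants are flagged for analytics (assume breach).
    ttl_minutes = 15 if anomaly else 60
    return {"decision": "allow", "roles": granted,
            "ttl_minutes": ttl_minutes, "flag_for_review": anomaly}

if __name__ == "__main__":
    req = AccessRequest("alice", True, True, "DE", {"GB"}, "payroll-db",
                        {"payroll.read", "payroll.admin"})
    print(evaluate(req))
```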
Book a meeting with our Microsoft specialists to learn more about this framework and how we can help you.
9. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was created to protect cardholder data and reduce credit card fraud.
The standard is enforced by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB), and compliance is necessary to maintain the ability to accept credit card payments.
To comply with PCI DSS, you need to have the following in place:
Build and Maintain a Secure Network and Systems:
- Firewalls: Install and maintain a firewall configuration to protect cardholder data.
- Secure Configurations: Ensure secure configurations for all system components.
Protect Cardholder Data:
- Encryption: Encrypt transmission of cardholder data across open, public networks.
- Data Masking: Mask primary account numbers (PAN) when displayed.
Maintain a Vulnerability Management Program:
- Anti-Virus Software: Use and regularly update anti-virus software or programs.
- Patch Management: Develop and maintain secure systems and applications by applying security patches.
Implement Strong Access Control Measures:
- Access Controls: Restrict access to cardholder data by business need to know.
- Authentication: Assign a unique ID to each person with computer access.
Regularly Monitor and Test Networks:
- Logging and Monitoring: Track and monitor all access to network resources and cardholder data.
- Testing: Regularly test security systems and processes.
Maintain an Information Security Policy:
- Policy Development: Develop and maintain a policy that addresses information security for employees and contractors.
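The "Data Masking" and "Logging and Monitoring" items above meet in practice when a PAN leaks into application logs. The example below is added here and is not from PCI DSS or any vendor; it masks a PAN to the first six and last four digits and scrubs Luhn-valid card numbers from free text, using a constructed log line and the well-known 4111 1111 1111 1111 test number.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def scrub_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in a log line; leave other digit runs alone."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw                  # e.g. an order reference that fails Luhn
    return PAN_RE.sub(repl, text)

# Constructed sample log line: one real test PAN and one 18-digit reference.
SAMPLE_LOG = 'order=8842 card="4111 1111 1111 1111" ref=123456789012345678'

if __name__ == "__main__":
    print(scrub_pans(SAMPLE_LOG))
```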
We provide solutions for network monitoring, anti-virus, encryption, patch management, firewalls, and more.
10. SOC 2
SOC 2 is a security framework designed to help organisations manage customer data based on five Trust Services Criteria (TSC). Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is particularly relevant for service organisations that store customer data in the cloud.
An independent auditor assesses the organisation's controls and processes to ensure they meet the SOC 2 requirements. This includes evaluating the effectiveness of security measures in place.
Achieving SOC 2 compliance demonstrates a commitment to data security, which can enhance customer trust and provide a competitive advantage.
The five criteria are:
- Security: Protecting information and systems against unauthorised access.
- Availability: Ensuring that systems are available for operation and use.
- Processing Integrity: Ensuring that system processing is complete, valid, accurate, timely, and authorised.
- Confidentiality: Protecting information designated as confidential.
- Privacy: Protecting personal information.
We provide an array of solutions that help you comply with SOC 2.
Get the security solutions you need to comply with these security frameworks
Grey Matter has an accredited cyber security team who can provide accurate and knowledgeable advice on security software licensing, services, and more.
We have a wide catalogue of cyber security solutions that includes pen testing, health checks, endpoint security, encryption, password management, patch management and cyber security awareness training. Whatever you need to comply with the regulations above, we can source it for you. And by purchasing it all in one place, procurement is much easier.
Fill out the contact form below to book a free security consultation with one of the team.