
Compliance, Risk & Information Security Landscape.

Cross-walk between common control frameworks, the reference architecture for an in-house risk-control platform, and the field-level orientation map of the discipline.

Framework cross-walk

  • ISO 27001 (ISMS). Process-oriented. Annex A (2022 revision) has 93 controls in 4 themes (Organizational, People, Physical, Technological). Certifiable. Strong in Europe.
  • SOC 2 Type II. AICPA-driven. Trust Services Criteria: Security (CC), Availability, Confidentiality, Processing Integrity, Privacy. Attestation report, not a certification. Required by US enterprise customers.
  • NIST CSF 2.0 (2024). Six functions: Govern, Identify, Protect, Detect, Respond, Recover. Voluntary framework; widely adopted as common language.
  • NIST SP 800-53 rev 5. Detailed control catalog underlying CSF; required for US federal systems.
  • BSI IT-Grundschutz. German federal standard. "Bausteine" (building blocks) map to compliance modules. Maps to ISO 27001 with a published cross-reference.
  • PCI DSS 4.0. Cardholder data overlay. Twelve requirements; tight on segmentation, encryption, logging. Mandatory for processors / merchants depending on transaction volume.
  • HIPAA / HITECH. US healthcare. Administrative + Physical + Technical Safeguards. Sector overlay, not a complete program.
  • DORA (Digital Operational Resilience Act, EU, in force 2025). Financial sector. ICT risk management, incident reporting, resilience testing, third-party risk.
  • NIS2 (EU). Sectoral cyber-resilience baseline; member-state transposition varies.
  • GDPR. Privacy, not security — but Article 32 mandates appropriate technical/organizational measures, and breach notification under Article 33-34 drives security investment.

Where frameworks speak past each other

  • "Risk assessment." ISO = formal asset-threat-vulnerability methodology with a risk register. SOC 2 = identification of risks relevant to objectives. NIST CSF = ongoing function. Implementations diverge; the same artifact rarely satisfies all three without adaptation.
  • "Access review." SOX = quarterly with sign-off. ISO = periodic. SOC 2 = "regular" with auditor judgment. Operational team builds one process satisfying the strictest.
  • "Vulnerability management." PCI = quarterly external scan + annual pentest with strict timelines. ISO = process exists. NIST = continuous. Frequency and rigor differ.
  • "Incident response." Notification timelines: GDPR 72h, NIS2 24h initial / 72h detailed, PCI immediately, SEC 4 days for material incidents, DORA 4h. Map your notification matrix once and reuse it.
  • "Encryption in transit." All frameworks require it. None specify which TLS version. Internal standard = TLS 1.2+ minimum, TLS 1.3 preferred; document and reference.

Risk-control platform architecture

  • Layer 1 — Signal ingest.
    • Sources: SIEM alerts, EDR detections, vulnerability scanners, cloud-config drift, IAM events, ticketing system.
    • Normalize to canonical risk-event schema (asset, control, observation, severity, source, timestamp).
    • Deduplicate at ingest.
  • Layer 2 — Rule layer.
    • Map raw signals → risks. "Three failed-auth events from same user within 5 min" → "credential-stuffing-suspected" risk.
    • Map risks → controls (via framework mapping). One risk may impact multiple controls across frameworks.
    • Severity scoring: likelihood × impact, calibrated against historic incidents.
  • Layer 3 — Decision loop.
    • Triage queue per business unit / owner.
    • SLA per severity (P1: 24h, P2: 7 days, P3: 30 days).
    • Decisions: mitigate / accept / transfer / avoid, with documented rationale.
    • Escalation when SLA-breached.
  • Layer 4 — Audit trail.
    • Append-only event log: who saw what, who decided what, what changed.
    • Evidence linkage: every closed risk has artifact (ticket, config snapshot, test result).
    • Auditor read-only access scoped to evidence period.
  • Integrations per layer.
    • Identity (Okta, Azure AD, Google Workspace) — who owns this asset, who can approve.
    • Asset/CMDB (ServiceNow, custom) — what is the asset, criticality, owner team.
    • Ticketing (Jira, ServiceNow) — risk → ticket auto-create, status sync, closure evidence.
    • Cloud-config (AWS Config, Azure Policy, GCP SCC, Wiz / Prisma) — drift signal source.
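The four layers above carried through as one small added example (Python; not code from the page or from any product): the canonical risk-event schema, ingest-time deduplication, the "three failed-auth events from the same user within 5 min" rule, a cross-framework control mapping, likelihood × impact severity with the page's P1/P2/P3 SLAs, and an SLA check that writes to the audit trail. The control identifiers, the convention of carrying the user in the `asset` field, the severity thresholds and the IAM feed are assumptions, and the feed is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class RiskEvent:  # canonical Layer-1 schema; the user is carried in `asset` (assumption)
    asset: str; control: str; observation: str; severity: int; source: str; timestamp: datetime
SLA = {"P1": timedelta(hours=24), "P2": timedelta(days=7), "P3": timedelta(days=30)}
# Illustrative risk -> control mapping across frameworks; replace with your own control map.
CONTROLS = {"credential-stuffing-suspected": {"ISO 27001": "A.8.5", "SOC 2": "CC6.1", "NIST CSF": "PR.AA"}}

def ingest(raw_events):  # normalize a constructed IAM feed to RiskEvent and dedupe at ingest
    seen, events = set(), []
    for r in raw_events:
        ev = RiskEvent("user:" + r["user"], "authentication", r["event"], 1, "iam", datetime.fromisoformat(r["ts"]))
        if ev not in seen:  # a frozen dataclass hashes on every field, so replayed events collapse
            seen.add(ev); events.append(ev)
    return events
def severity(likelihood, impact):
    score = likelihood * impact  # 1-5 scales; the P1/P2/P3 thresholds are an assumed calibration
    return "P1" if score >= 15 else "P2" if score >= 8 else "P3"

def detect_credential_stuffing(events, threshold=3, window=timedelta(minutes=5)):  # one risk per user
    failures, risks = defaultdict(list), []
    for e in sorted(events, key=lambda e: e.timestamp):
        if e.observation == "auth.failed":
            failures[e.asset].append(e.timestamp)
    for user, ts in failures.items():
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:  # sliding window over sorted timestamps
                sev, opened = severity(4, 4), ts[i + threshold - 1]
                risks.append({"risk": "credential-stuffing-suspected", "asset": user, "severity": sev,
                              "controls": CONTROLS["credential-stuffing-suspected"], "status": "open",
                              "opened": opened, "due": opened + SLA[sev]})
                break
    return risks
def needs_escalation(risk, now, audit_log):
    breached = risk["status"] != "closed" and now > risk["due"]  # Layer-3 SLA check
    audit_log.append({"at": now, "risk": risk["risk"], "asset": risk["asset"], "breached": breached})  # Layer-4 trail
    return breached

RAW = [  # constructed feed: alice trips the rule; bob only looks like it because of a replayed event
    {"user": "alice", "event": "auth.failed", "ts": "2025-03-01T09:00:00"},
    {"user": "alice", "event": "auth.failed", "ts": "2025-03-01T09:02:00"},
    {"user": "alice", "event": "auth.failed", "ts": "2025-03-01T09:04:00"},
    {"user": "bob", "event": "auth.failed", "ts": "2025-03-01T09:10:00"},
    {"user": "bob", "event": "auth.failed", "ts": "2025-03-01T09:10:00"},  # duplicate delivery
    {"user": "bob", "event": "auth.failed", "ts": "2025-03-01T09:12:00"},
]
```

Feeding `RAW` through `ingest` and then `detect_credential_stuffing` yields a single P1 risk for alice due 24 hours after her third failure; skipping the dedup step would also flag bob on the replayed event.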

Information-security field map

  • Product security. SDLC, code review, threat modeling, SAST/DAST/SCA, security champions.
  • Infrastructure security. Network, endpoint, cloud config, hardening, patching.
  • Identity & access. SSO, MFA, lifecycle, privileged access, secrets management.
  • Governance, risk, compliance. Frameworks, audits, policy, third-party risk, vendor due diligence.
  • Detection & response. SIEM, EDR, SOAR, SOC operations, incident response, forensics.
  • Threat intelligence. IOC ingest, actor tracking, attribution, intel-driven hunting.
  • Offensive security. Pentest, red team, bug bounty, exploit research.
  • Security engineering. Platform tooling, automation, IaC for security, internal SDK.
  • Awareness & training. Phishing exercises, role-based training, executive briefings.
  • Leadership (CISO function). Strategy, board reporting, budget, headcount, vendor selection, risk acceptance.

Practical CISO orientation

  1. Pick one primary framework for governance (ISO 27001 if European, NIST CSF if hybrid).
  2. Add overlays only as required (PCI if you process cards, HIPAA if healthcare, DORA/NIS2 if applicable).
  3. Map controls once, source evidence once, satisfy all framework reports from the same evidence base.
  4. Outcome-based metrics over activity-based: "mean time to patch critical CVE" beats "% of policies reviewed".
  5. Board-level reporting: risk register top 10 with owner, status, trend — not raw vulnerability counts.

Rule of thumb

Frameworks are shared vocabulary, not security. Compliance status tells an auditor you have a process; whether the process produces fewer incidents is an independent question. Optimize for outcomes; let compliance fall out of doing the real work.
