Cybersecurity Frameworks Compared: NIST CSF, ISO 27001, CIS Controls and BSI Grundschutz
Cybersecurity frameworks organize security measures and enable systematic risk reduction. The most important frameworks in the DACH region: NIST CSF 2.0 (function-based), ISO 27001 (certifiable), CIS Controls v8 (concrete and prioritized), BSI IT-Grundschutz (German, model-based). This comparison explains the strengths, weaknesses, and areas of application for each framework, as well as mapping possibilities between the standards.
"Which framework should we use?" is one of the most common questions in cybersecurity projects. The honest answer: There is no one-size-fits-all answer. NIST CSF is suitable for strategic communication with the board. ISO 27001 is the right choice when customers or regulators require certification. CIS Controls v8 is ideal when an operational team needs to implement specific measures. BSI IT-Grundschutz is relevant for federal agencies and KRITIS. Many organizations use elements from all four.
NIST Cybersecurity Framework 2.0 (CSF)
NIST CSF 2.0 - published February 2024:
6 functions (new: Govern as the sixth function):
GOVERN (GV) - NEW in 2.0:
→ Cybersecurity risk management as an organizational function
→ Define roles, responsibilities, and policies
→ Cybersecurity strategy, expectations, and oversight
IDENTIFY (ID):
→ Asset management: what do we have?
→ Risk assessment: what threats exist?
→ Business environment: what is critical to operations?
PROTECT (PR):
→ Access control: Who is authorized to access what?
→ Awareness and training: Do employees know their duties?
→ Data security: Encryption, backup, DLP
DETECT (DE):
→ Detect anomalies and events
→ Continuous monitoring
→ Detection processes defined and tested
RESPOND (RS):
→ Response Planning: What to do in the event of an incident?
→ Communication: Internal and external
→ Analysis, containment, improvements
RECOVER (RC):
→ Recovery Planning: How do we restore operations?
→ Improvements: Incorporate lessons learned
→ Communication: Status of recovery
Usage:
→ Self-assessment: Current Profile → Target Profile → Gap
→ Communication: Executive Board understands functions (no technical details)
→ NOT certifiable: no audit, no certificate
→ Flexible: no prescriptive approach (what exactly to do)
Maturity Tiers (1–4):
Tier 1 (Partial): Reactive, ad hoc, little awareness
Tier 2 (Risk Informed): Risk awareness, informal
Tier 3 (Repeatable): Formalized, risk-informed, consistent
Tier 4 (Adaptive): Continuous improvement, lessons learned
Strengths/Weaknesses:
✓ Good communication foundation for C-level
✓ Flexible and industry-agnostic
✓ Free (NIST, no license fee)
✓ CSF 2.0: better for SMEs and non-profits
✗ No certification available
✗ Vague – few concrete instructions
✗ US-centric (BSI IT-Grundschutz preferred for German authorities)
ISO 27001:2022
ISO/IEC 27001:2022 - The international certification standard:
Core: ISMS (Information Security Management System)
→ Plan-Do-Check-Act cycle (PDCA)
→ Risk-based approach: not all controls apply to everyone
→ Certifiable by accredited bodies (e.g., TÜV, DQS, DNV)
Structure:
Chapters 1–3: Introduction, Normative References, Terms
Chapter 4: Organizational Context (Stakeholders, Scope)
Chapter 5: Leadership (Management Commitment, Policies)
Chapter 6: Planning (Risk Assessment, Risk Treatment)
Chapter 7: Support (Resources, Competence, Communication)
Chapter 8: Operation (Implementation, Change Management)
Chapter 9: Performance Evaluation (Audit, Management Review)
Chapter 10: Improvement (Nonconformities, Improvements)
Appendix A: 93 controls in 4 subject areas:
A.5: Organizational Controls (37 controls)
A.6: People Controls (8 controls)
A.7: Physical Controls (14 controls)
A.8: Technological Controls (34 controls)
Important new controls in 2022:
A.5.7: Threat Intelligence (new!)
A.5.23: Information Security in Cloud Usage (new!)
A.5.30: ICT Readiness for Business Continuity (new!)
A.8.9: Configuration Management (new!)
A.8.12: Data Leakage Prevention (new!)
A.8.23: Web Filtering (new!)
A.8.28: Secure Coding (new!)
Certification Process:
Stage 1 (Document Audit): Review policies and ISMS documentation
Stage 2 (Main Audit): On-site review of implementation
Certificate Valid: 3 years
Surveillance Audit: Annual (Year 1 and Year 2)
Recertification: Full re-audit after 3 years
Strengths/Weaknesses:
✓ Internationally recognized certificate
✓ Market requirement: Enterprise customers require ISO 27001
✓ Systematic, risk-based approach
✓ Clearly defined scope (Certificate applies to a specific scope)
✗ Time-consuming (6–18 months for implementation)
✗ Costs (Audit: €5,000–€50,000 depending on size)
✗ Significant documentation effort
✗ Controls relatively abstract (what exactly to implement?)
CIS Controls v8
CIS Controls v8 - Center for Internet Security:
18 controls with 153 safeguards
Strengths: concrete, prioritized, free
Implementation Groups (Prioritization!):
IG1 (56 safeguards): Basic cyber hygiene - for EVERYONE!
→ Low resource requirements, high impact
→ "If you do nothing else, do IG1!"
Examples:
CIS.1.1: Inventory of all enterprise assets
CIS.2.1: Inventory of authorized software
CIS.4.1: Password length min. 14 characters (privileged) / 8 (standard)
CIS.6.3: MFA for all administrators
CIS.11.2: Secure data recovery (backup test!)
CIS.17.1: Documented incident response process
IG2 (+74 safeguards): For organizations with IT staff
→ Configuration management, vulnerability scanning, logs
Examples:
CIS.4.7: Multi-factor authentication for remote access
CIS.7.3: Automated patch management for operating systems
CIS.8.2: Centralized log collection (SIEM)
CIS.13.1: Centralized email security monitoring
IG3 (+23 safeguards): For organizations with security experts
→ Penetration testing, red teaming, advanced threat detection
Examples:
CIS.18.5: Penetration testing for internet-facing systems
CIS.16.1: Application security testing in the SDLC
CIS.10.5: Enabling anti-exploitation features
The 18 CIS Controls:
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protection
10. Malware Defense
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing
Strengths/Weaknesses:
✓ Very concrete and actionable (exactly what needs to be done)
✓ Prioritization via IG1/2/3 (not everything at once)
✓ Free, regularly updated
✓ Useful for audit evidence
✓ CIS Benchmarks: concrete configuration recommendations (OS, cloud, etc.)
✗ No certificate
✗ US perspective (less integration of EU regulations)
✗ Less strategic than NIST CSF or ISO 27001
BSI IT-Grundschutz
BSI IT-Grundschutz – the German standard:
Developed by: Federal Office for Information Security (BSI)
Applicability: Mandatory for federal agencies; recommended for all German companies
Costs: IT-Grundschutz Compendium available free of charge at bsi.bund.de
Structure: Building blocks + Threats + Measures
Building blocks (as of 2023, 100+ building blocks):
ISMS: ISMS.1 (Security Management)
ORP: Organizational Processes (ORP.1-5: Org, Personnel, etc.)
CON: Concepts (CON.3 Data Backup, CON.10 Development)
OPS: Operations (OPS.1.1 General IT Operations, OPS.1.2 Admin)
DER: Detection and Response (DER.1 Monitoring, DER.2 IR)
APP: Applications (APP.3.1 Web Applications, APP.4.4 Kubernetes!)
SYS: IT Systems (SYS.1.1 Servers, SYS.2.2 Windows Clients)
IND: Industrial IT (IND.1-2 OT/ICS Security)
NET: Networks (NET.1.1 Network Architecture, NET.3.2 Firewall)
INF: Infrastructure (INF.1 Buildings, INF.2 Data Center)
Security Concept:
Basic Security: Minimum standard for all (quick to implement)
Standard Protection: Full IT-Grundschutz implementation
Core Protection: Focus on most critical assets (quick, risk-based)
IT-Grundschutz-Check (GS-Check):
Target/Actual Comparison: Which requirements are met?
Status per module: Yes / No / Optional / Not applicable
ISO 27001 based on IT-Grundschutz:
→ BSI certification possible: "ISO 27001 based on IT-Grundschutz"
→ Simplified: IT-Grundschutz recognized as a risk assessment method
→ Popular among federal agencies requiring ISO 27001 certification
Strengths/Weaknesses:
✓ Very detailed and concrete (includes sample documents)
✓ German → ideal for German regulations and authorities
✓ Regularly updated (cloud, OT, Kubernetes modules!)
✓ Certifiable (ISO 27001 based on IT-Grundschutz)
✓ Free (Grundschutz Compendium)
✗ Very extensive → high learning curve
✗ Little international recognition (BSI C5 for cloud, otherwise an insider standard)
✗ Too heavy for small businesses
Framework Mapping and Combination
Mappings between frameworks:
NIST CSF ↔ ISO 27001:
Govern → Ch. 5 (Leadership), Ch. 6 (Planning), A.5.x (Organizational)
Identify → Ch. 4 (Context), A.5.9 (Asset Inventory), A.8.8 (Vulnerabilities)
Protect → A.5–A.8 (Controls)
Detect → A.8.16 (Monitoring), DER (IT-Grundschutz)
Respond → A.5.26 (IR), A.5.24 (IR Planning)
Recover → A.5.29 (BCM), A.5.30 (ICT Continuity)
CIS Controls ↔ ISO 27001 Mapping:
CIS 1 (Asset Inventory) → A.5.9, A.5.10
CIS 4 (Configuration) → A.8.9
CIS 6 (Access Control) → A.8.2, A.8.3, A.5.18
CIS 7 (Vulnerability Management) → A.8.8
CIS 8 (Audit Logs) → A.8.15, A.8.16
CIS 18 (Penetration Testing) → A.8.8, A.5.8
Recommended Combination (DACH Companies):
SMEs without certification requirements:
Foundation: CIS Controls IG1 (immediately operational)
Governance: NIST CSF (for C-level communication)
Supplement: GDPR measures
Enterprises facing customer pressure:
Certification: ISO 27001 (as a market requirement)
Operational: CIS Controls (concrete measures)
Strategy: NIST CSF (management communication)
DACH: BSI IT-Grundschutz modules where relevant
Federal authorities / KRITIS:
Mandatory: BSI IT-Grundschutz
Optional: ISO 27001 based on IT-Grundschutz
Cloud: BSI C5 for cloud providers
Supplement: NIST CSF as a maturity framework
Multi-framework tooling:
GRC tools: ServiceNow GRC, MetricStream, OneTrust
→ Import ISO 27001, NIST CSF, CIS, BSI controls
→ Link evidence to multiple frameworks simultaneously
→ Implement once → demonstrate compliance multiple times!
Open Source Alternative:
ERAMBA: Open Source GRC (eramba.org)
→ CIS, ISO 27001, NIST CSF integrated
→ Control mapping between frameworks
About the Author
Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security and nudging in IT security. Responsible for building and maintaining ISMSs, leads internal audits according to ISO/IEC 27001:2022 and advises as an external ISB (information security officer) in KRITIS sectors. Lecturer for Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.
3 Publications
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)