NIST Ranked 2025’s Most Valuable Cybersecurity Framework

(April 22, 2025)

Cybersecurity frameworks help align security efforts with business objectives, reduce risk, ensure regulatory compliance, and build trust with stakeholders. They enable consistent decision-making, efficient resource allocation, and faster response to new threats, all of which are critical for resilience and operational continuity.

Which framework is right for your organization? What are other organizations using?  

The choice of the best cybersecurity framework for your business should be based on your industry, regulatory requirements, and organizational maturity. It is critical to evaluate your internal capabilities, risk tolerance, and overall business goals. You should also consider a framework's scalability, ease of implementation, and alignment with existing processes and operations to help guide your decision. With that in mind, what are other organizations currently using?

NIST Ranked Most Valuable for 2025 – For the Second Year in a Row

As part of the Cyber Security Tribe annual survey, which had over 350 cybersecurity practitioners respond for the 2025 State of the Industry Report, we asked: Which security framework(s) or standard(s) do you find most valuable for guiding your security practices?

For the second year in a row, NIST was ranked as most valuable by cybersecurity practitioners. Respondents were able to select multiple frameworks / standards, so the percentages below do not sum to 100%.

Framework / Standard              % of respondents
NIST Cybersecurity Framework      68%
OWASP Top Ten                     46%
ISO 27001 / ISO 27002             41%
SOC 2                             35%
CIS Controls                      15%
HITRUST                           14%
FISMA                              6%
Other                              9%


We asked the Cyber Security Tribe Advisory Board: What security framework(s) / standards do you follow?

Dr. Vivian Lyon: A combination of security frameworks, including the NIST Cybersecurity Framework, CIS Controls, and ISO/IEC 27001. These frameworks provide guidelines and best practices to manage information security risks and ensure compliance with relevant laws and regulations. However, there is a strong focus on the NIST Cybersecurity Framework due to its flexibility and adaptability, while also adopting a Zero Trust framework gradually, as it is a journey, not a destination.

Jason Elrod: I follow a mix of frameworks but heavily base my program on NIST CSF for its flexibility. This framework provides a comprehensive approach to risk management, compliance, and resilience. It also provides direct alignment with the auditing bodies most often encountered in the healthcare sector.

Rizwan Jan: We must follow strict government regulations, including FedRAMP and the Cybersecurity Maturity Model Certification (CMMC), among others. These frameworks are essential for ensuring compliance, maintaining high security standards, and protecting sensitive data in line with government requirements.

Eric Harris: We follow the NIST Risk Management Framework (RMF) because it provides a structured, risk-based approach to managing cybersecurity threats, aligning security controls with organizational missions and business objectives. The RMF is particularly valuable for organizations handling sensitive data, ensuring compliance with federal mandates, and maintaining a strong security posture through continuous monitoring. Working in the federal sector, we are required to follow the Risk Management Framework.

Herman Brown: We adhere to the NIST framework, both as part of our broader organizational strategy and because it aligns seamlessly with our security posture.

Randall Frietzsche: We follow the NIST CSF because we are a US hospital and HIPAA advises us to use that framework to achieve HIPAA Security Rule requirements.


For more insights into the current processes, frameworks, and standards affecting organizations' cybersecurity efforts, download the full 2025 Annual Report today.