Security Frameworks

2026 Edition

The 2026 edition of the Baseline Cyber assessment covers 10 security frameworks, including NIST CSF 2.0, EU DORA, EU NIS2, and NIST AI RMF.

Our cybersecurity assessment tool is built upon leading industry frameworks to provide a comprehensive evaluation of your security posture. Each framework offers unique perspectives and controls that, when combined, provide a holistic view of your security program.

CIS Controls

The Center for Internet Security (CIS) Controls are a prioritized set of actions that collectively form a defense-in-depth approach to cybersecurity.

Key Features:

  • Implementation Groups (IG1, IG2, IG3) for organizations of different sizes
  • Focus on practical, actionable controls
  • Regularly updated based on evolving threats
  • Mapped to other frameworks including NIST CSF and ISO 27001

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a policy framework of computer security guidance for organizations to assess and improve their ability to prevent, detect, and respond to cyber attacks.

Key Features:

  • Five core functions: Identify, Protect, Detect, Respond, Recover
  • Flexible implementation approach
  • Used by organizations of all sizes across industries
  • Regular updates to address emerging risks and technologies

ISO 27001

ISO/IEC 27001 is an international standard for managing information security. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Key Features:

  • Risk-based approach to information security
  • Comprehensive control set covering multiple domains
  • Internationally recognized certification
  • Process-oriented framework for ongoing security management

OWASP Top 10

The Open Web Application Security Project (OWASP) Top 10 is a standard awareness document for developers and web application security practitioners that represents a broad consensus about the most critical security risks to web applications.

Key Features:

  • Focus on web application security risks
  • Updated every few years to address changing threat landscape
  • Practical guidance for developers and security professionals
  • Free and open community-driven project

MITRE ATT&CK

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for describing attacker behaviors.

Key Features:

  • Comprehensive matrix of attack techniques
  • Based on real-world observations
  • Regularly updated with new threat information
  • Used for threat modeling, red teaming, and defense planning

NIST CSF 2.0

Released in February 2024, NIST Cybersecurity Framework 2.0 adds a sixth core function — Govern — to the original five, placing greater emphasis on enterprise risk management, supply chain risk, and cybersecurity governance at the board level.

Key Features:

  • Six core functions: Govern, Identify, Protect, Detect, Respond, Recover
  • New Govern function covers policies, roles, and organizational cybersecurity strategy
  • Expanded supply chain risk management guidance
  • Applicable to all organizations, not just critical infrastructure

EU Digital Operational Resilience Act (DORA)

DORA is an EU regulation, effective January 17, 2025, that establishes mandatory ICT risk management and operational resilience requirements for financial entities, including banks, insurance companies, investment firms, and their critical ICT third-party providers.

Key Features:

  • Mandatory ICT risk management framework requirements
  • Strict incident reporting timelines (4-hour initial notification, 24-hour report, 1-month final report)
  • Digital operational resilience testing including TLPT (threat-led penetration testing)
  • ICT third-party risk oversight with mandatory contract clauses

EU NIS2 Directive

The NIS2 Directive expanded mandatory cybersecurity requirements to cover essential and important entities across 18 sectors in the EU; the deadline for national transposition passed in October 2024.

Key Features:

  • Covers 18 sectors including energy, transport, health, digital infrastructure, and public administration
  • Mandatory security measures: risk management, incident handling, business continuity, supply chain security
  • 24-hour early warning and 72-hour incident notification requirements
  • Personal liability for management bodies for significant violations

NIST AI Risk Management Framework (AI RMF)

Published in 2023 and gaining significant adoption in 2025–2026, the NIST AI RMF provides a voluntary framework for managing risks to individuals, organizations, and society associated with the design, development, deployment, and use of AI systems.

Key Features:

  • Four core functions: Govern, Map, Measure, Manage
  • Addresses trustworthiness characteristics including accuracy, explainability, fairness, privacy, and security
  • AI-specific risk identification including prompt injection, model poisoning, and data leakage
  • Widely referenced in emerging AI regulations and procurement requirements

How Our Assessment Uses These Frameworks

Our 2026 assessment combines elements from all 10 frameworks above to deliver a practical, actionable evaluation across 9 security domains — including the new AI Security and Supply Chain domains critical for 2025–2026. Rather than requiring compliance with any single framework, we focus on the technical controls that deliver real risk reduction regardless of which regulatory requirement you face.

Assessment results map your current security posture to these frameworks, helping you understand both your overall maturity and your alignment with specific regulations — including mandatory EU requirements (DORA, NIS2) and emerging AI governance standards.