Cameron Hodson, CPA, CISA, is an Audit Manager with Larson & Company.  He specializes in audit and advisory services for a wide range of companies.


NIST vs ISO vs SOC vs PCI vs….

Which control framework is the best to use? Can I pick and choose from multiple frameworks? Who are the key stakeholders in this process?

As a CPA and SOC practitioner, I have been asked these questions many times. The answer is, of course, it depends. However, here are some thoughts to guide you in your research. At the end, I provide a table comparing some of the more common control frameworks/rulesets.

Which control framework is the best?

What have your customers have asked for? Unless you are very proactive, you are likely beginning this search because a key customer has asked you to be compliant with XYZ framework. Although they are not the end all be all for this decision, if a customer is asking for a particular framework, this is a strong sign that the customer identified framework is the correct one to use.

What does your industry focus on? If you are proactive and beginning this search on your own – good for you! Do you provide a platform as a service, software as a service, manage a government resource? Refer to the table below for industries and focus for each framework.

How much time and monetary resources could you budget for implementation? Some frameworks are more intensive than others. Most of the frameworks cited below are for entities planning a comprehensive response to risks they identify and potentially to achieve independent attestation or certification. Between preparation, implementation, and testing, these efforts could take up to a year to achieve. If you are just looking for best practices, consider a web search instead.

Can I pick and choose from multiple frameworks?

Probably not. If your goal is compliance attestation or certification, you will need to adhere to a particular framework. If your goal is general company health and risk management, start by identifying the best fit framework. If there are acceptable/justifiable gaps between your risk assessment and objectives/criteria addressed in the framework, you may refer to multiple frameworks.

Who are the key stakeholders in this process?

There are two main reasons to adopt a control framework: customer growth/retention and risk mitigation (arguably the same reason). In response to this, your key stakeholders will be a mix of external and internal parties. The following are the main stakeholders that will be important to development of your program:

  • B2B customers who use your service – you will likely begin this process by looking at SLAs to determine your key commitments or reasons you are in business and then determining risks of achieving those objectives.
  • Governmental organizations that use your service – laws or regulations may be very specific on what you will need to adopt.
  • Company management, primarily those responsible for security, technology, customer experience and finance – these individuals will have the most insight into what risks the company faces, what current processes look like, and how best to mitigate deficiencies.
  • Company governance – the board of directors or owners will have ultimate responsibility for the security program.

Hopefully these points will help in your research. See below for a table comparing some of the more common control frameworks/rulesets. Feel free to reach out to Larson and Company with any questions!

Framework Comparison