Use this cheat sheet to quickly match popular cybersecurity frameworks and regulations to the industries that rely on them. Each entry includes a short description to help you pick the right control set for audits, assessments, or roadmap planning.
At a Glance
| Framework / Standard | Primary Industry / Sector | Brief Description |
|---|---|---|
| ISO 27001 | Finance, healthcare, IT, government | International standard for establishing, implementing, maintaining, and continually improving an ISMS (information security management system). |
| NIST Cybersecurity Framework (NIST CSF) | Critical infrastructure (energy, healthcare, finance, transportation) | Risk-based guidance organized around Identify, Protect, Detect, Respond, and Recover functions. |
| HIPAA | Healthcare providers, health plans, clearinghouses | U.S. regulation protecting the privacy and security of protected health information (PHI). |
| PCI DSS | Merchants, financial institutions, payment processors | Security standard for safeguarding cardholder data and reducing payment card fraud. |
| GDPR | Any organization handling EU residents’ personal data | EU regulation granting data privacy rights and setting obligations for data controllers and processors. |
| CIS Controls | Organizations of all sizes and sectors | Prioritized set of practical security controls to defend against common cyberattacks. |
| HITRUST CSF | Healthcare organizations and business associates | Certifiable framework that harmonizes requirements from HIPAA, NIST, ISO, and others. |
| COBIT | All industries | IT governance and management framework aligning technology with business objectives. |
| NERC CIP | Electric utilities, power generation companies | Standards for protecting the bulk electric system in North America. |
| FISMA | U.S. federal agencies and contractors | U.S. law requiring comprehensive information security programs for federal information and systems. |
| SOC 2 | SaaS providers, managed service providers, data centers, cloud platforms | Attestation report evaluating controls against Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. |
| CCPA | Businesses collecting personal information from California residents | California law providing consumer data privacy rights and business obligations. |
| CISA Telecoms Framework | U.S. telecommunications providers | Guidance and best practices for securing telecommunications infrastructure and services. |
| NIST SP 800-53 | U.S. federal agencies and organizations | Catalog of security and privacy controls for federal information systems and organizations. |
| NIST SP 800-171 | Non-federal organizations handling CUI | Requirements to protect controlled unclassified information (CUI) for the U.S. government. |
| UK Telecoms (Security) Act 2021 | Telecommunications companies operating in the United Kingdom | Legal obligations to strengthen security and resilience of UK telecom networks. |
How to Use This Cheat Sheet
- General maturity: Start with ISO 27001 or NIST CSF for a broad security program.
- Industry specifics: Apply HIPAA/HITRUST for healthcare, PCI DSS for payments, and NERC CIP for energy.
- Privacy: Map your data practices to GDPR and CCPA obligations.
- Cloud & services: Use SOC 2 to demonstrate assurance to customers and partners.
Notes & Caveats
- Frameworks are complementary—organizations often implement more than one.
- Scope and applicability depend on your data types, geography, and contractual obligations.
- Always consult current official documentation before audits or certifications.
Last updated: August 2025.
Techy Chalkboard in bits and pieces 