Why a Framework
Minimum Viable Security keeps the business out of immediate danger. But MVS is deliberately incomplete — it covers the floor, not the ceiling. The question that follows is: what comes next, and in what order?
Evidence-based frameworks answer that question. Models like NIST CSF, CIS Controls, and ISO 27001 represent decades of collective learning from thousands of organizations across every industry. They define what a comprehensive security program looks like, organized into domains that can be assessed, measured, and improved over time.
Adopting a framework does three things for your organization. It provides a growth roadmap that extends beyond MVS into the full spectrum of security capabilities. It gives you a common language for discussing security maturity — internally, with auditors, with the board, and with customers. And it creates a measurement system that tracks real progress rather than relying on subjective assessments of whether the program is “good enough.”
Choosing the Right Framework
There is no universally correct framework. The right choice depends on your business, your market, and your regulatory environment.
NIST Cybersecurity Framework (CSF) is the most widely adopted in the United States, particularly among technology companies and organizations that want a flexible, risk-based model. NIST CSF 2.0 organizes security into six functions — Govern, Identify, Protect, Detect, Respond, and Recover — and is designed to be adapted to any organization’s size and complexity.
CIS Controls provide a more prescriptive, prioritized list of specific security actions. They are well-suited to organizations that want concrete technical guidance and a clear implementation sequence.
ISO 27001 is the international standard and carries certification weight. It is common in organizations with global operations or those operating in markets where ISO certification is a customer or regulatory expectation.
Other frameworks exist — COBIT, SOC 2 Trust Services Criteria, industry-specific models — and your organization may adopt more than one. The important thing is that you pick one as your primary lens for measuring maturity and driving investment, and you commit to it.
Enterprise vs. Product Maturity
For many organizations — particularly technology companies — a single maturity assessment across the entire business does not tell the full story. The security posture of your enterprise IT environment (corporate systems, employee endpoints, internal infrastructure) may be at a very different maturity level than your product environment (customer-facing applications, SaaS platforms, APIs).
This is not a failure. It is a structural reality of how technology businesses are built. The framework should accommodate this. Assess and rate maturity separately where the business structure demands it, and set improvement targets that reflect the actual risk and investment priorities for each track. The framework itself remains the common language — but the maturity scores and roadmaps may diverge.
The Framework Builds on MVS
Everything in Minimum Viable Security maps to controls within your chosen framework. MVS is a subset — the prioritized starting point that addresses the most urgent gaps. The framework is the complete picture.
As MVS stabilizes, the framework takes over as the primary driver of security investment and improvement. It defines the domains you have not yet addressed (application security, incident response, data protection, supply chain risk, and others), provides the structure for assessing where you stand in each, and produces the roadmap for closing the gaps — prioritized by your risk program.
Measuring Progress
A framework without measurement is just a document. The value of adopting an evidence-based model is that it gives you a structured way to track maturity over time.
Maturity assessments should be conducted at a regular cadence — annually at minimum, with interim assessments for domains undergoing active investment. The results should be reportable: a board director should be able to see where the program was 12 months ago, where it is today, and where it is headed.
Be honest in your assessments. Inflated maturity scores protect no one. The goal is an accurate picture of where you stand, so that investment decisions are made against reality.
The Evidence-Based Framework is the second pillar of the Security Operating Model. Need help selecting a framework or assessing your current maturity? Contact us.