Process Framework for Cybersecurity
Cybersecurity operates through structured, repeatable processes — not ad hoc responses — and the frameworks that govern those processes determine whether an organization can detect, contain, and recover from threats within operationally viable timeframes. This page maps the major process frameworks applied across US cybersecurity practice, including NIST CSF 2.0, ISO/IEC 27001, and CIS Controls v8, tracing their phases, entry conditions, handoff logic, and decision gates. Understanding framework mechanics is foundational to the conceptual overview of how cybersecurity works and connects directly to regulatory obligations enforced by federal agencies including CISA, FTC, and HHS. Readers unfamiliar with core terminology should consult the cybersecurity terminology and definitions reference before proceeding.
Phases and Sequence
Every major cybersecurity process framework organizes work into discrete, sequenced phases. The three frameworks most referenced in US regulatory guidance each define phase structure differently, creating meaningful classification boundaries.
NIST Cybersecurity Framework (CSF) 2.0, published by the National Institute of Standards and Technology in 2024, organizes activity into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The addition of "Govern" in version 2.0 — absent from CSF 1.1 — elevated organizational risk management strategy to a first-class phase, placing policy accountability before technical controls.
ISO/IEC 27001:2022 structures its process through the Plan-Do-Check-Act (PDCA) cycle applied to an Information Security Management System (ISMS). The standard, maintained by the International Organization for Standardization, requires organizations to establish context, define scope, conduct risk assessment, select controls from Annex A (93 controls in the 2022 revision, reduced from 114 in the 2013 edition), implement those controls, monitor performance, and drive continual improvement.
CIS Controls v8, published by the Center for Internet Security, groups 18 control categories into three Implementation Groups (IG1, IG2, IG3) based on organizational risk profile. IG1 covers 56 safeguards considered essential hygiene for all organizations; IG3 adds advanced controls applicable to high-risk environments.
The sequencing distinction matters practically: NIST CSF is function-based and non-prescriptive, suitable for framework mapping; ISO 27001 is audit-certifiable and prescriptive; CIS Controls are implementation-ordered and measurable. Organizations commonly use NIST CSF as a communication layer mapped to CIS Controls as implementation specifics.
National Cybersecurity Authority provides framework comparison resources that clarify which standards apply to specific sectors and organizational sizes. Information Security Authority covers the documentation and policy layer that underpins ISMS implementation across framework types.
For sector-specific phase structures, Cloud Compliance Authority addresses how NIST and ISO 27001 phases adapt for cloud-hosted infrastructure, where shared responsibility models alter control ownership at each phase. Cyber Compliance Authority maps compliance obligations — including FTC Safeguards Rule and state-level requirements — to specific framework phases.
Entry Requirements
No framework phase can begin without defined entry conditions. Entering a phase without satisfying prerequisites produces incomplete outputs that cascade into downstream failures.
For NIST CSF, the Govern function requires documented executive accountability — specifically, a named risk owner and an approved risk tolerance statement. Without those, the Identify function cannot produce a risk register that reflects actual organizational priorities.
For ISO 27001, the Context stage (Clause 4) requires identification of interested parties and applicable legal requirements before scope definition. Organizations operating in California must account for the California Consumer Privacy Act (CCPA); those handling health data must address HIPAA Security Rule requirements at 45 CFR Part 164. Entering the risk assessment phase without completing the legal requirements inventory produces an ISMS with unaddressed control gaps.
Entry requirements by phase type:
- Asset inventory completion — required before any risk assessment phase in NIST CSF (Identify), ISO 27001 (Clause 8.1), and CIS Controls (Controls 1 and 2, which are foundational prerequisites to all others).
- Threat intelligence baseline — required before Protect and Detect phases; CISA's Known Exploited Vulnerabilities Catalog provides a minimum threat reference baseline.
- Stakeholder authorization — ISO 27001 Clause 5.1 requires demonstrable top management commitment before ISMS implementation begins.
- Regulatory scope determination — organizations subject to NERC CIP (energy sector), CMMC (defense contractors), or PCI DSS (payment card) must map sector-specific requirements before selecting control frameworks.
Code Compliance Authority covers software development entry requirements, including secure development lifecycle gates required under frameworks like NIST SP 800-218 (Secure Software Development Framework). Application Security Authority addresses pre-deployment security requirements at the application layer, including OWASP ASVS verification levels as entry criteria for production release.
State-level entry requirements differ by jurisdiction. California Security Authority documents CPPA and CCPA compliance prerequisites. New York Security Authority covers NYDFS Cybersecurity Regulation (23 NYCRR 500) entry requirements, including the certification obligation under Section 500.17. Texas Security Authority addresses Texas Identity Theft Enforcement and Protection Act provisions and their interaction with federal framework entry conditions.
Handoff Points
Handoff points are the formal transitions between phases where outputs from one phase become mandatory inputs to the next. Poorly defined handoffs are among the most common root causes of framework implementation failure.
NIST CSF handoff sequence:
- Govern → Identify: Risk tolerance statement authorizes risk register scope.
- Identify → Protect: Asset inventory and risk register authorize control selection.
- Protect → Detect: Implemented controls define the detection baseline (what deviations from protected state trigger alerts).
- Detect → Respond: Confirmed incidents trigger incident response plan activation.
- Respond → Recover: Containment completion authorizes recovery initiation.
- Recover → Govern/Identify: Post-incident lessons learned feed back into risk register updates.
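The handoff sequence above can be checked mechanically: each function may only start once the artifacts the previous function was supposed to produce actually exist. The following is an added illustration, not code from the page or from NIST; the artifact names (`risk_tolerance_statement`, `asset_inventory`, and so on) and the `Program` class are assumptions chosen to mirror the list above, and `lessons_learned` is the assumed artifact carried by the Recover → Govern/Identify feedback loop.

```python
"""Handoff validator for the NIST CSF 2.0 function sequence (added example).

A transition is permitted only when the artifacts the earlier function produced
are present; a missing artifact blocks the handoff and is reported so the gap is
visible rather than silently carried downstream.
"""
from dataclasses import dataclass, field

# Functions in their nominal order; Recover loops back to Govern or Identify.
FUNCTIONS = ["Govern", "Identify", "Protect", "Detect", "Respond", "Recover"]

# Artifacts required before each function may start (assumed names, not CSF terms).
PREREQUISITES = {
    "Govern": set(),
    "Identify": {"risk_tolerance_statement", "named_risk_owner"},
    "Protect": {"asset_inventory", "risk_register"},
    "Detect": {"implemented_controls", "detection_baseline"},
    "Respond": {"confirmed_incident", "incident_response_plan"},
    "Recover": {"containment_complete"},
}


@dataclass
class Program:
    """State of one organisation's progress through the six functions."""
    artifacts: set = field(default_factory=set)
    current: str = "Govern"
    log: list = field(default_factory=list)

    def produce(self, *names):
        """Record artifacts produced by the current function."""
        self.artifacts.update(names)

    def next_targets(self):
        """Functions reachable from the current one (Recover feeds back)."""
        if self.current == "Recover":
            return ["Govern", "Identify"]
        return [FUNCTIONS[FUNCTIONS.index(self.current) + 1]]

    def missing_for(self, target):
        """Artifacts still required before `target` may begin."""
        required = set(PREREQUISITES[target])
        if self.current == "Recover":
            # The feedback loop carries post-incident lessons into the next cycle.
            required.add("lessons_learned")
        return sorted(required - self.artifacts)

    def advance(self, target):
        """Attempt the handoff into `target`; returns (ok, missing_artifacts)."""
        if target not in self.next_targets():
            raise ValueError(f"{self.current} cannot hand off to {target}")
        missing = self.missing_for(target)
        if missing:
            self.log.append(f"BLOCKED {self.current}->{target}: missing {missing}")
            return False, missing
        self.log.append(f"OK {self.current}->{target}")
        self.current = target
        return True, []


def run_demo():
    """Walk one full cycle, deliberately attempting a premature handoff first."""
    p = Program()
    p.advance("Identify")  # blocked: no risk owner or tolerance statement yet
    p.produce("named_risk_owner", "risk_tolerance_statement")
    p.advance("Identify")
    p.produce("asset_inventory", "risk_register")
    p.advance("Protect")
    p.produce("implemented_controls", "detection_baseline")
    p.advance("Detect")
    p.produce("confirmed_incident", "incident_response_plan")
    p.advance("Respond")
    p.produce("containment_complete")
    p.advance("Recover")
    p.produce("lessons_learned")
    p.advance("Identify")  # feedback loop into the next cycle
    return p


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry)
```

The first `advance("Identify")` fails because the Govern outputs do not exist yet, which is exactly the cascade the Entry Requirements section warns about; the remaining handoffs succeed only after each function records its outputs.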
ISO 27001 handoff:
The risk treatment plan (output of Clause 8.2) is the central handoff artifact. It connects risk assessment results to Statement of Applicability (SoA) selections, and the SoA then authorizes implementation activity. Auditors examine the SoA as the primary evidence artifact during certification audits.
Cyber Audit Authority provides structured guidance on audit evidence requirements at each handoff point, including what documentation survives external scrutiny. Network Audit Authority covers the specific handoff documentation required when network infrastructure controls transition between design and operational phases.
For cloud environments, handoff points require explicit shared responsibility mapping. Cloud Security Authority covers how handoffs work when the cloud service provider controls infrastructure layers and the customer controls application and data layers. Cloud Defense Authority addresses threat detection handoffs in multi-cloud architectures where alert aggregation crosses provider boundaries.
Encryption Authority addresses the handoff between key management lifecycle phases — generation, distribution, storage, rotation, and destruction — which must align with NIST SP 800-57 requirements for cryptographic key management. Data Security Authority covers data classification handoffs, where classification outputs from the Identify phase authorize data handling controls in the Protect phase.
Endpoint Security Authority maps handoff points in endpoint detection and response (EDR) workflows, where detection alerts must transfer to response teams within defined SLA windows. Network Security Authority covers network segmentation handoffs between architecture design and operational enforcement.
Decision Gates
Decision gates are binary checkpoints — pass or fail — that determine whether a phase can proceed, must iterate, or must escalate. Unlike phase transitions, decision gates involve explicit judgment: a named authority reviews defined criteria and makes a documented determination.
Gate Type 1: Risk Acceptance Gate
At the completion of risk assessment (ISO 27001 Clause 8.2 / NIST CSF Identify function), a risk owner must formally accept, transfer, mitigate, or avoid each identified risk above the defined risk tolerance threshold. Risks cannot proceed to treatment planning without a documented disposition. NIST SP 800-39 defines these four risk response categories, which are used across US federal frameworks.
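The gate described above reduces to a simple, auditable check over the risk register: every risk scoring above tolerance needs a named owner and one of the four NIST SP 800-39 responses, and anything else blocks the transition to treatment planning. The code below is an added example, not the page's or any framework's own tooling; the 1 to 5 likelihood and impact scale, the `score = likelihood × impact` formula, the tolerance value of 9 and the register entries are all constructed assumptions for illustration.

```python
"""Risk Acceptance Gate evaluator (added example with a constructed register).

A risk above tolerance passes the gate only when it carries a named owner and a
documented response from the four NIST SP 800-39 categories. The gate reports
every blocking risk rather than stopping at the first, so the owner can clear
them in one review.
"""
from dataclasses import dataclass
from typing import Optional

# The four risk response categories named in NIST SP 800-39.
RESPONSES = {"accept", "transfer", "mitigate", "avoid"}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int              # assumed 1-5 scale
    impact: int                  # assumed 1-5 scale
    owner: Optional[str] = None  # named risk owner
    response: Optional[str] = None

    @property
    def score(self) -> int:
        # Assumed scoring: likelihood times impact, 1..25.
        return self.likelihood * self.impact


def evaluate_gate(register, tolerance):
    """Return (passed, blocking) where blocking maps risk_id -> reason."""
    blocking = {}
    for r in register:
        if r.score <= tolerance:
            continue  # within tolerance: no disposition required at this gate
        if r.owner is None:
            blocking[r.risk_id] = "no named risk owner"
        elif r.response not in RESPONSES:
            blocking[r.risk_id] = f"invalid or missing response: {r.response!r}"
    return (not blocking), blocking


def cleared_for_treatment(register, tolerance):
    """Risk ids that may proceed to treatment planning once the gate passes."""
    passed, _ = evaluate_gate(register, tolerance)
    if not passed:
        return []
    return [r.risk_id for r in register if r.score > tolerance]


# Constructed sample register; descriptions are illustrative only.
TOLERANCE = 9
SAMPLE_REGISTER = [
    Risk("R-1", "Unpatched internet-facing VPN appliance", 5, 4, "CISO", "mitigate"),
    Risk("R-2", "Vendor holds backups without encryption", 3, 5, "IT Director"),
    Risk("R-3", "Stale guest Wi-Fi password", 2, 2),
    Risk("R-4", "Legacy application lacks MFA", 3, 4, "App Owner", "defer"),
]


def demo():
    """Evaluate the sample register; returns (passed, blocking)."""
    return evaluate_gate(SAMPLE_REGISTER, TOLERANCE)


if __name__ == "__main__":
    passed, blocking = demo()
    print("PASS" if passed else "FAIL")
    for rid, reason in blocking.items():
        print(f"  {rid}: {reason}")
```

On the sample register the gate fails: R-2 has an owner but no documented response, and R-4 uses "defer", which is not one of the four categories. R-3 scores 4, below the tolerance of 9, so it needs no disposition at this gate, and R-1 is fully dispositioned.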
Gate Type 2: Control Effectiveness Gate
Before transitioning from Protect to Detect phases, implemented controls must be tested against defined effectiveness criteria. CIS Controls v8 Safeguard 18.1 requires the establishment of a penetration testing program to validate control effectiveness. Penetration Testing Authority covers the structured methodology for penetration testing as a decision gate mechanism, including scoping, rules of engagement, and pass/fail criteria.
Gate Type