by Beached 1071 days ago
they are popular because of insurance, law, and regulations. it's hard to measure a corp's security posture in a way that can apply to everyone and everything. read them, know them, and if you are required to, meet them. but don't think for a second having all the boxes ticked gets you secure.

in fact I would suggest CIS controls over NIST and ISO for pretty much everyone, but nothing beats knowing your environment inside and out, and striving for 100% visibility.

One indicator of the intellectual bankruptcy of this article's summary is the equivalence it draws between NIST's framework (which is really just an index of other frameworks), ISO 27001 (a certification), and PCI (a domain-specific audit program). It's an incoherent way to think about frameworks, even if you think there's value in them (I think it's probably clear to everybody that I don't).