The Information Security Model and the guidance Pragmentum draws on come largely from three widely used methods for managing cyber security:
– the ISACA Information Security Management model,
– the NIST Cyber Security Framework (CSF), and
– the CIS Controls.
The ISACA Domains
for Information Security Management

Governance
Controlling your program
Establishes the cybersecurity strategy, policies, and accountability framework to align security with business objectives and regulatory requirements.
Risk Management
Managing your asset’s risk
Identifies, evaluates, and mitigates cybersecurity risks to protect assets, ensuring informed decision-making and resilience.
The Program
How you protect your business
Designs, implements, and maintains the cybersecurity program, integrating controls, resources, and best practices to safeguard the organization.
Incident Response and Recovery
How you respond and recover
Prepares for, detects, and responds to security incidents, ensuring swift containment, investigation, and recovery to minimize impact and cost.
The NIST CSF
National Institute of Standards and Technology
Cyber Security Framework – used globally.

Identify
Catalog your assets
Understand and manage cybersecurity risks by identifying assets, vulnerabilities, and business impacts.
Protect
Implement controls
Implement safeguards, such as access controls and encryption, to secure assets and maintain operations.
Detect
Monitor for activity
Continuously monitor systems to quickly identify cybersecurity events and anomalies.
Respond
Develop a response plan
Take action against detected threats, containing incidents and mitigating damage.
Recover
Build recovery capability
Restore systems, data, and services after an incident to ensure business continuity and resilience.
Govern
The right amount of control for the program
Ensures that the cyber security program aligns with business objectives, legal requirements, and risk management. It covers leadership accountability, policies, roles, and oversight to drive a strong security culture and informed decision-making.

Top 18 Controls
The CIS Top 18 Controls (formerly the Top 20) are a prioritized set of cyber security best practices developed by the Center for Internet Security (CIS) to help organizations improve their cyber security posture.
They are designed to be:
- Actionable — clear steps to reduce risk
- Prioritized — most impactful controls come first
- Vendor-neutral — applicable to all environments
They are grouped into three implementation groups (IGs) based on organizational size, resources, and risk:
- IG1 (basic): For small to medium-sized businesses
- IG2: For organizations with moderate complexity and resources
- IG3: For large or high-risk enterprises
The 18 controls are arranged in a logical order of implementation — from understanding assets, to protecting data, to detecting and responding to threats.