With acronyms inside of acronyms and hundreds of pages of documentation, choosing a framework for a security controls assessment seems like a daunting task. NuHarbor Security has years of experience working with different controls frameworks, and we have laid out the basics of some of the major controls assessments to help you get started. This is not intended to be a comprehensive list but is a jumping-off point into the wonderful world of security controls frameworks.

What is a Controls Assessment?

A security controls assessment is a review of an organization’s security controls and is conducted either voluntarily or as part of a certification. They’re great for identifying gaps in security policy, implementing, and verifying current controls. A controls assessment is not a risk assessment, and you can find out more about the differences between the two here.

What is the purpose of a framework?

The framework provides standardized criteria for an objective point-in-time evaluation of an organization’s security controls. It is a set of requirements that help ensure your organization has your bases covered. A framework also helps identify gaps in your security program.

NIST 800-53

The National Institute for Standards and Technology (NIST) 800-53 framework applies to all U.S. federal information systems, excluding those related to national security. NIST 800-53 is an implementation of the Federal Information Security Management Act. Federal agencies are expected to be compliant with NIST 800-53 as well as private companies with federal contracts. NIST 800-53 is also a good fit for larger private organizations and should not be seen as only applicable to federal entities.

There are Three Phases to a NIST 800-53 Evaluation:

Document Review

First, the assessor gets a general understanding of your organization. They review security policies, procedures, and standards. It’s important that the assessor understands the structure and components of your organization. The first phase also helps develop contextually relevant questions for the next phase.

Staff interviews and limited assurance testing

Based on information gathered in the first phase, the assessor focuses on specific questions about your policies, procedures, and standards that were not addressed in the first phase. Limited assurance testing is used to spot-check that policies are in place and effective. Both aspects help the assessor get a detailed understanding of how your organization implemented controls.


The third phase involves the assessor identifying control gaps and compliance issues, and suggesting improvements based on the information gathered in the previous two phases. This is compiled into a report and is reviewed with your organization, answering any questions that may arise. NuHarbor NIST 800-53 evaluations are compiled into two main deliverables, one detailing control-specific concerns and suggestion and a high-level overview of the findings across multiple controls and control groups with broader recommendations.

If you think that NIST 800-53 would be a good fit for your organization, check out our article overviewing the process of a NIST 800-53 Security Assessment.

NIST Cybersecurity Framework (NCF)

Executive Order 13636, issued in 2013, called for a flexible security framework that could be adapted to different industries. NIST created the NIST Cybersecurity Framework (NCF) in 2014 to address the order. NIST 800-53 influenced the creation of NCF heavily, and there are many similarities between the two. The NCF is industry-agnostic and intended to guide a company based on their priorities and business risk model. NCF is a voluntary framework, and there are no requirements or mandatory controls. Because you can approach this framework from many directions, it is a great choice for programs with limited scope or budget.

Core Categories

The framework uses five “Core Categories” that reflect the high-level functions of an organization’s security program:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Implementation Tiers

The NCF uses “Implementation Tiers” to guide your organization in identifying an appropriate rigor of security based on your organization’s strategic goals and objectives. This allows your organization to define exactly what aspects of security to focus on, as well as identifying the extent that the controls are feasible to implement. This is particularly useful for small organizations with limited resources. Additionally, NCF can help uncover areas where your organization may be over-allocating resources, allowing for redistribution to weaker areas and increasing efficiency across the entire security program.

Framework Profiles

You can use NCF to create “Framework Profiles” to define your organizational requirements, risk, and resources. It’s helpful to create multiple profiles and to set goals. For example, you might start with one framework profile while targeting a second. The second profile is your reach goal and where you want your security program to grow towards.

Since the NCF is highly adaptive, it is great for organizations that do not quite fit into the more rigid frameworks like NIST 800-53 or PCI DSS. Check out our NFC QuickStart Guide if you think the framework is a good fit for your organization.


American Express, Discover, JCB, MasterCard, and Visa came together to develop a common data security standard in 2006, which they released as the Payment Card Industry Data Security Standard (PCI DSS). The standard helps companies that accept, process, store, or transmit credit card info, to ensure that the credit card information they process is secure. The industry developed PCI DSS “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.” If your organization interacts with credit card transactions, chances are good you should be PCI DSS compliant.

Control Groups

PCI DSS addresses the following 6 control groups:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Assessment methods

Depending on the merchant level and transaction volume of your organization, you may need to either submit a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ). If you are assessing PCI DSS voluntarily, you will most likely be using an SAQ. For determining which Self-Assessment Questionnaire to use, check out this article.

If your company deals with any aspect of credit card transactions, check out PCI DSS. You can find more information on PCI DSS on our PCI Compliance Services page.

The world of controls assessment frameworks can be confusing, but NuHarbor is here to guide you through the processes.

by: Hayley Froio

Information Assurance Team Member at NuHarbor Security

Follow us on Social Media for more information: