Quiz Entry - updated: 2026.07.14
What's the difference between a standard and a framework?
A standard says "you must do X" with specific requirements; a framework says "here's how to think about the problem" with general practices.
| Standard | Framework | |
|---|---|---|
| Tone | Best practice, prescriptive | General good practice, descriptive |
| Specificity | Specific requirements | Allgemeine Prinzipien |
| Verification | Can be audited / certified | Hard to verify, often used as guidance |
| Example | ISO/IEC 27001 (you must do clause X) | NIST CSF (consider identifying, protecting, detecting, …) |
Why this matters in audits: You get certified against a standard; you measure maturity against a framework. NIST-CSF has no certification because it's a framework — but you can score yourself against its Tiers (1–4).
Tip: Mixing them up is a common mistake. "We're NIST-CSF compliant" is meaningless because there's nothing to be compliant with. "We're ISO 27001 certified" is meaningful because an accredited auditor verified clause-by-clause adherence.
Go deeper:
NIST Cybersecurity Framework (official) — the archetypal framework: descriptive outcomes with no certification, the opposite of a shall-based standard.
ISO/IEC 27001 (Wikipedia) — the archetypal certifiable standard you can be audited clause-by-clause against.