LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the difference between a standard and a framework?

A standard says "you must do X" with specific requirements; a framework says "here's how to think about the problem" with general practices.

Standard Framework
Tone Best practice, prescriptive General good practice, descriptive
Specificity Specific requirements Allgemeine Prinzipien
Verification Can be audited / certified Hard to verify, often used as guidance
Example ISO/IEC 27001 (you must do clause X) NIST CSF (consider identifying, protecting, detecting, …)

Why this matters in audits: You get certified against a standard; you measure maturity against a framework. NIST-CSF has no certification because it's a framework — but you can score yourself against its Tiers (1–4).

Tip: Mixing them up is a common mistake. "We're NIST-CSF compliant" is meaningless because there's nothing to be compliant with. "We're ISO 27001 certified" is meaningful because an accredited auditor verified clause-by-clause adherence.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026