> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/google-cybersecurity-professional-cert/2.-play-it-safe-manage-security-risks/the-relationship-between-frameworks-and-controls.md).

# The relationship between frameworks and controls

#### The Relationship Between Frameworks and Controls: An ADHD-Friendly Guide

Alright, let’s break this down in a way that’s easy to digest, kinda like snack-sized info bites! Imagine you’re building a security fortress for an organization. You’ve got the **blueprints** (frameworks) and the **actual defenses** (controls). The goal? Keep the treasure (your data) safe from thieves (cyber threats).

***

#### Frameworks vs. Controls: What’s the Deal?

Think of **security frameworks** as **guidelines**—they’re the master plan. They show you how to *design* your security defenses. On the other hand, **security controls** are the **actual defenses** you put in place to guard your treasure. These are the locks, gates, alarms, or the people guarding the doors. Let’s say you’re protecting your personal bank account; the framework tells you to secure your money, and the controls are things like **multi-factor authentication (MFA)** or **passwords** to keep bad guys out.

#### A Real-Life Example

In healthcare, there’s this law called **HIPAA** (Health Insurance Portability and Accountability Act), which is like a set of rules hospitals follow to make sure your medical data stays safe. A framework helps hospitals stick to those rules. One control they use? MFA—so when a doctor logs in to see your health records, they need a password *and* a second method of verification, like a fingerprint. That's a double layer of security!

***

#### Specific Frameworks and Controls

Now, let’s check out a few specific frameworks and controls—these are like different blueprints and security tools you can pick from.

***

**Cyber Threat Framework (CTF)**

CTF is like a **universal translator** for cybersecurity geeks! It was made by the U.S. government to help everyone describe cyber threats using the same language. Imagine you’re on a spaceship and need to explain to your crew the alien threat coming your way. The CTF helps everyone on the team understand what’s happening—no matter their background—so you can defend yourselves faster!

***

**ISO/IEC 27001**

This one’s like the **global playbook** for security. Companies all around the world use it to manage their valuable data, like secret recipes or employee records. It’s flexible too! It doesn’t force you to use specific tools, but it gives you a list of good options (controls) to protect your treasure. ISO/IEC 27001 is your international toolkit for staying safe.

***

#### What Are Controls?

Think of **controls** as the **defense mechanisms** that actually stop bad stuff from happening. These can be broken down into three categories:

1. **Physical Controls** (defend the *real world* places)
   * Gates, fences, and locks
   * Security guards
   * Surveillance cameras (CCTV)
   * Key cards to enter restricted areas
2. **Technical Controls** (defend the *digital* space)
   * Firewalls (like digital moats around your castle)
   * MFA (requiring two forms of ID)
   * Antivirus software (defender against bugs and viruses)
3. **Administrative Controls** (defend through *rules* and *policies*)
   * Separation of duties (making sure no one has *too* much power)
   * Authorization (deciding who gets access to what)
   * Asset classification (labeling your treasure—what’s top-secret vs. what’s not)

***

#### TL;DR (Too Long; Didn’t Read):

**Frameworks** are like the **blueprints** for your security strategy, and **controls** are the **tools** and **defenses** you use to make that strategy real. Together, they create a solid defense system to protect your organization’s most valuable assets from threats. It's kinda like using the perfect combo of an umbrella (control) and a weather app (framework) to stay dry in the rain!

***

#### Quick Quiz for You!

Before we move on, let me check your understanding:

1. Can you think of a security control you use in your daily life? (Hint: Maybe something on your phone or computer!)
2. How would you describe the difference between a **framework** and a **control** in one sentence?

Answer these, and we’ll make sure you’re all set before we dive deeper into how these frameworks and controls really work in the wild!
