KNOWLEDGE CENTER

Metrics & Frameworks

Explore key cybersecurity frameworks, control references, maturity models, and security metrics used to assess, benchmark, and strengthen enterprise security programs.

FRAMEWORK LIBRARY

Security Frameworks and Measurement References

Browse commonly used cybersecurity frameworks, standards, and control references with practical context on where they apply and how they support security assessment, compliance, and improvement.

Framework Index

Browse security standards, control models, and measurement references

10 references
01. CIS Critical Security Controls
Category: Security Controls | Technical Security | Control Framework

A prioritized set of cybersecurity controls used to reduce common attack paths and improve practical security maturity.

Best Used For: Security baseline and control maturity
Primary Audience: Security, IT, infrastructure, and audit teams
Tags: Controls | Security Baseline | Maturity

Overview

CIS Controls provide a practical control set that helps organizations prioritize security activities based on common attack techniques and operational risk.

Where It Applies

Useful for infrastructure reviews, endpoint hardening, configuration audits, security maturity assessments, and internal security improvement programs.

Key Areas

Asset inventory, vulnerability management, secure configuration, access control, audit logging, malware defense, incident response, and data protection.

Castellum Labs Usage

Can be mapped into configuration audit, infrastructure security assessment, cloud review, and control maturity reporting.

Practical takeaway: CIS is best when the client needs actionable controls, not just high-level governance language.
02. ISO/IEC 27001
Category: ISMS Standard | Governance | Management Standard

A globally recognized standard for establishing, maintaining, and improving an information security management system.

Best Used For: ISMS, audit readiness, governance, and risk management
Primary Audience: Leadership, risk, compliance, and security teams
Tags: ISMS | Governance | Compliance

Overview

ISO/IEC 27001 focuses on managing information security through policy, risk assessment, controls, responsibilities, and continual improvement.

Where It Applies

Best suited for organizations that need formal governance, certification readiness, customer assurance, and repeatable security management processes.

Key Areas

Security policy, risk treatment, access control, supplier security, incident management, asset protection, business continuity, and compliance.

Castellum Labs Usage

Can support gap assessments, audit preparation, security governance reviews, control mapping, and evidence readiness.

Practical takeaway: ISO 27001 is strongest when the client needs formal security governance and audit-ready structure.
03. NIST Cybersecurity Framework
Category: Cybersecurity Framework | Governance | Risk Framework

A flexible cybersecurity risk framework built around identifying, protecting, detecting, responding, and recovering from cyber risk.

Best Used For: Cybersecurity maturity and risk communication
Primary Audience: Security leadership, risk teams, and executives
Tags: Identify | Protect | Detect | Respond | Recover

Overview

NIST CSF helps organizations understand cybersecurity posture in a business-readable way across core security functions.

Where It Applies

Useful for board reporting, maturity assessments, cybersecurity program planning, risk scoring, and improvement roadmaps.

Key Areas

Identify, Protect, Detect, Respond, Recover, governance, risk visibility, asset management, and incident readiness.

Castellum Labs Usage

Can be used to structure security maturity dashboards, executive summaries, gap reports, and roadmap recommendations.

Practical takeaway: NIST CSF is ideal for explaining security posture to management without drowning them in control-level detail.
04. NIST SP 800-53
Category: Control Catalog | Compliance | Control Framework

A detailed catalog of security and privacy controls used for structured control assessment and compliance mapping.

Best Used For: Detailed control mapping and security assessment
Primary Audience: Security architects, auditors, and compliance teams
Tags: Security Controls | Privacy | Audit Mapping

Overview

NIST SP 800-53 provides a large catalog of controls covering governance, technical safeguards, monitoring, privacy, and system security.

Where It Applies

Useful when the client needs detailed control coverage, audit mapping, government-grade control references, or structured security assessment.

Key Areas

Access control, audit and accountability, configuration management, incident response, risk assessment, system integrity, and privacy controls.

Castellum Labs Usage

Can be mapped into control libraries, audit trackers, configuration audit checks, and enterprise security gap assessments.

Practical takeaway: Use NIST 800-53 when you need depth and control-level precision.
05. SOC 2 Trust Services Criteria
Category: Trust Criteria | Compliance | Assurance Framework

A control assurance framework focused on security, availability, confidentiality, processing integrity, and privacy.

Best Used For: Service organization control readiness
Primary Audience: SaaS, compliance, audit, and risk teams
Tags: SOC 2 | Trust Services | Audit

Overview

SOC 2 evaluates controls around security and trust services criteria, commonly used by SaaS and service organizations.

Where It Applies

Useful for organizations that need customer assurance, vendor due diligence readiness, CPA audit preparation, and evidence mapping.

Key Areas

Security, availability, confidentiality, processing integrity, privacy, access management, monitoring, vendor risk, and change management.

Castellum Labs Usage

Can be used for SOC 2 readiness assessments, evidence review, control evaluation, gap tracking, and audit support reporting.

Practical takeaway: SOC 2 is best for proving trust and operational control maturity to customers and auditors.
06. PCI DSS
Category: Payment Security | Compliance | Industry Standard

A payment security standard focused on protecting cardholder data and securing payment processing environments.

Best Used For: Cardholder data protection and payment security
Primary Audience: Payment, compliance, infrastructure, and application teams
Tags: Payment Security | Cardholder Data | Compliance

Overview

PCI DSS defines security requirements for organizations that store, process, or transmit cardholder data.

Where It Applies

Relevant for payment gateways, e-commerce systems, card processing environments, payment applications, and supporting infrastructure.

Key Areas

Network security, access control, vulnerability management, logging, secure development, encryption, monitoring, and cardholder data protection.

Castellum Labs Usage

Can support payment application testing, infrastructure assessment, segmentation review, and compliance readiness evaluation.

Practical takeaway: PCI DSS is not just paperwork; it demands real technical controls around payment data.
07. GDPR
Category: Privacy Regulation | Privacy | Regulatory Framework

A privacy regulation focused on personal data protection, lawful processing, data subject rights, and privacy governance.

Best Used For: Privacy governance and personal data protection
Primary Audience: Privacy, legal, compliance, and security teams
Tags: Privacy | Personal Data | Regulatory

Overview

GDPR defines privacy requirements for personal data processing, accountability, transparency, consent, security, and data subject rights.

Where It Applies

Relevant when organizations process personal data of EU residents or need privacy-aligned data governance and breach response.

Key Areas

Lawful processing, data minimization, privacy notices, breach notification, access rights, retention, processors, and security measures.

Castellum Labs Usage

Can support privacy control reviews, breach readiness, data protection gap assessments, and evidence mapping for privacy programs.

Practical takeaway: GDPR is strongest when privacy, security, and data governance must be connected clearly.
08. MITRE ATT&CK
Category: Threat Knowledge Base | Threat Modeling | Adversary Framework

A knowledge base of adversary tactics and techniques used for threat modeling, detection engineering, and security testing.

Best Used For: Threat mapping, detection coverage, and adversary simulation
Primary Audience: SOC, red team, threat intelligence, and detection teams
Tags: Threat Intel | Detection | Adversary TTPs

Overview

MITRE ATT&CK organizes adversary behavior into tactics, techniques, and procedures that help teams understand real-world attack patterns.

Where It Applies

Useful for detection engineering, red teaming, purple teaming, SOC coverage mapping, incident analysis, and threat intelligence reporting.

Key Areas

Initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and exfiltration.

Castellum Labs Usage

Can support attack simulation, detection coverage reviews, SOC maturity assessment, and threat-informed security testing.

Practical takeaway: MITRE ATT&CK helps convert threat intelligence into practical testing and detection logic.
09. OWASP ASVS
Category: Application Security | Verification Standard

An application security verification standard used to assess web and API security controls with structured requirements.

Best Used For: AppSec testing depth and secure application requirements
Primary Audience: Developers, AppSec teams, QA, and security testers
Tags: Web Security | API Security | Verification

Overview

OWASP ASVS provides detailed application security requirements that help standardize testing, verification, and secure design expectations.

Where It Applies

Useful for web application testing, API assessment, secure SDLC programs, application control reviews, and security acceptance criteria.

Key Areas

Authentication, session management, access control, validation, cryptography, error handling, data protection, API security, and configuration.

Castellum Labs Usage

Can strengthen AppSec test libraries, secure code review checklists, API testing methods, and application risk reporting.

Practical takeaway: OWASP ASVS is better than vague AppSec testing because it gives structured verification requirements.
10. OWASP SAMM
Category: AppSec Maturity | Application Security | Maturity Model

A software assurance maturity model used to evaluate and improve secure software delivery practices over time.

Best Used For: Secure SDLC maturity and AppSec program improvement
Primary Audience: Engineering, AppSec, governance, and product teams
Tags: Secure SDLC | Maturity | AppSec Program

Overview

OWASP SAMM helps organizations measure and improve software assurance practices across governance, design, implementation, verification, and operations.

Where It Applies

Useful for secure SDLC assessments, AppSec maturity reviews, product security roadmap planning, and engineering security governance.

Key Areas

Governance, design, implementation, verification, operations, policy, threat assessment, secure build, testing, and defect management.

Castellum Labs Usage

Can support AppSec maturity assessments, secure SDLC consulting, engineering security reviews, and roadmap development.

Practical takeaway: OWASP SAMM is best when the client needs to improve the AppSec program, not just test one application.
