Frameworks & Standards
Fluent in the standards that govern modern enterprise risk.
From control frameworks and zero-trust reference models to the converging EU regulatory landscape — applied across Banking, Aviation, Defence, Government, and Critical National Infrastructure.
Control & architecture frameworks
| Framework | Purpose | Where it applies |
|---|---|---|
| NIST CSF 2.0 | Risk-based cybersecurity outcomes across six functions: Govern, Identify, Protect, Detect, Respond, Recover (Feb 2024) | Enterprise-wide programme & board reporting |
| ISO/IEC 27001:2022 | Information security management system (ISMS) certification standard | Certification, audit, supplier assurance |
| NIST SP 800-207 | Zero Trust Architecture — identity-first, resource-centric security | Architecture & access design |
| CIS Controls | Prioritised, prescriptive technical safeguards | Hardening & baseline assurance |
| SABSA | Business-driven security architecture method | Security architecture & design authority |
| TOGAF | Enterprise architecture framework and method | Operating-model & enterprise design |
NIST CSF 2.0 added the Govern function and broadened scope to all organisations, not just critical infrastructure.
Regulatory & operational resilience
| Regulation | Scope | Status |
|---|---|---|
| DORA | Digital Operational Resilience Act — ICT risk, incident reporting, third-party oversight, resilience testing for EU financial entities | In force Jan 2025 |
| NIS2 Directive | Raised cybersecurity baseline & incident handling for essential/important entities and critical infrastructure | Transposing |
| GDPR | Personal data protection & breach notification | In force |
| ISO/IEC 27001:2022 | Shared risk-management foundation that DORA & NIS2 build on | Certifiable |
DORA builds on ISO/IEC 27001, NIS2, and GDPR rather than replacing them; the disciplines converge on ICT risk management and incident handling.
AI governance & emerging tech
| Standard | Purpose | Relevance |
|---|---|---|
| EU AI Act | Risk-tiered regulation of AI systems across the EU | AI adoption strategy & controls |
| ISO/IEC 42001 | AI management system (AIMS) — governance for responsible AI | Certifiable AI governance |
| NIST AI RMF | Voluntary framework to manage AI risk | AI risk identification & mitigation |
| Post-Quantum Readiness | Migration toward quantum-resistant cryptography | Forward-looking resilience |
CISOs increasingly manage the "regulatory collision" where NIS2, DORA, and the EU AI Act intersect on AI systems.
Applied outcomes
Standards in service of the business.
Frameworks are a means, not an end. Kai uses them to reduce risk, earn regulator trust, and unlock value.
Harmonised compliance
Consolidating overlapping obligations (DORA · NIS2 · ISO 27001) into a single, defensible control set.
Zero-trust resilience
Identity-first architectures aligned to NIST SP 800-207 that limit blast radius and lateral movement.
Responsible AI
Governance that lets the enterprise adopt AI with control — mapped to the EU AI Act and ISO 42001.
Put the frameworks to work.
Translate standards into a defensible, board-ready control posture.