Why applying a framework well beats chasing the next one

August 28, 2025

Every year, a new cybersecurity or privacy framework is released – or an existing one gets updated. This month it’s ISO/IEC 27018:2025: the global standard for protecting personally identifiable information (PII) in public cloud environments. Important? Yes. And, like many new frameworks, it immediately sparks a recurring set of questions:

  • “Are we legally or contractually required to adopt this?”
  • “Does this overlap with what we already do, and does it introduce administrative work?”
  • “Will customers, partners, and/or investors care if we adopt it?”

In most cases, the answer is: you don’t need to switch – you need to apply what you already have.

Paper and practice

ISO 27001, NIST CSF, ISO 31000 – they overlap more than they differ. At their core, they all say the same thing: know your assets, understand your risks, manage them systematically, and keep improving.

The problem isn’t in adding the wrong framework. It’s that too many organizations stop at certificates and documents, without translating those fundamentals into daily practice.

We see this often: companies show an ISO 27001 certificate, a neatly formatted Statement of Applicability, and a risk register. Yet in reality, controls aren’t linked to actual threats, and risk-based decision-making is absent.

The usual response? Reach for another framework.

Our take: Stop Stacking. Start Applying.

It’s tempting to bolt on NIST CSF, experiment with FAIR, or start a 31000-inspired risk process on top of ISO 27001. But without embedding any of them into your daily decision-making, you’re just piling frameworks on top of frameworks.

A framework doesn’t lead to security or resilience on its own. How you apply it does.

It’s not that these frameworks are wrong. They’re useful, if used properly. Simply adopting more frameworks will not fix a lack of clarity, accountability, or execution.

What proper application looks like

Using a framework properly means it doesn’t just live on your organization’s shared drive. It shows up in how teams work. Controls align with how systems are built and maintained. Decisions about risk aren’t theoretical – they’re linked to real operations, data, systems, and consequences.

In a well-applied framework, the inventory isn’t a static spreadsheet; it’s dynamic and validated against what is actually running. Risk isn’t meant to be abstract; it’s used to drive actual prioritization. For instance, when a new cloud system is deployed, someone checks whether it falls within the documented responsibilities under ISO 27018. When AI tooling is added, someone asks: who approved this, what data is it using, and what access does it have?

Most importantly, people across the organization understand the framework – not in technical terms, but in practice. They know where their responsibilities begin and end.

Instead of expanding, refactoring

Up to this point, we’ve explained our thoughts on why adding new frameworks doesn’t solve the real issue: most organizations don’t apply the ones they already have. Certificates and policies may exist on paper, but without real enforcement, accountability, and integration into daily work, they add little value.

So where do you start fixing that? By asking a few questions about your current implementation – questions that expose whether it’s embedded in practice or just living in documents:

  • Are your ideas about governance aligned with the organization’s direction, and are they adding business value?
  • Are your policies actively enforced – and can you prove it through audits or evidence?
  • Do business owners contribute to risk assessments, or is it only a security exercise?
  • Are findings, follow-ups, and exceptions logged, tracked, and closed – or do they fade away?

If the answers aren’t clear, we can assure you it’s not a framework problem. It’s an application problem – and addressing that is the first step forward.

Recognize any gaps? Here’s how we can help.

If you’ve spotted gaps while reading this, you don’t have to tackle them alone. We work alongside organizations as consultants, analysts, and virtual CISOs – but those are just the roles. The real outcome is what matters: becoming not only compliant, but secure, resilient, and ideally anti-fragile – stronger every time you’re tested.

Want to find out more? Drop us a message via Skuridat.com, we’re happy to assist.

Securing digital assets against an ever-expanding threat horizon.

We research emerging security topics to stay ahead of evolving threats and inform our solutions.