
1. Taxonomies, Framework Alignment, and the Importance of Catalog Properties

Baseline Taxonomies

Our catalogues are designed to support a variety of taxonomies derived from well-established industry standards and frameworks, ensuring consistency and interoperability across cybersecurity and risk management practices.

These include:


ENISA (European Union Agency for Cybersecurity)

ENISA provides cybersecurity guidance tailored to European regulatory and operational contexts. It publishes taxonomies for cyber threats, attack techniques, risk management methodologies and incident classification (for example, the ENISA Threat Taxonomy). These resources help organisations align with EU legislation such as the NIS2 Directive and the GDPR.


NIST (National Institute of Standards and Technology)

NIST publishes cybersecurity frameworks and guidelines that are widely adopted for risk management and compliance. The NIST Cybersecurity Framework (CSF) and NIST Special Publications (SP) such as SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) and SP 800-30 (Guide for Conducting Risk Assessments) define structured taxonomies for threats, vulnerabilities, risk impacts and mitigation strategies.


ISO (International Organization for Standardization)

ISO develops globally recognised standards across many industries, including cybersecurity. Key standards such as ISO/IEC 27001 (requirements for information security management systems) and ISO 31000 (risk management guidelines) provide structured taxonomies for classifying security controls, risk categories and governance practices.


SABSA (Sherwood Applied Business Security Architecture)

SABSA is a security architecture and risk management framework that aligns security decisions with business objectives. It provides structured taxonomies for security domains, risk categories, governance models and control objectives, helping organisations build security architectures that integrate with enterprise business processes.


VERIS (Vocabulary for Event Recording and Incident Sharing)

VERIS is a structured framework for categorising cybersecurity incidents consistently. Developed by Verizon, it underpins the VERIS Community Database (VCDB) and the Verizon Data Breach Investigations Report (DBIR). VERIS defines taxonomies for threat actors, attack actions, affected assets, impact categories and incident attributes, which makes it a valuable basis for cybersecurity analytics and reporting.



These taxonomies provide the foundation for aligning catalogues with industry best practices and regulatory requirements. You have the flexibility to:

  • Display or hide specific taxonomies.
  • Modify, maintain, and reorder them to suit your organisation's priorities and strategic focus.

This flexibility is crucial for several reasons:

  • Customisation: Tailor catalogues to reflect your organisation's unique needs, processes, and goals.
  • Scalability: Adapt catalogues seamlessly as your organisation grows or evolves.
  • Alignment: Maintain consistency with industry standards and meet regulatory requirements.
  • Efficiency: Streamline workflows by centralising essential parameters in one unified system.

Framing catalogues

By aligning taxonomies and catalogue properties with your organisation's strategy, business objectives and operational processes, the CSFaaS framework can be fitted to your specific requirements. This supports compliance and efficiency and lets the catalogues drive strategic outcomes rather than merely record them.

To manage your catalogues and align them with your business goals and objectives, navigate to the "Properties" menu and edit each catalogue individually by clicking its "Edit" button.
