An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment. These frameworks act as “blueprints” for building an information security program to manage risk and reduce vulnerabilities. Information security pros can utilize these frameworks to define and prioritize the tasks required to build security into an organization.
Frameworks are often customized to solve specific information security problems. There are frameworks that were developed for specific industries as well as different regulatory compliance goals. They also come in varying degrees of complexity and scale. You will find that there is a large amount of overlap in general security concepts as each one evolves.
NIST SP 800-*
The choice to use a particular IT security framework can be driven by multiple factors. The type of industry or compliance requirements will be the deciding factors. Publicly traded companies will probably use COBIT in order to comply with Sarbanes-Oxley. The ISO 27000 series is the master of the information security frameworks and is applicable in any industry; however, the implementation process can be long and involved. It is best used where the company needs to market information security capabilities through the ISO 27000 certification. NIST SP 800-53 is the standard required by U.S. federal agencies and can also be used by any company to build a technology-specific information security plan. Any of the identified frameworks will help organize and manage information security programs.