The selection process for cybersecurity frameworks generally leads to adopting a "starting point" framework. These foundational frameworks are the NIST Cybersecurity Framework, ISO 27002, NIST 800-53 or the Secure Controls Framework (SCF). We call it the "cybersecurity Goldilocks dilemma" since it addresses the question: Which cybersecurity framework is "not too hard, not too soft, but just right!" for my organization? It comes down to first defining your "must have" and "nice to have" requirements, since that helps point you to the most appropriate framework to meet your specific needs: