Technical Security Frameworks
I am an independent consultant and most of my clients are in the small medium market.Their maturity isn't such that they can achieve big certifications such as ISO27001, and they are starting their security journey deploying technical controls.
My main challenge is to find a technical control framework that I can later scale up to achieve larger certifications such as ISO.
Any recommendations ?
If your customers are not ready for ISO or other advanced frameworks is likely that their security practices are not risk driven?
I would suggest to guide yourself and them with the CIS 20 critical controls.
This framework is a good blueprint for larger security programs such as ISO, NIST, PCI etc
Check the following link,
This framework as CIS 20 are top frameworks to scale up to NIST and ISO27001. Particularly I prefer ASD top35 but both of them will get you where you need to be with your clients.