The Difference Between ISO/IEC 27001 and NIST CSF
Two of the most well-known cybersecurity frameworks are the International Organisation for Standardisation's ISO/IEC 27001 and the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF). Both ISO/IEC 27001 and NIST CSF involve establishing a risk management framework and implementing information security controls. However, the benefits derived from the two standards vary because they approach information security differently. In this article, we'll compare the two in order to help you decide which one is more suitable for your company.
ISO/IEC 27001 and NIST CSF
ISO/IEC 27001 and NIST CSF are cybersecurity frameworks that offer similar control measures to tackle information security and risk management. They are reasonably easy to implement either separately or in conjunction with each other, especially as they share a number of common principles that are mapped across from one to the other. However, while both deliver a continual improvement process and use a risk-based approach, they tackle information security from different angles.
ISO/IEC 27001:
The primary aim of the ISO/IEC 27001 framework is to give guidance to businesses on how to establish, implement, maintain and improve their Information Security Management System (ISMS). The framework is less technical than NIST CSF, with an emphasis on providing best practice recommendations for risk-based management. There are ten clauses that guide organisations through their Management System, risk assessment, and risk treatment plan to ensure adequate controls are in place. Furthermore, there is a catalogue of 114 security controls grouped in 14 domains, which businesses are advised to implement based on their risk assessment. These controls are expanded upon in ISO/IEC 27002, which complements ISO/IEC 27001.
One of the biggest advantages of ISO/IEC 27001 is its verifiability by an independent third-party organisation, also known as a Certification Body. The fact that businesses are awarded a certificate of compliance that is internationally recognised is a massive bonus.
NIST CSF:
The NIST Cybersecurity Framework was initially created to help US federal agencies to manage risk. Although it was developed for critical infrastructure sectors, it has since been adapted for organisations across all industries and outside the US. The framework is ideally suited to any company that is heavily reliant on technology, and it is flexible enough to accommodate anything from standard information systems to the Internet of Things. The framework is governed by five overarching functions: Identify, Protect, Detect, Respond, and Recover. Each of these functions is graded on a scale of 0-4, which helps organisations to build their cybersecurity maturity. This rating system and the well-defined flow of security functions are beneficial because they help board directors and senior management to understand and appreciate positive developments in a risk improvement programme. However, the downside of the framework is that it is difficult to prove compliance, as there is no formal certification for NIST CSF.
ISO/IEC 27002 and NIST 800-53 Rev. 5
The ISO/IEC 27002 and NIST 800-53 Rev. 5 standards are the next level of security best practice, offering more robust coverage of the security controls than the cybersecurity frameworks we've covered so far. These two standards offer a comprehensive catalogue of controls that an organisation can choose from. Whilst ISO/IEC 27001 and 27002 work hand in hand, a lot of organisations rely on their service providers and technology partners to meet the intent and rigour of the controls. Comparably, whilst NIST CSF cross-references controls found in both ISO 27001 and NIST 800-53 Rev. 5, organisations tend to rely on their vendors to satisfy the intent and rigour of the controls. These two standards cover the same fundamental information security controls but differ in content and layout.
ISO/IEC 27002:
ISO/IEC 27002 contains 14 subsections of security controls that work as supporting documentation to aid the implementation of ISO/IEC 27001. Ultimately, as it provides the specifications for the controls required to implement ISO/IEC 27001, it is vital in order to achieve certification. ISO/IEC 27002 contains the finer details and best practices required to build a comprehensive IT security system. Its key benefit is its international recognition and the fact that it provides coverage for many common requirements and compliance regulations. However, it's worth noting that ISO charges for its publications.
NIST 800-53 Rev. 5:
NIST 800-53 Rev. 5 contains twenty groups of security controls, which overlap with the 14 domains of controls found in ISO/IEC 27002. As mentioned for NIST CSF, the standard was designed to protect the US federal government. However, it can be applied to many industries and is commonly used in the financial, medical and government contracting industries. One of the benefits of NIST 800-53 Rev. 5 is that it is a superset of ISO/IEC 27002, containing all of its components as well as additional requirements. It's also worth noting that, in contrast to ISO, all of its documentation is freely available.
Which Framework is Right for Your Business?
To be able to choose which framework will be best for your business, you need to consider your business environment (i.e. the risk landscape) and your business requirements (i.e. the risk appetite). The best framework for your organisation will depend on which industry you are in, your customers' requirements, applicable regulatory obligations, available resources, and organisational priorities. Moreover, there might be an overriding outside pressure from clients and governing or regulatory bodies to comply with a specific standard. Both the ISO and NIST standards are well-designed and established ways to uplift your level of cybersecurity maturity and manage risk. However, as they tackle information security and risk management from different angles, one may be more suitable than the other. At InfoTrust, we have helped guide many companies through both the ISO and NIST frameworks and can help you to decide which standard you should comply with. To find out more about the security consulting services we offer, download our datasheet.
This completes our 3-part blog series on cybersecurity frameworks. We hope you have a better understanding of the two cybersecurity frameworks and which one is more appropriate for your business. If you'd like to know more about NIST CSF, click here. If you'd like to read why you should be ISO certified, click here.