The Difference Between ISO/IEC 27001 and NIST CSF
Two of the most well-known cybersecurity frameworks are the International Organisation for Standardisation’s ISO/IEC 27001 and the National Institute of Standards and Technology’s Cyber Security Framework (NIST CSF). Both ISO/IEC 27001 and NIST CSF involve establishing a risk management framework and implementing information security controls. However, the two standards approach information security differently, and so the benefits they deliver differ as well. In this article, we’ll compare the two in order to help you decide which one is more suitable for your company.
ISO/IEC 27001 and NIST CSF
ISO/IEC 27001 and NIST CSF are cybersecurity frameworks that offer similar control measures to tackle information security and risk management. They are reasonably easy to implement either separately or in conjunction with each other, especially as they share a number of common principles which are mapped across between them. However, while both deliver a continual improvement process and use a risk-based approach, they tackle information security from different angles.
ISO/IEC 27001:
The primary aim of the ISO/IEC 27001 framework is to give guidance to businesses on how to establish, implement, maintain and improve their Information Security Management System (ISMS). The framework is less technical than the NIST CSF framework, with an emphasis on providing best practice recommendations for risk-based management. There are ten clauses that guide organisations through their Management System, risk assessment, and risk treatment plan to ensure adequate controls are in place. Furthermore, there is a catalogue of 114 security controls grouped in 14 domains which businesses are advised to implement based on their risk assessment. These controls are described in more detail in ISO/IEC 27002, which complements ISO/IEC 27001.
One of the biggest advantages of ISO/IEC 27001 is its verifiability by an independent third-party organisation, also known as a Certification Body. The fact that businesses are awarded a certificate of compliance that is internationally recognised is a massive bonus.
NIST CSF:
The NIST cybersecurity framework was initially created to help US federal agencies to manage risk. Although it was developed for critical infrastructure sectors, it has since been adapted for organisations across all industries and outside the US. The framework is ideally suited to any company that is heavily reliant on technology, although the flexible framework can accommodate anything from standard information systems to the Internet of Things. The framework is governed by five overarching functions: Identify, Protect, Detect, Respond, and Recover. Each of these functions is graded on a scale of 0-4, which helps organisations to build their cybersecurity maturity. This rating system and the well-defined flow of security functions are beneficial as they help board directors and senior management to understand and appreciate positive developments in a risk improvement program. However, the downside of the framework is that it is difficult to prove compliance, as there is no formal certification for NIST CSF.
ISO/IEC 27002 and NIST 800-53 Rev. 5
The ISO/IEC 27002 and NIST 800-53 Rev. 5 standards are the next level of security best practices and offer more robust coverage of security controls than the cybersecurity frameworks we’ve covered so far. These two standards offer a comprehensive catalogue of controls that an organisation can choose from. Whilst ISO/IEC 27001 and 27002 work hand in hand, a lot of organisations rely on their service providers and technology partners to meet the intent and rigour of the controls. Similarly, whilst NIST CSF cross-references controls found in both ISO 27001 and NIST 800-53 Rev. 5, organisations tend to rely on their vendors to satisfy the intent and rigour of the controls. These two standards cover the same fundamental information security controls but differ in content and layout.
ISO/IEC 27002:
ISO/IEC 27002 contains 14 subsections of security controls that work as supporting documentation to aid the implementation of ISO/IEC 27001. Ultimately, as it provides the specifications for the controls required to implement ISO/IEC 27001, it is vital in order to achieve certification. ISO/IEC 27002 contains the finer details and best practices required to build a comprehensive IT security system. Its key benefit is its international recognition and the fact that it provides coverage for many common requirements and compliance regulations. However, it’s worth noting that ISO charges for its publication.
NIST 800-53 Rev. 5:
NIST 800-53 Rev. 5 contains twenty groups of security controls, which overlap with the 14 domains of controls found in ISO/IEC 27002. As mentioned for NIST CSF, the framework was designed to protect the US federal government. However, it can be applied to many industries and is commonly used in the financial, medical and government contracting industries. One of the benefits of NIST 800-53 Rev. 5 is that it is a superset of ISO/IEC 27002, containing all of its components as well as other requirements. It’s also worth noting that, in contrast to ISO, all documentation is freely available.
Which Framework is Right for Your Business?
To be able to choose which framework will be best for your business, you need to consider your business environment (i.e. the risk landscape) and your business requirements (i.e. the risk appetite). The best framework for your organisation will depend on which industry you are in, your customers’ requirements, applicable regulatory obligations, available resources, and organisational priorities. Moreover, there might be an overriding outside pressure from clients and governing or regulatory bodies to comply with a specific standard. Both ISO and NIST standards are well-designed and established ways to uplift your level of cybersecurity maturity and manage risk. However, as they tackle information security and risk management from different angles, one may be more suitable than the other. At InfoTrust, we have helped guide many companies through both the ISO and NIST frameworks and can help you to decide which standard you should comply with. To find out more about the security consulting services we offer, download our datasheet.
This completes our 3-part blog series on cybersecurity frameworks. We hope you have a better understanding of the two cybersecurity frameworks and which one is more appropriate for your business. If you’d like more information on NIST CSF, click here. If you’d like to read why you should be ISO certified, click here.