
ISO 27001 and the NIST CSF (Cybersecurity Framework)

What is ISO 27001?

ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability.

The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face and implemented in a structured manner to achieve externally assessed and certified compliance. 

The Standard can also be extended by integrating with several other standards and frameworks, including the NIST CSF (Cybersecurity Framework) and NIST RMF (Risk Management Framework).


What is NIST and the NIST CSF (Cybersecurity Framework)?

NIST (National Institute of Standards and Technology) is a non-regulatory agency that promotes and maintains standards of measurement to enhance economic security and business performance. 

The NIST CSF (Cybersecurity Framework) is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations based on existing standards, guidelines, and practices.

The CSF is a living document: it recognizes that continual improvement is necessary to adapt to changing industry needs.

The CSF has also proven flexible enough to be implemented by non-US organizations and by organizations outside critical infrastructure. Version 1.1 was released in 2018.


NIST RMF (Risk Management Framework)

NIST’s RMF provides a structured approach to risk management, ensuring that risk is managed according to the organization’s requirements, business objectives, and risk appetite. Effective risk management is fundamental to an organization’s cybersecurity.

NIST SPs (Special Publications) 800-53 and 800-171

NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” recommends controls for all US federal information systems (excluding those in national security).

Because NIST SP 800-53 contains a set of 272 recommended security controls, NIST created SP 800-171, a simplified version with just 114 controls, which serves as a more approachable framework for contractors to implement.

NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals. It was issued in response to executive branch orders to strengthen the cybersecurity of federal networks and assets, and it is the first NIST publication to address both security and privacy risk management. The RMF relies on the control catalog in NIST SP 800-53.

How do ISO 27001 and NIST CSF complement each other?

The NIST frameworks were designed as flexible, voluntary frameworks.

Their flexibility makes it relatively easy to implement them in conjunction with ISO 27001, particularly as they have several common principles, including requiring senior management support, a continual improvement process, and a risk-based approach.

The risk assessment process specified by ISO 27001 takes a very similar approach to the RMF: identify risks to the organization’s information, implement controls appropriate to the risk, and finally, monitor their performance.

However, because the CSF and RMF security frameworks were designed to be voluntary, it is difficult to prove compliance.

There is no formal NIST certification (yet). This is particularly unfortunate for organizations that must comply (as mandated by President Trump’s Executive Order 13800).

ISO 27001, meanwhile, has an international presence that many organizations recognize and trust.

Moreover, organizations can achieve external, accredited certification to the Standard – an excellent way to demonstrate partial compliance with NIST’s frameworks.


NIST vs. ISO 27001: what’s the difference?

NIST: Primarily created to help US federal agencies and organizations better manage their risk.
ISO 27001: An internationally recognized approach for establishing and maintaining an ISMS.

NIST: The NIST frameworks have various control catalogs.
ISO 27001: Annex A provides 14 control categories with 114 controls.

NIST: The CSF has three key components: the Core, Implementation Tiers, and Profiles. The Core is organized into functions, and each function has categories, which are the activities necessary to fulfill that function.
ISO 27001: Less technical, with more emphasis on risk-based management, providing best-practice recommendations for securing all information.

NIST: A voluntary, self-certification mechanism.
ISO 27001: Relies on independent audit and certification bodies.

NIST: The framework uses five functions to customize cybersecurity controls.
ISO 27001: Ten clauses guide organizations through their ISMS.

Accredited certification to ISO 27001

Being externally audited and achieving accredited certification against ISO 27001’s requirements is likely to engender a higher level of confidence among customers and stakeholders, and may be a prerequisite for securing certain contracts.

Accredited certification to ISO 27001 demonstrates that your organization follows information security best practices, and delivers an independent, expert assessment of whether your confidential and sensitive information is adequately protected.


How IT Governance USA can help you

  • Our implementation methodology has been honed over 15 years
  • We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799)
  • We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else
  • You benefit from real-world practitioner expertise, not just academic knowledge
  • We have trained more than 7,000 professionals on ISO 27001 implementation and audit worldwide
  • We’ve helped hundreds of consultancy clients achieve certification to and compliance with ISO 27001
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization
  • Our pricing and proposals are completely transparent, so you won’t get any surprises
  • We can help small organizations prepare for ISO 27001 certification in three months