USA
Select regional store:

ISO 27001 and the NIST CSF (Cybersecurity Framework)

What is ISO 27001?

ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability.

The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face and implemented in a structured manner in order to achieve externally assessed and certified compliance. 

The Standard can also be extended by integrating with a number of other standards and frameworks, including the NIST CSF (Cybersecurity Framework) and NIST RMF (Risk Management Framework).

Purchase your copy of the standard today >>


What is NIST and the NIST CSF (Cybersecurity Framework)?

NIST (National Institute of Standards and Technology) is a non-regulatory agency that promotes and maintains standards of measurement to enhance economic security and business performance. 

The NIST CSF (Cybersecurity Framework) is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations based on existing standards, guidelines, and practices. However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs. As such, version 1.1 was released in 2018.  


NIST RMF (Risk Management Framework)

NIST’s RMF provides a structured approach to risk management, ensuring that risk is managed in line with the organization’s requirements, business objectives, and risk appetite. And as stated earlier, effective risk management is fundamental to an organization’s cybersecurity.


NIST SPs (Special Publications) 800-53 and 800-171

NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” recommends controls for all US federal information systems (excluding those in national security).

As NIST SP 800-53 contains a tremendous set of 272 recommended controls, NIST created SP 800-171, a simplified version with just 114 controls, serving as a more approachable framework for contractors to implement.  

NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals. It was issued in response to executive branch orders to strengthen the cybersecurity of federal networks and assets, and it is the first NIST publication to address both security and privacy risk management. The RMF relies on the control catalog in NIST SP 800-53.

How do ISO 27001 and NIST CSF complement each other?

The NIST frameworks were designed as flexible, voluntary frameworks. The fact that they are flexible makes it relatively easy to implement them in conjunction with ISO 27001, particularly as they have a number of common principles, including requiring senior management support, a continual improvement process, and a risk-based approach. In fact, the risk assessment process specified by ISO 27001 takes a very similar approach to the RMF: identify risks to the organization’s information, implement controls appropriate to the risk, and finally, monitor their performance.

However, because the CSF and RMF were designed to be voluntary, it is difficult to prove compliance. There is no formal NIST certification (yet). This is particularly unfortunate for organizations that must comply (as mandated by President Trump’s Executive Order 13800).

ISO 27001, meanwhile, has an international presence that many organizations recognize and trust. Moreover, organizations can achieve external, accredited certification to the Standard – an excellent way of demonstrating at least partial compliance with NIST’s frameworks.

Find out how the NIST frameworks and ISO 27001 can work in conjunction to help your organization achieve its cybersecurity goals >>


The key differences between ISO 27001 and NIST

NIST

ISO 27001

NIST was primarily created to help US federal agencies and organizations better manage their risk

ISO 27001 is an internationally recognized approach for establishing and maintaining an ISMS

NIST frameworks have various control catalogs

ISO 27001 Annex A provides 14 control categories with 114 controls

The NIST CSF contains three key components: the core, implementation tiers, and profiles with each function having categories, which are the activities necessary to fulfil each function.

ISO 27001 is less technical, with more emphasis on risk-based management that provides best practice recommendations to securing all information

NIST has a voluntary, self-certification mechanism

ISO 27001 relies on independent audit and certification bodies

The NIST framework uses five functions to customize cybersecurity controls

ISO 27001 has 10 clauses to guide organizations through their ISMS

Accredited certification to ISO 27001

Being externally audited and achieving accredited certification against ISO 27001’s requirements is likely to engender a higher level of confidence among customers and stakeholders, as well as being a prerequisite for securing certain contracts. 

Accredited certification to ISO 27001 demonstrates that your organization is following information security best practices, and delivers an independent, expert assessment of whether your confidential and sensitive information is adequately protected.

Find out more about ISO 27001 certification >>

NIST Cybersecurity Framework and ISO 27001

Download our green paper to find out more about how the NIST Cybersecurity Framework and ISO 27001 can work in conjunction with each other and how both frameworks can help protect your organization.

Download now

This website uses cookies. View our cookie policy