What is ISO 27001?
ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability.
The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face and implemented in a structured manner to achieve externally assessed and certified compliance.
The Standard can also be extended by integrating with several other standards and frameworks, including the NIST CSF (Cybersecurity Framework) and NIST RMF (Risk Management Framework).
Purchase your copy of the standard today >>
ISO 27001 and ISO 27002 2022 updates
ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.
Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).
For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates
Download your copy of ISO 27001:2022 here
Download your copy of ISO 27002:2022 here
What is NIST and the NIST CSF (Cybersecurity Framework)?
NIST (National Institute of Standards and Technology) is a non-regulatory agency that promotes and maintains standards of measurement to enhance economic security and business performance.
The NIST CSF (Cybersecurity Framework) is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations based on existing standards, guidelines, and practices.
The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs.
However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. As such, version 1.1 was released in 2018.
NIST RMF (Risk Management Framework)
NIST’s RMF provides a structured approach to risk management, ensuring that risk is managed according to the organization’s requirements, business objectives, and risk appetite. And as stated earlier, effective risk management is fundamental to an organization’s cybersecurity.
NIST SPs (Special Publications) 800-53 and 800-171
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” recommends controls for all US federal information systems (excluding those in national security).
As NIST 800-53 contains a set of 272 recommended security controls, NIST created SP 800-171, a simplified version with just 114 controls, serving as a more approachable framework for contractors to implement.
NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals. It was issued in response to executive branch orders to strengthen the cybersecurity of federal networks and assets, and it is the first NIST publication to address both security and privacy risk management. The RMF relies on the control catalog in NIST SP 800-53.
How do ISO 27001 and NIST CSF complement each other?
The NIST frameworks were designed as flexible, voluntary frameworks.
Their flexibility makes it relatively easy to implement them in conjunction with ISO 27001, particularly as they have several common principles, including requiring senior management support, a continual improvement process, and a risk-based approach.
The risk assessment process specified by ISO 27001 takes a very similar approach to the RMF: identify risks to the organization’s information, implement controls appropriate to the risk, and finally, monitor their performance.
However, because the CSF and RMF security frameworks were designed to be voluntary, it is difficult to prove compliance.
There is no formal NIST certification (yet). This is particularly unfortunate for organizations that must comply (as mandated by President Trump’s Executive Order 13800).
ISO 27001, meanwhile, has an international presence that many organizations recognize and trust.
Moreover, organizations can achieve external, accredited certification to the Standard – an excellent way to demonstrate partial compliance with NIST’s frameworks.
Find out how the NIST frameworks and ISO 27001 can work in conjunction to help your organization achieve its cybersecurity goals >>
NIST vs. ISO 27001: what’s the difference?
NIST was primarily created to help US federal agencies and organizations better manage their risk
ISO 27001 is an internationally recognized approach for establishing and maintaining an ISMS
NIST frameworks have various control catalogs
ISO 27001 Annex A provides 14 control categories with 114 controls
The NIST CSF framework contains three key components: the core, implementation tiers, and profiles with each function having categories, which are the activities necessary to fulfill each function.
ISO 27001 is less technical, with more emphasis on risk-based management that provides best practice recommendations to securing all information
NIST has a voluntary, self-certification mechanism
ISO 27001 relies on independent audit and certification bodies
The NIST framework uses five functions to customize cybersecurity controls
ISO 27001 has ten clauses to guide organizations through their ISMS
Accredited certification to ISO 27001
Being externally audited and achieving accredited certification against ISO 27001’s requirements is likely to engender a higher level of confidence among customers and stakeholders and be, a prerequisite for securing certain contracts.
Accredited certification to ISO 27001 demonstrates that your organization follows information security best practices, and delivers an independent, expert assessment of whether your confidential and sensitive information is adequately protected.
Find out more about ISO 27001 certification >>
NIST Cybersecurity Framework and ISO 27001
Download our green paper to learn more about how the NIST Cybersecurity Framework and ISO 27001 can work in conjunction with each other and how both frameworks can help protect your organization.
Speak to an expert
One of our qualified ISO 27001 lead implementers are ready to offer you practical advice about the best approach to take for implementing an ISO 27001 project and discuss different options to suit your budget and business needs.