Select regional store:

ISO 27001 and the NIST CSF (Cybersecurity Framework)

What is ISO 27001?

ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability.

The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face and implemented in a structured manner to achieve externally assessed and certified compliance. 

The Standard can also be extended by integrating with several other standards and frameworks, including the NIST CSF (Cybersecurity Framework) and NIST RMF (Risk Management Framework).

Purchase your copy of the standard today >>

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

What is NIST and the NIST CSF (Cybersecurity Framework)?

NIST (National Institute of Standards and Technology) is a non-regulatory agency that promotes and maintains standards of measurement to enhance economic security and business performance. 

The NIST CSF (Cybersecurity Framework) is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations based on existing standards, guidelines, and practices.

The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs.


However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. As such, version 1.1 was released in 2018.  

NIST RMF (Risk Management Framework)

NIST’s RMF provides a structured approach to risk management, ensuring that risk is managed according to the organization’s requirements, business objectives, and risk appetite. And as stated earlier, effective risk management is fundamental to an organization’s cybersecurity.

NIST SPs (Special Publications) 800-53 and 800-171

NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” recommends controls for all US federal information systems (excluding those in national security).

As NIST 800-53 contains a set of 272 recommended security controls, NIST created SP 800-171, a simplified version with just 114 controls, serving as a more approachable framework for contractors to implement.  

NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals. It was issued in response to executive branch orders to strengthen the cybersecurity of federal networks and assets, and it is the first NIST publication to address both security and privacy risk management. The RMF relies on the control catalog in NIST SP 800-53.

How do ISO 27001 and NIST CSF complement each other?

The NIST frameworks were designed as flexible, voluntary frameworks.

Their flexibility makes it relatively easy to implement them in conjunction with ISO 27001, particularly as they have several common principles, including requiring senior management support, a continual improvement process, and a risk-based approach.

The risk assessment process specified by ISO 27001 takes a very similar approach to the RMF: identify risks to the organization’s information, implement controls appropriate to the risk, and finally, monitor their performance.

However, because the CSF and RMF security frameworks were designed to be voluntary, it is difficult to prove compliance.

There is no formal NIST certification (yet). This is particularly unfortunate for organizations that must comply (as mandated by President Trump’s Executive Order 13800).

ISO 27001, meanwhile, has an international presence that many organizations recognize and trust.

Moreover, organizations can achieve external, accredited certification to the Standard – an excellent way to demonstrate partial compliance with NIST’s frameworks.

Find out how the NIST frameworks and ISO 27001 can work in conjunction to help your organization achieve its cybersecurity goals >>

NIST vs. ISO 27001: what’s the difference?


ISO 27001

NIST was primarily created to help US federal agencies and organizations better manage their risk

ISO 27001 is an internationally recognized approach for establishing and maintaining an ISMS

NIST frameworks have various control catalogs

ISO 27001 Annex A provides 14 control categories with 114 controls

The NIST CSF framework contains three key components: the core, implementation tiers, and profiles with each function having categories, which are the activities necessary to fulfill each function.

ISO 27001 is less technical, with more emphasis on risk-based management that provides best practice recommendations to securing all information

NIST has a voluntary, self-certification mechanism

ISO 27001 relies on independent audit and certification bodies

The NIST framework uses five functions to customize cybersecurity controls

ISO 27001 has ten clauses to guide organizations through their ISMS

Accredited certification to ISO 27001

Being externally audited and achieving accredited certification against ISO 27001’s requirements is likely to engender a higher level of confidence among customers and stakeholders and be, a prerequisite for securing certain contracts. 

Accredited certification to ISO 27001 demonstrates that your organization follows information security best practices, and delivers an independent, expert assessment of whether your confidential and sensitive information is adequately protected.

Find out more about ISO 27001 certification >>

NIST Cybersecurity Framework and ISO 27001

Download our green paper to learn more about how the NIST Cybersecurity Framework and ISO 27001 can work in conjunction with each other and how both frameworks can help protect your organization.

Download now

This website uses cookies. View our cookie policy
GET 24/7