ISO 27001 and NIST
What is ISO 27001?
ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability. The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face and implemented in a structured manner in order to achieve externally assessed and certified compliance.
Purchase your copy of the standard today >>
What is an ISMS?
An ISMS (information security management system) is a system of processes, documentation, technology, and people that helps to protect all of your organization’s sensitive and confidential information through a centrally managed framework.
An ISMS needs to be supported by top management, incorporated into your organization’s culture and strategy, and constantly monitored, updated, and reviewed. Putting a continual improvement process in place will ensure your organization’s ISMS adapts to changes in the threat landscape and technology, and within the organization.
ISO 27001 is the international standard that lays out the specification for a best-practice ISMS. The Standard can also be extended by integrating with a number of other standards and frameworks, including the NIST CSF (Cybersecurity Framework) and NIST RMF (Risk Management Framework).
What is NIST?
NIST (National Institute of Standards and Technology) is a non-regulatory agency that promotes and maintains standards of measurement to enhance economic security and business performance.
What is the NIST CSF?
The NIST CSF (Cybersecurity Framework) is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations based on existing standards, guidelines, and practices. However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs. As such, version 1.1 was released in 2018.
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” recommends controls for all US federal information systems (excluding those in national security). As NIST SP 800-53 contains a tremendous set of 272 recommended controls, NIST created SP 800-171, a simplified version with just 114 controls, serving as a more approachable framework for contractors to implement.
NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals. It was issued in response to executive branch orders to strengthen the cybersecurity of federal networks and assets, and it is the first NIST publication to address both security and privacy risk management. The RMF relies on the control catalog in NIST SP 800-53.
How do ISO 27001 and NIST CSF complement each other?
The NIST frameworks were designed as flexible, voluntary frameworks. The fact that they are flexible makes it relatively easy to implement them in conjunction with ISO 27001, particularly as they have a number of common principles, including requiring senior management support, a continual improvement process, and a risk-based approach. In fact, the risk assessment process specified by ISO 27001 takes a very similar approach to the RMF: identify risks to the organization’s information, implement controls appropriate to the risk, and finally, monitor their performance.
However, because the CSF and RMF were designed to be voluntary, it is difficult to prove compliance. There is no formal NIST certification (yet). This is particularly unfortunate for organizations that must comply (as mandated by President Trump’s Executive Order 13800).
ISO 27001, meanwhile, has an international presence that many organizations recognize and trust. Moreover, organizations can achieve external, accredited certification to the Standard – an excellent way of demonstrating at least partial compliance with NIST’s frameworks.
Find out how the NIST frameworks and ISO 27001 can work in conjunction to help your organization achieve its cybersecurity goals >>
Key differences between ISO and NIST
- NIST was primarily created to help US federal agencies and organizations better manage their risk; ISO is an internationally recognized approach for establishing and maintaining an ISMS
- NIST frameworks have various control catalogs; ISO 27001 Annex A provides 14 control categories with 114 controls
- ISO 27001 is less technical, with more emphasis on risk-based management that provides best practice recommendations to securing all information
- NIST has a voluntary, self-certification mechanism; ISO relies on independent audit and certification bodies
- ISO 27001 has 10 clauses to guide organizations through their ISMS; the NIST framework uses five functions to customize cybersecurity controls
Accredited certification to ISO 27001
Being externally audited and achieving accredited certification against ISO 27001’s requirements is likely to engender a higher level of confidence among customers and stakeholders, as well as being a prerequisite for securing certain contracts.
Accredited certification to ISO 27001 demonstrates that your organization is following information security best practices, and delivers an independent, expert assessment of whether your confidential and sensitive information is adequately protected.
Download our free NIST and ISO 27001 resources
To learn more about how the NIST CSF and ISO 27001 can work together, check out our free resources.
Let’s work together to get things moving
Whatever the nature or size of your problem, we are here to help. Click the button below to request a call and one of our experts will get in touch to help you establish an effective compliance regime as soon as possible.