ISO 27001 vs NIST Cybersecurity Framework
ISO 27001 is a standard that focuses on keeping customer and stakeholder information confidential, maintaining integrity by preventing unauthorized modification, and ensuring information is available to authorized people and systems. This standard outlines the requirements for Information Security Management Systems (ISMS) and gives organizations guidance on establishing, implementing, maintaining, and continually improving an ISMS.
On the other hand, the National Institute of Standards and Technology (NIST) has a voluntary cyber security framework for organizations overseeing critical infrastructure. Its goals are the same as ISO 27001, with the emphasis on identifying, evaluating and managing the acceptable risks to information systems.
ISO 27001 Overview and Structure
The ISO 27001 standard has ten clauses; the first three go over the references, terms, and other essential information covered in the regulation.
The other seven clauses guide companies in establishing and maintaining their Information Security Management System (ISMS). These are:
Clause 4: Organization's Context
Clause 5: Leadership and Commitment
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance Evaluation
Clause 10: Improvement
NIST Cyber Security Framework (CSF) Overview and Structure
Any company that has a heavy reliance on technology can benefit from implementing the NIST Cyber Security Framework (CSF) guidelines. The NIST CSF uses five overarching functions to allow companies to customize their cybersecurity measures to best meet their goals and the unique challenges that they face.
Protect: A company needs to design the safeguards that protect against the most concerning risks and minimize the consequences that could happen if a threat becomes a reality. The protective measures that organizations put in place can include data security systems, cybersecurity training among all employees, routine maintenance procedures, access control and user account control.
- Identify: The key question here is what cybersecurity risks exist in the organization. The context of the company is important, similar to clause 4 in ISO 27001, as well as the present infrastructure and capabilities. Assessments of existing cybersecurity measures and risks fall under this section.
- Detect: Early threat detection can significantly differ in the amount of damage that threats may cause. This section is focused on ensuring companies discover incidents earlier, determine whether the system has been breached, and proactively monitor all of the infrastructure and surface anomalies that could be the result of a cybersecurity problem.
- Respond: How does the company respond to a cybersecurity attack after it happens, and do they have procedures in place that cover these eventualities? Everything should be planned out ahead of time so there's no question about who needs to be contacted during an emergency or an incident. The chain of command and lines of communication also get established under this function. Post-incident analysis can provide excellent information on what happened and how to prevent it from reoccurring.
- Recover: This section focuses on what needs to happen to get the organization back to normal following a cybersecurity incident. Business continuity planning should cover how to restore the systems and data impacted by an attack. It also dictates how long it takes to recover and what needs to happen moving forward.
Choosing Between ISO 27001 & NIST CSF
Companies may see a lot of overlap between the NIST Cybersecurity Framework and the ISO 27001 standard. The right choice for an organization depends on the level of risk inherent in their information systems, the resources they have available, and whether they have an existing cybersecurity plan in place. Significant overlap between the two standards provides companies with extensive guidance and similar protections, no matter which they choose. As such, in many cases, organizations choose to adopt both NIST CSF and ISO 27001.
Ready to start building your top-down approach to GRC? How about a whistle-stop tour with one of our 6clicks maestros?
Easy - just click the button below and let the good times roll.
All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!
Fast, clear, smart, agile. #NoSpreadsheets 🚫