Estimated Reading Time: 4 Minutes
Written by: Aaron Nolan
Standards and frameworks are implemented by organisations to have business alignment, adopt business best practice and adhere to industry regulations. Moreover, standards and frameworks outline security controls to help protect the confidentiality, integrity and availability of business-critical assets.
The firm’s Information Security Governance structure, which should comprise top-level management, should ensure security controls are managed, monitored and measurable. The easiest way to do this is to implement an existing framework or standard. Two such well-known frameworks are ISO 27001 and the NIST Cyber Security Framework (CSF).
ISO 27001 and the NIST CSF approach information security and risk management differently, but the control measures for both are similar. The correct choice of framework for an organisation largely depends on its operational maturity, level of inherent risk, resources available and outside pressure from clients and governing bodies. There is significant overlap between the two frameworks, which allows companies to implement controls that address risks within both. We explain each in brief below.
ISO 27001 is a globally recognised standard for information security management systems (ISMS). It sets out the requirements an organisation’s ISMS must meet, against which the ISMS can be certified. Achieving certification requires independent audited verification that the ISMS is managed in line with the standard.
ISO 27001 requires the organisation to outline its cybersecurity program in a Master Security Policy, and then prove it is driven by the organisation’s governance structure.
The two critical steps of an ISO 27001 implementation are the risk assessment and risk treatment plan, which are better detailed in our article Building your Asset and Risk Register. These ensure adequate controls are in place for information assets, and that they are based on actual threats and vulnerabilities.
The NIST CSF is a risk-based framework developed for critical infrastructure sectors, but it has been adopted by organisations across all industry sectors. NIST does not provide a certification process; rather, it provides a well-designed framework to assist an organisation in establishing its cyber security maturity posture across the five business-critical functions:
Identify, Protect, Detect, Respond and Recover
Each of the core NIST functions is graded on a scale of 0-4, with higher scores indicating higher levels of cyber security maturity. This ability to provide an overall rating for an organisation’s cyber security posture makes it attractive. This way, senior management can quickly understand and appreciate positive developments in a risk improvement programme.
Use our Simplified Self Assessment Tool to view how your company performs in relation to the criteria used by the NIST CSF. Our GRC experts have also made a video explaining how to use the tool in more detail, which you can watch below:
With either of these materials, you’ll have a better understanding of how NIST works and of some of the topics you will need to address to obtain a good result and protect your business. Keep in mind this tool is based on a simplified version of the framework and does not cover the same width or depth.
As NIST practitioners and ISO 27001 lead auditors, we are commonly asked which approach is most appropriate for each client. The response depends on what you want to achieve as an organisation. If the eventual aim is to achieve and maintain ISO 27001 certification, then starting with ISO 27001 would seem the obvious choice.
There is one caveat to that rule, though: the organisation’s current level of cyber security maturity and risk preparation.
Where the NIST CSF truly comes into its own is for organisations that are trying to get a structured technology risk management programme off the ground. This is especially true where such efforts have failed previously. Such organisations tend to have lower NIST scores but have the governance drive and desire to build a structured cyber security maturity programme.
The NIST CSF will identify your current Cyber Security maturity levels and set out a clear plan to mitigate the risks by order of priority. It also helps rule out costly mistakes when making decisions about technology choices and budget by clearly identifying what is needed to address each risk.
This makes the NIST CSF a good starting point, as organisations may progress through the critical areas needed to reach compliance and focus on the specifics required for each stage. Companies can then address whatever is missing for standards such as ISO 27001 once they are better prepared. Furthermore, progress can be visualised better in this framework than in most standards, which are based on a “yes or no” approach, versus NIST’s 0 to 4 scoring.
Before deciding on which path to walk, it is always a good idea to take your time to analyse industry standards and your organisation’s priorities and goals. Depending on your particular situation, the ideal choice will change. Think about what will bring you more value in the long run, but don’t panic if you think you have made the wrong choice.
In the case of ISO 27001 and the NIST CSF, you have the advantage that several key areas of improvement overlap between both. Plus, they are both well-designed and established choices to raise the level of your business’ activities.
Getting someone familiar with the process can help, so if you need specific advice for your business, feel free to get in touch. We have guided many companies through these paths and will be happy to assist you if you are stuck. It may seem hard, but it is truly a matter of knowing the route to proceed.
Thank you for reading. For more Compliance content, please check our blog.
I do believe that when you are an international company and have to comply with the GDPR, for example, it is better to choose the ISO standard, as this will give you more leverage with the surveillance authorities in case something goes haywire… NIST is a purely USA-orientated standard that is not used much outside of the USA…
Thank you for your comment!
You are right about ISO being better recognised worldwide. The reason we tend to recommend starting with NIST is that it gives businesses a sense of progress – whereas with ISO you either are certified or not.
Then, in this case, after laying the foundation with NIST, we would push forward for ISO27001. That would be fairly straightforward since they both share many of the same key areas of improvement.