Any organisation wanting to build its cyber defences around an internationally-recognised framework has a few (but not that many) choices. Two of these are the NIST Cybersecurity Framework (CSF) and the ISO/IEC 27001:2022 standard. Let’s look at these options and indulge in some comparing and contrasting before giving a few tips on how to decide between them.
The NIST Cybersecurity Framework
NIST (the National Institute of Standards and Technology) is a heavyweight US Government agency which the American administration trusts with advising on, and managing the approach to, a host of technical subjects. Sometimes the US President decides to give NIST a job directly, by issuing an Executive Order, and that’s what happened with the creation of the Cybersecurity Framework in 2014. The focus of the CSF initially was to protect the critical infrastructure of the USA, such as power grids, and that’s still the case, but it has also gained wider acceptance both within other industry sectors of the USA and internationally.
What Does the Cybersecurity Framework Look Like?
Previously there has been V1.0 and V1.1 of the CSF. The most recently update is V2.0, so let’s focus on this. The highest level of the CSF is the “Function”, and for V2.0 these are shown in the diagram below.
Each function contains a number of “Categories” and within each category there are “Subcategories”. It’s at the subcategory level that a desired cybersecurity outcome is stated, such as “The organisational mission is understood and informs cybersecurity risk management” or “Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood.” New with V2.0 of the CSF we also have “Implementation Examples” which are intended to give the user a better idea of what they might do to achieve the outcome.
For each subcategory we also have a list of “Informative References” which refer to specific relevant parts of other popular standards, such as other NIST publications, COBIT 5 and ISO27001. The idea is that the CSF embraces other standards as useful, rather than competing with them.
Two other concepts associated with the CSF are “Tiers” (similar to maturity levels but apparently subtly different) and “Profiles”. The latter concept defines a “Current Profile” (where you are now) and a “Target Profile” (where you want to be), much like a gap assessment.
The ISO27001:2022 Standard
ISO27001 has been around since 2005 and is published by the ISO (International Organisation for Standardisation) and the IEC (International Electrotechnical Commission) which are both international non-governmental not-for-profits with involvement from around 170 countries in defining standards. The standard was updated in 2013 and most recently in 2022.
What’s the Structure of ISO27001?
ISO27001 consists of two main parts; a “Management System” and the “Annex A Controls”.
The management system defines the requirements for putting in place an overall process for understanding what needs to be done and then managing the controls that are put in place to protect the organisation. As such, the focus is on continually monitoring and improving information security, with required processes such as risk assessment, management review and internal audit. The standard is structured in clauses with specific requirements stated using the word “shall” such as “The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.” or “The scope shall be available as documented information.”
The Annex A controls are grouped into four “themes” – organisational, people, physical and technological. The controls are stated in a similar way to the requirements of the management system, for example “5.7 Threat intelligence – Information relating to information security threats shall be collected and analysed to produce threat intelligence.” The set of controls effectively forms a menu from which those controls that are applicable may be selected based on the organisation’s assessment of risk.
How Do the Two Standards Compare?
Let’s have a look at some of the considerations for an organisation when choosing between the NIST Cybersecurity Framework and ISO27001.
Consideration | NIST Cybersecurity Framework | ISO/IEC 27001:2022 Standard |
Who has overall control of the standard and its development? | Heavily reliant on the requirements of the US Government via NIST. | Controlled by committees made up of representatives from many countries. |
What is the scope of the standard? | With V2.0 a Govern function is introduced; perhaps has more emphasis on supply chain cybersecurity than ISO27001. | Most of the elements of ISO27001 are also reflected in the CSF. |
Can an organization become certified to the standard? | There is no certification scheme, nor is one planned. | An organization can become certified using a registered certification body, and can advertise the fact to customers, suppliers etc. |
How accepted is the standard internationally? | Increasing emphasis on an international audience, but still mainly USA focussed. | Designed to be an international standard from the start and accepted in almost all countries. |
Compatibility with other information security standards. | Designed to utilise resources from other standards, via “informative references”. | Good compatibility with other ISO standards, both within and outside of information security, such as ISO27005 and ISO9001. |
What implementation resources are available from the publisher? | The NIST CSF website aims to provide additional resources geared around implementation and has quite an active community. | ISO and IEC don’t get involved in implementation, but there are many third parties who can help. |
Do we have to implement all of the standard? | The organization can pick and choose the areas they implement and can use tiers to decide how far to go in each area. | For certification, all of the requirements must be implemented. Fewer elements could be used if certification is not needed. |
Are the resources free? | NIST documents can be downloaded free of charge, including the CSF. | ISO standards must be purchased; ISO27001 is currently 129 Swiss Francs from the ISO website. |
How many organizations use the standard? | NIST don’t publish figures, nor would they be able to tell since the standard is free and there is no certification scheme. | According to the most recent ISO survey there are 71,549 organizations certified to the ISO27001 standard worldwide. |
How long would it take to implement? | This depends on how much of the CSF you decide to implement, and to what level, so anywhere between 1 and many months. | Certification to ISO27001 typically takes between 6 and 12 months. |
How Should an Organisation Choose?
It can be a difficult decision, but our view is that your choice will likely come down to one or more of the following factors:
Need for certification – if you have a strong need to prove that you take information security seriously then ISO27001 fits the bill due to its certification scheme.
Countries of operation – if your main focus is the USA then the NIST CSF may be the right choice. If you operate in other countries (particularly those that are suspicious of the USA) then ISO27001 would probably be better.
Desire to implement standards in other areas – if your plan is to consider other standards such as ISO9001 (quality management) and ISO22301 (business continuity) then ISO27001 is a good starting point due to their similar structures.
Desire to implement other information security standards – if your need is to bring together controls from other standards such as COBIT then the NIST CSF may suit your organisation better as a high-level framework.
Of course, there may be more considerations, depending on your organisation’s specific profile.
Final Words
Let’s be straight about the fact that the NIST Cybersecurity Framework and ISO27001 are both good choices for improving your organisation’s information security. You may find that the choice is more about how other people perceive the options than about your preference internally. This is an important decision that may guide your efforts for many years to come, so it deserves due consideration.
