Blog NIST Cybersecurity Framework and ISO27001 – Similarities and Differences

The NIST Cybersecurity Framework

NIST (the National Institute of Standards and Technology) is a heavyweight US Government agency which the American administration trusts with advising on, and managing the approach to, a host of technical subjects. Sometimes the US President decides to give NIST a job directly, by issuing an Executive Order, and that’s what happened with the creation of the Cybersecurity Framework in 2014. The focus of the CSF initially was to protect the critical infrastructure of the USA, such as power grids, and that’s still the case, but it has also gained wider acceptance both within other industry sectors of the USA and internationally.

What Does the Cybersecurity Framework Look Like?

Previously there has been V1.0 and V1.1 of the CSF.  The most recently update is V2.0, so let’s focus on this. The highest level of the CSF is the “Function”, and for V2.0 these are shown in the diagram below.

Each function contains a number of “Categories” and within each category there are “Subcategories”. It’s at the subcategory level that a desired cybersecurity outcome is stated, such as “The organizational mission is understood and informs cybersecurity risk management” or “Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood.” New with V2.0 of the CSF we also have “Implementation Examples” which are intended to give the user a better idea of what they might do to achieve the outcome.

For each subcategory we also have a list of “Informative References” which refer to specific relevant parts of other popular standards, such as other NIST publications, COBIT 5 and ISO27001. The idea is that the CSF embraces other standards as useful, rather than competing with them.

Two other concepts associated with the CSF are “Tiers” (similar to maturity levels but apparently subtly different) and “Profiles”. The latter concept defines a “Current Profile” (where you are now) and a “Target Profile” (where you want to be), much like a gap assessment.

If you’d like a more detailed description of the NIST Cybersecurity Framework, please see our earlier blog on the update between v1.1 and 2.0.

The ISO27001:2022 Standard

ISO27001 has been around since 2005 and is published by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) which are both international non-governmental not-for-profits with involvement from around 170 countries in defining standards. The standard was updated in 2013 and most recently in 2022.

What’s the Structure of ISO27001?

ISO27001 consists of two main parts; a “Management System” and the “Annex A Controls”.

The management system defines the requirements for putting in place an overall process for understanding what needs to be done and then managing the controls that are put in place to protect the organization. As such, the focus is on continually monitoring and improving information security, with required processes such as risk assessment, management review and internal audit. The standard is structured in clauses with specific requirements stated using the word “shall” such as “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.” or “The scope shall be available as documented information.”

The Annex A controls are grouped into four “themes” – organizational, people, physical and technological. The controls are stated in a similar way to the requirements of the management system, for example “5.7 Threat intelligence – Information relating to information security threats shall be collected and analysed to produce threat intelligence.” The set of controls effectively forms a menu from which those controls that are applicable may be selected based on the organization’s assessment of risk.

How Do the Two Standards Compare?

Let’s have a look at some of the considerations for an organization when choosing between the NIST Cybersecurity Framework and ISO27001.

How Should an Organization Choose?

It can be a difficult decision, but our view is that your choice will likely come down to one or more of the following factors:

• Need for certification – if you have a strong need to prove that you take information security seriously then ISO27001 fits the bill due to its certification scheme.
• Countries of operation – if your main focus is the USA then the NIST CSF may be the right choice. If you operate in other countries (particularly those that are suspicious of the USA) then ISO27001 would probably be better.
• Desire to implement standards in other areas – if your plan is to consider other standards such as ISO9001 (quality management) and ISO22301 (business continuity) then ISO27001 is a good starting point due to their similar structures.
• Desire to implement other information security standards – if your need is to bring together controls from other standards such as COBIT then the NIST CSF may suit your organization better as a high-level framework.

Of course, there may be more considerations, depending on your organization’s specific profile.

Final Words

Let’s be straight about the fact that the NIST Cybersecurity Framework and ISO27001 are both good choices for improving your organization’s information security. You may find that the choice is more about how other people perceive the options than about your preference internally. This is an important decision that may guide your efforts for many years to come, so it deserves due consideration.

Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

CertiKit Toolkit & Services Options

Whether you’re still deciding or have a fixed choice, we have compliance solutions available for both the NIST Cybersecurity Framework and ISO27001. Click the links below to find out more.

• ISO27001:2022 Toolkit
• NIST CSF 2.0 Toolkit
• ISO27001 Services