NIST Cybersecurity Framework or ISO 27001 – Which is the better choice for your company?

On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework. If you have already come across ISO 27001, you are probably wondering: What does this Framework have to do with ISO 27001? Should you use one over the other? Which one is better for your company? What is the difference between ISO 27001 and NIST?

The NIST Cybersecurity Framework follows the U.S. president’s executive order Improving Critical Infrastructure Cybersecurity from 2013. It is suitable for use by any organization that faces cybersecurity risks.

ISO 27001 is an information security standard published in 2005 and last revised in 2019. It is accepted worldwide as the de facto main framework for information security / cybersecurity implementation. It describes the Information Security Management System, and it places security in the context of the overall management and processes in a company.

Overview

The Cybersecurity Framework follows the U.S. president’s executive order Improving Critical Infrastructure Cybersecurity from 2013, and was initially intended for U.S. companies that are considered part of critical infrastructure. However, it is suitable for use by any organization that faces cybersecurity risks, regardless of its maturity, size, or industry.

ISO/IEC 27001 is an information security standard published by the International Organization for Standardization in 2005 and last revised in 2019. It is accepted in most countries as the de facto main framework for information security / cybersecurity implementation. It describes the Information Security Management System, and it places security in the context of the overall management and processes in a company. It is suitable for use by organizations of any maturity, size, or industry.

Who is obliged to comply with ISO 27001 and the Cybersecurity Framework?

Both frameworks are voluntary, so NIST and ISO do not require organizations to implement them.

What happens in practice is that in some countries, governments define laws or regulations that make compliance with them mandatory in certain circumstances.

NIST versus ISO 27001 – Do both have recognized certifications?

At this moment, only ISO 27001 has a certification scheme that is recognized worldwide.

Recognition of a Cybersecurity Framework implementation depends on the criteria agreed between the parties involved.

What do Cybersecurity Framework and ISO 27001 have in common?

Most importantly, both the Cybersecurity Framework and ISO 27001 give you a methodology for implementing information security or cybersecurity in an organization. In reality, you could implement information security according to either of them, and you would probably achieve quite good results.

Both are technology neutral, applicable to any type of organization (not only to those that are part of critical infrastructure), and both have the purpose of achieving business benefits while observing legal and regulatory requirements, and requirements of all the interested parties.

And perhaps the biggest similarity is that they are both based on risk management: this means that both require safeguards to be implemented only where cybersecurity risks have been identified.

NIST vs. ISO 27001 | Which one is better for your company?

What does the Framework have that ISO 27001 doesn’t?

When analyzing NIST versus ISO 27001, what I really like about the Cybersecurity Framework is how clearly it is structured when it comes to planning and implementation – I must admit it is better than ISO 27001 in that respect:

The Framework Core is divided into Functions (Identify, Protect, Detect, Respond, and Recover), then into 22 related Categories (e.g., Asset Management, Risk Management, etc. – very similar to the sections in ISO 27001 Annex A) and 98 Subcategories (very similar to the controls in ISO 27001 Annex A), and for each Subcategory several references are made to other frameworks such as ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and CCS CSC. This way, it is very easy to see what the requirements for cybersecurity are and where to find out how to implement them.

The Framework Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) explain how deeply the implementation of cybersecurity should go. This way, a company can easily decide how far it wants to go with its implementation, taking into account the requirements of various interested parties.

A Framework Profile (e.g., Current Profile, Target Profile) shows where the organization stands right now with respect to the Categories and Subcategories of the Framework Core, and where it wants to be. This way, it is very easy to see where the gaps are, and action plans can then be developed for closing them.

Further, Framework Profiles can be used to set minimum requirements for other organizations – e.g., suppliers or partners – a technique that unfortunately does not exist in ISO 27001.
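The Core/Tiers/Profiles mechanics described above can be modelled directly: a Profile maps Subcategories to the Implementation Tier reached, comparing a Current Profile with a Target Profile yields the gaps and an action plan, and the same comparison checks a supplier's Profile against a minimum Target. This is an added illustration, not code from the original post or from NIST; the Subcategory identifiers, Category names and tier assignments are constructed samples.

```python
"""Framework Profile gap analysis: added illustration, not from the post or from NIST.
Subcategory ids, Category names and tier assignments below are constructed samples."""
from dataclasses import dataclass

# Framework Implementation Tiers, least to most mature; rank 0 means not implemented.
TIERS = ("Partial", "Risk Informed", "Repeatable", "Adaptive")
TIER_RANK = {name: rank for rank, name in enumerate(TIERS, start=1)}


@dataclass(frozen=True)
class Subcategory:
    ident: str      # constructed sample id in the Framework's FN.CAT-n style
    function: str   # Identify, Protect, Detect, Respond or Recover
    category: str   # constructed sample Category name


CORE = [  # constructed excerpt of a Framework Core
    Subcategory("ID.AM-1", "Identify", "Asset Management"),
    Subcategory("ID.RA-1", "Identify", "Risk Assessment"),
    Subcategory("PR.AC-1", "Protect", "Access Control"),
    Subcategory("DE.CM-1", "Detect", "Continuous Monitoring"),
]
# A Profile maps Subcategory id -> Tier reached (Current) or required (Target).
CURRENT_PROFILE = {"ID.AM-1": "Repeatable", "ID.RA-1": "Partial", "PR.AC-1": "Risk Informed"}
TARGET_PROFILE = {"ID.AM-1": "Repeatable", "ID.RA-1": "Repeatable",
                  "PR.AC-1": "Adaptive", "DE.CM-1": "Risk Informed"}


def gap_analysis(core, current, target):
    """Return (subcategory, have_rank, want_rank) per shortfall, largest gap first.
    Ids absent from Target are out of scope; absent from Current they count as rank 0."""
    gaps = []
    for sub in core:
        if sub.ident not in target:
            continue
        want = TIER_RANK[target[sub.ident]]
        have = TIER_RANK.get(current.get(sub.ident), 0)
        if have < want:
            gaps.append((sub, have, want))
    return sorted(gaps, key=lambda g: (g[1] - g[2], g[0].ident))


def action_plan(gaps):
    """Render gaps as action-plan lines: Function/Category id: have -> want."""
    return [f"{s.function}/{s.category} {s.ident}: "
            f"{TIERS[have - 1] if have else 'not implemented'} -> {TIERS[want - 1]}"
            for s, have, want in gaps]


def meets_minimum(supplier_profile, minimum_target):
    """Supplier check: True when no in-scope Subcategory falls below the minimum Target."""
    return not gap_analysis(CORE, supplier_profile, minimum_target)
```

Running `action_plan(gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE))` lists the three Subcategories below target; a Subcategory missing from the Current Profile is reported as "not implemented" rather than silently skipped.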

NIST vs. ISO 27001 – Where ISO 27001 is better

So, let’s go deeper into the NIST vs. ISO 27001 comparison. One of the greatest advantages of ISO 27001 is that companies can become certified against it – this means that a company can prove to its clients, partners, shareholders, government agencies, and others that it can indeed keep their information safe.

Further, ISO 27001 is an internationally recognized and accepted standard – if a U.S. company wants to prove its ability to its clients, partners, and governments outside of the United States, ISO 27001 will be much better than the Framework.

Another difference between ISO 27001 and NIST is that ISO 27001 focuses on protecting all types of information, not just information stored or processed in IT systems. It is true that paper-based information has less and less importance, but for some companies such information might still pose significant risks.

Unlike the Cybersecurity Framework, ISO 27001 clearly defines which documents and records are needed, and the minimum that must be implemented. See also List of mandatory documents required by ISO 27001 (2013 revision).

Finally, whereas the Framework focuses only on how to plan and implement cybersecurity, ISO 27001 takes a much wider approach – its methodology is based on the Plan-Do-Check-Act (PDCA) cycle, which means it builds a management system that not only plans and implements cybersecurity, but also maintains and improves the whole system. Practice has shown that it is not enough to plan and implement a system: without constant measurement, review, audit, corrective actions, and improvements, such a system will gradually deteriorate and ultimately lose its purpose. Learn more here: ISO 27001 implementation checklist.

Ease of implementation

This topic needs to be considered from two points of view.

ISO 27001 provides an easier way to implement the management part of the security framework, i.e., the elements that will ensure that security can be managed in the long run (e.g., risk management, recognizing internal and external requirements, decision making, providing resources, internal audit, management review, corrective actions, etc.).

When it comes to the implementation of security controls, the Cybersecurity Framework enables companies to easily understand what is to be implemented, and where the gaps are.

So, the Cybersecurity Framework is better when it comes to structuring the areas of security that are to be implemented and to defining exactly which security profiles are to be achieved, whereas ISO 27001 is better at the overall picture of how to fit security into a company.

About costs, how do they differ?

When it comes to costs, besides the costs related to the implementation of controls and any personnel training, ISO 27001 also has costs related to the standard itself (the NIST document is free of charge) and, in the case of certified organizations, costs related to certification and surveillance audits. On the other hand, compliance with NIST will most likely require more investment in technology.

Cybersecurity Framework or ISO 27001?

When it comes to the differences between ISO 27001 and NIST and choosing between them, I would say that it is not a question of NIST versus ISO 27001 – it seems to me that it would be best to combine the two. (By the way, the Cybersecurity Framework suggests that it can easily complement some other program or system, and ISO 27001 has proved to be a very good umbrella framework for different information security methodologies.)

So, to conclude this NIST vs. ISO 27001 comparison, I think the best results can be achieved if the overall information security / cybersecurity program is designed according to ISO 27001 (clauses 4, 5, 7, 9, and 10), with the Cybersecurity Framework used for risk management and for the implementation of the particular cybersecurity areas and safeguards. Of course, practice will show how the Cybersecurity Framework works in real life, and whether this kind of combination makes sense. What is your experience?

To learn how to implement ISO 27001 through a step-by-step wizard and get all the necessary policies and procedures, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Author: Rhand Leal (Advisera)

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.