
reviewdate: 2024-09-09

See also:

Target organizations

NIST CSF provides a high-level scope and a flexible framework that any organization can use to build an information security program. In contrast, NIST 800-53 is a special publication designed to help implement NIST CSF in private businesses that work with the US federal government.

NIST 800-53 includes both NIST CSF and ISO 27002 requirements, as well as many others, making it one of the most granular cybersecurity frameworks available.

Similarities

ISO 27001 and NIST CSF are complementary frameworks based on similar risk management processes:

  • Identify risks to the organization's information
  • Implement controls appropriate to the risk
  • Monitor their performance

There are many other overlaps between the two security frameworks. In fact, an organization that holds an ISO 27001 certification has already met about 83% of its NIST CSF requirements. Conversely, an organization that's NIST CSF compliant is already 61% of the way to the ISO 27001 finish line.

Key differences: NIST Framework vs. ISO 27001

| NIST Framework | ISO 27001 |
|---|---|
| NIST was primarily created to help US federal agencies and organizations better manage their risk. | ISO 27001 is an internationally recognised method of creating and managing an Information Security Management System (ISMS). |
| Consists of various control catalogs: 5 functions, 21 categories and 78 subcategories. | Consists of an Annex A with 14 control domains and 114 controls in total. |
| Made up of three main sections: Framework Core, Implementation Tiers and Profiles. Each Core Function consists of categories that must be completed for that function to be considered fulfilled. | Utilises risk-based management consisting of recommendations on how best to secure information in the organization. |
| Relies on voluntary self-assessment and self-declared compliance. | Relies on independent audit and certification bodies. Organizations receive a certification on completion. |
| Uses five main functions to customise cybersecurity controls. | Has 10 clauses to guide an organization through its Information Security Management System. |