cyber security
Please respond (100 words minimum).
The NIST Cybersecurity Framework (CSF) is a voluntary framework that helps organizations manage cybersecurity risk and apply security practices and controls across their infrastructure. The framework has three components: the Framework Core, the Implementation Tiers, and Profiles. The Core is organized into five Functions (Identify, Protect, Detect, Respond, and Recover), each broken down into Categories and Subcategories that point to existing standards and practices an organization can use to align with the framework. There is no official certification for the NIST CSF; organizations assess their own alignment against it (ISO 27001 and NIST, 2019). They are not required to adopt every recommendation in the CSF and can select the ones that fit their risk profile.
ISO 27001 is a globally recognized standard developed by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC). It specifies the requirements for an information security management system (ISMS) that an organization must meet to be considered compliant. The 2013 edition's Annex A lists 114 controls grouped into 14 control categories; the controls are technology-neutral and focus on protecting the confidentiality, integrity, and availability of information. Unlike the NIST CSF, ISO 27001 has a formal certification, gained by passing an independent audit by an accredited certification body and meeting all of the standard's requirements.
Between the two standards, ISO 27001 is better prepared to handle disasters and attacks. The NIST CSF centers on implementing a cybersecurity strategy. ISO 27001 provides not only an implementation strategy but also a methodology, built into the management system, that requires continuous improvement. “ISO 27001 takes a much wider approach – its methodology is based on the Plan-Do-Check-Act (PDCA) cycle, which means it builds the management system that not only plans and implements cybersecurity, but also maintains and improves the whole system” (Kosutic, 2014). Where the NIST CSF lays the groundwork, it does not by itself require a management system that maintains and improves security over time. For that reason, the NIST CSF suits organizations that need to build a strong baseline strategy, while ISO 27001 has a long-term focus on security. Both standards help build a strong cybersecurity program, which is why some organizations adopt both rather than choosing one or the other.
An introduction to the components of the framework. (2018). NIST. Retrieved from https://www.nist.gov/cyberframework/online-learning/components-framework
ISO/IEC 27001 information security management. (2013). ISO. Retrieved from https://www.iso.org/isoiec-27001-information-security.html
ISO 27001 and NIST. (2019). IT Governance. Retrieved from https://www.itgovernanceusa.com/iso27001-and-nist
Kosutic, D. (2014). Which one to go with – Cybersecurity Framework or ISO 27001? Advisera. Retrieved from https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/