cyber security


Please respond .. 100 min word ..

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) originated in 2014 under then President Barack Obama to protect our critical infrastructure, and it is considered useful for any organization that needs to manage cybersecurity risks. The International Standards Organization (ISO) standard 27001, developed in 2015 and revised in 2013, shows how to develop an Information Security Management System (ISMS) in conjunction with the overall management of an organization.

ISO 27001 and NIST are different ways for organizations to enhance their security posture. Both are technology neutral and may be applied to any organization regardless of industry or size. They can be used in conjunction with local, national, international and industry regulations. Both are also based on risk management, which means that precautions are implemented only where risks are identified.

The NIST framework is divided into five functions: Identify, Protect, Respond and Recover. These are further broken down into categories and subcategories, making the controls granular and easy to implement. There is also a tiered implementation system, meaning that how much of the framework is needed depends on the size and needs of the company. Another handy feature of the CSF is the profile: the current profile describes what the security posture of the organization looks like now, and the target profile describes the desired state and how to get there. The framework can also be used as a requirement for partners and suppliers.

The ISO 27001 standard is also a standard for certification. An organization that is certified under the standard can show its customers, partners and vendors that their information is safe. The standard also helps an organization manage information that is held on paper as well as digitally stored. Because there is a certification, there is a set of documents that must be kept on file, including risk assessment and treatment, acceptable use statements, incident management, logs, and corrective actions. One other key factor in the ISO 27001 standard is the Plan-Do-Check-Act (PDCA) cycle, meaning that the system must be regularly tested and maintained.

The question often asked is: which is better? The answer is the technology catch-all, "It depends", or better still, a combination of both. ISO is a bit better at the big picture, while the CSF is better at looking at the specific security needs of different industries or departments. Personally, if I were a small business I would start with the CSF and, as things expanded, combine it with the ISO's profiles and functions.
