
Integrating NIST CSF and ISO 27001 to Establish Stronger Information Security

What Differs Between NIST CSF & ISO 27001?

The key to successfully integrating the NIST CSF and ISO 27001 is understanding what to put together and what to keep apart. This can be done by looking at the differences between the two programs. These differences do not set the two programs against each other or make them mutually exclusive; on the contrary, NIST CSF and ISO 27001 are synergistic. The differences between NIST CSF and ISO 27001 are discussed in detail below.

First, the Cybersecurity Framework provides better support for the implementation of controls and safeguards. Besides ISO 27001, the CSF works side by side with other well-known frameworks and best practices, which makes the CSF better suited for integration than ISO 27001. Next, the Cybersecurity Framework provides a basis for self-assessment and for the definition of objectives, which gives organizations a solid basis for identifying where they are and what they want to achieve. Then, unlike the NIST CSF, ISO 27001 is certifiable, which brings the many benefits of a system in which a third party trusted by your clients, partners, and regulators can vouch for your efforts to keep information safe. After that, ISO 27001 is internationally recognized and will be a much better option than the NIST CSF in that respect. Lastly, ISO 27001 goes beyond IT when an organization needs to protect information.

Adopting NIST CSF When ISO 27001 Has Already Been Implemented

Combining NIST CSF and ISO 27001 can bring more advantages to an organization, helping it develop aligned security practices and stronger cyber security, optimize resources, and improve business results. There are several considerations if an organization that has already implemented ISO 27001 wants to adopt NIST CSF. First, review the risk management process to include the concepts of Current Profile and Target Profile. Then, use the Statement of Applicability and the Framework Core to create a Current Profile. After that, perform an internal audit of the risk management process and the implemented controls, using the NIST CSF Framework Core and Framework Implementation Tiers as a reference. Next, define a Target Profile, considering the created Current Profile, the business and security objectives, and the results of the internal audit. Lastly, prepare action plans to achieve the proposed Target Profile.

How to Implement ISO 27001 When You Have Already Adopted NIST CSF

For this scenario, because most of the elements of the management system will probably not be formally in place, the organization should first review the controls implemented under NIST CSF against the ISO 27001 clauses, from clause 4.1 through clause 10.1. The clauses map to the following areas: clauses 4.1 to 4.3: business environment; clause 4.4: governance; clauses 5.1 to 5.3: governance; clause 6.1: risk management, risk assessment, and information protection processes and procedures; clause 7.3: awareness and training; clause 7.4: communication; clause 7.5.3: data security; clauses 8.2 and 8.3: risk assessment; clause 9.1: detection processes and protective technology; and clause 10.1: improvements.

No Structured Approach and Looking for Alternatives

The last scenario is when an organization has no structured approach to information security and is searching for alternatives. This situation is the easiest to deal with, since the organization is starting from a clean slate. The recommendation for this case is to design all of the organization's information security and cyber security management according to ISO 27001 (clauses 4, 5, 7, 9, and 10), and to use the Cybersecurity Framework for risk management and for the implementation of the particular cyber security controls and safeguards.

Conclusion

The key to successfully integrating the NIST CSF and ISO 27001 is to understand the differences between the two programs. With those differences understood, combining the NIST CSF and ISO 27001 can bring more advantages to an organization, helping it develop aligned security practices and stronger cyber security, optimize resources, and improve business results.

There are three scenarios for combining NIST CSF and ISO 27001. Firstly, the organization has already implemented ISO 27001 and wants to adopt NIST CSF. Secondly, the organization has already implemented NIST CSF and wants to adopt ISO 27001. Lastly, the organization has no structured approach to information security and is searching for alternatives. All three ways of combining NIST CSF and ISO 27001 are described in full in this article.


