ISO 27001 and NIST both involve establishing information security controls, but the scope of each differs in how it approaches information security. ISO 27001 is a standard that focuses on keeping customer and stakeholder information confidential, maintaining integrity by preventing unauthorised modification and keeping information available to authorised people and systems.
ISO 27001 outlines the requirements for Information Security Management Systems (ISMS) and gives organisations guidance on how to establish, implement, maintain and continually improve an ISMS. Everyone in the organisation gets involved in cybersecurity to create a more secure environment, with risks that are clearly established and planned for.
The National Institute of Standards and Technology (NIST) has a voluntary cybersecurity framework available for organisations overseeing critical infrastructure. Its goals are the same as those of ISO 27001, with an emphasis on identifying, evaluating and managing the acceptable risks to information systems.
ISO 27001 Structure
The ISO 27001 standard has 10 clauses, the first three of which cover the references, terms and other basic information used throughout the standard. The other seven clauses guide companies in establishing and maintaining their Information Security Management System.
- 4. Organisation's Context: The company looks at the environment that it's working in, the systems involved and the goals that it has. Some of the areas covered include the overall scope that the ISMS covers, relevant parties and the assets that should fall under the system.
- 5. Leadership and Commitment: Information security comes from the top down. When upper management is actively involved with following these requirements and offering guidance throughout the process, it's more likely that the project will succeed. The business strategy should inform the information security measures that are part of the ISMS and leadership should provide the resources needed to support these initiatives.
- 6. Planning: Businesses should have a way to identify cybersecurity risks, treat the most concerning threats and discover opportunities. A risk management process is the most important part of this clause. Organisations must prepare for ongoing cybersecurity assessment as new threats come up.
- 7. Support: Successful cybersecurity measures require enough resources to support these efforts. Organisations need the right combination of infrastructure, budget, people and communications to achieve success in this area.
- 8. Operation: This clause covers what organisations need to do to act on the plans they have made to protect and secure data.
- 9. Performance Evaluation: After the plan deploys, companies should track whether it's effective at managing the risk to determine if they need to make changes.
- 10. Improvement: Effective information security management is an ongoing process. Organisations should plan to re-evaluate their ISMS on a regular basis to keep up with the latest risks.
NIST Cybersecurity Framework
Companies may see a lot of overlap between the NIST Cybersecurity Framework and ISO 27001 standards. Any company that is heavily reliant on technology can benefit from implementing these guidelines, as the NIST framework is flexible enough to accommodate everything from standard information systems to the Internet of Things. The NIST framework uses five overarching functions to allow companies to customise their cybersecurity measures to best meet their goals and the unique challenges they face in their environments.
- Identify: What cybersecurity risks exist in the organisation? The context of the company is important, similar to clause 4 in ISO 27001, as well as the infrastructure and capabilities that are present. Assessments of existing cybersecurity measures and risks fall under this category.
- Protect: A company needs to design the safeguards that protect against the most concerning risks and minimise the overall consequences that could follow if a threat becomes a reality. The protective measures that organisations put in place can include data security systems, cybersecurity training for all employees, routine maintenance procedures, access control and user account control.
- Detect: Early threat detection can make a significant difference in the amount of damage a threat could do. This function allows companies to discover incidents earlier, determine whether the system has been breached, proactively monitor all of the infrastructure and surface anomalies that could be the result of a cybersecurity problem.
- Respond: How does the company respond to a cybersecurity attack after it happens, and does it have procedures in place that cover these eventualities? Everything should be planned out ahead of time so there is no question about who needs to be contacted during an emergency or an incident. The chain of command and lines of communication also get established under this function. Post-incident analysis can provide excellent information on what happened and how to prevent it from recurring.
- Recover: What needs to happen to get the organisation back to normal following a cybersecurity incident? Business continuity planning should cover how to restore the systems and data impacted by an attack. It also dictates how long it takes to recover and what needs to happen moving forward.
NIST and ISO 27001 have frameworks that tackle information security and risk management from different angles. The right choice for an organisation depends on the level of risk inherent in its information systems, the resources it has available and whether it already has a cybersecurity plan in place. Significant overlap between the two standards provides companies with extensive guidance and similar protections, no matter which they choose. An Information Security Management System consultant can help a company decide which standard it should comply with.