Which one do I choose? NIST Cybersecurity Framework vs ISO 27002 vs NIST 800-53
Picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, this should be driven by compliance requirements where understanding what you need to address from a statutory, regulatory and contractual perspective should create the minimum set of compliance requirements. Understanding that baseline makes it pretty easy to understand where on the "compliance spectrum" you need to focus.
NIST CSF < ISO 27002 < NIST 800-53 < Secure Controls Framework
If you ask a cybersecurity professional to identify their preferred best practice, it generally comes down to NIST or ISO. If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it comes down to personal preferences, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same arguments can be made for IT security’s two heavy hitters – NIST 800-53 and ISO 27002. These leading cybersecurity frameworks both cover the same fundamental building blocks of a cybersecurity program, but differ in some content and layout. Both can be great solutions, but it is important to understand that each one has its benefits and drawbacks. Therefore, the choice should be driven by the type of industry your business is in. Gaining popularity is the NIST Cybersecurity Framework (NIST CSF), but it lacks appropriate coverage out of the box to be considered a comprehensive cybersecurity framework.
A key consideration for picking a cybersecurity framework comes down to the level of content the framework offers, since this governs what you can natively comply with without having to bolt on content to make it work:
- NIST Cybersecurity Framework (NIST CSF) has the least coverage of the major cybersecurity frameworks. It works great for smaller or unregulated businesses.
- ISO 27002 is an internationally-recognized cybersecurity framework that provides coverage for many common requirements (e.g., PCI DSS, HIPAA, etc.). It is important to note that companies cannot certify against ISO 27002, just ISO 27001. ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides those specific controls that are necessary to actually implement ISO 27001.
- NIST 800-53 includes what both ISO 27002 and NIST CSF address, as well as a whole host of other requirements.
- The Secure Controls Framework (SCF) is a "best in class" approach that covers NIST 800-53, ISO 27002 and NIST CSF. Being a hybrid, it allows you to address all three frameworks at once.
What Documentation Do I Need To Comply With NIST CSF, ISO 27002 or NIST 800-53?
To do NIST CSF, ISO 27002 or NIST 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to be in compliance with NIST CSF vs ISO 27002 vs NIST 800-53, since there are significantly different levels of expectation.
When you look at the compliance bundles we created to help comply with NIST CSF, ISO 27002 and NIST 800-53, you will see that each has a different selection of products. These products listed below map directly to the section of NIST CSF vs ISO 27002 vs NIST 800-53. As depicted in the spectrum graphic at the top of this page, there are fewer requirements to comply with the NIST Cybersecurity Framework, while ISO 27002 has more requirements. However, ISO 27002 has fewer requirements than NIST 800-53.
Not Sure Which Cybersecurity Framework Your Company Needs?
To help visualize it, the fourteen (14) sections of ISO 27002 security controls fit within the twenty-six (26) families of NIST 800-53 rev4 security controls. ISO 27002 is essentially a subset of NIST 800-53.
The NIST Cybersecurity Framework (NIST CSF) takes parts of ISO 27002 and parts of NIST 800-53, but is not inclusive of both. That makes the NIST CSF better for smaller companies that need a best practice framework to align with, where ISO 27002 and NIST 800-53 are better for larger companies or those that have unique compliance requirements. Unfortunately, common requirements such as the Payment Card Industry Data Security Standard (PCI DSS) are more comprehensive than the NIST CSF, so you would need to use ISO 27002 or NIST 800-53 to meet PCI DSS as a framework, unless you want to bolt-on additional controls to the NIST CSF to make that work. Is that wrong? No, but it is just messy when you start bolting onto frameworks. Think of it along the lines of gnawing off the square sides of a peg to make it fit into a round hole, where it will eventually fit but it likely will not look very good.
One thing to keep in mind is that NIST 800-53 is a super-set of ISO 27002 - that means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53. The following diagram provides a good representation of the additional compliance requirements that can be addressed with NIST over ISO. This shows how:
Regardless of what flavor cybersecurity program you need or want to have, ComplianceForge has a solution that can work for you. We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!
Secure Controls Framework (SCF) Overview
If you are not familiar with the Secure Controls Framework (SCF), it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations!
The SCF is an open source project that provides free cybersecurity and privacy controls for business. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.
On the comprehensive side of the spectrum, the Secure Controls Framework (SCF) provides coverage for NIST 800-53, ISO 27002 and the NIST Cybersecurity Framework, since it is a best-in-class hybrid. The Digital Security Program (DSP) has 1-1 mapping with the SCF, so the DSP provides the most comprehensive coverage of any ComplianceForge product.
NIST 800-53 Overview
The National Institute of Standards and Technology (NIST) is on the fourth revision (rev4) of Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Notice that the title does not mention anything about private industry – NIST designed this framework to protect the US federal government. However, due to the significant outsourcing to private companies, as well as extensive regulation for businesses, NIST 800-53 best practices have become the de facto standard for private businesses that do business with the US federal government.
The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is called out as the best practices for government contractors to secure their systems. That further helps strengthen NIST 800-53 as a best practice within the US, especially for any government contractors.
One great thing about NIST 800-53, and it applies to all NIST publications, is that it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.
ISO 27002 Overview
The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO’s IT security documents in the 27000 series of their documentation catalog - ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aids in the implementation of ISO 27001.
To keep things simple, just remember that ISO 27001 lays out the framework to create an “Information Security Management System” (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual “best practices” details of what goes into building a comprehensive IT security program. Since ISO’s information security framework has been around since the mid-1990s, it was in the “right place at the right time” to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and by companies that do not have to specifically comply with US federal regulations. ISO 27002 is also “less paranoid” than NIST 800-53, which has the advantage of being less complex and therefore easier to implement.
One unfortunate thing about ISO 27002, and it applies to all ISO publications, is that ISO charges for its publications - http://www.iso.org/iso/home/store.htm.
NIST Cybersecurity Framework Overview
The NIST Cybersecurity Framework (NIST CSF) does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. The CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues.
The NIST CSF is designed to evolve with changes in cybersecurity threats, processes, and technologies. Essentially, the NIST CSF envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions.
The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, PCI DSS, and HIPAA. For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002, are required.
Government or DoD Contractor? FAR & DFARS Implications
NIST 800-171 isn’t just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been putting this information out in webinars and other training seminars on NIST 800-171. Many of our clients who need to address DFARS 252.204-7012 also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002, the NIST Cybersecurity Framework or NIST 800-53, since those are the most common security frameworks.
The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171.
This means that only the NIST 800-53 framework is going to meet the FAR requirements of NIST 800-171 - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage.
Not sure what CUI is or if you have CUI on your network? We have several free guides and videos that you can use to educate yourself on the matter or you can go to the US Government's authoritative source, the US Archives CUI Registry at https://www.archives.gov/cui/registry.