NIST 800-53 vs ISO 27002
Picking An IT Security Framework For Your Company
If you ask an IT security professional to identify their preferred best practice, it generally comes down to NIST or ISO. If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it comes down to personal preferences, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same arguments can be made for IT security’s two heavy hitters – NIST and ISO. These frameworks both cover the same fundamental building blocks of an IT security program, but differ in some content and layout. Both can be great solutions, but it is important to understand that each one has its benefits and drawbacks. Therefore, choice should be driven by the type of industry your business is in.
The National Institute of Standards and Technology (NIST) is on the fourth revision (rev4) of Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Notice that doesn’t mention anything about private industry – NIST designed this framework to protect the US federal government. However, due to the significant outsourcing to private companies, as well as extensive regulation for businesses, NIST 800-53 best practices have become the de facto standard for private businesses that do business with the US federal government.
The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is called out as the best practices for government contractors to secure their systems. That further helps strengthen NIST 800-53 as a best practice within the US, especially for any government contractors.
One great thing about NIST 800-53, and it applies to all NIST publications, is that it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.
The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO’s IT security documents in the 27000 series of their documentation catalog - ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aides in the implementation of ISO 27001.
To keep things simple, just remember that ISO 27001 lays out the framework to create an “Information Security Management System” (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual “best practices” details of what goes into building a comprehensive IT security program. Since ISO’s information security framework has been around since the mid-1990s, it was in “right time at the right place” to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and for companies that do not have to specifically comply with US federal regulations. ISO 27002 is also “less paranoid” than NIST 800-53, which has an advantage of being less complex and therefore easier implement.
One unfortunate thing about ISO 27002, and it applies to all ISO publications, is that ISO charges for its publications - http://www.iso.org/iso/home/store.htm.
Government or DoD Contractor - FAR & DFARS Implications?
When you look at choosing ISO or NIST from the viewpoint of complying with US government regulations, there are considerations that need to be accounted for.
- If you only need to address FAR 52.204-21, it is possible to comply with either ISO 27002 or NIST 800-53.
- If you need to address DFARS 252.204-7012, it limits your options and you really need to align with NIST 800-53, since ISO 27002's scope is insufficient to address NIST 800-171 controls.
ISO 27002, NIST 800-53 or Both?
Regardless of what flavor IT security program you need or want to have, ComplianceForge has a solution that can work for you.