NIST 800-53 vs ISO 27002 vs NIST Cybersecurity Framework
Not Sure Which Cybersecurity Framework Your Company Needs?
If you ask an IT security professional to identify their preferred best practice, it generally comes down to NIST or ISO. If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it comes down to personal preference, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same argument can be made for IT security’s two heavy hitters – NIST and ISO. These frameworks both cover the same fundamental building blocks of an IT security program, but differ in some content and layout. Both can be great solutions, but it is important to understand that each one has its benefits and drawbacks. Therefore, the choice should be driven by the type of industry your business is in.
To help visualize it, the fourteen (14) sections of ISO 27002:2013 security controls fit within the twenty-six (26) families of NIST 800-53 rev4 security controls. ISO 27002 is essentially a subset of NIST 800-53. However, the NIST Cybersecurity Framework (NIST CSF) takes parts of ISO and parts of NIST to create a type of "middle ground" that is inclusive of NIST 800-53, but not ISO 27002. That makes the NIST CSF better for smaller companies, whereas ISO 27002 and NIST 800-53 are better for larger companies or those that have unique compliance requirements. Unfortunately, common requirements such as the Payment Card Industry Data Security Standard (PCI DSS) are more comprehensive than the NIST CSF, so you would need to use ISO 27002 or NIST 800-53 as a framework to meet PCI DSS, unless you want to bolt additional controls onto the NIST CSF to make that work. Is that wrong? No, but it gets messy when you start bolting onto frameworks - kind of along the lines of gnawing off the square sides of a peg to make it fit into a round hole, where it will eventually fit but it likely will not look very good.
From A Content Perspective, NIST CSF < ISO 27002 < NIST 800-53
One thing to keep in mind is that NIST 800-53 is a superset of ISO 27002 - that means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53. The following diagram provides a good representation of the additional compliance requirements that can be addressed with NIST over ISO. This shows how:
- NIST Cybersecurity Framework (NIST CSF) covers a lot, but it is not inclusive of all ISO 27002 controls.
- ISO 27002 addresses most of what you need to comply with NIST CSF and a few other requirements.
- NIST 800-53 includes what ISO 27002 addresses, as well as a whole host of other requirements.
The Digital Security Program (DSP) column shows how a "digital company" must rely on more than just ISO 27002 or NIST 800-53 to ensure it is secure. However, for most companies, selecting ISO or NIST is a good option. The rest of this page describes other considerations in the decision-making process on which framework is best for your organization.
NIST 800-53 Overview
The National Institute of Standards and Technology (NIST) is on the fourth revision (rev4) of Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Notice that the title doesn’t mention anything about private industry – NIST designed this framework to protect the US federal government. However, due to the significant outsourcing to private companies, as well as extensive regulation for businesses, NIST 800-53 best practices have become the de facto standard for private businesses that do business with the US federal government.
The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, calls out NIST 800-53 as the best practice for government contractors to secure their systems. That further strengthens NIST 800-53 as a best practice within the US, especially for government contractors.
One great thing about NIST 800-53, and it applies to all NIST publications, is that it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.
ISO 27002 Overview
The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO’s IT security documents in the 27000 series of its documentation catalog - ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aids in the implementation of ISO 27001.
To keep things simple, just remember that ISO 27001 lays out the framework to create an “Information Security Management System” (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual “best practices” details of what goes into building a comprehensive IT security program. Since ISO’s information security framework has been around since the mid-1990s, it was in the “right place at the right time” to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and by companies that do not have to specifically comply with US federal regulations. ISO 27002 is also “less paranoid” than NIST 800-53, which has the advantage of being less complex and therefore easier to implement.
One unfortunate thing about ISO 27002, and it applies to all ISO publications, is that ISO charges for its publications - http://www.iso.org/iso/home/store.htm.
NIST Cybersecurity Framework Overview
The NIST Cybersecurity Framework (NIST CSF) does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. The CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues.
The NIST CSF is designed to evolve with changes in cybersecurity threats, processes, and technologies. Essentially, the NIST CSF envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions.
The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, PCI DSS, and HIPAA. For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002, are required.
Government or DoD Contractor? FAR & DFARS Implications
NIST 800-171 isn’t just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been putting this information out in webinars and other training seminars on NIST 800-171. Many of our clients who need to address DFARS 252.204-7012 also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002, the NIST Cybersecurity Framework or NIST 800-53, since those are the most common security frameworks.
The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171.
This means that only the NIST 800-53 framework is going to meet the FAR requirements of NIST 800-171 - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage.
Not sure what CUI is or if you have CUI on your network? We have several free guides and videos that you can use to educate yourself on the matter or you can go to the US Government's authoritative source, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
NIST CSF, ISO 27002, NIST 800-53 or All of The Above?
Regardless of what flavor IT security program you need or want to have, ComplianceForge has a solution that can work for you. We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!