- Cybersecurity Frameworks - NIST vs ISO
NIST 800-53 vs ISO 27002 vs NIST Cybersecurity Framework
Not Sure Which Cybersecurity Framework Your Company Needs?
If you ask an IT security professional to identify their preferred best practice, it generally comes down to NIST or ISO. If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it comes down to personal preferences, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same arguments can be made for IT security’s two heavy hitters – NIST and ISO. These frameworks both cover the same fundamental building blocks of an IT security program, but differ in some content and layout. Both can be great solutions, but it is important to understand that each one has its benefits and drawbacks. Therefore, choice should be driven by the type of industry your business is in.
To help visualize it, the fourteen (14) sections of ISO 27002:2013 security controls fit within the twenty-six (26) families of NIST 800-53 rev4 security controls. ISO 27002 is essentially a subset of NIST 800-53. However, the NIST Cybersecurity Framework (NIST CSF) takes parts of ISO and parts of NIST to create a type of "middle ground" that is not inclusive of either framework. That makes the NIST CSF better for smaller companies, where ISO 27002 and NIST 800-53 are better for larger companies or those that have unique compliance requirements, such as the Payment Card Industry Data Security Standard (PCI DSS).
From A Content Perspective, NIST CSF < ISO 27002 < NIST 800-53
One thing to keep in mind is that NIST 800-53 is a super-set of ISO 27002 - that means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53. The following diagram provide a good representation of the additional compliance requirements that can be addressed with NIST over ISO. This shows how:
- NIST Cybersecurity Framework (NIST CSF) covers a lot, but it is not inclusive of all ISO 27002 controls.
- ISO 27002 addresses most of what you need to comply with NIST CSF and a few other requirements.
- NIST 800-53 includes what ISO 27002 addresses, as well as a whole host of other requirements.
The Digital Security Program (DSP) column shows how a "digital company" must rely on more than just ISO 27002 or NIST 800-53 to ensure they are secure. However, for most companies, selecting ISO or NIST is a good option. The rest of this page describes other considerations in that decisions making process on which framework is best for your organization.
NIST 800-53 Overview
The National Institute of Standards and Technology (NIST) is on the fourth revision (rev4) of Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Notice that doesn’t mention anything about private industry – NIST designed this framework to protect the US federal government. However, due to the significant outsourcing to private companies, as well as extensive regulation for businesses, NIST 800-53 best practices have become the de facto standard for private businesses that do business with the US federal government.
The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is called out as the best practices for government contractors to secure their systems. That further helps strengthen NIST 800-53 as a best practice within the US, especially for any government contractors.
One great thing about NIST 800-53, and it applies to all NIST publications, is that it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.
ISO 27002 Overview
The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO’s IT security documents in the 27000 series of their documentation catalog - ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aides in the implementation of ISO 27001.
To keep things simple, just remember that ISO 27001 lays out the framework to create an “Information Security Management System” (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual “best practices” details of what goes into building a comprehensive IT security program. Since ISO’s information security framework has been around since the mid-1990s, it was in “right time at the right place” to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and for companies that do not have to specifically comply with US federal regulations. ISO 27002 is also “less paranoid” than NIST 800-53, which has an advantage of being less complex and therefore easier implement.
One unfortunate thing about ISO 27002, and it applies to all ISO publications, is that ISO charges for its publications - http://www.iso.org/iso/home/store.htm.
NIST Cybersecurity Framework Overview
The NIST Cybersecurity Framework (NIST CSF) does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. The CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues.
The NIST CSF is designed to evolve with changes in cybersecurity threats, processes, and technologies. Essentially, the NIST CSF envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions.
The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, PCI DSS, and HIPAA. For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002 are required.
Government or DoD Contractor? FAR & DFARS Implications
When you look at choosing ISO or NIST from the viewpoint of complying with US government regulations, there are considerations that need to be accounted for.
- If you only need to address FAR 52.204-21, it is possible to comply with either ISO 27002, NIST 800-53 or the NIST CSF.
- If you need to address DFARS 252.204-7012, it limits your options and you really need to align with NIST 800-53, since ISO 27002's scope is insufficient to address its required NIST 800-171 controls.
NIST CSF, ISO 27002, NIST 800-53 or All of The Above?
Regardless of what flavor IT security program you need or want to have, ComplianceForge has a solution that can work for you.