
What is the difference between ISO 27001 and NIST


NIST guidance was designed to be flexible and, outside the US federal agencies it was written for, voluntary. That flexibility makes it reasonably straightforward to adopt alongside ISO 27001, especially since the two share a number of concepts: both require senior management support, a continuous improvement process, and a risk-based approach. In practice, the ISO 27001 risk assessment method is quite similar to the NIST Risk Management Framework (RMF): it identifies threats to the organisation's information, implements suitable controls, and then monitors their effectiveness.

NIST SP 800-53 is primarily a catalogue of security and privacy controls, developed with input from a wide range of organisations, and is intended to establish best practice in US federal government information systems.

ISO 27001, on the other hand, is less technical and more risk-oriented, which makes it suitable for businesses of all sizes. It has a global reputation that many businesses respect and trust. Organisations can also obtain external, accredited certification to the Standard. Because the two frameworks map onto each other substantially (NIST publishes mappings between its controls and ISO 27001 Annex A), certification is a credible way to show that much of what NIST expects is already in place, although it is not in itself a statement of NIST compliance.

What is ISO27001 for?

— ISO 27001 is an internationally recognised approach for establishing and maintaining an information security management system (ISMS)
— ISO 27001 Annex A (2013 edition) provides 14 control categories with 114 controls; the 2022 revision reorganises these into 93 controls across four themes
— ISO 27001 is less technical, with more emphasis on risk-based management, and provides best practice recommendations for securing all forms of information
— ISO 27001 relies on independent, accredited audit and certification bodies
— ISO 27001 has 10 clauses to guide organisations through their ISMS, of which clauses 4 to 10 carry the mandatory requirements

What is NIST for?

— NIST's cybersecurity frameworks were primarily created to help US federal agencies and the organisations that work with them manage their risk
— The NIST frameworks draw on several control catalogues, SP 800-53 being the main one
— The NIST Cybersecurity Framework (CSF) contains three key components: the core, implementation tiers, and profiles. The core is organised into functions, each of which is broken down into categories, the activities necessary to fulfil that function
— NIST has no formal certification scheme; adoption is voluntary and compliance is asserted through self-assessment
— The NIST CSF uses five functions (Identify, Protect, Detect, Respond and Recover; CSF 2.0 adds Govern) around which an organisation tailors its cybersecurity controls

Prashant Phatak

Founder & CEO, Valency Networks

Prashant Phatak is an accomplished leader in the field of IT and cyber security. He is the founder and a C-level executive of his own firm, Valency Networks. Prashant specialises in vulnerability assessment and penetration testing (VAPT) of web applications, networks, mobile apps, cloud apps, IoT and OT networks. He is also a certified lead auditor for ISO 27001 and ISO 22301 compliance. As a proven problem solver, Prashant's expertise lies in end-to-end IT and cyber security consultancy across a range of industry sectors.
