ISO 27001 vs NIST 800-53: which one is more suitable for your company?

There are two methodologies for IT security guidance: ISO 27001 (ISO/IEC 27001 Information Security Management) and NIST 800-53 (Security and Privacy Controls for Information Systems and Organizations). How do you make the right decision on choosing which is right for your business and which meets your goals? To help you make the right decision, I am going to talk about two security standards.

ISO 27001 is the result of collaboration between several entities. In the early 90’s, major UK companies came together to put in place measures to secure their online exchanges. In 1991, a draft “best practices” code of practice was born, calling for the formalization of an information security policy.

NIST 800-53 was developed in the United States on the basis of Executive Order number 13636, and published on February 12th, 2013. As a result of this Executive Order, NIST 800-53 has taken the lead in developing the Cybersecurity Framework.

Is there a difference between the two methodologies?

The ISO27001 standard helps organizations to secure their information assets. It defines the requirements for the information security management system (ISMS). It uses a systematic approach to manage sensitive information so that the information remains secure. Management must be able to demonstrate that the organization identifies, reviews and manages security risks on an ongoing basis through the application of appropriate controls.

The standard also defines 14 areas that are broken down into 114 controls.

14 Control Areas of ISO 27001

• Information Security Policies
• Information Security Organization
• Human Resource Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• Systems Acquisition
• Development and Maintenance
• Vendor Relations
• Information Security Incident Management
• Information Security Aspects of Business Continuity Management
• Compliance

Its strengths lie in the planning phase, where you define your organization’s coverage context, highlighting and defining risks, and developing a risk mitigation strategy. It is less technical and more risk-based for organizations of all shapes and sizes. Another benefit is that your company can get a certificate stating that it has passed an ISO 27001 audit, which can be a winning marketing strategy.

On the other hand, strength of the NIST 800-53 lies in the execution phases, and its weakness lies in the planning phase. It is composed of three main elements:

• The Core represents a set of cyber security activities and outcomes. It is composed of three parts: Functions, Categories, and Subcategories. It includes five high-level functions: Identification, Protection, Detection, Response and Recovery. Categories are separated into 23 across the Functions and 108 subcategories detail the Categories further.
• Implementation Tiers describe the maturity of cyber security risk management practices within organizations.
• Profiles represent the unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile with a “Target” Profile.”

It is not always necessary to choose between NIST 800-53 and ISO. In fact, the two are complementary and can be used in the same organization.

Sources:

• NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations, https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
• SO/IEC 27001 Information Security Management, https://www.iso.org/isoiec-27001-information-security.html

If you need any assistance or have any questions regarding cybersecurity within your company, don’t hesitate to contact us.