NIST CSF and ISO 27001: Becoming Cyber Secure


IT GOVERNANCE USA | GREEN PAPER

NIST CSF and ISO 27001

Becoming cyber secure

Protect Comply Thrive


IT GOVERNANCE USA GREEN PAPER | AUGUST 2020

Introduction

Information is the backbone of commerce, and protecting that information is critical for organizations large and small, across all sectors.

Information and cybersecurity are particularly essential for critical infrastructure sectors such as chemical, energy, health care, water, and transportation. The impact of a major cybersecurity breach in such critical sectors could result in serious disruption, with potentially catastrophic consequences, both physical and digital.

However, effective cybersecurity is also critical for smaller organizations in non-infrastructure sectors. Without the resources of their larger counterparts, smaller organizations are often just as, if not more, vulnerable to the predations of cyber criminals, yet many mistakenly believe they are not large or important enough to be targeted. Nothing could be further from the truth.

As the frequency and complexity of cyber attacks increase, so too does the cost of a data breach. The 2020 Cost of a Data Breach Report places the average cost of a breach in the US at $8.64 million.1

To combat the risk of a data breach and the associated reputational, commercial, and legal damage, more and more organizations are adopting internationally recognized cybersecurity frameworks to help them protect the information they hold. This paper discusses two such frameworks with strong uptake in the US: the NIST Cybersecurity Framework (CSF) and an information security management system (ISMS) as defined by ISO 27001.

Background to the CSF

In 2013, Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, was issued to establish a voluntary, risk-based cybersecurity framework outlining best practice for critical infrastructure sectors.2 In response to the executive order, NIST developed the CSF in collaboration with stakeholders across a range of industries.

In 2017, a further executive order (EO 13800) was issued, requiring all federal agencies to use the CSF to manage their cybersecurity risk, placing it at the core of the federal cybersecurity program.3

While initially developed for use by US critical infrastructure sectors, the Framework has proven flexible enough to be adopted by organizations of all sizes, across all industry sectors, all around the world. As of 2015, the CSF was used by 30% of US organizations; Gartner projected that this figure would rise to 50% by 2020.4

The CSF explained

The CSF is an outcome-focused system for ensuring cybersecurity. It comprises three key elements: the ‘core’, ‘profiles’, and ‘implementation tiers’.

Framework core

The framework core describes five high-level cybersecurity ‘functions’:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

These functions are divided into ‘categories’, which describe related cybersecurity objectives in a general sense. The ‘identify’ function, for example, contains six categories: asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.

Categories are subdivided into ‘subcategories’, which contain specific cybersecurity objectives, each of which has a unique identifier. For example, the ‘risk assessment’ category contains a subcategory requiring that “Asset vulnerabilities are identified and documented.”

Subcategories describe specific cybersecurity objectives, but do not specify how to achieve them. Instead, each subcategory is linked to a set of ‘informative references’ that offer guidance on how to achieve the objective by referring to specific sections of recognized cybersecurity standards and publications like ISO 27001 and NIST Special Publication (SP) 800-53.

The informative references are not mandatory. As the CSF is an outcome-focused system, the specific method used to achieve a given cybersecurity objective does not matter, provided the objective is achieved. If none of the listed references for a given objective contains a method suitable for the organization, you can opt to develop your own.

Profiles

Profiles play a key role in determining the current state of the organization’s cybersecurity (the ‘current profile’) and the desired future state (the ‘target profile’).

The current profile is developed by mapping the organization’s current practices against the functions, categories, and subcategories in the framework core. This provides a picture of the organization’s present cybersecurity status.

The target profile follows the same process, but instead focuses on the organization’s desired cybersecurity status. Once the two profiles are complete, you can compare them against each other – or perform a ‘gap analysis’, if you like – to determine what steps you need to take to achieve the target.

The target profile should be developed following a risk assessment. This lets the organization determine which functions, categories, and subcategories to include or exclude in their profile. The target profile should be a ‘living document’ that is updated to reflect the organization’s ongoing cybersecurity requirements.

Implementation tiers

Implementation tiers provide a common language for the organization to describe its cybersecurity program in broad terms. They also serve as a continual improvement mechanism.

The four tiers (‘partial’, ‘risk informed’, ‘repeatable’, and ‘adaptive’) are used in a similar manner to profiles. A frank examination of the current profile will indicate the tier that most accurately represents the organization’s cybersecurity status.

Organizations should also select a target tier that reflects their cybersecurity goals. The broad requirements of the chosen tier can then be used to inform how the ‘target profile’ develops over time, helping ensure that information security arrangements remain effective as the organization evolves.

The tiers consider three high-level cybersecurity aspects: risk management processes, integrated risk management programs, and the degree of external participation (in information-sharing programs, collaboration with suppliers, etc.).

NIST encourages progressing to higher tiers where doing so would result in a cost-effective reduction in risk.

Implementing the CSF

Implementing the CSF is best approached in stages. To begin with, map the organization’s current cybersecurity status against the components of the framework core to develop a current profile and identify the organization’s current implementation tier.

Then perform a risk assessment to identify threats and vulnerabilities. Once the organization understands the threats to its information, it can determine how to mitigate them. This information is then used as the basis of the target profile, which describes what the organization wants to achieve in detail, and the target implementation tier, which describes the organization’s aims for risk management, so that everyone involved is on the same page.

Once the target profile is complete, examine the informative references for each requirement in the framework core, and select the most appropriate measure for implementation. If none of the CSF’s informative references are suitable, the organization can look for or develop its own – what matters is that the objective is achieved.

All this forms the basis for a plan of action to move from the organization’s current cybersecurity arrangements to a more mature, comprehensive, and consistent set of arrangements.

As the organization’s cybersecurity stance evolves over time, profiles and implementation tiers should be regularly reviewed to ensure that the chosen measures remain effective and that newly identified vulnerabilities are mitigated by existing (or, where necessary, new) controls.
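The current-versus-target profile comparison described under Profiles and in the staged implementation above, as an added worked example (not code from the paper or from IT Governance USA). It assumes the four implementation tiers can be applied per subcategory as an ordinal maturity scale, uses CSF 1.1 subcategory identifiers (ID.RA-1 is the “Asset vulnerabilities are identified and documented” subcategory quoted earlier), and the two sample profiles are constructed, not assessment data.

```python
"""Gap analysis between a CSF current profile and target profile (added example,
not from the paper). Assumptions: the four implementation tiers serve as a
per-subcategory maturity scale; IDs follow CSF 1.1 naming; sample data is constructed.
"""
from collections import Counter, namedtuple

TIERS = ["partial", "risk informed", "repeatable", "adaptive"]
Gap = namedtuple("Gap", "subcategory current target steps")  # steps: tiers still to climb

def tier_index(name: str) -> int:
    """Rank of a tier name; an unknown name is a data-entry error, not tier 0."""
    if name not in TIERS:
        raise ValueError(f"unknown tier {name!r}; expected one of {TIERS}")
    return TIERS.index(name)

def gap_analysis(current: dict[str, str], target: dict[str, str]) -> list[Gap]:
    """Return open gaps, largest first. Subcategories absent from the target were
    excluded by the risk assessment and are skipped; subcategories absent from the
    current profile have not been assessed and count as 'partial'."""
    gaps = []
    for sub, wanted in target.items():
        have = current.get(sub, "partial")
        steps = tier_index(wanted) - tier_index(have)
        if steps > 0:
            gaps.append(Gap(sub, have, wanted, steps))
    return sorted(gaps, key=lambda g: (-g.steps, g.subcategory))

def gaps_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Open gaps per high-level function (the prefix before the dot)."""
    return dict(Counter(g.subcategory.split(".")[0] for g in gaps))

# Constructed sample profiles (not an assessment of any real organization).
CURRENT_PROFILE = {
    "ID.RA-1": "partial",  # "Asset vulnerabilities are identified and documented"
    "ID.RA-3": "risk informed",
    "ID.AM-1": "repeatable",
    "ID.GV-1": "risk informed",
    "PR.AC-1": "risk informed",
}
TARGET_PROFILE = {
    "ID.RA-1": "repeatable",
    "ID.RA-3": "repeatable",
    "ID.AM-1": "repeatable",  # already met: no gap
    "ID.GV-1": "repeatable",
    "ID.SC-1": "risk informed",  # never assessed, so treated as 'partial'
    "PR.AC-1": "repeatable",
}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.subcategory}: {g.current} -> {g.target} ({g.steps} step(s))")
```

The sorted output is the skeleton of the plan of action: the widest gaps come first, and the per-function count shows where the plan concentrates effort.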

ISO 27001 explained

The international standard ISO 27001 provides the specification for a best-practice ISMS. An ISMS offers a systematic, risk-based approach to information security that focuses on three core ‘pillars’: people, processes, and technology, recognizing that IT is only one part of the wider security equation.

ISO 27001 requires the organization to determine its needs and obligations (legal, contractual, and business), and the information security risks it faces. Policies and procedures are then introduced to support the actions taken, and records are kept as evidence of those actions.

ISO 27001 contains 14 categories of information security controls that cover all aspects of the organization. As with the CSF, risk assessment is used to determine which controls should be implemented, allowing the ISMS to truly reflect the organization’s unique needs. Risk assessment and treatment are the core components of a successful ISMS, and the approach chosen must be structured and repeatable to ensure consistent results over time.

Monitoring and measurement are mandated to ensure the ISMS remains effective. Periodic audits ensure that the ISMS operates as intended, and regular management reviews keep the board informed as to the state of the management system, better enabling it to make informed cybersecurity decisions and provide direction.

Many organizations opt to certify their ISMS through an independent certification body. Certifications to ISO 27001 in the US increased by 37% from 2017 to 2018.5

Certification allows the organization to prove to stakeholders, including customers, partners, and regulators, that it takes information security seriously. A certified ISMS may also open new business opportunities – an increasing number of contracts, including government contracts, require the tenderer to demonstrate robust information security practices. Some even specifically require ISO 27001 certification.

Certification is not mandatory, however. Many organizations choose to use ISO 27001 as the basis for their information security program but forgo certification. While this can make it difficult to prove beyond any doubt that your cybersecurity practices are effective, this approach can still be used to implement the CSF.

ISO 27001 and the CSF

The requirements of ISO 27001 and the CSF are closely aligned. Both frameworks require the organization to implement controls based on a risk assessment, strongly emphasizing the importance of risk management in protecting information.

Both frameworks are outcome-focused and vendor-neutral, specifying information security goals and objectives, but leaving the decision as to how they are achieved to the organization. ISO 27001 explicitly recognizes the critical role that top management and the board play, not only in such decision-making but also in driving awareness and responsibility for information security throughout the organization.

Both ISO 27001 and the CSF require a controlled, long-term approach to information security based on continual improvement: through regular review of profiles and tiers in the CSF, and through regular audit, monitoring, measurement, and review in an ISMS.

In fact, of the 108 subcategories within the CSF, only 3 do not reference ISO 27001 as a possible route to achieving the objective, making an ISO 27001-compliant ISMS an effective way to implement the CSF.

How we can help

Organizations looking to implement the CSF to increase their access to contracts and markets will find distinct benefit in meeting the requirements by way of a certified ISMS.

An ISO 27001-compliant ISMS not only helps achieve the objectives of the CSF but also helps ensure the organization adheres to the widening array of cybersecurity regulations in effect around the world, reducing the long-term cost of compliance.

As a leading provider of IT governance, risk, and compliance solutions, IT Governance USA is perfectly positioned to help you on your cybersecurity journey. Our team has extensive experience in implementing the CSF, and we have helped more than 600 organizations achieve certification to ISO 27001.

Whether you are implementing the CSF as a first step on the road to cybersecurity, or as an enhancement to an existing program, IT Governance USA should be your first port of call.

Speak to an expert

Useful resources

IT Governance USA offers a unique range of helpful products and services, including books, documentation toolkits, standards, training courses, professional consultancy services, and more.

NIST Cybersecurity Framework – A pocket guide
Get a clear understanding of the NIST CSF with this essential pocket guide. Among other things, learn how to implement the CSF and integrate it with standards such as ISO 27001.

ISO 27001 Cybersecurity Toolkit
Accelerate your ISO 27001 project with this bestselling toolkit, which includes customizable and fully compliant documentation templates, dashboards and gap analysis tools, and direction and guidance from ISO 27001 experts.

ISO/IEC 27001:2013 Standard
The international standard ISO 27001 details the requirements of a best-practice ISMS, which your organization can implement to improve the state of its information security.

ISO 27001 Gap Analysis
A specialist review of your information security measures against the ISO 27001 requirements. Get the true picture of your compliance gaps, and receive expert advice on how to scope your project and establish your resource requirements.

Certified ISO 27001 ISMS Lead Implementer Training Course
If you are involved in information security management or implementing ISO 27001, this course covers all the key steps in preparing for and achieving ISMS certification first time.

ISO 27001 FastTrack™ 500
A fixed-price consultancy package designed to help organizations between 20 and 500 employees achieve ISO 27001 certification readiness in an agreed time frame. We offer a certification guarantee with no surprises!

Certified ISO 27001 ISMS Lead Auditor Training Course
Learn the skills to plan, execute, and report second- and third-party audits. Build your career as a lead auditor, and gain the skills to achieve ISO 27001 compliance in this five-day course.

View more products and services

Other papers you may be interested in

Implementing an ISMS – The nine-step approach (IT Governance USA green paper)
Implementing Cybersecurity – The case for the NIST CSF (IT Governance USA green paper)

IT Governance USA solutions

IT Governance USA is your one-stop shop for cybersecurity and IT governance, risk management, and compliance (GRC) information, books, tools, training, and consultancy.

Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility, and experience.

Visit www.itgovernanceusa.com/shop/category/it-governance-usa-books to view our full catalog.

Toolkits
Our unique documentation toolkits are designed to help organizations adapt quickly and adopt best practice using customizable template policies, procedures, forms, and records.

Visit www.itgovernanceusa.com/documentation-toolkits to view and trial our toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programs for IT practitioners and certified lead implementers and auditors.

Our training team organizes and runs Live Online and self-paced online training courses all year round, as well as in-house training courses, covering a growing number of IT GRC topics.

Visit www.itgovernanceusa.com/training for more information.

Consultancy
We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.

Visit www.itgovernanceusa.com/consulting for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organizations worldwide to be ISO 27001-compliant.

Visit www.itgovernanceusa.com/shop/category/software for more information.
IT Governance USA is the one-stop shop for cybersecurity, cyber risk, and privacy management solutions. Contact us if you require consultancy, books, toolkits, training, or software.

t: +1 877 317 3454
e: servicecenter@itgovernanceusa.com
w: www.itgovernanceusa.com

A GRC International Group plc subsidiary

420 Lexington Avenue, Suite 300
New York, NY 10170, USA

IT Governance USA Inc.

Twitter: @ITG_USA
LinkedIn: /it-governance-usa-inc
Facebook: @ITGovernanceUSA

© 2003–2021 GRCI International Group Limited

Endnotes

1. IBM, “2020 Cost of a Data Breach Report”, July 2020, https://www.ibm.com/security/data-breach.
2. The White House, “Executive Order -- Improving Critical Infrastructure Cybersecurity”, February 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
3. The White House, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, May 2017, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/.
4. NIST, “Cybersecurity Framework”, accessed August 2020, https://www.nist.gov/industry-impacts/cybersecurity-framework.
5. ISO, “ISO Survey 2018”, September 2019, https://www.iso.org/the-iso-survey.html.
