NIST CSF and ISO 27001: Becoming Cyber Secure
As the frequency and complexity of cyber attacks increase, so too does the cost of a data breach. The 2020 Cost of a Data Breach Report places the average cost of a breach in the US at $8.64 million.[1]
To combat the risk of a data breach and the associated reputational, commercial, and legal damage, more and more organizations are adopting internationally recognized cybersecurity frameworks to help them protect the information they hold. This paper discusses two such frameworks with strong uptake in the US: the NIST Cybersecurity Framework (CSF) and an information security management system (ISMS) as defined by ISO 27001.
IT GOVERNANCE USA GREEN PAPER | AUGUST 2020 3
The CSF explained
The CSF is an outcome-focused system for ensuring cybersecurity. It comprises three key elements: the ‘core’, ‘profiles’, and ‘implementation tiers’.
Framework core
The framework core describes five high-level cybersecurity ‘functions’:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
These functions are divided into ‘categories’, which describe related cybersecurity objectives in a general sense. The ‘identify’ function, for example, contains six categories: asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.
Categories are subdivided into ‘subcategories’, which contain specific cybersecurity objectives, each of which has a unique identifier. For example, the ‘risk assessment’ category contains a subcategory requiring that “Asset vulnerabilities are identified and documented.”
Implementation tiers
The tiers consider three high-level cybersecurity aspects: risk management processes, integrated risk management programs, and the degree of external participation (in information-sharing programs, collaboration with suppliers, etc.).
NIST encourages progressing to higher tiers where doing so would result in a cost-effective reduction in risk.
The informative references are not mandatory. As the CSF is an outcome-focused system, the specific method used to achieve a given cybersecurity objective does not matter, provided the objective is achieved. If none of the listed references for a given objective contains a method suitable for the organization, you can opt to develop your own.
Profiles
Profiles play a key role in determining the current state of the organization’s cybersecurity (the ‘current profile’) and the desired future state (the ‘target profile’).
The current profile is developed by mapping the organization’s current practices against the functions, categories, and subcategories in the framework core. This provides a picture of the organization’s present cybersecurity status.
The target profile follows the same process, but instead focuses on the organization’s desired cybersecurity status. Once the two profiles are complete, you can compare them against each other – or perform a ‘gap analysis’, if you like – to determine what steps you need to take to achieve the target.
The target profile should be developed following a risk assessment. This lets the organization determine which functions, categories, and subcategories to include or exclude in its profile. The target profile should be a ‘living document’ that is updated to reflect the organization’s ongoing cybersecurity requirements.
Once the target profile is complete, examine the informative references for each requirement in the framework core, and select the most appropriate measure for implementation. If none of the CSF’s informative references are suitable, the organization can look for or develop its own – what matters is that the objective is achieved.
All this forms the basis for a plan of action to move from the organization’s current cybersecurity arrangements to a more mature, comprehensive, and consistent set of arrangements.
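The profile comparison described above, worked through in code as an added example (this is not code from the IT Governance paper or from NIST). It models a small slice of the framework core as function/category/subcategory entries with an identifier, an outcome and optional informative references, records a current and a target profile against it, derives the gap list, and turns that list into a plan of action that names the candidate measures for each gap. The subcategory identifiers and outcome texts are NIST CSF v1.1 entries as recalled for this example; the informative references, the three-step implementation-state scale and both profiles are constructed sample data.

```python
"""CSF profile comparison: current profile vs target profile -> gaps -> plan of action.

Added example; not code from the IT Governance paper or from NIST. Subcategory
identifiers and outcome texts are NIST CSF v1.1 entries as recalled here; the
informative references, the state scale and both profiles are CONSTRUCTED sample data.
"""
from dataclasses import dataclass

# Implementation states a profile may record, least to most mature (constructed scale;
# the CSF itself does not prescribe one).
STATES = ("not_implemented", "partial", "implemented")


def _rank(state: str) -> int:
    """Position of a state on the scale; rejects anything not on it."""
    if state not in STATES:
        raise ValueError(f"unknown implementation state: {state!r}")
    return STATES.index(state)


@dataclass(frozen=True)
class Subcategory:
    ident: str         # Function.Category-n, e.g. "ID.RA-1"
    outcome: str       # the cybersecurity objective to be achieved
    references: tuple  # informative references: optional, never mandatory


# A small slice of the framework core (references are constructed samples).
CORE = (
    Subcategory("ID.AM-1", "Physical devices and systems within the organization are inventoried",
                ("ISO/IEC 27001:2013 A.8.1.1",)),
    Subcategory("ID.RA-1", "Asset vulnerabilities are identified and documented",
                ("ISO/IEC 27001:2013 A.12.6.1", "NIST SP 800-53 RA-3")),
    Subcategory("ID.SC-1", "Cyber supply chain risk management processes are identified, "
                "established, assessed, managed, and agreed to by organizational stakeholders",
                ("ISO/IEC 27001:2013 A.15.1.1",)),
    Subcategory("PR.AC-1", "Identities and credentials are issued, managed, verified, revoked, and audited",
                ("ISO/IEC 27001:2013 A.9.2.1",)),
    Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events",
                ("ISO/IEC 27001:2013 A.12.4.1",)),
    Subcategory("RS.RP-1", "Response plan is executed during or after an incident",
                ("ISO/IEC 27001:2013 A.16.1.5",)),
    # Left without references only to exercise the "develop your own method" path;
    # the real CSF does list references for this subcategory.
    Subcategory("RC.RP-1", "Recovery plan is executed during or after a cybersecurity incident", ()),
)

# Current profile: what the organization does today (constructed).
CURRENT_PROFILE = {
    "ID.AM-1": "implemented", "ID.RA-1": "partial", "ID.SC-1": "not_implemented",
    "PR.AC-1": "partial", "DE.CM-1": "not_implemented",
    "RS.RP-1": "implemented", "RC.RP-1": "not_implemented",
}

# Target profile: the desired state after risk assessment (constructed). ID.SC-1 is
# deliberately absent: leaving a subcategory out of the target profile is how a
# risk-based decision not to pursue that outcome for now is recorded.
TARGET_PROFILE = {
    "ID.AM-1": "implemented", "ID.RA-1": "implemented", "PR.AC-1": "implemented",
    "DE.CM-1": "implemented", "RS.RP-1": "implemented", "RC.RP-1": "partial",
}


@dataclass(frozen=True)
class Gap:
    ident: str
    outcome: str
    current: str
    target: str
    references: tuple

    @property
    def distance(self) -> int:
        """Steps on the scale separating current from target."""
        return _rank(self.target) - _rank(self.current)


def gap_analysis(core, current, target):
    """Compare the two profiles over the core; return gaps, largest distance first."""
    gaps = []
    for sub in core:
        if sub.ident not in target:
            continue  # excluded from the target profile: no action required
        cur = current.get(sub.ident, "not_implemented")  # unmapped practice counts as not done
        if _rank(cur) < _rank(target[sub.ident]):
            gaps.append(Gap(sub.ident, sub.outcome, cur, target[sub.ident], sub.references))
    return sorted(gaps, key=lambda g: (-g.distance, g.ident))


def plan_of_action(gaps):
    """One action line per gap, listing candidate measures from the informative references."""
    lines = []
    for g in gaps:
        measures = ", ".join(g.references) if g.references else "no reference listed: develop own method"
        lines.append(f"{g.ident}: {g.current} -> {g.target} | {g.outcome} | candidate measures: {measures}")
    return lines


if __name__ == "__main__":
    print("\n".join(plan_of_action(gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE))))
```

Running the block prints four action lines, DE.CM-1 first because it has the most ground to make up; ID.SC-1 produces no action because the target profile omits it, and RC.RP-1 shows the case where no informative reference is listed and the organization has to find or develop its own measure. Unknown state values are rejected rather than silently ranked, which matters when profiles are maintained by hand as living documents.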
ISO 27001 explained
The international standard ISO 27001 provides the specification for a best-practice ISMS. An ISMS offers a systematic, risk-based approach to information security that focuses on three core ‘pillars’: people, processes, and technology, recognizing that IT is only one part of the wider security equation.
ISO 27001 requires the organization to determine its needs and obligations (legal, contractual, and business), and the information security risks it faces. Policies and procedures are then introduced to support the actions taken, and records are kept as evidence of those actions.
ISO 27001 contains 14 categories of information security controls that cover all aspects of the organization. As with the CSF, risk assessment is used to determine which controls should be implemented, allowing the ISMS to truly reflect the organization’s unique needs. Risk assessment and treatment are the core components of a successful ISMS, and the approach chosen must be structured and repeatable to ensure consistent results over time.
Monitoring and measurement are mandated to ensure the ISMS remains effective. Periodic audits ensure that the ISMS operates as intended, and regular management reviews keep the board informed as to the state of the management system, better enabling it to make informed cybersecurity decisions and provide direction.
Certification allows the organization to prove to stakeholders, including customers, partners, and regulators, that it takes information security seriously. A certified ISMS may also open new business opportunities – an increasing number of contracts, including government contracts, require the tenderer to demonstrate robust information security practices. Some even specifically require ISO 27001 certification.
Certification is not mandatory, however. Many organizations choose to use ISO 27001 as the basis for their information security program but forgo certification. While this can make it difficult to prove beyond any doubt that your cybersecurity practices are effective, this approach can be used to implement the CSF.
Both frameworks are outcome-focused and vendor-neutral, specifying information security goals and objectives, but leaving the decision as to how they are achieved to the organization. ISO 27001 explicitly recognizes the critical role that top management and the board play, not only in such decision-making but also in driving awareness and responsibility for information security throughout the organization.
Both ISO 27001 and the CSF require a controlled, long-term approach to information security based on continual improvement: through regular review of profiles and tiers in the CSF, and through regular audit, monitoring, measurement, and review in an ISMS.
In fact, of the 108 subcategories within the CSF, only 3 do not reference ISO 27001 as a possible route to achieving the objective, making an ISO 27001-compliant ISMS an effective way to implement the CSF.
An ISO 27001-compliant ISMS not only helps achieve the objectives of the CSF but also helps ensure the organization adheres to the widening array of cybersecurity regulations in effect around the world, reducing the long-term cost of compliance.
As a leading provider of IT governance, risk, and compliance solutions, IT Governance USA is perfectly positioned to help you on your cybersecurity journey. Our team has extensive experience in implementing the CSF, and we have helped more than 600 organizations achieve certification to ISO 27001.
Whether you are implementing the CSF as a first step on the road to cybersecurity, or as an enhancement to an existing program, IT Governance USA should be your first port of call.
Speak to an expert
Useful resources
IT Governance USA offers a unique range of helpful products and services, including books, documentation toolkits, standards, training courses, professional consultancy services, and more.
Certified ISO 27001 ISMS Lead Implementer Training Course
If you are involved in information security management or implementing ISO 27001, this course covers all the key steps in preparing for and achieving ISMS certification first time.
ISO 27001 FastTrack™ 500
A fixed-priced consultancy package designed to help organizations between 20 and 500 employees achieve ISO 27001 certification readiness in an agreed time frame. We offer a certification guarantee with no surprises!
Implementing an ISMS – The nine-step approach
Implementing Cybersecurity – The case for the NIST CSF
IT Governance USA is your one-stop shop for cybersecurity and IT governance, risk management, and compliance (GRC) information, books, tools, training, and consultancy.
Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.
Toolkits
Our unique documentation toolkits are designed to help organizations adapt quickly and adopt best practice using customizable template policies, procedures, forms, and records.
Visit www.itgovernanceusa.com/documentation-toolkits to view and trial our toolkits.
Training
We offer training courses from staff awareness and foundation courses, through to advanced programs for IT practitioners and certified lead implementers and auditors.
Our training team organizes and runs Live Online and self-paced online training courses all year round, as well as in-house training courses, covering a growing number of IT GRC topics.
Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organizations worldwide to be ISO 27001-compliant.
Visit www.itgovernanceusa.com/shop/category/software for more information.
IT Governance USA is the one-stop shop for cybersecurity, cyber risk, and privacy management solutions. Contact us if you require consultancy, books, toolkits, training, or software.
@ITG_USA
/it-governance-usa-inc
@ITGovernanceUSA
© 2003–2021 GRCI International Group Limited | Acknowledgement of Copyrights | GRC International Group Trademark Ownership Notification
Endnotes
1. IBM, “2020 Cost of a Data Breach Report”, July 2020, https://www.ibm.com/security/data-breach.
2. The White House, “Executive Order -- Improving Critical Infrastructure Cybersecurity”, February 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
3. The White House, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, May 2017, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/.
4. NIST, “Cybersecurity Framework”, accessed August 2020, https://www.nist.gov/industry-impacts/cybersecurity-framework.
5. ISO, “ISO Survey 2018”, September 2019, https://www.iso.org/the-iso-survey.html.