Is the security program of your organisation aligned with ISO 27001 but you wish you were able to use other frameworks as well? In this article you will learn how to use the controls of the NIST SP 800-53 in combination with an information security management system according to ISO 27001.
Let's delve into these two standards and discover why they are indeed better together.
To begin with, let's have a closer look at the two of them.
ISO/IEC 27001:2022 Information Security Management Systems
ISO 27001 is a globally recognized standard designed to help organizations manage and protect their information assets. The core principle behind ISO 27001 revolves around the CIA triad - Confidentiality, Integrity, and Availability. These three pillars are critical to any organization's information security framework, as they determine the safety and accessibility of data.
To address risks related to the CIA triad, organizations establish Information Security Management Systems (ISMS). ISO 27001 serves as one such ISMS, providing a systematic approach to managing sensitive company information. It encompasses a set of policies, procedures, and guidelines, combined with associated resources and activities. The primary aim is to implement controls that safeguard the organization's information assets.
When these controls are effectively put into place, they significantly reduce potential risks to the information assets. By mitigating these risks, organizations not only ensure the safety of their data but also achieve their operational objectives more seamlessly. In essence, ISO 27001 acts as a protective shield, ensuring that an organization's valuable information remains secure and accessible when needed.
In addition, ISO 27001 contains a set of 93 reference controls in its Annex A. These controls are often referred to as the Annex A controls.
The controls are categorised as:
Organisational controls
People controls
Physical controls
Technological controls
Further implementation guidance can be found in ISO/IEC 27002:2022.
NIST SP 800-53: Security and Privacy Controls
NIST SP 800-53, Revision 5, includes a total of 20 control families, and within these families, there are over 800 individual security and privacy controls. These controls are designed to address various aspects of security and privacy for information systems and organizations.
The control families:
Access Control
Awareness and Training
Audit and Accountability
Assessment, Authorization, and Monitoring
Configuration Management
Contingency Planning
Identification and Authentication
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Planning
Program Management
Personnel Security
PII Processing and Transparency
Risk Assessment
System and Services Acquisition
System and Communications Protection
System and Information Integrity
Supply Chain Risk Management
While both ISO 27001 and NIST SP 800-53 are foundational in the realm of information security, they serve distinct purposes and are structured differently.
ISO 27001 is a comprehensive framework for an Information Security Management System (ISMS). It not only provides guidelines for implementing security controls but also offers a full management system approach. This means that ISO 27001 encompasses the organizational structure, policies, procedures, processes, and resources needed to manage and maintain an organization's information security. It places a strong emphasis on continuous improvement and risk management, requiring organizations to regularly review and refine their security practices.
On the other hand, NIST SP 800-53 is primarily a control catalog. It provides an extensive list of security and privacy controls designed to safeguard federal information systems against a plethora of threats. While it offers detailed guidelines on various controls, it doesn't prescribe a full-fledged management system like ISO 27001. Instead, it focuses on detailing the controls that organizations should consider based on their specific risk profiles.
In essence, while ISO 27001 provides a holistic approach to information security management, NIST SP 800-53 offers a more granular and focused set of controls.
This is what makes them excellent companions.
Here are three reasons why ISO 27001 and NIST SP 800-53 are better together.
Reason 1: Comprehensive Coverage
Think of ISO 27001 as the big picture. It gives businesses a general plan to keep their information safe. By adding NIST SP 800-53 to the mix, organisations can select from a vast variety of controls that go well beyond what is provided in Annex A.
This is possible because clause 6.1.3 c) of ISO 27001 explicitly allows the use of additional information security controls. All that needs to be done in terms of compliant documentation is to compare the selected controls with those provided in Annex A and produce a Statement of Applicability that reflects the choices made.
Reason 2: Versatility in Application
Combining ISO 27001 with NIST SP 800-53 brings a unique versatility that caters to a wide range of industries and sectors. ISO 27001, with its global recognition, offers a universal framework that can be applied across different geographical locations and business models. On the other hand, NIST SP 800-53, with its granular controls, can be tailored to address specific challenges that might be more prevalent in certain industries, especially those dealing with federal information systems. Together, they provide a flexible toolkit that can be molded to fit any organization's specific needs, ensuring that businesses, whether big or small, public or private, can find value and direction in their combined guidance.
Reason 3: Strengthened Compliance and Trust
In today's digital age, compliance with industry standards and regulations is not just a legal necessity but also a hallmark of trust. By leveraging both ISO 27001 and NIST SP 800-53, organizations send a clear signal to stakeholders, partners, and customers about their commitment to information security. ISO 27001's certification process demonstrates a proactive approach to risk management. Simultaneously, adherence to the detailed controls of NIST SP 800-53 showcases an organization's dedication to operational excellence. When organizations adopt both standards, they not only ensure that they are compliant with international and industry-specific regulations but also enhance their reputation in the market, building trust and confidence among their clientele.
Bonus Content
The following video explains the ISO 27000 family of standards.