Unpacking ISO 27001 & NIST
ISO 27001 & NIST information security frameworks
The common perception is that while information security frameworks are incredibly important in our “work” lives, the main question still lingers: Are information security policies and standards really something that we employ in our day-to-day lives outside of work? There is a lot of buzz right now about ISO 27001 or NIST (two of the more prominent infosec frameworks), so let us unpack them.
You Need an Established Framework: ISO 27001 or NIST
We employ information security standards and policies in our personal lives all of the time. While they may not be formally written down, these are things we must be cognizant of at all times. When it comes to establishing this framework at an organization, there is so much more to be aware of, and so many more regulations to comply with. In my house, a lack of information security cost me $25—at your organization, it could cost $25 million.
I needed an ISMS. Your company needs an ISMS.
For those of you asking, “What exactly is that acronym you just threw at me?” ISO 27001 is an information security management system (ISMS). An ISMS is a framework of policies and standards that encompasses a wide variety of technical, physical, and legal controls involved in an organization’s information risk management process. ISO 27001 uses a risk-based approach, is technology-neutral, and defines a 6-step planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select-control objectives and controls to be implemented.
- Prepare a statement of applicability.
NIST (the National Institute of Standards and Technology) is a non-regulatory government agency that develops technology, metrics, and most importantly for the purposes of this blog post, standards and guidelines to help organizations meet the requirements of the Federal Information Security Management Act (FISMA) set forth by the federal government.
So whether it be ISO 27001 or NIST, ensuring that you are employing the proper policies and frameworks is essential. Not doing a regular assessment could cause major, unsustainable damage to your business. Having the right platform to help you organize all of the policies, risks and other pertinent information (trust me, there’s a lot) is essential.
NIST framework types
NIST 800-53 – A catalog of security and privacy controls designed for U.S. federal information systems
NIST CSF – Cyber Security Framework of technology security guidance for private sector organizations
NIST RMF – Risk Management Framework to facilitate decision-making to select appropriate security controls
Onspring’s business process automation software can improve your compliance practice by helping you align to IT and security requirements while reducing operational costs and risks to your organization. Learn more about how we manage IT risk by downloading the data sheet.
About the author
Evan Stos
Vice President at Onspring
15 years GRC experience