ISO 27001 & NIST

ISO 27001 & NIST information security frameworks

The common perception is that while information security frameworks are incredibly important in our “work” lives, the main question still lingers: Are information security policies and standards really something that we employ in our day-to-day lives outside of work? There is a lot of buzz right now about ISO 27001 or NIST (two of the more prominent infosec frameworks), so let us unpack them.

You Need an Established Framework: ISO 27001 or NIST

We employ information security standards and policies in our personal lives all of the time. While they may not be formally written down, these are things we must be cognizant of at all times. When it comes to establishing this framework at an organization, there is so much more to be aware of, and so many more regulations to comply with. In my house, a lack of information security cost me $25—at your organization, it could cost $25 million.

I needed an ISMS. Your company needs an ISMS.

For those of you asking, “What exactly is that acronym you just threw at me?” ISO 27001 is an information security management system (ISMS). An ISMS is a framework of policies and standards that encompasses a wide variety of technical, physical, and legal controls involved in an organization’s information risk management process. ISO 27001 uses a risk-based approach, is technology-neutral, and defines a 6-step planning process:

  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select-control objectives and controls to be implemented.
  6. Prepare a statement of applicability.

NIST (the National Institute of Standards and Technology) is a non-regulatory government agency that develops technology, metrics, and most importantly for the purposes of this blog post, standards and guidelines to help organizations meet the requirements of the Federal Information Security Management Act (FISMA) set forth by the federal government.

So whether it be ISO 27001 or NIST, ensuring that you are employing the proper policies and frameworks is essential. Not doing a regular assessment could cause major, unsustainable damage to your business. Having the right platform to help you organize all of the policies, risks and other pertinent information (trust me, there’s a lot) is essential.

NIST framework types

  • NIST 800-53 – A catalog of security and privacy controls designed for U.S. federal information systems

  • NIST CSF – Cyber Security Framework of technology security guidance for private sector organizations

  • NIST RMF – Risk Management Framework to facilitate decision-making to select appropriate security controls

About the author

Evan Stos Vice President Customer Experience Onspring GRC Software

Evan Stos
Vice President at Onspring
15 years GRC experience