NIST 800-53 vs ISO 27002 vs NIST CSF (2024)

NIST Cybersecurity Framework vs ISO 27001/27002 vs NIST 800-53 vs Secure Controls Framework

[Image: NIST 800-53 vs ISO 27002 vs NIST CSF (1)]

When you graphically depict the leading cybersecurity frameworks from "easier to harder," the ranking primarily reflects the sheer number of unique cybersecurity and privacy controls in each. The volume of these controls (i.e., requirements) directly determines the number of domains covered by that cybersecurity framework. A framework with fewer controls might appear easier to implement, but it also might not provide the coverage that your organization needs from the perspective of administrative, technical and physical cybersecurity and privacy practices. This is where defining "just right" is primarily a business decision, based on your organization's risk profile, which needs to consider the applicable laws, regulations and contractual obligations that support existing or planned business processes.

This selection process generally leads to adopting the NIST Cybersecurity Framework, ISO 27002, NIST 800-53 or the Secure Controls Framework (SCF) as a starting point. We call it the "cybersecurity Goldilocks dilemma" since it addresses the question: Which cybersecurity framework is "not too hard, not too soft, but just right!" for my organization? It comes down to first defining your "must have" and "nice to have" requirements, since that helps point you to the most appropriate framework to meet your specific needs. It can be a little confusing when you look at it from a "heat map" perspective, since each framework has its own unique specialization and depth of coverage. However, understanding this can help you make an informed decision on the most appropriate framework for your needs. You may even find you need to leverage a metaframework (i.e., a framework of frameworks) to address more complex compliance requirements.

[Image: NIST 800-53 vs ISO 27002 vs NIST CSF (2)]

Cybersecurity Policies, Standards & Procedures Are Meant To Address Your Compliance Needs

It is important to keep in mind that picking a cybersecurity framework is more of a business decision and less of a technical decision, since the cybersecurity and privacy controls identified in external laws, regulations or frameworks directly influence your organization's internal policies, standards and procedures.

[Image: NIST 800-53 vs ISO 27002 vs NIST CSF (3)]

The more robust the framework you select to align with, the more robust coverage you can expect for your company's policies and standards. Therefore, picking a framework to align with is really based on (1) addressing your "must have" compliance requirements (e.g., laws, regulations and contractual obligations) and (2) addressing the "nice to have" discretionary security requirements you may have. Those two considerations come together to address the "Compliant vs Secure" decisions that need to be made for an organization to be both secure and compliant. You can read more about that in the Integrated Controls Management (ICM) model.

[Image: NIST 800-53 vs ISO 27002 vs NIST CSF (4)]

Fundamentally, the process of selecting a cybersecurity framework must be driven by what your organization is obligated to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:

  • Avoid being considered negligent, by being able to demonstrate evidence of due diligence and due care pertaining to "reasonably-expected" security & privacy practices;
  • Properly address risk management expectations by having the proper controls to secure your organization's systems, applications and processes from reasonable threats.

Once you know the minimum requirements you need to meet, that knowledge helps narrow down the most appropriate framework. The "framework spectrum" diagram shown below depicts how not all frameworks are the same; you need to focus on selecting the most appropriate set of cybersecurity controls (i.e., a controls framework) for your organization to align with.

How Do You Pick A Cybersecurity Framework? (Coke vs Pepsi Analogy)

If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it generally comes down to personal preference, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same argument can be made for cybersecurity's two heavy hitters: NIST 800-53 and ISO 27002. Gaining popularity is the NIST Cybersecurity Framework (NIST CSF), but it lacks appropriate coverage out of the box to be considered a comprehensive cybersecurity framework. For more complex compliance requirements, the SCF is a "metaframework" that encompasses over 100 laws, regulations and frameworks in a hybrid framework that can span multiple compliance requirements.

Cybersecurity Framework Comparison: NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF

A key consideration for picking a cybersecurity framework involves understanding the level of content each framework offers, since this directly determines the cybersecurity and privacy controls that exist "out of the box" without having to bolt on content to make it work for your specific needs. If you ask a cybersecurity professional to identify their preferred "best practice framework," it generally comes down to NIST or ISO, since those are the most commonly found frameworks. However, that doesn't mean that is where you should limit your search.

If you are not sure where to start, here are some recommendations:

  • Have a discussion with your legal and procurement departments to find out what laws, regulations and contractual obligations your organization needs to comply with. If they don't know, then you need to perform that discovery with their involvement to ensure you have the facts. Do not try to work off assumptions!
  • Talk with peers in your industry to identify what framework(s) their organizations chose to align with and what decisions led them to adopt one framework over another. You still have to do your own analysis to determine what is right, but talking with peers can help avoid "re-inventing the wheel" on certain aspects of the analysis process.
  • Determine what resources you have available to adopt and implement a framework. If it is a coin-flip decision between two frameworks where you feel both meet your needs, be sure to take into account which framework will be the most efficient to implement and maintain.
  • Evaluate your organization's business and IT strategies to identify components that may require the adoption of a specific framework. For example:
    • Your CEO puts out a roadmap to grow the business, and next year the company will start going after US Government and Department of Defense (DoD) contracts. This means your organization will have to address DFARS, FAR and CMMC compliance, which is based on NIST SP 800-171. This means alignment with NIST SP 800-53 or the SCF might be the best path forward.
    • A business unit is expanding into the European market and will focus on B2C sales. This means your organization will have to address EU GDPR for robust privacy practices, on top of cybersecurity. This means you could select any framework to address underlying cybersecurity practices, but you need a privacy program. The SCF might be the best path forward.

NIST CSF < ISO 27002 < NIST 800-53 < Secure Controls Framework

[Image: NIST 800-53 vs ISO 27002 vs NIST CSF (5)]

To help provide further context to the image:

  • ISO 27002 is essentially a subset of NIST 800-53 (ISO went from fourteen (14) sections in 2013 to three (3) sections in 2022), where ISO 27002's cybersecurity controls fit within the twenty (20) families of NIST 800-53 rev5 security controls.
  • NIST CSF is a subset of NIST 800-53 and also shares controls found in ISO 27002.
  • NIST CSF incorporates parts of ISO 27002 and parts of NIST 800-53, but is not inclusive of both - this makes the NIST CSF a common choice for smaller companies that need a set of "industry-recognized secure practices" to align with, where ISO 27002 and NIST 800-53 are better for larger companies or those that have unique compliance requirements.
  • When you start taking into account common requirements such as the Payment Card Industry Data Security Standard (PCI DSS), you will see from crosswalk mapping that these common requirements are more comprehensive than what is included natively by NIST CSF, so you would need to use ISO 27002 or NIST 800-53 to meet PCI DSS as a framework (depending on your SAQ level), unless you want to bolt-on additional controls to the NIST CSF to make that work. Is that wrong? No, but it is just messy when you start bolting onto frameworks.

From a customization perspective, think of "bolting on" content to a cybersecurity framework as similar to gnawing the square sides off a peg to make it fit into a round hole: it will eventually fit, but it likely will not look very good or fit very well. This is the downside of customizing cybersecurity frameworks to add content that the framework lacks. It is generally less painful and costly to align with a more robust framework and remove content than it is to start with a lesser framework and add content.

Secure Controls Framework (SCF) Overview

If you are not familiar with the Secure Controls Framework (SCF), it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations! The SCF is a "metaframework," which is a framework of frameworks. The SCF is a superset that covers the controls found in NIST CSF, ISO 27002, NIST 800-53 and over 100 other laws, regulations and frameworks. These leading cybersecurity frameworks tend to cover the same fundamental building blocks of a cybersecurity program, but differ in some content and layout. Before picking a framework, it is important to understand that each one has its benefits and drawbacks. Therefore, your choice should be driven by the type of industry your business is in and what laws, regulations and contractual obligations your organization needs to comply with.

The SCF is an open source project that provides free cybersecurity and privacy controls for business. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.

The Secure Controls Framework (SCF) is a "best in class" approach that covers NIST 800-53, ISO 27002 and NIST CSF. Being a hybrid, it allows you to address multiple cybersecurity and privacy frameworks simultaneously. The SCF is a free resource for businesses to use. The Digital Security Program (DSP) has a 1-to-1 mapping with the SCF, so the DSP provides the most comprehensive coverage of any ComplianceForge product.

NIST 800-53 Overview

The National Institute of Standards and Technology (NIST) is on the fifth revision (rev5) of Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Notice that the title doesn't mention anything about private industry: NIST designed this framework to protect the US federal government. However, due to the significant outsourcing to private companies, as well as extensive regulation of businesses, NIST 800-53 best practices have become the de facto standard for private businesses that do business with the US federal government.

One thing to keep in mind is that NIST 800-53 is a superset of ISO 27002, which means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53. The following diagram provides a good representation of the additional compliance requirements that can be addressed with NIST over ISO.

The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Risk Management Framework (DIARMF) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, calls out NIST 800-53 as the best practices for government contractors to secure their systems. That further strengthens NIST 800-53 as a best practice within the US, especially for any government contractors.

NIST 800-53 includes what both ISO 27002 and NIST CSF address, as well as a whole host of other requirements. NIST 800-53 is the basis for the controls found in NIST 800-171 / CMMC. NIST 800-53 is commonly found in the financial, medical and government contracting industries. One great thing about NIST 800-53, and it applies to all NIST publications, is that it is freely available, at no cost to the public: http://csrc.nist.gov/publications/PubsSPs.html.

ISO 27002 Overview

The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO's IT security documents in the 27000 series of their documentation catalog: ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aids in the implementation of ISO 27001. Adding a little more confusion to the mix, it is important to note that companies cannot certify against ISO 27002, just ISO 27001. ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides the specific controls that are necessary to actually implement ISO 27001. Essentially, you can't meet ISO 27001 without implementing ISO 27002.

To keep things simple, just remember that ISO 27001 lays out the framework to create an "Information Security Management System" (i.e., a comprehensive IT security program), whereas ISO 27002 contains the actual "best practices" details of what goes into building a comprehensive IT security program. Since ISO's information security framework has been around since the mid-1990s, it was in the right place at the right time to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and by companies that do not have to specifically comply with US federal regulations. ISO 27002 is also "less paranoid" than NIST 800-53, which has the advantage of being less complex and therefore easier to implement.

ISO 27002 is an internationally-recognized cybersecurity framework that provides coverage for many common requirements (e.g., PCI DSS, HIPAA, etc.). One unfortunate thing about ISO 27002, and it applies to all ISO publications, is that ISO charges for its publications: http://www.iso.org/iso/home/store.htm.

NIST Cybersecurity Framework Overview

The NIST Cybersecurity Framework (NIST CSF) does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. The CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The NIST CSF is designed to evolve with changes in cybersecurity threats, processes, and technologies. Essentially, the NIST CSF envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions.

The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, PCI DSS, and HIPAA. For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002, are required. The NIST Cybersecurity Framework (NIST CSF) has the least coverage of the major cybersecurity frameworks. It works great for smaller or unregulated businesses. The NIST CSF is often used as a reporting tool to report security to executive leadership, since the five high-level categories of Identify, Detect, Protect, Respond & Recover make it easier to report complex topics from this perspective.

What Documentation Do I Need To Comply With NIST CSF, ISO 27002 or NIST 800-53?

To do NIST CSF, ISO 27002 or NIST 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to be in compliance with NIST CSF vs ISO 27002 vs NIST 800-53, since there are significantly different levels of expectation.

When you start asking "What should I buy to comply or align with X framework?" it is important to understand what the expectations of the various frameworks entail. When you look at these frameworks from the perspective of a spectrum that spans from weaker to more robust controls coverage, the basic expectation is that there are more requirements as you advance along this spectrum. The chart below identifies the various ComplianceForge products where they intersect with NIST CSF, ISO 27002, NIST 800-53 and NIST 800-171/CMMC requirements. As depicted in the spectrum graphic at the top of this page, there are fewer requirements to comply with the NIST Cybersecurity Framework, while ISO 27002 has more requirements. However, ISO 27002 has fewer requirements than NIST 800-53.

| ComplianceForge Products | NIST CSF | ISO 27002 | NIST 800-53 r4 | NIST 800-171 r1 |
|---|---|---|---|---|
| Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) | ID.GV-1 [multiple sections] | 5.1.1 [multiple sections] | PM-1 [multiple sections] | 252.204-7008; 252.204-7012; NIST 800-171 (multiple CUI & NFO controls) |
| Supply Chain Risk Management (SCRM) | ID.SC-1 | 15.1.1 | PS-7; SA-4 | 252.204-7008; 252.204-7012; NIST 800-171 NFO PS-7 |
| Cybersecurity Risk Management Program (RMP) / Cybersecurity Risk Assessment Template (CRA) | ID.GV-4; ID.RA-5; ID.RM-1; ID.RM-2; ID.RM-3 | 11.1.4 | PM-9; RA-1; RA-3 | 252.204-7008; 252.204-7012; NIST 800-171 3.11.1 & NFO RA-1 |
| Vulnerability & Patch Management Program (VPMP) | ID.RA-1; PR.IP-12 | 12.6.1 | SI-2; SI-3(2) | 252.204-7008; 252.204-7012; NIST 800-171 3.11.2 |
| Integrated Incident Response Program (IIRP) | PR.IP-9 | 16.1.1 | IR-1 | 252.204-7008; 252.204-7009; 252.204-7010; 252.204-7012; NIST 800-171 3.6.1 |
| Security & Privacy By Design (SPBD) | N/A | N/A | Privacy Section; SA-3 | 252.204-7008; 252.204-7012; NIST 800-171 NFO SA-3 |
| System Security Plan (SSP) & POA&M | N/A | N/A | PL-2 | 252.204-7008; 252.204-7012; NIST 800-171 3.12.4 |
| Cybersecurity Standardized Operating Procedures (CSOP) | PR.IP-5 [multiple sections] | 12.1.1 [multiple sections] | PL-7 [multiple sections] | 252.204-7008; 252.204-7012; NIST 800-171 (multiple CUI & NFO controls) |
| Continuity of Operations Plan (COOP) | RC.RP-1 | 17.1.2 | CP-1; CP-2; IR-4(3); PM-8 | 252.204-7008; 252.204-7012; NIST 800-171 3.6.1 |
| Secure Baseline Configurations (SBC) | PR.IP-1; PR.IP-3 | 14.1.1 | CM-2; CM-6; SA-8 | 252.204-7008; 252.204-7012; NIST 800-171 3.4.1 |
| Information Assurance Program (IAP) | N/A | 14.2.8 | CA-1; PM-10 | 252.204-7008; 252.204-7012; NIST 800-171 NFO CA-1 |
| Cybersecurity Business Plan (CBP) | N/A | N/A | N/A | CMMC Level 4; CMMC Level 5 |

NIST Cybersecurity Framework (NIST CSF) - Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options to meet your needs and budget for aligning your company with the NIST Cybersecurity Framework (NIST CSF). The product names in the packages below correspond to the matrix shown above, which shows how each product maps into NIST CSF.

  • Good (NIST CSF): CDPP - NIST CSF Policies & Standards
  • Better (NIST CSF): CDPP + CSOP - NIST CSF Policies, Standards & Procedures
  • Great (NIST CSF): CDPP Bundle 2: CDPP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC
  • Awesome (NIST CSF): DSP Bundle 3: DSP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD

ISO 27002 - Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options to meet your needs and budget for aligning your company with ISO 27001 / 27002. The product names in the packages below correspond to the matrix shown above, which shows how each product maps into ISO 27002.

  • Good (ISO 27002): CDPP - ISO 27002 Policies & Standards
  • Better (ISO 27002): CDPP + CSOP - ISO 27002 Policies, Standards & Procedures
  • Great (ISO 27002): CDPP Bundle 3: CDPP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP
  • Awesome (ISO 27002): DSP Bundle 3: DSP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD

NIST 800-53 - Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options to meet your needs and budget for aligning your company with NIST 800-53. The product names in the packages below correspond to the matrix shown above, which shows how each product maps into NIST 800-53.

  • Good (NIST 800-53): CDPP - NIST 800-53 Policies & Standards
  • Better (NIST 800-53): CDPP + CSOP - NIST 800-53 Policies, Standards & Procedures
  • Great (NIST 800-53): CDPP Bundle 4: CDPP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD-SSP
  • Awesome (NIST 800-53): DSP Bundle 3: DSP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD

If you have any questions, please contact us and we'd be happy to explain the difference between the products and packages.

Article information

Author: Eusebia Nader
