How to use the NIST SP800 series of standards for ISO 27001 implementation

Although ISO 27001, an international standard for information security management, provides control objectives and controls that cover a wide range of security issues, they are not exhaustive. Thus, ISO 27001 clauses 6.1.3 b) and c) note that an organization can go beyond the standard’s controls to set proper security levels, by developing its own solutions or using other knowledge sources.

This article will show you an alternative to ISO 27002 as guidance to support ISO 27001 controls implementation: the NIST SP 800 series. You will see what they are about and their general structure compared to those of ISO 27001 and ISO 27002.

The NIST SP 800 series

The NIST SP 800 series is a set of free-to-download documents from the United States federal government, describing computer security policies, procedures, and guidelines, published by the NIST (National Institute of Standards and Technology), containing more than 130 documents.

NIST_documentation_structure_figure

Figure: NIST documentation structure

NIST SP 800 series documents for information security management and risk assessment

Like the ISO 27000 series, the SP 800 series provides information covering management and operational information security practices, but in a greater number of documents.

To provide specific guidance for integrating information security risk management with organizational operations, the NIST 800 SP series has the document SP 800-39 – Managing Information Security Risk.

For risk assessment, the SP 800 series has a documentation set created using a six-step risk methodology:

  • Categorize: prioritization of information systems based on impact assessment. Detail is found in the document SP 800-60 rev.1.
  • Select: definition of controls to be used, based on the impact assessment and baselines. SP 800-53 Rev.4 is the reference document for this step.
  • Implement: implementation of the controls and document elaboration. Detail is found in the document SP 800-160.
  • Assess: confirmation that controls are implemented correctly, operate as intended, and produce the desired outcomes. Detail is found in the document SP 800-53 A rev.4.
  • Authorize: acceptance of the risk scenario, and authorization for information systems operation and use. Detail is found in the document SP 800-37 rev.1.
  • Monitor: accompaniment on an ongoing basis of information systems and operational environment to determine controls’ effectiveness and compliance. Detail is found in the document SP 800-137.

Since ISO 27001 requires, but does not prescribe any methodology (clause 6.1.2), this one can be adopted by your organization. If your organization already has a risk assessment methodology, you can keep it and use only the document’s security control catalogue.


NIST SP 800 series documents for ISO 27001 controls implementation

The SP 800 series has numerous standards that cover 256 safeguards. This is where SP800-53 is very useful, because it organizes all those safeguards into 18 categories:

Family Num. of controls Family Num. of controls
Access Control 25 Media Protection 8
Awareness and Training 5 Physical and Environmental Protection 20
Audit and Accountability 16 Planning 9
Security Assessment and Authorization 9 Personnel Security 8
Configuration planning 11 Risk Assessment 6
Contingency Planning 13 System and Services Acquisition 22
Identification and Authentication 11 System and Communication Protection 44
Incident Response 10 System and Information Integrity 17
Maintenance 6 Program Management 16

Table: Security control families and number of controls per family

Some useful documents in the SP 800 series that are referenced by SP 800-53 Rev.4 controls are:

  • SP 800-61 rev. 2: guidelines for detecting, analyzing, prioritizing, and handling incidents to respond to them effectively and efficiently (supporting ISO 27001 A.16).
  • SP 800-50: guidelines for designing, developing, implementing, and evaluating an awareness and training program (supporting ISO 27001 A.7.2.2).
  • SP 800-116: risk-based approach for selecting appropriate authentication mechanisms to manage physical access (supporting ISO 27001 A.11.1.2).
  • SP 800-46 rev. 1: practices for mitigating the risks associated with technologies used for telework (supporting ISO 27001 A.6.2.2).
  • SP 800-122: orientations for protecting the confidentiality of personally identifiable information (PII) in information systems (supporting ISO 27001 A.18.1.4).
  • SP 800-161: guidance on identifying, assessing, selecting, and implementing risk management and controls to manage ICT supply chain risks (supporting ISO 27001 A.15).
  • SP 800-92: guidance on developing, implementing, and maintaining effective log management practices (supporting ISO 27001 A.12.4).
  • SP 800-88 rev.1: recommendations for implementing a media sanitization program, considering techniques and controls for sanitization and disposal of sensitive information (supporting ISO 27001 A.8.3.2 and A.11.2.7).
  • SP 800-83 rev.1: guidance on preventing malware incidents and responding to malware incidents (supporting ISO 27001 A.12.2.1).
  • SP 800-64 rev.2: description of key security roles and responsibilities required in development of information systems, and information about the relationship between information security and the Software Development Life Cycle (supporting ISO 27001 A.14.2).
  • SP 800-45 rev.2: provides security practices for designing, implementing, and operating email systems on public and private networks (supporting ISO 27001 A.13.2.3).
  • SP 800-44 rev.2: presents security practices for designing, implementing, and operating publicly accessible Web servers and related network infrastructure (supporting ISO 27001 A.14.1.2).
  • SP 800-41 rev.1: provides guidance on developing firewall policies and selecting, configuring, testing, deploying, and managing firewalls (supporting ISO 27001 A.13.1).
  • SP 800-34 rev.1: provides information about information system contingency planning and other types of security and emergency contingency plans (SDLC) (supporting ISO 27001 A.17).

Improve your options through multiple knowledge sources

The security implementation must have a holistic view to be effective, and for that, the more input to define the controls the better.

The SP 800 series documents provide a free alternative source of additional information to perform the risk assessment process and to design, implement, and manage security controls that can be matched to those of ISO 27001 and ISO 27002 and help your organization to better prepare its environment to face risks in a more reliable and cost-effective way.

To learn more about integrating other sources of security controls in your ISO 27001 implementation, try this free ISO 27001 Lead Implementer Online Course.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.