Which one to go with – Cybersecurity Framework or ISO 27001?
On February 12, 2014, the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework. If you have already come across ISO 27001, you are probably wondering: What does this Framework have to do with ISO 27001? Should you use one over the other? Which one is better for your company?
The Cybersecurity Framework was developed in response to U.S. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued in February 2013, and was initially intended for U.S. companies that are considered part of critical infrastructure. However, it is suitable for use by any organization that faces cybersecurity risks, and it is voluntary.
ISO/IEC 27001 is an information security standard published by the International Organization for Standardization in 2005 and revised in 2013. Although not mandatory, it is accepted in most countries as the de facto main framework for information security / cybersecurity implementation. It describes an information security management system (ISMS), and it places security in the context of the overall management and processes of a company.
What do Cybersecurity Framework and ISO 27001 have in common?
Most importantly, both Cybersecurity Framework and ISO 27001 give you the methodology on how to implement information security or cybersecurity in an organization. In reality, you could implement information security according to either of these, and you would probably achieve quite good results.
Both are technology neutral, applicable to any type of organization (not only to those that are part of critical infrastructure), and both have the purpose of achieving business benefits while observing legal and regulatory requirements, and requirements of all the interested parties.
And, perhaps the biggest similarity is that they are both based on risk management: safeguards are selected and implemented only where a risk assessment shows that a cybersecurity risk needs to be treated, rather than applied as a fixed checklist.
What does the Framework have that ISO 27001 doesn’t?
What I really like about Cybersecurity Framework is how clearly it is structured when it comes to planning and implementation – I must admit it is better than ISO 27001 in that respect:
Framework Core is divided into Functions (Identify, Protect, Detect, Respond, and Recover), and then into 22 related Categories (e.g., Asset Management, Risk Management, etc. – very similar to sections in ISO 27001 Annex A), 98 Subcategories (very similar to controls in ISO 27001 Annex A), and for each Subcategory several references are made to other frameworks like ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and CCS CSC. This way, it is very easy to see what the requirements for cybersecurity are and where to find out how to implement them.
Framework Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) explain how deeply the implementation of cybersecurity should go. This way, a company can easily decide how far they want to go with their implementation, taking into account requirements from various interested parties.
Framework Profile (e.g., Current Profile, Target Profile) shows where the organization is right now, related to the Categories and Subcategories from the Framework Core, and where it wants to be. This way, it is very easy to see where the gaps are, and action plans can then be developed for closing these gaps.
Further, Framework Profiles can be used for setting the minimum requirements for other organizations, e.g., suppliers or partners; such a technique unfortunately does not exist in ISO 27001.
Overall, Cybersecurity Framework enables both the top management but also engineers and other IT staff to understand easily what is to be implemented, and where the gaps are.
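The gap analysis between a Current Profile and a Target Profile, and the use of a Profile as a minimum requirement for a supplier, are easy to make concrete. The following Python script is an added example, not code from the original post or from NIST: it scores each Subcategory with a numeric level named after the Implementation Tiers (a common practitioner simplification; the Framework itself applies Tiers to the organization as a whole), lists every Subcategory where the current level falls short of the target, rolls the shortfall up per Function for management, and checks whether another organization's Profile meets a minimum Profile. The Subcategory identifiers follow the Framework Core naming scheme, but the two sample Profiles are constructed for illustration.

```python
"""Gap analysis between NIST Cybersecurity Framework Profiles (added example).

Assumptions: each Subcategory is scored with a level named after the
Implementation Tiers (0 = nothing in place); a Profile is a mapping of
Subcategory identifier -> tier name. The sample Profiles are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Implementation Tiers, ordered so that they can be compared numerically.
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}
TIER_NAME = {level: name for name, level in TIERS.items()}
TIER_NAME[0] = "Not implemented"

# Framework Core Functions, keyed by the prefix used in Subcategory identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int   # level in the Current Profile (0 = nothing in place)
    target: int    # level wanted in the Target Profile

    @property
    def size(self) -> int:
        return self.target - self.current


def function_of(subcategory: str) -> str:
    """'PR.AC-1' -> 'Protect'. Raises KeyError for an unknown Function prefix."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]


def to_levels(profile: dict) -> dict:
    """Translate tier names to levels; a misspelled tier name fails early."""
    return {sub: TIERS[tier] for sub, tier in profile.items()}


def gap_analysis(current: dict, target: dict) -> list:
    """Return every Subcategory where the Current Profile falls short of the
    Target Profile, largest shortfall first. A Subcategory absent from the
    Current Profile counts as level 0; a Subcategory present only in the
    Current Profile is out of scope for the target and is ignored."""
    cur, tgt = to_levels(current), to_levels(target)
    gaps = [Gap(sub, cur.get(sub, 0), want)
            for sub, want in tgt.items() if cur.get(sub, 0) < want]
    return sorted(gaps, key=lambda g: (-g.size, g.subcategory))


def rollup(gaps: list) -> dict:
    """Total shortfall per Function, the management-level view of the gaps."""
    totals = defaultdict(int)
    for g in gaps:
        totals[function_of(g.subcategory)] += g.size
    return dict(totals)


def meets_minimum(profile: dict, minimum_profile: dict) -> bool:
    """Use a Profile as a minimum requirement, e.g. for a supplier or partner:
    the supplier's Profile passes only if it has no gap against the minimum."""
    return not gap_analysis(profile, minimum_profile)


# Constructed sample Profiles; the values are invented for illustration.
CURRENT_PROFILE = {
    "ID.AM-1": "Risk Informed",
    "PR.AC-1": "Partial",
    "DE.CM-1": "Partial",
    "RS.RP-1": "Repeatable",
}
TARGET_PROFILE = {
    "ID.AM-1": "Repeatable",
    "PR.AC-1": "Repeatable",
    "DE.CM-1": "Adaptive",
    "RS.RP-1": "Repeatable",     # already met, so it produces no gap
    "RC.RP-1": "Risk Informed",  # nothing in place today
}

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"{g.subcategory:8} {function_of(g.subcategory):8} "
              f"{TIER_NAME[g.current]:15} -> {TIER_NAME[g.target]:15} (+{g.size})")
    print("Shortfall by Function:", rollup(gaps))
    print("Profile meets minimum:", meets_minimum(CURRENT_PROFILE, TARGET_PROFILE))
```

The sorted gap list is the raw material for the action plan: the largest shortfalls (here DE.CM-1, from Partial to Adaptive) come first, and the per-Function roll-up gives top management a single number per Function without reading all 98 Subcategories. The same `meets_minimum` check, run with a supplier's Profile against the Profile you require of suppliers, is the contractual use of Profiles mentioned above.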
Where ISO 27001 is better
One of the greatest advantages of ISO 27001 is that companies can become certified against it – this means that a company can prove to its clients, partners, shareholders, government agencies, and others that it can indeed keep their information safe.
Further, ISO 27001 is an internationally recognized and accepted standard – if a U.S. company wants to prove its ability to its clients, partners, and governments outside of the United States, ISO 27001 will be much better than the Framework.
ISO 27001 focuses on protecting all types of information, not just information stored or processed in IT systems. It is true that paper-based information has less and less importance, but for some companies such information might still pose significant risks.
Unlike Cybersecurity Framework, ISO 27001 clearly defines which documents and records are needed, and what is the minimum that must be implemented. See also List of mandatory documents required by ISO 27001 (2013 revision).
Finally, whereas the Framework focuses only on how to plan and implement cybersecurity, ISO 27001 takes a much wider approach – its methodology is based on the Plan-Do-Check-Act (PDCA) cycle, which means it builds the management system that not only plans and implements cybersecurity, but also maintains and improves the whole system. This is because practice has shown that it is not enough to plan and implement a system, because without constant measurement, review, audit, corrective actions, and improvements, such a system will gradually deteriorate and ultimately lose its purpose. Learn more here: ISO 27001 implementation checklist.
Cybersecurity Framework or ISO 27001?
Well, I would say that it is not a question of “either-or” – it seems to me that it would be best to combine the two. (By the way, Cybersecurity Framework suggests it can easily complement some other program or system, and ISO 27001 has proved to be a very good umbrella framework for different information security methodologies.)
Cybersecurity Framework is better when it comes to structuring the areas of security that are to be implemented and when it comes to defining exactly the security profiles that are to be achieved; ISO 27001 is better for making a holistic picture: for designing a system within which security can be managed in the long run.
So, I think the best results can be achieved if the design of the whole information security / cybersecurity system were set according to ISO 27001 (clauses 4, 5, 7, 9, and 10), and Cybersecurity Framework were used when it comes to risk management and implementation of the particular cybersecurity areas and safeguards. Of course, practice will show how Cybersecurity Framework works in real life, and whether this kind of combination makes sense. What is your experience?
For a better understanding on how to implement cybersecurity, see this free eBook 9 Steps to Cybersecurity.