
The ISO 27001 & ISO 22301 Blog

Which one to go with – Cybersecurity Framework or ISO 27001?

On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly known as Cybersecurity Framework. If you already came across ISO 27001, you’re probably wondering: What does this Framework have to do with ISO 27001? Should you use one over the other? Which one is better for your company?

Overview


Cybersecurity Framework follows the U.S. president’s executive order Improving Critical Infrastructure Cybersecurity from 2013, and was initially intended for U.S. companies that are considered part of critical infrastructure. However, it is suitable for use by any organization that faces cybersecurity risks, and it is voluntary.

ISO/IEC 27001 is an information security standard published by the International Organization for Standardization in 2005 and revised in 2013. Although not mandatory, it is accepted in most countries as the de facto main framework for information security / cybersecurity implementation. It describes the information security management system, and it places security in the context of the overall management and processes in a company.

What do Cybersecurity Framework and ISO 27001 have in common?

Most importantly, both Cybersecurity Framework and ISO 27001 give you the methodology on how to implement information security or cybersecurity in an organization. In reality, you could implement information security according to either of these, and you would probably achieve quite good results.

Both are technology neutral, applicable to any type of organization (not only to those that are part of critical infrastructure), and both have the purpose of achieving business benefits while observing legal and regulatory requirements, and requirements of all the interested parties.

And, perhaps the biggest similarity is that they are both based on risk management: this means that they both require safeguards to be implemented only where cybersecurity risks have been identified.

What does the Framework have that ISO 27001 doesn’t?

What I really like about Cybersecurity Framework is how clearly it is structured when it comes to planning and implementation – I must admit it is better than ISO 27001 in that respect:

Framework Core is divided into Functions (Identify, Protect, Detect, Respond, and Recover), and then into 22 related Categories (e.g., Asset Management, Risk Management, etc. – very similar to sections in ISO 27001 Annex A), 98 Subcategories (very similar to controls in ISO 27001 Annex A), and for each Subcategory several references are made to other frameworks like ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and CCS CSC. This way, it is very easy to see what the requirements for cybersecurity are and where to find out how to implement them.

Framework Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) explain how deeply the implementation of cybersecurity should go. This way, a company can easily decide how far they want to go with their implementation, taking into account requirements from various interested parties.

Framework Profile (e.g., Current Profile, Target Profile) easily pictures where the organization is right now, related to the categories and subcategories from Framework Core, and where it wants to be. This way, it is very easy to see where the gaps are, and then Action plans can be developed for closing these gaps.

Further, Framework Profiles could be used for setting the minimum requirements for other organizations – e.g., suppliers or partners – and no such technique exists in ISO 27001.
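The following is an added example, not code from the original post and not anything published by NIST or ISO: it models the Framework Core / Profile structure described above (Functions, Categories, Subcategories with informative references; Current and Target Profiles; the gap between them; and a Target Profile reused as a supplier minimum). The Function and Tier names are the Framework's; the subcategory ids, outcomes, reference strings and profile values are constructed sample data, and scoring each subcategory on the Tier scale is an assumption made for illustration (the Framework applies Tiers to the organization's risk management practice as a whole).

```python
from dataclasses import dataclass
from collections import defaultdict

# Framework Implementation Tiers mapped onto an ordinal scale (assumption: used
# here as a per-subcategory score so Current and Target Profiles can be compared).
TIER_LEVEL = {"Not implemented": 0, "Partial": 1, "Risk Informed": 2,
              "Repeatable": 3, "Adaptive": 4}
LEVEL_TIER = {level: name for name, level in TIER_LEVEL.items()}


@dataclass(frozen=True)
class Subcategory:
    sid: str           # constructed id, not a real Framework identifier
    function: str      # Identify, Protect, Detect, Respond, Recover
    category: str      # e.g. Asset Management, Risk Management
    outcome: str       # constructed description of the desired outcome
    references: tuple  # constructed informative references (ISO 27001, NIST SP 800-53, ...)


# Constructed excerpt of a Framework Core (the real one has 22 Categories, 98 Subcategories).
CORE = (
    Subcategory("C-01", "Identify", "Asset Management",
                "Hardware and software assets are inventoried", ("ISO 27001 Annex A", "NIST SP 800-53")),
    Subcategory("C-02", "Identify", "Risk Management",
                "Risk assessment is performed and reviewed", ("ISO 27001 clause 6", "COBIT")),
    Subcategory("C-03", "Protect", "Access Control",
                "Access to systems is controlled and reviewed", ("ISO 27001 Annex A",)),
    Subcategory("C-04", "Detect", "Continuous Monitoring",
                "Networks are monitored for anomalous events", ("NIST SP 800-53",)),
    Subcategory("C-05", "Respond", "Response Planning",
                "Incident response plan is executed during an incident", ("ISO 27001 Annex A",)),
    Subcategory("C-06", "Recover", "Recovery Planning",
                "Recovery plan is executed after an incident", ("ISA 62443",)),
)

# Constructed Current and Target Profiles: subcategory id -> Tier name.
CURRENT_PROFILE = {"C-01": "Partial", "C-02": "Risk Informed", "C-03": "Repeatable",
                   "C-04": "Not implemented", "C-05": "Partial", "C-06": "Partial"}
TARGET_PROFILE = {"C-01": "Repeatable", "C-02": "Repeatable", "C-03": "Repeatable",
                  "C-04": "Risk Informed", "C-05": "Repeatable", "C-06": "Risk Informed"}


def _level(profile, sid):
    # A subcategory missing from a profile counts as not implemented.
    return TIER_LEVEL[profile.get(sid, "Not implemented")]


def profile_gaps(core, current, target):
    """One record per subcategory whose current level is below target, largest gap first."""
    gaps = []
    for sub in core:
        cur, tgt = _level(current, sub.sid), _level(target, sub.sid)
        if cur < tgt:
            gaps.append({"sid": sub.sid, "function": sub.function, "category": sub.category,
                         "outcome": sub.outcome, "current": LEVEL_TIER[cur],
                         "target": LEVEL_TIER[tgt], "delta": tgt - cur,
                         "references": sub.references})
    gaps.sort(key=lambda g: (-g["delta"], g["sid"]))
    return gaps


def coverage_by_function(core, current, target):
    """Share of subcategories per Function that already meet the Target Profile."""
    met, total = defaultdict(int), defaultdict(int)
    for sub in core:
        total[sub.function] += 1
        if _level(current, sub.sid) >= _level(target, sub.sid):
            met[sub.function] += 1
    return {f: met[f] / total[f] for f in total}


def action_plan(gaps):
    """Group gap records by Function so each owner gets a worked list of actions,
    carrying the informative references along as pointers to implementation guidance."""
    plan = defaultdict(list)
    for g in gaps:
        plan[g["function"]].append(
            f"{g['sid']} {g['category']}: raise from {g['current']} to {g['target']} "
            f"({g['outcome']}; see {', '.join(g['references'])})")
    return dict(plan)


def supplier_minimum(core, target, function=None):
    """Reuse a Target Profile as the minimum a supplier or partner must reach,
    optionally restricted to one Function."""
    return {s.sid: target[s.sid] for s in core
            if function is None or s.function == function}


if __name__ == "__main__":
    gaps = profile_gaps(CORE, CURRENT_PROFILE, TARGET_PROFILE)
    for function, actions in action_plan(gaps).items():
        print(function)
        for action in actions:
            print("  -", action)
    print("coverage:", coverage_by_function(CORE, CURRENT_PROFILE, TARGET_PROFILE))
    print("supplier minimum (Protect):", supplier_minimum(CORE, TARGET_PROFILE, "Protect"))
```

Running the script prints the action plan grouped by Function, the per-Function coverage of the Target Profile, and the Protect-only minimum that could be handed to a supplier; replacing the constructed `CORE` with the Framework's own Subcategories and their informative references gives a reusable gap report.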

Overall, Cybersecurity Framework enables not only top management but also engineers and other IT staff to understand easily what is to be implemented and where the gaps are.

Where ISO 27001 is better

One of the greatest advantages of ISO 27001 is that companies can become certified against it – this means that a company can prove to its clients, partners, shareholders, government agencies, and others that it can indeed keep their information safe.

Further, ISO 27001 is an internationally recognized and accepted standard – if a U.S. company wants to prove its ability to its clients, partners, and governments outside of the United States, ISO 27001 will be much better than the Framework.

ISO 27001 focuses on protecting all types of information, not just information stored or processed in IT systems. It is true that paper-based information has less and less importance, but for some companies such information might still pose significant risks.

Unlike Cybersecurity Framework, ISO 27001 clearly defines which documents and records are needed, and the minimum that must be implemented. See also List of mandatory documents required by ISO 27001 (2013 revision).

Finally, whereas the Framework focuses only on how to plan and implement cybersecurity, ISO 27001 takes a much wider approach – its methodology is based on the Plan-Do-Check-Act (PDCA) cycle, which means it builds the management system that not only plans and implements cybersecurity, but also maintains and improves the whole system. This is because practice has shown that it is not enough to plan and implement a system, because without constant measurement, review, audit, corrective actions, and improvements, such a system will gradually deteriorate and ultimately lose its purpose. Learn more here: ISO 27001 implementation checklist.

Cybersecurity Framework or ISO 27001?

Well, I would say that it is not a question of “either-or” – it seems to me that it would be best to combine the two. (By the way, Cybersecurity Framework suggests it can easily complement some other program or system, and ISO 27001 has proved to be a very good umbrella framework for different information security methodologies.)

Cybersecurity Framework is better when it comes to structuring the areas of security that are to be implemented and when it comes to defining exactly the security profiles that are to be achieved; ISO 27001 is better for making a holistic picture: for designing a system within which security can be managed in the long run.

So, I think the best results can be achieved if the design of the whole information security / cybersecurity system is set according to ISO 27001 (clauses 4, 5, 7, 9, and 10), and Cybersecurity Framework is used for risk management and for implementing the particular cybersecurity areas and safeguards. Of course, practice will show how Cybersecurity Framework works in real life, and whether this kind of combination makes sense. What is your experience?

For a better understanding of how to implement cybersecurity, see this free eBook: 9 Steps to Cybersecurity.


  • Paul Basson

    This is a very useful analysis, but it omits one key difference.
    I believe that the most significant risk from cyber security is the operational risk of creating awareness with ALL employees, and training the IT professionals.
    NIST identifies this in its framework, as does ISO, BUT NIST thought it important enough to publish a further document, “Building an Information Technology Security Awareness and Training Program” (NIST SP 800-50).

    • Not sure if I understood your comment correctly, but ISO 27001 also requires all the employees to be aware of information security, and that training needs to be performed for the personnel who require special skills.

      However, it is true that at the moment the ISO 27k series of standards does not have a standard that is focused on training and awareness.

  • Dharmendra

    ISO 27XX has not published any series on Smart Grid, but NIST is working aggressively.

  • S Vaidya

    I completely agree with your analysis. Having worked on both, I personally feel that when it comes to showcasing compliance to information security industry best practices, ISO 27001 is the best way, as your ISMS is certified by a third-party auditor, which is not the case with CSF.

Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera
