CALL US 1-888-553-2256

The ISO 27001 & ISO 22301 Blog

Rhand Leal

How to use the NIST SP800 series of standards for ISO 27001 implementation

Although ISO 27001, an international standard for information security management, provides control objectives and controls that cover a wide range of security issues, they are not exhaustive. Thus, ISO 27001 clauses 6.1.3 b) and c) note that an organization can go beyond the standard’s controls to set proper security levels, by developing its own solutions or using other knowledge sources.

This article will show you an alternative to ISO 27002 as guidance to support ISO 27001 controls implementation: the NIST SP 800 series. You will see what they are about and their general structure compared to those of ISO 27001 and ISO 27002.

The NIST SP 800 series

The NIST SP 800 series is a set of free-to-download documents from the United States federal government, describing computer security policies, procedures, and guidelines, published by the NIST (National Institute of Standards and Technology), containing more than 130 documents.

NIST_documentation_structure_figure

Figure: NIST documentation structure

NIST SP 800 series documents for information security management and risk assessment

blogpost-banner-22301-en

Like the ISO 27000 series, the SP 800 series provides information covering management and operational information security practices, but in a greater number of documents.

To provide specific guidance for integrating information security risk management with organizational operations, the NIST 800 SP series has the document SP 800-39 – Managing Information Security Risk.

For risk assessment, the SP 800 series has a documentation set created using a six-step risk methodology:

  • Categorize: prioritization of information systems based on impact assessment. Detail is found in the document SP 800-60 rev.1.
  • Select: definition of controls to be used, based on the impact assessment and baselines. SP 800-53 Rev.4 is the reference document for this step.
  • Implement: implementation of the controls and document elaboration. Detail is found in the document SP 800-160.
  • Assess: confirmation that controls are implemented correctly, operate as intended, and produce the desired outcomes. Detail is found in the document SP 800-53 A rev.4.
  • Authorize: acceptance of the risk scenario, and authorization for information systems operation and use. Detail is found in the document SP 800-37 rev.1.
  • Monitor: accompaniment on an ongoing basis of information systems and operational environment to determine controls’ effectiveness and compliance. Detail is found in the document SP 800-137.

Since ISO 27001 requires, but does not prescribe any methodology (clause 6.1.2), this one can be adopted by your organization. If your organization already has a risk assessment methodology, you can keep it and use only the document’s security control catalogue.

NIST SP 800 series documents for ISO 27001 controls implementation

The SP 800 series has numerous standards that cover 256 safeguards. This is where SP800-53 is very useful, because it organizes all those safeguards into 18 categories:

FamilyNum. of controlsFamilyNum. of controls
Access Control25Media Protection8
Awareness and Training5Physical and Environmental Protection20
Audit and Accountability16Planning9
Security Assessment and Authorization9Personnel Security8
Configuration planning11Risk Assessment6
Contingency Planning13System and Services Acquisition22
Identification and Authentication11System and Communication Protection44
Incident Response10System and Information Integrity17
Maintenance6Program Management16

Table: Security control families and number of controls per family

Some useful documents in the SP 800 series that are referenced by SP 800-53 Rev.4 controls are:

  • SP 800-61 rev. 2: guidelines for detecting, analyzing, prioritizing, and handling incidents to respond to them effectively and efficiently (supporting ISO 27001 A.16).
  • SP 800-50: guidelines for designing, developing, implementing, and evaluating an awareness and training program (supporting ISO 27001 A.7.2.2).
  • SP 800-116: risk-based approach for selecting appropriate authentication mechanisms to manage physical access (supporting ISO 27001 A.11.1.2).
  • SP 800-46 rev. 1: practices for mitigating the risks associated with technologies used for telework (supporting ISO 27001 A.6.2.2).
  • SP 800-122: orientations for protecting the confidentiality of personally identifiable information (PII) in information systems (supporting ISO 27001 A.18.1.4).
  • SP 800-161: guidance on identifying, assessing, selecting, and implementing risk management and controls to manage ICT supply chain risks (supporting ISO 27001 A.15).
  • SP 800-92: guidance on developing, implementing, and maintaining effective log management practices (supporting ISO 27001 A.12.4).
  • SP 800-88 rev.1: recommendations for implementing a media sanitization program, considering techniques and controls for sanitization and disposal of sensitive information (supporting ISO 27001 A.8.3.2 and A.11.2.7).
  • SP 800-83 rev.1: guidance on preventing malware incidents and responding to malware incidents (supporting ISO 27001 A.12.2.1).
  • SP 800-64 rev.2: description of key security roles and responsibilities required in development of information systems, and information about the relationship between information security and the Software Development Life Cycle (supporting ISO 27001 A.14.2).
  • SP 800-45 rev.2: provides security practices for designing, implementing, and operating email systems on public and private networks (supporting ISO 27001 A.13.2.3).
  • SP 800-44 rev.2: presents security practices for designing, implementing, and operating publicly accessible Web servers and related network infrastructure (supporting ISO 27001 A.14.1.2).
  • SP 800-41 rev.1: provides guidance on developing firewall policies and selecting, configuring, testing, deploying, and managing firewalls (supporting ISO 27001 A.13.1).
  • SP 800-34 rev.1: provides information about information system contingency planning and other types of security and emergency contingency plans (SDLC) (supporting ISO 27001 A.17).

Improve your options through multiple knowledge sources

The security implementation must have a holistic view to be effective, and for that, the more input to define the controls the better.

The SP 800 series documents provide a free alternative source of additional information to perform the risk assessment process and to design, implement, and manage security controls that can be matched to those of ISO 27001 and ISO 27002 and help your organization to better prepare its environment to face risks in a more reliable and cost-effective way.

To learn more about integrating other sources of security controls in your ISO 27001 implementation, try this free ISO 27001 Lead Implementer Online Course.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

Leave a Reply

Your email address will not be published. Required fields are marked *

OUR CLIENTS

OUR PARTNERS

  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.