Managing information security in the organization may be a daunting task, especially considering that it may encompass many areas from physical and network security to human resources security and management of suppliers. This may be especially hard for young specialists or not experienced enough specialists, who may miss some important areas due to lack of practical experience. This is where security frameworks come in handy and put formality into the process of the design and implementation of the security strategy. With a framework in place, it becomes much easier to define the processes and procedures that your organization must take to assess, monitor, and mitigate cybersecurity risk and apply proper controls to protect valuable information. But another problem came up when you are to choose the “just right” framework for your organization taking into account more business-specific characteristics like the context of the organization, area of operation, applicable laws, regulations and contractual obligations, as well as more general ones like framework's maturity, comprehensiveness or popularity. While there are a bunch of different information security frameworks out in the wild, the most commonly-found and preferred by security professionals worldwide are NIST SP 800-53 and ISO/IEC 27001:2013. They combine both the quite comprehensive set of security controls to cover the most important security areas and wide applicability which allows applying these frameworks to all kinds of organizations. But they also have a set of distinct features, that define their relevance to the particular organization. The article is aimed at giving a brief overview of these two most popular security frameworks as well as describing their key characteristics and providing a comparison of their controls.
To successfully achieve the objectives of implementing cybersecurity at different levels, a range of procedures and standards should be followed. Cybersecurity standards determine the requirements that an organization should follow to achieve cybersecurity objectives and facilitate against cybercrimes [1] and ensure the ongoing management of information security controls.
Additionally, the framework establishes a common language for defining a cybersecurity program, enabling organizations to set risk-based cybersecurity goals at the executive level that can be translated to the operations team [2].
These frameworks are a blueprint for managing
and reducing organizational risk. Information
security professionals use frameworks to define
and prioritize the tasks required to manage the
organization's security program. Frameworks are
also used to help prepare for compliance and other
IT and security audits. When you are choosing
from the number of leading information security
frameworks, you would primarily assess the
number of unique information security controls
(requirements) in each of them [
The volume of these controls directly impacts
the number of domains covered by that
framework. The lesser number of controls in a
framework might make it easier to implement, but
it also might not provide the necessary coverage
that your organization needs from the perspective
of administrative, technical, and physical
information security practices [
This is where defining the applicable and
relevant framework is primarily a business
decision [
Commonly, this selection process generally
leads to adopting one of the following
frameworks:
ISO 27001/002 [
Each information security framework has its own unique specialization and depth of coverage. However, understanding this can help you make an informed decision on the most appropriate framework for your needs. [22, 23] You may even find you need to leverage a metaframework (e.g., the framework of frameworks) to address more complex compliance requirements (e.g., when the organization is holding the personal data of EU citizens and process cardholder data, it should comply with both GDPR and PCI DSS requirements).
A key consideration for choosing an information security framework would be understanding the level of content and robustness each framework offers. This will directly impact the available information security controls within each framework [24].
The Special Publication (SP) 800-53 Security and Privacy Controls for Information Systems and Organizations from the National Institute of Standards and Technology (NIST) is currently in its 5th revision (rev5) dated September 2020. It was initially designed to protect the US federal government, but quickly gained popularity among private industry and now is considered as one of the most popular and respectable information security frameworks in the world. It was partially caused due to the significant outsourcing to private companies that do business with the US federal government.
According to the official web page of the standard “This publication [Special Publication (SP) 800-53] provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks” [25].
SO 27001 is a well-respected international information security standard that outlines the key processes and approaches a business needs to manage information security risk in a practical way [26]. ISO 27001 consists of the main part and Annex A, that contains the basic overview of the security controls needed to build an Information Security Management System (ISMS). Additionally, there is a separate standard ISO 27002 that provides a detailed description of the specific controls that are necessary to actually implement ISO 27001 (essentially, you can't meet ISO 27001 without implementing ISO 27002). [27, 28]. The important thing about ISO is that it provides the companies with the possibility to undergo an external audit and get certified against ISO 27001. 2.1.
Table 2 provides a mapping from the security controls in NIST Special Publication 800-53 to the security controls in ISO/IEC 27001:2013 [29]. AC-6 AC-7 AC-8 AC-9 AC-10 AC-19 AC-20 AC-22 AC-23 AC-24 AT-1 AT-2 AT-3 AT-4 AT-5 AT-6
Separation of Duties Least Privilege AU-2 Event Logging AU-3 AU-4
Content of Audit Records Audit Log Storage Capacity
Response to Audit AU-5 Logging Process
Failures
Audit Record Review, A.12.4.1, AU-6 Analysis, and A.16.1.2,
Reporting A.16.1.4
Audit Record AU-7 Reduction and
Report Generation AU-8 Time Stamps
Protection of Audit
Information AU-10 Non-repudiation
AU-9 AU-11 AU-12 CA-1 CA-2 CA-3 CA-4 CA-5 CA-6 CA-7 CA-9 CA-8
Penetration Testing
None
IR-10
Identification and Authentication (Organizational Users) Device Identification and Authentication Identifier Management Authenticator Management Authentication Feedback Cryptographic Module Authentication Identification and Authentication (Non- A.9.2.1 Organizational Users) Service Identification and Authentication Incident Response Policy and Procedures Incident Response Training Incident Response Testing Incident Handling Incident Monitoring None Incident Reporting Incident Response Assistance Incident Response Plan Information Spillage Response A.9.2.1 None A.9.2.1 MA-3 Maintenance Tools MA-2 MA-4 MA-5
Controlled Maintenance Nonlocal Maintenance Maintenance Personnel A.11.2.4*, A.11.2.5* None None None MA-6 Timely Maintenance A.11.2.4 MA-7 Field Maintenance None A.11.2.2* A.11.1.4, A.11.2.1, A.11.2.2 A.11.1.4, A.11.2.1, A.11.2.2 A.6.2.2, A.11.2.6, A.13.2.1 A.8.2.3, A.11.1.4, A.11.2.1 A.11.1.4, A.11.2.1
PM-1
Information Security Program Plan PM27 PM28 PM29 PM30 PM31 PM32 PS-1 PS-2 PS-3 PS-4 PS-5 PS-6 PS-7 PS-8 PS-9 PT-1 PT-2 PT-3 PT-4 PT-5 PT-6 PT-7 PT-8 Privacy Reporting Risk Framing Risk Management Program Leadership Roles Supply Chain Risk Management Strategy Continuous Monitoring Strategy Purposing Personnel Security Policy and Procedures Personnel Termination Personnel Transfer Access Agreements External Personnel Security Personally Identifiable Information Processing and Transparency Policy and Procedures Authority to Process Personally Identifiable Information Personally Identifiable Information Processing Purposes Consent Privacy Notice System of Records Notice Specific Categories of Personally Identifiable Information Computer Matching Requirements Position Risk Designation Personnel Screening A.7.1.1 Personnel Sanctions 7.3, A.7.2.3 Position Descriptions A.6.1.1 None 4.3, 6.1.2, 6.2, 7.4, 7.5.1, 7.5.2, 7.5.3 Security Categorization Risk Assessment SA-16
Developer-Provided Training Developer Security and Privacy SA-17 Architecture and
Design
Customized SA-20 Development of
Critical Components SA-21 Developer Screening A.7.1.1 SA-22
Unsupported System
Components SA-23 Specialization None A.14.2.1, A.14.2.5 Separation of System and User Functionality Security Function Isolation Information In Shared System Resources Denial-of ServiceProtection
Resource Availability None SC-1 SC-2 SC-3 SC-4 SC-5 SC-6 SC-8 SC-7
Boundary Protection Transmission Confidentiality and
Integrity SC-9
SC-10 Network Disconnect A.13.1.1 SC-11 Trusted Path
Cryptographic Key SC-12 Establishment and
Management SC-13
Cryptographic
Protection
Collaborative SC-15 Computing Devices and Applications A.10.1.2 None SI-4 SI-5 SI-6 SI-7 SI-8 SI-9 SI-10 SI-12 SI-13 SI-15 SC-23 Session Authenticity
None SC-24 Fail in Known State
Operations SI-19 De-identification SI-20 Tainting Confidentiality, Integrity Confidentiality, Integrity Confidentiality Integrity Confidentiality, Integrity Confidentiality, Integrity Integrity Integrity Integrity SR-12 Component Disposal None Confidentiality
As may be seen from the table there is an overlapping between the controls from ISO and NIST frameworks. But the most important specifics of these frameworks is that NIST 800-53 can be considered a super-set of ISO 27001. In particular, all the controls from ISO 27001 can be covered by NIST 800-53. However, ISO 27001 does not cover all of the areas of NIST 800-53. From the coverage perspective, NIST 800-53 is more comprehensive and contains much more areas and controls than ISO 27001. While the detailed analysis of the missing controls is out of the scope of this investigation let’s take a look at a few examples which would show in which areas NIST, in contrast to ISO, provide more comprehensive coverage of the security-related areas.
[AT-4 Training Records], [AT-6 Training
Feedback]. These two controls require the
organization to document and monitor
information security and privacy training
activities, including security and privacy
awareness training and specific role-based
security and privacy training, retain individual
training records, and gather feedback on
organizational training results [
[CM-2 Baseline Configuration], [CM-6
Configuration Settings]. These controls force
organizations to develop, document, and maintain
under configuration control, a current baseline
configuration of the system, and configuration
settings for components. Baseline configurations
for systems and system components include
connectivity, operational, and communications
aspects of systems. Baseline configurations are
documented, formally reviewed, and agreed-upon
specifications for systems or configuration items
within those systems. Baseline configurations
serve as a basis for future builds, releases, or
changes to systems and include security and
privacy control implementations, operational
procedures, information about system
components, network topology, and logical
placement of components in the system
architecture [
[PE-6 Monitoring Physical Access], [PE-8
Visitor Access Records]. NIST 800-53 requires
from organizations to monitor physical access to
the facility where the system resides to detect and
respond to physical security incidents and to
maintain and periodically review visitor access
records to the facility where the system resides
[
[RA-10 Threat Hunting]. Threat hunting is an
active means of cyber defense in contrast to
traditional protection measures, such as firewalls,
intrusion detection and prevention systems,
quarantining malicious code in sandboxes, and
Security Information and Event Management
technologies and systems. Cyber threat hunting
involves proactively searching organizational
systems, networks, and infrastructure for
advanced threats. The objective is to track and
disrupt cyber adversaries as early as possible in the
attack sequence and to measurably improve the
speed and accuracy of organizational responses.
[
[PM-18 Privacy Program Plan], [PT-1 Personally Identifiable Information Processing and Transparency Policy and Procedures], [PT-2 Authority to Process Personally Identifiable Information], [PT-4 Consent], [PT5 Privacy Notice] and other controls related to the protection of personally identifiable information (PII) processing. The defining characteristic of the NIST 800-53 is that it contains a set of controls to address privacy requirements for the processing of PII while ISO 27001 does not specifically address privacy beyond the inherent benefits provided by maintaining the security of PII, therefore we can assume that the ISO 27001 controls do not satisfy privacy requirements with respect to PII processing [29]. From this perspective, NIST has an advantage over ISO 27001 in regard to the protection of the PII processing and may be considered a good basis for GDPR compliance.
Understanding both the differences and similarities between these two the most known and adopted security frameworks—ISO 27001 and NIST 800-53 is crucial for implementing an effective information security program that would be tightened to the organization’s context and needs and expectations of interested parties.
A common misunderstanding is that companies have to pick one or the other framework and stick with it, or that one is better than the other. In fact, both frameworks can be applied to a single organization due to their synergy and can greatly increase its information security, risk management, and security program.
It is not always necessary to choose between NIST 800-53 and ISO 27001. In fact, the two are complementary and can be used in the same organization. However, if certification is your goal, you should definitely look closer at ISO 27001. Being externally audited and achieving accredited certification against ISO 27001’s requirements would likely provide a higher level of confidence among clients and stakeholders and would be a prerequisite for securing certain contracts. Accredited certification to ISO 27001 demonstrates that your organization follows information security best practices, and delivers an independent, expert assessment of whether your valuable information and information assets are adequately protected. At the same time, while implementing the ISO 27001 requirements you still can leverage NIST 800-53 to strengthen the areas that are missing or not sufficiently covered in the ISO.