NIST Cybersecurity Framework (CSF) vs ISO/IEC 27002 – Which Cybersecurity Framework is Best Suited to Your Organisation?
We are frequently asked the same question by our clients: "Which cybersecurity framework is best suited to our type of organisation, NIST CSF or ISO 27002, and what are the differences and benefits between the two?" I thought this was an ideal topic for an article to answer these questions for you. First, let us start by answering a fundamental question: what is a cybersecurity framework?
A cybersecurity framework is a set of guidelines an organisation adopts to manage and mitigate cybersecurity risk. The frameworks we deal with primarily at Loop are the NIST Cybersecurity Framework, ISO/IEC 27002 (the 2013 edition and, more recently, the updated 2022 edition), APRA's CPG 234 (to be fair, this is a prudential practice guide rather than a framework) and the Australian Government's Information Security Manual (ISM).
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has been publishing computer security standards for roughly 50 years. In 2014, working with US private-sector and government experts, NIST released the Cybersecurity Framework as we know it today. Clients with OT environments have traditionally turned to NIST on the assumption that it caters to critical infrastructure more than other standards. This is true to some degree, since the framework was originally commissioned for critical infrastructure. However, it is designed to help any organisation identify, protect against, detect, respond to and recover from cybersecurity risk, and it is not tied to any one sector.
How Do ISO/IEC 27002 and NIST CSF Differ?
ISO/IEC 27002, not to be confused with 27001 (which we will talk about later), is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It first appeared in the mid-1990s as the British standard BS 7799, was adopted internationally in 2000 as ISO/IEC 17799, was revised in 2005 and was renumbered ISO/IEC 27002 in 2007 when the 27000 family was created. An interesting bit of trivia: the code of practice that became the original standard was donated by Shell (yes, the oil and gas company) to the UK government. Like NIST CSF, 27002 is a catalogue of best-practice information security controls, with implementation guidance for each.
The primary difference I have come across is origin and scope: NIST CSF was created under a 2013 US Executive Order to help US critical-infrastructure operators manage cyber risk (US federal agencies were later required to use it as well), whereas 27002 is an international approach to managing information security risk. Further, 27002 is written as implementation guidance for the controls listed in Annex A of 27001, the standard against which an organisation builds and certifies an Information Security Management System (ISMS). An ISMS is a documented management system of security controls that protects the confidentiality, integrity and availability of the organisation's information assets against information security threats.
In my opinion, there are more commonalities between NIST CSF and 27002 than differences. Both take a risk-based approach, and both cover the fundamentals, for example access control, asset management, incident response and supplier management. NIST CSF is more specific in places around supplier management and incident response: it expects response and recovery planning and testing to be conducted with suppliers and third-party providers (subcategory ID.SC-5), which goes further than 27002, whose supplier controls centre on assessing and managing the suppliers that have access to your data and assets. To see where the two align, NIST has already done the cross-referencing for you: the informative references in CSF v1.1 map each subcategory to the ISO/IEC 27001:2013 Annex A controls, which use the same numbering as the sections of 27002:2013. The framework and its reference mapping can be downloaded from https://www.nist.gov/cyberframework/framework.
Can I Certify Against ISO/IEC 27002 and NIST CSF?
At this stage you may be thinking that the only major difference between ISO/IEC 27002 and NIST CSF is that you can certify against ISO and you cannot certify against NIST CSF. Well… when you certify your organisation against ISO, you certify against ISO/IEC 27001:2013, not 27002. As clause 6.1.3 of 27001 puts it, "organizations can design controls as required or identify them from any source", and organisations must "produce a Statement of Applicability [SoA] that contains the necessary controls […] and justification for inclusion […] and the justification for exclusions of controls from Annex A". So what does this all mean?
Suppose you decide as an organisation that NIST CSF provides a better way to manage, for example, incidents. In your SoA you would state that the organisation has taken a risk-based approach and decided that the NIST CSF Respond (RS) function fits it better than 27002 A.16 Information security incident management. You can go further and state that NIST CSF as a whole fits your organisation better than 27002, and that you have therefore made a risk-based decision to implement the NIST CSF outcomes in place of the 27002 controls. I know, mind blown, right! When I first realised this I confirmed it with our external auditors, and they validated it. One caveat: clause 6.1.3 also requires you to compare your chosen controls against Annex A to verify that nothing necessary has been omitted, so the SoA still has to address every Annex A control, even where the justification is that the equivalent CSF outcome covers it. I encourage you to talk to your own external auditors about this too.
So, where do you begin? Your best starting point is an information security risk assessment that covers the whole organisation. Understand what your 'crown jewels' are and which risks threaten them. Then cross-reference those risks against NIST CSF and 27002 and decide which of the two better mitigates them. If you want to obtain ISO/IEC 27001:2013 certification, you also need to ensure that the mandatory clauses of 27001 (clauses 4 to 10) are met: for example, do you have a risk management framework in place, do you have leadership buy-in, and have you defined an information security or cybersecurity strategy for your organisation?
Information security is all about protecting your organisation's information, regardless of whether it is in the cloud, stored locally, on paper, repeated in conversation or held in your employees' heads. There are basic controls every organisation should have in place to protect this information: strong passwords, MFA, user awareness, visibility into your threat landscape, asset management and management of suppliers, to name a few. Both ISO/IEC 27002 and NIST CSF address these controls and more. So, in my humble opinion, the framework you end up with will often come down to the recommendations of your security team and the preferences of your board and executive team. If your organisation chooses NIST over ISO or vice versa, you can always adopt controls from the other framework alongside the chosen one; security is not a one-stop shop. It comes down to your organisation, your critical data and your threat landscape, so your security framework should be like Gumby: flexible and easy to bend into the places it is needed most.