ISO 27001 and NIST
Answer: First, let's understand both NIST and ISO 27001:
- NIST SP-800 series of documents provides detailed information about processes to select and implement controls for computer security
- ISO 27001 provides general requirements for the implementation, operation, control and improvement of a management system to protect information, regardless of the environment where it is (e.g., physical reports or digital databases). ISO 27001 provides protection through the selection of security controls described in its Annex A, as well as other controls that can be added by the organization.
The ISO 27001 Documentation Toolkit has templates that are organized and can be used to implement the management requirements of the ISO 27001 standard, as well as the most commonly used information security controls from ISO 27001 Annex A, some of them IT related, and that can be linked to NIST SP-800 documents.
Considering that, you can use the ISO 27001 Documentation Toolkit to implement the overall approach to protect information, and after the identification of controls that can be related to NIST documents, you can use the NIST documents to implement the details for each control. For example, you can use information from SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.
These articles will provide you further explanation about ISO 27001 and NIST:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
Jun 09, 2018