I am about to join a company as the IT security person. Thus, I would like to implement the NIST framework inside the company, but I am not sure how much your solution (ISO 27001 Documentation Toolkit) can help me to do so. I don't have experience in implementing either one, NIST or ISO 27001.
Answer: First, let's understand both NIST and ISO 27001:
- The NIST SP 800 series of documents provides detailed information about processes to select and implement controls for computer security.
- ISO 27001 provides general requirements for the implementation, operation, control and improvement of a management system to protect information, regardless of the environment where it is held (e.g., physical reports or digital databases). ISO 27001 provides protection through the selection of security controls described in its Annex A, as well as other controls that can be added by the organization.
The ISO 27001 Documentation Toolkit has templates that are organized so that they can be used to implement both the management requirements of the ISO 27001 standard and the most commonly used information security controls from ISO 27001 Annex A, some of them IT related, which can be linked to NIST SP 800 documents.
Considering that, you can use the ISO 27001 Documentation Toolkit to implement the overall approach to protecting information, and after identifying the controls that can be related to NIST documents, you can use the NIST documents to implement the details of each control. For example, you can use information from the SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.