How does ISO 27001 compare (differences, advantages and limitations) to other frameworks such as NIST CSF, CIS Critical Controls and Common Criteria? And how does an organisation decide which framework is suitable for it?
The main difference between ISO 27001 and other standards (like the NIST series or the CIS Critical Controls) is that after implementing the standard, you can have it certified by a third party, which gives a guarantee that you are compliant with an international standard. You cannot certify the NIST series and/or the CIS Critical Controls in the same way. Regarding Common Criteria, it is also an ISO standard (ISO 15408), although ISO 27001 is related to the certification of companies, while Common Criteria (ISO 15408) is related to the certification of products.
Regarding the advantages, being certified on ISO 27001 means that you have a certificate signed by a certification body, and this entity audits your company every year to check whether your company is compliant with the standard, which can help your business to improve continually.
Regarding limitations, from my point of view, ISO 27001 is only a standard that defines requirements (it tells you what you need to do) but does not tell you how to do it, so generally you need other standards or best practices (ISO 27002, ISO 27799, etc.) for the implementation of ISO 27001.
The decision should be made depending on the needs of the business. I mean, if the business needs a certificate signed by a third party to show its customers that it is compliant with an international standard related to information security, the best standard is ISO 27001. If not, the company should choose the best standard depending on its needs and the benefits of each standard.