What are the main differences between ISO 27001 and NIST? How can I know what is best for any organization?
Generally speaking:
- ISO 27001 provides general requirements for the implementation, operation, control, and improvement of a management system to protect the information, regardless of the environment where it is (e.g., physical reports or digital databases).
- ISO 27001 provides protection through the selection of security controls described in Annex A, as well as other controls that can be added by the organization.
- The NIST SP 800 series of documents provides detailed information about processes to select and implement controls for computer security.
Considering that, you can use ISO 27001 to implement the overall approach to protect the information, and after identifying the controls that can be related to NIST documents, you can use the NIST documents to implement the details for each control. For example, you can use information from the SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.
Regarding how to know which one is best for your organization, you should first study information security regulations in the countries you operate in to evaluate whether 27001 or NIST is closer to the requirements you need to fulfill. For example, in most European countries 27001 is more appropriate.
These articles will provide you with further explanation about ISO 27001 and NIST:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
Mar 29, 2023