The ISO/IEC 27001 outline and the NIST publication provide organizations and individuals with a methodology for implementing cyber-security or information security, and in practice an organization can implement measures to ensure information security using either of the two guidelines with satisfactory results (Frisken, 2015). Both security models are applicable to any form of firm or organization, even if it is not part of critical infrastructure; both are technology neutral; and both seek to provide business benefits within regulatory and legal guidelines as well as the requirements of all interested parties. Moreover, both the ISO/IEC 27001 and the NIST publication are based on risk mitigation and management (Frisken, 2015). While these security models differ in several ways, they both provide an avenue for developing risk and security management systems. This paper will discuss areas in the ISO/IEC 27001 outline that are missing in the NIST publications, as well as the strengths and weaknesses of the latter over the former.
The tools suggested by both the NIST publications and the ISO/IEC 27001, especially in terms of the provision of conformance statements, are largely compatible. In this case, the NIST publications introduce the framework profile concept, albeit superficially, and suggest the creation of target and current profiles that outline the selected control categories based on risk assessment and business drivers. The ISO/IEC 27001 has a similar concept that is more detailed than the NIST concept: it provides a template for these statements, as well as more specifics about their minimum contents, which the NIST publication does not provide (Frisken, 2015). Furthermore, the NIST publication provides less specific control objectives than the ISO/IEC 27001 outline. Control objectives contained in the latter but not the former include mobile device policy requirements, regular access rights review, acceptable use standards, and supplier agreement provisions. The majority of the control objectives in the ISO/IEC 27001 outline can, arguably, be mapped to the NIST framework core (Frisken, 2015).
Moreover, the NIST publication does not address requirements for documentation on the use of cryptographic controls and the management of cryptographic keys, which the ISO/IEC 27001 outline addresses in general terms. In addition, the requirements in ISO/IEC 27001 clauses four to ten, which relate mostly to the running of well-documented risk and security management systems, such as requirements for clear objectives, competent resources, continual improvement, management reviews, and internal audits, are not included in the NIST publication (Frisken, 2015). Nevertheless, the NIST publication still addresses some of these aspects within its framework implementation tiers, defined loosely under section 2.2, with regard to measuring the maturity of organizations. The NIST publication does not address process maturity and only sets a minimum baseline to guide the implementation of functioning security management systems. It is possible that the presence of documentation requirements and other aspects in the ISO/IEC 27001 outline, and their absence in the NIST publication, is the reason the former is more widely used as the main cyber-security framework (Frisken, 2015).
The NIST program has several strengths over the ISO standard, including the division of its framework core into functions (identify, protect, detect, respond, and recover), and further into 22 related categories, 98 subcategories, and various references to other frameworks such as COBIT and ISO 27001 (Jašek et al., 2015). This eases the process of identifying cyber-security requirements and determining how to implement them. In addition, the NIST publication has framework implementation tiers that explain how deeply the organization should pursue cyber-security implementation. As a result, the organization can decide more easily on the extent to which it wants to implement cyber-security features while taking the requirements of interested parties into account. Another strength of the NIST publication is the framework profile, which readily depicts the organization's current position and maturity in relation to the framework core's categories and subcategories, as well as where the organization wishes to be (Jašek et al., 2015). As such, the NIST publication makes it easier to identify cyber-security gaps and to develop action plans for closing them.
However, the NIST publication has several weaknesses compared to the ISO/IEC 27001 outline, including the fact that organizations cannot be certified against the NIST publication (Jašek et al., 2015), unlike the ISO/IEC 27001 outline, which gives organizations the capacity to demonstrate the security of their information. In addition, the NIST publication is not internationally accepted and recognized, unlike the ISO/IEC 27001 outline, which enables organizations to prove their ability to partners, clients, and foreign governments. Thirdly, the NIST publication focuses only on how to protect information processed or stored in the IT system, unlike the ISO/IEC 27001 outline, which focuses on the protection of all information types. Fourthly, unlike the ISO/IEC 27001 outline, the NIST publication does not clearly define the records and documents that are required and the minimum features that should be implemented. Finally, the NIST publication focuses only on the planning and implementation of cyber-security (Jašek et al., 2015). This is unlike the ISO/IEC 27001 outline, which has a broader approach based on the Plan-Do-Check-Act cycle that also includes the maintenance and improvement of the cyber-security system on top of its planning and implementation.
While this discussion has shown that the NIST publications have some missing areas compared to the ISO/IEC 27001 outline, as well as several weaknesses in comparison to it, it would seem that the best way forward is to integrate the two security models. Indeed, the ISO/IEC 27001 may act as an umbrella framework within which the organization can also implement the NIST framework as a complementary model.