Implementing NIST Cyber Security Framework Using ISO 27001 Is an Organic Process

A part of the United States Department of Commerce, the National Institute of Standards and Technology (NIST) serves as support for a broad variety of information and technology properties, making cybersecurity critical.

The organization launched the NIST Cybersecurity Framework (CSF) in 2014 to ensure the reliable functioning of the critical infrastructure with the goal of securing the nation’s economy, security and public safety and health. Per a 2013 Executive Order issued by President Obama, it was also crucial that efficiency, innovation and economic prosperity were not sacrificed within the cyber environment in the pursuit of optimal security.

Everyone involves continually works to improve the original 2014 CSF release, followed up with the 2018 update and now a new implementation of the NIST Cybersecurity Framework using ISO 27001.

A Brief Review of NIST CSF Basics

Also known as the Framework for Improving Critical Infrastructure Cybersecurity (the Framework), the Framework establishes the fundamental controls and necessary processes for top-notch cybersecurity for organizations in all sectors, government-based and otherwise. All sizes of businesses—from the smallest startups to the largest corporations—can adopt and apply risk management principles and best practices.

The Framework was designed to allow a variety of organizations to regularly upgrade security strategies while building and maintaining a tough but resilient critical infrastructure for easy and thorough management of cybersecurity risks.

The Framework includes the following five key functions:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

1. Identify.

The Identify Function lets you create an organizational understanding of cybersecurity risk management for your organization’s systems, assets, data and general capabilities. The five key categories covered by the Identify Function are Asset Management, Business Environment, Governance, Risk Assessment and Risk Management Strategy.

2. Protect.

Once all the steps of the Identify Function are complete, the Protect Function helps you outline various safeguards needed to ensure effective delivery and proper functioning of critical infrastructure services. The Protect Function is important for limiting and containing a negative impact resulting from a cybersecurity event. The six categories for the Protect Function include Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenace and Protective Technology.

3. Detect.

The Detect Function is simple and to the point, serving to identify the occurrence of a cyber event and features three categories, which are Anomalies and Events, Security Continuous Monitoring and Detection Processes.

4. Respond.

The Respond Function lays out all possible actions your team might take during a cyber event. There are five categories within this Function, which are Response Planning, Communications, Analysis, Mitigation and Improvements.

5. Recover.

The Recover Function gives you a chance to identify the best methods of achieving and maintaining plans for organization resilience, in general and after a cyber event. The three most important categories in the Recover Function are Recovery Planning, Improvements and Communications.

The April 2018 Update of the NIST CSF Made Some Big Improvements

While the original Framework had been effective, President Trump signed a second Executive Order to make additional improvements and turn it into an official government policy. With its official recognition as a sound set of cybersecurity best practices, the Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 was released on April 16, 2018.

Version 1.1 did not remove any of the intent or content of the original release, and only reinforced its effectiveness. This version of the Framework provided even more tools and best practices to assist business leaders for matters like effectively prioritizing cybersecurity resources, assessing risk, making the best decisions in unpredictable scenarios, and taking meaningful action to avoid and mitigate risk.

What Is ISO 27001 and How Does It Correspond with NIST CSF?

Developed by the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 offers enterprises a series of management standards.

Some of the matters covered in ISO 27001 include project planning, interviews with process owners to better understand the operating environment, analysis of the results, and issuance of a security assessment report to the business’s management team.

Can ISO 27001 Help Make Your Organization’s NIST Cybersecurity Framework Compliant?

Businesses that have a vertical described as “critical infrastructure” are subject to maintaining consistent compliance with the NIST Cybersecurity Framework and may find that adherence to the requirements of ISO 27001 and its corresponding certification audit.

Since much of the Framework relies on best practices, standards and guidance that includes those of ISO 27001, the chances are strong you could use ISO 27001 for implementation.

Using ISO 27001 in conjunction with the NIST Cybersecurity Framework can help you with matters such as the following:

Scope.

Defining what is critical to protect in your organization.

Risk Management.

Regularly evaluating risks and developing the best Risk Treatment Plans to help thwart risks.

Assess.

Monitor and assess the environment to ensure efficacy and work toward continuous improvement.

Governance.

Senior management should set out to establish reasonable risk tolerance and acceptance.

How Can You Implement NIST Cybersecurity Using ISO 27001?

The NIST Framework was designed to be flexible and voluntary, and as a way for you to create more accountability within your operation. This fact alone makes it fairly easy to use ISO 27001 to implement NIST CSF, providing ready-made best practices and guidelines. Use the previously mentioned matters of scope, risk management, assess and governance to lead the way.

Our Team Can Help You Achieve Compliance in the NIST Cybersecurity Framework and ISO 27001

The idea of combining two certifications may seem complex to you at this point. Our experience I.S. Partners, LLC. team is here and happy to help you understand the nuances and how implementing ISO 27001 can make it so much simpler to achieve NIST Cybersecurity Framework compliance.

Call us at 215-675-1400, or request a quote so we can break down the implementation process even further.

About The Author

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.