NIST (the National Institute of Standards and Technology) is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce. Its CSF (Cybersecurity Framework) offers a risk-based approach to managing cybersecurity risk, and is designed to complement existing business and cybersecurity operations. Primarily aimed at critical infrastructure organizations, the CSF can be implemented by any organization in any part of the world.
There are three components to the framework: the core, implementation tiers, and profiles.
• The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes
• The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management
• Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization
Combining ISO 27001 and ISO 22301
Adaptable frameworks like the CSF make it easy to implement existing frameworks into a new cybersecurity framework.
ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). A best-practice ISMS generally focuses on protecting the organization’s information assets, and as such aligns primarily with the ‘identify, protect and detect’ functions, and applies processes relevant to the respond function.
Effective cybersecurity, and therefore an effective ISMS, is founded on three ‘pillars’: people, processes, and technology. Ultimately, while having the right technology in place is critical to security, that technology has to be managed and maintained by people, who need to follow defined processes. This is part of the systematization of information security: ensuring full coverage at any point that information could be compromised.
ISO 27001 also has a number of principles that align with the CSF’s suggestions. These include:
- Risk management
- Top management oversight
- Continual improvement
ISO 22301 provides specifications for a best-practice BCMS (business continuity management system). A BCMS is designed to help your organization survive any disruptions and return as quickly as possible to the status quo after such an event – in other words, it is designed to help make your organization as resilient as possible. As such, an ISO 22301-conformant BCMS primarily aligns to the ‘respond and recover’ functions.
A BCMS aligned with ISO 22301 will reflect core practices. They include:
- Management support
- BIA (business impact analysis)
- Risk management
- Business continuity planning
IT Governance Publishing believes that implementing existing security frameworks, such as an ISO 27001 ISMS and an ISO 22301 BCMS, is the best approach to cybersecurity and resilience, and maximizes your ability to survive an attack. This framework can also be paired with COBIT® 5, ANSI/ISA 62443, and NIST SP 800-53.
Both standards provide good guidance and have the advantage of already providing broad coverage of the functions outlined by the NIST CSF.
They also apply several common processes that can be coordinated or combined to reduce the actual workload, such as training and awareness, document control, internal audits, and regular management review. These processes further support the CSF’s aims by promoting good practice that benefits cybersecurity generally.
- NIST Pocket Guide by Alan Calder, a leading author on information security and IT governance, is available to pre-order with a 15% discount.
- An Introduction to Information Security and ISO27001:2013 – A Pocket Guide by Steve Watkins. Get up to speed with ISO 27001 and keep your information secure.
- ISO22301 – A Pocket Guide by Tony Drewitt. Understand international business continuity best practice with this handy reference and minimize the impact of a disaster on your organization.
IT Governance Publishing toolkits will help you achieve certification/comply with specific standards, frameworks, and regulations.