In this assignment, students will review the NIST Cybersecurity Framework and the ISO 27001 certification process. In a visual format (such as a table, diagram, or graphic), briefly explain the differences, similarities, and intersections between the two. Then, present the following in 750-1,000 words:
A brief description of the NIST Cybersecurity Framework
A brief description of the ISO 27001 certification process
The number of controls/sub-controls in the NIST CSF and in ISO 27001 that support protections around computer and cyber forensics
An explanation as to why organizations should seek this framework and/or certification as the basis for their security program strategy and decisions
An explanation as to why ISO 27001 has rapidly become an industry best practice/standard against which organizations are basing their cybersecurity programs (including value-add, cost, and pros/cons)
Make sure to reference academic or NIST official publications (most current year available via the Internet) or other relevant sources published within the last 5 years.
Prepare this assignment according to the guidelines found in the APA Style Guide, located in the Student Success Center.
This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.
Cyber threats have grown with the pace of technological change, and every computer system, whether personal, business, or governmental, holds data that must be protected from theft, tampering, and destruction. Governments and standards bodies have responded with cybersecurity policies, standards, and regulations that give organizations a common basis for protecting the confidentiality, integrity, and availability of their data. Two of the most widely adopted are the NIST Cybersecurity Framework and ISO/IEC 27001.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is a United States government agency; the NIST Cybersecurity Framework (CSF) is the voluntary framework it publishes. The CSF gives organizations, originally those in the private sector operating critical infrastructure, guidance on how to assess and improve their ability to identify, protect against, detect, respond to, and recover from cyberattacks (Barrett, 2018). Version 1.0 was released in 2014 in response to Executive Order 13636, which called for a standardized, risk-based framework to improve critical infrastructure cybersecurity in the United States; Version 1.1 (2018) is the revision referenced in this paper.
The Framework is organized into three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles (Almuhammadi & Alsaleh, 2017). The Framework Core is a set of cybersecurity activities, desired outcomes, and informative references (mappings to standards such as ISO/IEC 27001, COBIT, and NIST SP 800-53) that apply across sectors and critical infrastructure. It is arranged hierarchically into Functions, Categories, and Subcategories. Framework Profiles let an organization record its current state (Current Profile) and desired state (Target Profile) of cybersecurity outcomes, aligned with its business goals, risk tolerance, and resources; the gap between the two drives the improvement plan. The Implementation Tiers (Tier 1 Partial through Tier 4 Adaptive) describe how rigorous and how well integrated an organization's risk management practices are; they are a self-assessment lens, not a maturity certification.
The Framework Core has five Functions that together represent the cybersecurity lifecycle and are performed concurrently and continuously rather than as a one-time sequence. Identify develops an organizational understanding of cybersecurity risk to systems, assets, data, and capabilities in the context of the business. Protect implements safeguards that limit or contain the impact of a potential cybersecurity event. Detect enables timely discovery of cybersecurity events. Respond contains the impact of a detected incident, including the analysis and forensics that support that containment. Recover restores capabilities and services impaired by an incident and supports a timely return to normal operations (NIST, 2019).
ISO 27001 Certification Process
The International Organization for Standardization (ISO) is an independent, non-governmental body that develops international standards for safe, reliable, and high-quality products, services, and processes. ISO/IEC 27001, published jointly with the International Electrotechnical Commission, specifies the requirements for an information security management system (ISMS): the policies, processes, roles, and controls through which an organization manages information security risk (ISMS, 2019). Unlike the NIST CSF, ISO 27001 is a certifiable standard; an accredited third party audits the ISMS against the standard's requirements. A commonly used implementation roadmap has 10 steps (Valdevit et al., 2009):
Step 1: Preparation, including a gap analysis against the standard, which also provides the business case for the project.
Step 2: Establishing the context, scope, and objectives of the ISMS, including the internal and external factors and interested parties that shape the organization's information security risk.
Step 3: Establishing the management framework, the governance processes, roles, and responsibilities needed to meet the ISO 27001 implementation objectives.
Step 4: Conducting the information security risk assessment.
Step 5: Selecting and implementing controls to treat the identified risks, and recording the decisions in a Statement of Applicability.
Step 6: Training staff and raising awareness so that the controls are actually applied.
Step 7: Reviewing, producing, and maintaining the documentation the standard requires.
Step 8: Measuring, monitoring, and reviewing the performance of the ISMS.
Step 9: Conducting an internal audit to verify that the ISMS conforms to the standard and to the organization's own requirements, and correcting nonconformities before the external audit.
Step 10: The certification audit by an accredited certification body, usually in two stages (a documentation review, then an on-site assessment of implementation and effectiveness). If the ISMS conforms, the organization receives its certificate; the certificate is maintained through periodic surveillance audits and a recertification audit at the end of each three-year cycle.
Why organizations should consider a framework
The NIST CSF is valuable to organizations because it complements, rather than replaces, existing business and cybersecurity operations. Comparing a Current Profile with a Target Profile exposes gaps in cybersecurity outcomes, which can be prioritized into an action plan and communicated to executives and business partners in a common vocabulary. Target Profiles also support informed purchasing decisions: an organization can express its cybersecurity requirements to stakeholders as a Target Profile, require suppliers and service providers to demonstrate how they meet those requirements, and select from the list of suppliers on that basis (Teodoro et al., 2015).
Why ISO is considered best-practice
ISO 27001 has become one of the most sought-after standards because it provides a systematic, risk-based way to reduce information security and data protection risk. By achieving certification, an organization demonstrates to regulators, customers, and partners that it takes information security seriously and that an independent, accredited auditor has verified its ISMS (Disterer, 2013). Because ISO 27001 is recognized internationally as best practice, certification helps an organization attract new clients, satisfy contractual and due-diligence requirements, and retain existing business relationships, which in turn protects and generates revenue. The trade-off is cost: implementation, documentation, staff time, and recurring external audits are significant, especially for smaller organizations.
Comparison of NIST CSF versus ISO 27001
| Characteristic | NIST CSF | ISO 27001 |
|---|---|---|
| Similarities | Establishes information security controls selected on the basis of risk | Establishes information security controls selected on the basis of risk |
| Differences | Voluntary guidance framework with no certification; organized into five Functions (Identify, Protect, Detect, Respond, Recover) | Certifiable requirements standard; organized into clauses 1-10 (clauses 4-10 mandatory) plus Annex A controls |
| Intersection | Provides extensive guidance for managing cyber risk; its Informative References map each Subcategory to ISO/IEC 27001 controls | Provides extensive guidance for managing information security risk; its Annex A controls are mapped from the CSF Subcategories |
| Number of controls/sub-controls | 23 Categories and 108 Subcategories across the 5 Functions (Version 1.1); forensics is addressed directly by Subcategory RS.AN-3 ("Forensics are performed") | 114 controls in 14 Annex A domains (ISO/IEC 27001:2013); forensics is addressed directly by control A.16.1.7 ("Collection of evidence") |

The control counts above refer to NIST CSF Version 1.1 (2018) and ISO/IEC 27001:2013. The 2022 revision of ISO/IEC 27001 restructures Annex A into 93 controls grouped under four themes.
The NIST Cybersecurity Framework helps both private and public organizations improve security operations and governance. It provides guidance through which an organization's security posture and risk management can be moved from a reactive to a proactive approach. ISO 27001 is technology neutral and takes a top-down, management-driven approach to risk assessment and treatment. Certification to ISO 27001 is voluntary rather than compulsory, but it is the most widely recognized way of assuring clients and customers that the standard's requirements have been implemented and independently verified.
Almuhammadi, S., & Alsaleh, M. (2017). Information security maturity model for NIST Cyber Security Framework. Computer Science & Information Technology, 51.
Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity, Version 1.1 (NIST CSWP 04162018). National Institute of Standards and Technology, Gaithersburg, MD.
Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(2), 92-100.
ISMS. (2019). ISO 27001 information security management system. Retrieved from https://www.isms.online/iso-27001/
NIST. (2019). Framework documents. Retrieved from https://www.nist.gov/cyberframework/framework
Teodoro, N., Gonçalves, L., & Serrão, C. (2015). NIST Cybersecurity Framework compliance: A generic model for dynamic assessment and predictive requirements. In 2015 IEEE TrustCom/BigDataSE/ISPA (Vol. 1, pp. 418-425). IEEE.
Valdevit, T., Mayer, N., & Barafort, B. (2009). Tailoring ISO/IEC 27001 for SMEs: A guide to implementing an information security management system in small settings. In European Conference on Software Process Improvement (pp. 201-212). Springer, Berlin, Heidelberg.