When you consider national and global cybersecurity, a handful of names stand out. Two of the largest are NIST and ISO/IEC. Both organizations have issued plenty of standards and frameworks for securing digital systems, and in a sense they can be viewed as competitors. So, what’s the difference, where is the overlap, and which option is right for your business?
What is NIST?
NIST stands for the National Institute of Standards and Technology. It’s a United States government institute, and it’s responsible for an immense number of standards. There are thousands of publications produced and maintained by NIST on an ongoing basis. While a large number of them – 1,421, to be precise – are dedicated to various aspects of cybersecurity, that’s far from the only subject NIST covers.
Other subjects in the NIST publications list include general Information Technology, Manufacturing, and Buildings & Construction. They also have categories for more specific niches, like Fire, Polymers, Biomaterials, and Ceramics.
Not all of the NIST publications are standards or frameworks, of course. Some of the cybersecurity publications are things such as:
- NIST Risk Management Framework Small Enterprise Quick Start Guide
- Assessing the Benefits and Risks of Quantum Computers
- Spanish Translation of the NIST Cybersecurity Framework 2.0
- Non-Fungible Token Security
- Design Trends in Lightweight Ciphers
Many of these are of specific interest to a narrow selection of individuals and professionals. Some are clarifications of other publications, some are updates to older publications, and some are translations. Some are even just internal reports, not really meant for much use outside of the NIST beyond keeping the general public informed on what the NIST is thinking about.
Broadly speaking, NIST is a bureau of the Department of Commerce. While its jurisdiction and influence are primarily aimed at the United States government and at businesses operating in the USA – especially government contractors – its overall influence can be felt around the world.
What is ISO/IEC?
ISO/IEC is the joint name of the International Organization for Standardization and the International Electrotechnical Commission.
And no, abbreviating the International Organization for Standardization as ISO rather than IOS is not a mistake:
“Because ‘International Organization for Standardization’ would have different acronyms in different languages (IOS in English, OIN in French), our founders decided to give it the short form ISO. ISO is derived from the Greek word isos (ίσος, meaning “equal”). Whatever the country, whatever the language, the short form of our name is always ISO.”
The ISO/IEC group is in many ways similar to NIST, but rather than being associated with any one country or government, it’s associated with the international community. ISO standards are broadly available and meant to be a universal standard that is equally applicable whether you’re operating in the United States, in Britain, in Uruguay, in Cambodia, or anywhere else in the world. Officially, the ISO publications are supported in English, French, and Russian.
Unlike NIST, ISO/IEC has a relatively small number of publications; also unlike NIST, the ISO/IEC publications are paid publications.
What Are the NIST Standards and the Cybersecurity Framework?
NIST develops a set of standards that is kept up to date with guidelines for information security, cybersecurity, digital threat awareness, continuous monitoring, attack surface hardening, and more. It’s a comprehensive catalog of security controls encompassing over 400 different elements of security, ranging from the physical security of computer hardware to user login authentication to encryption and more. While numerous NIST publications are involved, the most important is NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations.
Before going further, it’s important to clarify something: when referring to NIST in a cybersecurity context, you need to recognize the role NIST plays in the US government’s cybersecurity frameworks.
NIST is not a certifying body. NIST does not evaluate or audit companies or agencies looking to prove their security. NIST does what its name says it does: it sets the standards. It is then up to other organizations, such as the Joint Authorization Board, the FedRAMP program management office, the Department of Defense, and others, to use those standards to develop their own frameworks.
For example, FedRAMP is the Federal Risk and Authorization Management Program, a framework that uses NIST security controls to give businesses, contractors, and agencies a way to audit themselves and earn certification for security. FedRAMP is more comparable to ISO 27001 (which we’ll discuss in a moment) than NIST itself is, even the NIST CSF. In fact, we have a more direct comparison between FedRAMP and ISO 27001 here.
The NIST CSF, also known as the Cybersecurity Framework, is a simplified version of these other frameworks and is developed primarily as a guidance document, used by everyone from company executives to IT directors to risk management teams to guide their security efforts. The CSF focuses more on outcomes than on specific controls, and more on the themes of security than on the specifics. You can read the full document of the current 2.0 revision here.
So, when comparing NIST publications with something like ISO 27001, you have to decide if you’re comparing something like the CSF, or just the root NIST SP 800-53, or a NIST-derived framework like FedRAMP. All are generally based on the same understanding of cybersecurity, but approach the issue in different ways and for different audiences.
What is ISO 27001?
ISO 27001 is the go-to cybersecurity publication for international audiences. It’s officially called the Information Security, Cybersecurity, and Privacy Protection – Information Security Management Systems – Requirements framework.
Among everything else we’ve mentioned, ISO 27001 is most broadly comparable to FedRAMP. It’s a framework that, critically, can be certified, unlike something like the NIST CSF or the SP itself.
ISO 27001 is based on three core principles: confidentiality, information integrity, and availability of data. These are effectively the same as the three principles of confidentiality, integrity, and availability that are reflected across numerous US-focused security frameworks as well.
This is no coincidence. There’s a lot of cross-pollination between NIST and ISO/IEC; each can see what the other is doing, and when new technologies evolve and new threats are discovered, both organizations work to address them in the most effective way possible.
There are, to put it simply, a limited number of skilled cybersecurity experts in the world, and they often collaborate across both organizations. It all comes from the same place, with the same goal of promoting cybersecurity globally, and with the same mechanisms at their disposal to do so.
What Do ISO 27001 and NIST Have in Common?
In broad strokes, NIST and the groups behind ISO/IEC 27001 are the same: they have the same goals, the same methods, the same tools, and largely the same results. While the contents of ISO 27001 and of NIST SP 800-53 are largely the same, they are not identical and don’t necessarily map 1:1 to each other. About half of what NIST recommends appears almost verbatim in ISO 27001, and much of the rest of what ISO 27001 mentions is reflected in NIST documents.
They are both dedicated to the goal of promoting standardized cybersecurity and resilience to digital threats, whether those threats operate on a small-scale basis or on a nation-state level.
Beyond that, there isn’t actually a ton of commonality between these two. As mentioned, NIST is a standards organization comparable to ISO/IEC; ISO 27001 is a specific framework.
What Are the Differences Between ISO 27001 and NIST?
This is where we can start to compare NIST projects and ISO 27001 and identify the key differences.
ISO 27001 is a specific set of security controls and implementation guides, all with the core goal of building a resilient cybersecurity presence for an organization, no matter how large or small that organization is.
NIST’s SP 800-53 is a similar set of controls, but does not come with an implementation guide. It’s more like a toolbox and a checklist.
NIST’s Cybersecurity Framework, meanwhile, is a self-guided document meant to help businesses and enterprises find their way to cybersecurity without needing to undergo a complex, costly, and time-consuming certification process. As such, it has no associated certification or auditing process. It’s a framework in the general sense of the word, not a prescriptive set of specific requirements.
NIST-derived cybersecurity frameworks also exist, and include things like FedRAMP, CMMC, FISMA, and more. All of these are much more comparable to ISO 27001, in that they are all tangible frameworks with specific goals and specific processes to obtain certification. You can’t be NIST-certified; you can be FedRAMP-certified.
Another significant difference is the price involved in all of these options.
NIST’s documentation is entirely public. The most recent ISO 27001 documentation is locked behind a paywall. While you don’t technically need to purchase that document to be compliant, you’ll have a harder time managing compliance without the guidance of a professional organization that is intimately familiar with the ISO 27001 guidelines.
There are, of course, plenty of other costs associated with any security certification. The costs of having audits performed, application fees, identifying and implementing changes, and employee training all add up. They also vary hugely with the size of the organization involved; a small business might be much more agile and able to adapt on a small budget in a short amount of time, whereas a huge enterprise might spend half a year and several million dollars achieving the same results.
Speaking of, if you’re a huge organization with millions of dollars to spend on implementing a cybersecurity framework, here at Ignyte, we developed the Ignyte Platform specifically to help. Not only can we help save you some of that budget, we can assist with streamlining the entire process through collaboration and deep knowledge of the entire process, inside and out.
Which is More Relevant to You: NIST or ISO 27001?
The final concern many of you have is simply this: which should you care about? Is NIST more relevant, or can you focus on ISO?
This comes down primarily to your goals and the size of your organization.
If you’re a small business and you have no desire to work with the United States federal government or any of its agencies, you can pick and choose whatever you want to do. The NIST Cybersecurity Framework is often the best option, as a mostly DIY guidebook to help achieve a level of security without all of the red tape and bureaucracy of auditing and certification. It also puts you in a good position if you do want to pursue certification down the line.
If you’re a larger business, the CSF is probably too low-tier and free-form for your needs. In this case, it largely comes down to this: do you intend to be a contractor for the US Federal Government, or do you primarily intend to work in the non-governmental space and with international companies and commerce?
If you want to work with the US government, you will generally need to pursue some level of certification, whether it’s FedRAMP, HITRUST for HIPAA, CMMC, or another standard. This can also depend on what level of information you handle, what agency you work with, and other details. The government is working on making this clearer with CMMC, but it’s still a work in progress.
Meanwhile, ISO 27001 is the go-to certification for most of the rest of the world. If you need certified cybersecurity and aren’t working with the US government, ISO is the way to go.
While there’s some mirroring between all of these, there’s no real reciprocity. If you’re ISO 27001 certified, it means you have a head start on something like FedRAMP certification, but you’re not guaranteed to have achieved it out of the box. Similarly, if you have FedRAMP Moderate or High certification, you’re in a good place, but ISO 27001 has enough differences that you will still need to comb over everything for the purposes of ISO certification.
When it comes to US government certifications, we’re here for you. The Ignyte Platform is an excellent way to help track security controls in a collaborative environment, and as a certified assessment organization, we have deep knowledge and can help answer the questions you may have. Request a demo or reach out today!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.