How To Understand The NIST CSF If You Prefer ISO 27001

The document compares the NIST Cybersecurity Framework (CSF) with ISO 27001:2022, highlighting the relationship between their terms and concepts. It outlines key components such as cybersecurity goals, governance, core functions, and implementation examples, emphasizing their respective roles in information security management. Additionally, it discusses the frameworks' approaches to organizational profiles and maturity levels, providing insights for those familiar with ISO 27001 to understand NIST CSF better.

Uploaded by

Suchitra Das
How to understand the NIST CSF if you prefer ISO 27001?

Relationship of terms
10.08.2023

The table below maps the vocabulary of NIST CSF 1.1 / 2.0 (draft) to the corresponding terms in ISO 27001:2022. Each entry gives the NIST CSF term first, then its ISO 27001 counterpart.

1. Document title
   NIST CSF: The NIST Cybersecurity Framework
   ISO 27001: Information security, cybersecurity and privacy protection — Information security management systems — Requirements

2. Core term
   NIST CSF: Cyber Security: The ability to protect or defend the use of cyberspace from cyber attacks.
   Not used in the document: Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
   ISO 27001: Information Security: preservation of confidentiality, integrity and availability of information.
   Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
   Not used in the document: Cybersecurity: safeguarding of people, society, organizations and nations from cyber risks.

3. Cybersecurity program / Information Security Management System (ISMS)
   NIST CSF: IT Security Program: a program established, implemented, and maintained to assure that adequate IT security is provided for all organizational information collected, processed, transmitted, stored, or disseminated in its information technology systems. Synonymous with Automated Information System Security Program, Computer Security Program, and Information Systems Security Program.
   ISO 27001: Management System: set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.
   Note to entry: The system elements include the organization’s structure, roles and responsibilities, planning and operation.

4. Stakeholder / Interested party

5. Cybersecurity goals / Information Security Objectives

6. Cybersecurity Governance / 5. Leadership
   ISO 27001: 5.1 Leadership and commitment, 5.2 Policy, 5.3 Organizational roles, responsibilities and authorities

7. Core Functions / Cybersecurity concepts (attributes, ISO 27002:2022)
   NIST CSF: Govern (GV), Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC)
   ISO 27002: Cybersecurity concepts is an attribute to view controls from the perspective of the association of controls to cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110. Attribute values consist of Identify, Protect, Detect, Respond and Recover.

8. Categories and Subcategories / Control objectives
   NIST CSF: The Framework Core provides a set of cybersecurity outcomes (arranged by Function, Category, and Subcategory), examples of how those outcomes might be achieved (Implementation Examples), and references to additional guidance on how to achieve those outcomes (Informative References).
   ISO 27001: Control Objective: statement describing what is to be achieved as a result of implementing controls.

9. Implementation Examples / Controls
   NIST CSF: Implementation Examples provide notional examples of concise, action-oriented steps to help achieve the outcomes of the Subcategories in addition to the guidance provided by Informative References. The examples are not a comprehensive list of all actions that could be taken by an organization to achieve an outcome, nor do they represent a baseline of required actions to address cybersecurity risk.
   ISO 27001: Control: measure that is modifying risk.
   Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.

10. Framework Profile / Statement of Applicability (SoA), Information Security Risk Treatment Plan (RTP), Continuous Improvement Plan (a current state and plans)
   NIST CSF: The Framework’s mechanism for describing an organization’s current or target cybersecurity posture in terms of the Core’s outcomes is called a Framework Profile (Profile). Supporting templates:
   • Notional organizational profile template
   • Notional action plan template

11. Tiers / There is no equivalent, but Maturity Levels are often used
   NIST CSF: Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable, Tier 4: Adaptive

12. Cybersecurity measurement and assessment / 9. Performance evaluation

by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001

www.patreon.com/AndreyProzorov
