A few months ago, the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework. This framework raises many questions if you are already familiar with ISO 27001.
The Cybersecurity Framework was initially intended for U.S. companies that are considered part of the critical infrastructure. Nevertheless, it is suitable for use by any organization that faces cyber security risks.
ISO/IEC 27001 is a cyber security standard published in 2005 and revised in 2013. Even though it is not mandatory, it is accepted in most countries as the main framework for data security implementation. It describes the data security management system and places it in the context of the overall management and processes of a company.
Both the Cybersecurity Framework and ISO 27001 give you a methodology for implementing cyber security in an organization, and you could implement either of them. Possibly the biggest similarity is that both are based on risk management: both require safeguards to be implemented only where cyber security risks have been identified.
The Cybersecurity Framework is clearly better structured when it comes to planning and implementation.
The Framework Core is divided into Functions (Identify, Protect, Detect, Respond, and Recover), then into 22 related Categories (for example Asset Management, Risk Management, etc.), which are similar to the sections of ISO 27001, and finally into 98 Subcategories. For each Subcategory, references are made to other frameworks such as ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and CCS CSC. This way, it is very easy to see what the requirements are and where to find out how to implement them.
The Framework Implementation Tiers are Partial, Risk Informed, Repeatable, and Adaptive. This way, a company can easily decide how far it wants to go with its implementation, taking its requirements into account.
Then there are the Framework Profiles: the Current Profile, the Target Profile, and others help to picture where the organization is right now with respect to the Categories and Subcategories of the Framework Core, and where it wants to be. Further, Framework Profiles could be used to set minimum requirements for other organizations such as suppliers or partners. Nothing like this exists in ISO 27001.
Overall, the Cybersecurity Framework enables not only top management but also engineers and other IT staff to easily understand what is to be implemented and where the vulnerabilities are.
One of the greatest advantages of ISO 27001 is that companies can become certified against it. This means that a company can prove to its clients, partners, shareholders, government agencies, and others that it can indeed keep their information safe.
Further, ISO 27001 is an internationally recognized and accepted standard; if a company wants to prove its ability to clients, partners, and governments outside its own country, ISO 27001 will be much better.
ISO 27001 focuses on protecting all types of information, not just information processed in IT systems. It is true that paper-based information is becoming less and less important, but for some companies such information might still pose significant risks. ISO 27001 defines which documents and records are needed, and what is the minimum that must be implemented.
Finally, whereas the Framework focuses only on how to plan and implement data security, ISO 27001 takes a much wider approach: its methodology is based on the Plan-Do-Check-Act (PDCA) cycle, which means it builds a management system that maintains and improves the whole system. Without constant measurement, review, audit, corrective actions, and improvements, such a system will gradually deteriorate and ultimately lose its purpose.
Which one is better?
It does not have to be a question of one or the other; it seems to me that it would be best to combine the two. Actually, the Cybersecurity Framework itself suggests that it can easily complement another program or system, and ISO 27001 has proved to be a very good umbrella framework for different data security methodologies.
So, I think the best results can be achieved if the design of the whole data security system is set according to ISO 27001, while the Cybersecurity Framework is used for risk management and for the implementation of the particular cyber security areas and safeguards.