A High-Level Comparison between the NIST Cyber Security Framework and the ISO 27001 Information Security Standard

Prameet P. Roy
BE (E&C, MIT Manipal), MS (Information Management, University of Washington, Seattle, US)
Information Security & Risk Management Consultant, Bangalore, INDIA
prameetroy.manipal@gmail.com

Abstract—This paper provides a high-level comparison between the National Institute of Standards and Technology's (NIST) Cyber Security Framework and the ISO 27001 Information Security Standard. The pros and cons of each, the advantages each framework holds over the other, and how an organization would select between CSF and ISO 27001 are discussed, along with a detailed comparison of how major security control frameworks and guidelines such as NIST SP 800-53, CIS Top-20 and ISO 27002 can be mapped back to each.

Keywords—Cyber Security, Risk Management Framework, Information Security, Risk Assessment, Risk Treatment

I. INTRODUCTION
(Overview: Pros and Cons of NIST's CSF and ISO 27001)

The main point that comes to the forefront when talking about NIST's Cyber Security Framework is that it is voluntary and hence can be used by any organization that looks to deal with cyber threats and information breaches, especially in a technology-heavy environment. NIST CSF is also more suited to technology-oriented companies due to its emphasis on technological controls. According to Kosutic in [1], the CSF was originally designed keeping in mind the needs of U.S. companies that were part of the critical infrastructure of the U.S. government; its suitability for any organization arises from its voluntary nature.

Carrying on from the previous point, the same voluntary nature of the framework gives it a disadvantage: it does not replace proper risk management. It is not suitable as a long-term replacement for an information security management framework, but rather can be used as a guideline for implementing risk management frameworks in organizations. Ochel says in [3] that the framework is not a one-size-fits-all approach to tackling cyber threats and breaches, because organizations are complex and face a large variety of threats, vulnerabilities, etc. Hence how the methodology is translated and implemented will also have to vary according to the nature of the threat and the security posture of the company.

Guinn contends in [4] that while the NIST Cyber Security Framework is by no means a foolproof cyber security methodology, its advantages and benefits may be missed by those who choose to forgo or postpone implementation of the voluntary guideline, in part or in whole. That is because the Framework comprises leading practices from various standards bodies that have proved to be successful when implemented, and it also may deliver regulatory and legal advantages that extend well beyond improved cyber security and risk management for organizations that adopt it early.

ISO/IEC 27001, on the other hand, is an information security standard first published in 2005 by the International Organization for Standardization, as mentioned by Kosutic in [2]. Although not a compulsory framework, it is widely regarded and used as the default cyber security or risk management framework in most organizations in almost all countries of the world. It describes the information security management system, and it places security within the context of the overall management and processes in a company, according to Kosutic in [1].

ISO 27001 also has the added advantage of providing the highest return on investment (ROI) amongst the common cyber security frameworks, and it provides a methodology that can give organizations the most competitive edge in the market because of the lowering of expenses. Usually cyber security is considered just a budget burden with no tangible way to measure its profits. But by lowering the expenses involved through an optimized methodology, ISO 27001 gives an excellent return on investment.

II. NIST CSF vs. ISO 27001: HIGH LEVEL COMPARISON

Similarities between CSF and ISO 27001

As stated by Kosutic (2014), both the Cyber Security Framework and ISO 27001 provide robust methodologies on cyber/information security that deal with threats and breaches. In all probability, and in reality, one could implement either of these methodologies and achieve excellent results in dealing with security. They both aim to ensure the three pillars of confidentiality, integrity and availability. Both ISO 27001 and NIST CSF help to provide guidelines, policies and procedures to build a structured Information Security Management System (ISMS) that can be supplemented with other guidelines like CIS-20, SP 800-53 (security controls), SP 800-37
Authorized licensed use limited to: University of Exeter. Downloaded on June 19,2020 at 13:50:35 UTC from IEEE Xplore. Restrictions apply.
(risk management guidelines), ISO 27002 (implementing controls), 27004 (metrics) and 27005 (risk management). Both frameworks are relatively technology-independent, in that they can be implemented in organizations with varying degrees of technology, although CSF's security postures are better suited to tech companies due to its emphasis on log analytics, incident analytics and technical controls, while ISO 27001 is better suited to commercial companies because of its inclusion of rigorous documentation, which is divided into mandatory documents (statement of applicability, risk assessment methodology guideline, scope of ISMS, risk treatment, access control policy, etc.) and non-mandatory documents (password policy document, BYOD policy, change management policy, etc.).

Even though they have different layouts, both frameworks have similarities that can map back to each other. Kosutic writes in [1] that the "Framework Core is divided into Functions (Identify, Protect, Detect, Respond, and Recover), and then into 22 related Categories (e.g., Asset Management, Risk Management, etc. – very similar to sections in ISO 27001 Annex A), 98 Subcategories (very similar to controls in ISO 27001 Annex A), and for each Subcategory several references are made to other frameworks like ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and CCS". This division into categories and subcategories gives added flexibility and adaptability, bridges the gap between technical, administrative and policy-related controls in a seamless manner, and also makes it very easy to map various controls from different standards against the CSF categories.

III. ADVANTAGES OF CSF OVER ISO 27001

The main advantage that NIST's Cyber Security Framework has over ISO 27001 is its structured and planned format, which makes it easier for organizations to implement at an enterprise level. This structured format of NIST CSF can also be considered more user-friendly and streamlined, especially for higher management. It essentially divides all cyber risk activities into 5 domains: Identify, Protect, Detect, Respond, and Recover. These 5 functions provide a systematic way to categorize security risks, which makes it easier to implement controls. Another important advantage that CSF holds is that most of the categories and subcategories use references to other frameworks like ISO 27001, COBIT, etc., which helps the CSF to combine several of the important features of various frameworks. As written by the National Institute of Standards and Technology (U.S.) in [6], these informative references are "detailed technical references that are meant to provide organizations with a starting point for implementing practices to achieve the Framework's desired outcomes described in the associated Subcategory". CSF is also better suited for implementing a control scheme like the CIS-20 controls, which lays a lot of emphasis on a defence-in-depth approach to security.

CSF also implements the concept of having current and target profiles for the evaluation of the overall security posture of an organization. "Framework Profile (e.g., Current Profile, Target Profile) easily pictures where the organization is right now, related to the categories and subcategories from Framework Core, and where it wants to be. This way, it is very easy to see where the gaps are, and then Action plans can be developed for closing these gaps", writes Kosutic in [1]. Therefore, to reiterate, this concept of simplifying the framework by dividing it into separate functional blocks and profiles enables not only top management but also middle-level managers and engineers to use the framework.

IV. ADVANTAGES OF ISO 27001 OVER CSF

ISO 27001 is one of the most well-recognized, renowned and widely implemented methodologies, not only in organizations in the US but all over the world. Its reputation speaks for itself, and hence any organization that wants a safe and foolproof framework to showcase to stakeholders will always go for ISO 27001. As Kosutic writes in [1], "One of the greatest advantages of ISO 27001 is that companies can become certified against it". This means any organization using this standard can effectively convince its clients, partners and other stakeholders that it is capable of providing a safe and effective risk management framework. Its mechanism is based on the tried and tested PDCA (Plan-Do-Check-Act) cycle. Disterer elaborates in [9] that the focal point of ISO 27001 is the PDCA methodology, which is based on the requirement for planning, implementation and continuous monitoring of the implemented ISMS, and continuous improvement through corrective actions. Even though the PDCA methodology is not expressed as explicitly in the latest revision of the standard, it still has to be followed. The one thing where ISO 27001 really stands out over NIST CSF is that companies can get certified against it, thereby gaining competitive advantage and client confidence, which can be used as huge leverage in business deals.

Another advantage that ISO 27001 holds is the extremely rigorous and structured emphasis it lays on documentation, both mandatory and non-mandatory, making it very streamlined for high-level analysis by management. Kosutic in [1] writes, "unlike Cyber Security Framework, ISO 27001 clearly defines which documents and records are needed, and what is the minimum that must be implemented". ISO 27001 also has the advantage that it forces organizations to clearly define responsibilities and who is responsible for which asset and information, which adds clarity and structure to an organization and its information security. As stated earlier, ISO 27001 lays a strong emphasis on documentation that covers incident management, change management, BYOD policy, password policy, access control policy, etc. This makes it more suitable as a guideline for building one's own ISMS (Information Security Management System).

TABLE I. COMPARISON

STRUCTURE
  NIST CSF: Core divided into 5 functions, 22 categories and 98 subcategories; 4 implementation tiers
  ISO 27001: 11 sections (0-3 being non-mandatory, 4-10 mandatory); Annex A

CERTIFIABLE
  NIST CSF: No
  ISO 27001: Yes

MANDATORY DOCUMENTS
  NIST CSF: Not specified
  ISO 27001: Scope of the ISMS, Information security policy and objectives, Risk assessment and risk treatment methodology, Statement of Applicability, Risk treatment plan, Risk assessment report, Security roles and responsibilities, Inventory of assets, Access control policy document [10]

BASIS
  NIST CSF: Risk Management based
  ISO 27001: Risk Management based

MECHANISM
  NIST CSF: Optional, self-certification
  ISO 27001: Non-voluntary, independent audit based

SCOPE
  NIST CSF: Optional guidelines, best practices and standards for implementing and improving cyber-security programs
  ISO 27001: Information security standard that describes how to implement an ISMS (Information Security Management System)

TECHNOLOGY NEUTRALITY
  NIST CSF: Yes
  ISO 27001: Yes

V. CONCLUSION

Instead of choosing one framework over the other, the best approach would be to combine the best practices and points of both. Modern-day risk management is a complex concept where malicious attackers have access to state-of-the-art resources and a massive variety of attack vectors. Risk assessment is perhaps the crucial component of any organization's and project's success. Risk can be defined as not only the probability of an unwanted event occurring but also the frequency with which it might happen. Hence, in a way, there is no tangible way to measure the effectiveness of a risk management framework, since risk is all about the probability of occurrences and a function of threat actors and vulnerabilities, both of which can be potentially infinite sets. Hence combining both ISO and CSF enables an organization to better plan for unexpected catastrophes and events. A primary concern that might arise is the compatibility of the two frameworks, but the concern seems to be unfounded, as contended in [1] by Kosutic: "Cyber Security Framework suggests it can easily complement some other program or system, and ISO 27001 has proved to be a very good umbrella framework for different information security methodologies".

Kosutic in [1] also mentions that the Cyber Security Framework is better when it comes to structuring the areas of security that are to be implemented and to defining exactly the security profiles that are to be achieved, whereas ISO 27001 is better for painting a rigorously well-defined picture for designing a system within which security can be managed long term. Combining the two would effectively fill the deficiencies in each.

So, to get the best possible results, we can build and implement the ISMS, or security management system, as per ISO 27001 (including metrics, which have been efficiently detailed in ISO 27004) and use the Cyber Security Framework to map the safeguards we have implemented back to the 5 functions and the corresponding categories and subcategories. In this way we can ensure that all facets are covered. Safeguards or control measures are also detailed in ISO 27002 and can be used as a reference while using controls from NIST SP 800-53. There is a lot of overlap when we analyse the two frameworks, and the choice should be solely a function of the available resources of the company and the risk appetite it wants to inculcate.

REFERENCES

[1] Kosutic, D. (n.d.). Cybersecurity Framework vs. ISO 27001 – Which one to choose? [online] 27001Academy. Available at: https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
[2] Kosutic, D. (n.d.). ISO 27001 checklist: 16 steps for the implementation. [online] 27001Academy. Available at: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
[3] Ochel, David (2014). Comparing NIST's Cybersecurity Framework with ISO/IEC 27001. Retrieved from http://www.secuilibrium.com/news/comparing-isoiec-27001-with-nists-cybersecurity-framework
[4] Guinn, Jim (May 2014). Why you should adopt the NIST Cybersecurity Framework. Retrieved from https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf
[5] Esage, Alisa (February 2018). Cybersecurity Framework or ISO 27001.
[6] National Institute of Standards and Technology (U.S.), (2014). Framework for improving critical infrastructure cybersecurity.
[7] DeNisco Rayome, A. (2019). How to choose the right cybersecurity framework. Retrieved from https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/
[8] The ISO 27001 Risk Assessment. (2019). Information Security Risk Management for ISO 27001/ISO 27002, Third Edition, 87–93. doi: 10.2307/j.ctvndv9kx.11
[9] G. Disterer, "ISO/IEC 27000, 27001 and 27002 for Information Security Management," Journal of Information Security, Vol. 4 No. 2, 2013, pp. 92-100. doi: 10.4236/jis.2013.42011
[10] Kosutic, D. (n.d.). List of ISO 27001 mandatory documents and records. [online] 27001Academy. Available at: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
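The two mechanics this paper leans on, the Current-versus-Target Profile gap analysis from Section III and the Conclusion's advice to map ISO 27001 safeguards back to the five CSF Functions, are easy to show in working form. The script below is an added example; it is not code from the paper, from NIST or from ISO. Everything in it is constructed: the CSF_TO_ISO mapping is a small excerpt written in the style of the CSF v1.1 informative references (subcategory to ISO/IEC 27001:2013 Annex A control) and must be checked against the published Framework before use, IMPLEMENTED is an invented ISMS control set, and the 0-4 profile scores are a simplification of the Framework's implementation tiers.

```python
"""Added example (not from the paper, NIST or ISO): map implemented ISO 27001
Annex A controls back to the five CSF Functions, then compute a Current vs.
Target Profile gap list that doubles as an action plan.

Constructed inputs, labelled as such:
  - CSF_TO_ISO: excerpt in the style of the CSF v1.1 informative references;
    verify each entry against the published Framework before relying on it.
  - IMPLEMENTED: invented list of Annex A controls an ISMS has in place.
  - CURRENT_PROFILE / TARGET_PROFILE: subcategory -> score 0-4, where 0 means
    not addressed (a simplification of the implementation tiers).
"""

CSF_FUNCTIONS = {
    "ID": "Identify", "PR": "Protect", "DE": "Detect",
    "RS": "Respond", "RC": "Recover",
}

# Constructed excerpt: CSF subcategory -> Annex A controls cited for it.
CSF_TO_ISO = {
    "ID.AM-1": {"A.8.1.1", "A.8.1.2"},            # physical devices inventoried
    "ID.RA-1": {"A.12.6.1", "A.18.2.3"},          # asset vulnerabilities identified
    "PR.AC-1": {"A.9.2.1", "A.9.2.2", "A.9.4.2"}, # identities and credentials managed
    "PR.DS-1": {"A.8.2.3"},                       # data at rest protected
    "DE.CM-1": {"A.12.4.1", "A.13.1.1"},          # network monitored for events
    "RS.RP-1": {"A.16.1.5"},                      # response plan executed
    "RC.RP-1": {"A.16.1.5"},                      # recovery plan executed
}

# Constructed ISMS state: an Identify/Protect-heavy control set.
IMPLEMENTED = ["A.8.1.1", "A.8.1.2", "A.9.2.1", "A.9.2.2", "A.8.2.3", "A.12.6.1"]

# Constructed profiles (subcategory -> score 0-4).
CURRENT_PROFILE = {"ID.AM-1": 3, "ID.RA-1": 2, "PR.AC-1": 3, "PR.DS-1": 2, "DE.CM-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.RA-1": 3, "PR.AC-1": 4, "PR.DS-1": 3,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}


def function_of(subcategory):
    """'PR.AC-1' -> 'Protect'; raises KeyError on an unknown prefix."""
    return CSF_FUNCTIONS[subcategory.split(".")[0]]


def coverage_by_function(implemented, mapping=CSF_TO_ISO):
    """Map implemented ISO controls back to CSF Functions.

    A subcategory counts as covered when at least one Annex A control it
    references is implemented. That 'any' rule is deliberately generous, so a
    subcategory reported as uncovered is a firm gap, not a judgement call.
    Returns {function: {"covered": [...], "uncovered": [...]}} in the
    Identify..Recover order of the Framework.
    """
    have = set(implemented)
    result = {name: {"covered": [], "uncovered": []} for name in CSF_FUNCTIONS.values()}
    for subcat, controls in sorted(mapping.items()):
        bucket = "covered" if controls & have else "uncovered"
        result[function_of(subcat)][bucket].append(subcat)
    return result


def uncovered_functions(implemented, mapping=CSF_TO_ISO):
    """Functions with no covered subcategory at all: facets the ISMS misses."""
    cov = coverage_by_function(implemented, mapping)
    return [fn for fn, v in cov.items() if not v["covered"]]


def profile_gaps(current, target, mapping=CSF_TO_ISO):
    """Compare a Current Profile with a Target Profile.

    Returns an action item for every subcategory whose target score exceeds
    its current score, largest gap first; a subcategory absent from the
    Current Profile scores 0. Each item lists the Annex A controls the
    mapping cites, as a starting point for the action plan.
    """
    gaps = []
    for subcat, want in target.items():
        have = current.get(subcat, 0)
        if want > have:
            gaps.append({
                "subcategory": subcat, "function": function_of(subcat),
                "current": have, "target": want, "gap": want - have,
                "iso_controls": sorted(mapping.get(subcat, ())),
            })
    gaps.sort(key=lambda g: (-g["gap"], g["subcategory"]))
    return gaps


if __name__ == "__main__":
    for fn, v in coverage_by_function(IMPLEMENTED).items():
        print(f"{fn:8} covered={v['covered']} uncovered={v['uncovered']}")
    print("Functions with no coverage:", uncovered_functions(IMPLEMENTED))
    for g in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g['subcategory']} ({g['function']}): {g['current']} -> {g['target']}"
              f" via {', '.join(g['iso_controls'])}")
```

With the constructed inputs the coverage view reports Detect, Respond and Recover as having no covered subcategory at all, which is exactly the kind of blind spot the Conclusion's mapping step is meant to surface in an ISMS built around asset and access controls; the gap list then puts RS.RP-1 (gap 3) ahead of DE.CM-1 and RC.RP-1 (gap 2) and the three one-point Identify/Protect items, each annotated with the Annex A controls to consult when writing the action plan.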
