
    Everything You Need to Know About ISO 27001 VS NIST CSF


    Which One is Right for Your Business?

    John Bassett - EVP of Managed Services

    When it comes to security planning, there are two guiding methodologies: ISO 27001 and NIST CSF. Both have a place in this world, and choosing the right one (or a mix) for your business can be challenging.

    The NIST Cyber Security Framework (NIST CSF) is a United States-developed solution that is followed by many companies. Its strength lies in the execution phases, making it somewhat more understandable than ISO to implement. Its weakness is in the planning stage. It is also primarily designed for US-based companies.

    ISO 27001 is an international Information Security Management System (ISMS) framework, from the same people that bring you ISO 9000/1. If you are a manufacturing company with divisions around the world, and/or a company that has already implemented ISO 9001, then this is probably the better solution for your company. Its strengths are in the planning stage, where you define the coverage context of your organization, outline and define risks, and come up with a risk mitigation strategy. However, NIST CSF has a much stronger execution of the framework than ISO. Another strength is that your company can obtain a certification that it has passed an ISO 27001 audit, which can be a marketing win.

    Some companies choose a mixture of the two: combining the planning of ISO 27001 with the strength of the execution phase of NIST CSF. Although you might not get the ISO certification, you can take advantage of both frameworks.


    Meet the Author

    John Bassett - EVP Managed Services

    Certified ISO 27001 Implementation Lead
