Which GRC Framework is better suited for your Cybersecurity Program NIST CSF or ISO 27001 ISMS?

We compared the GRC frameworks NIST CSF and ISO/IEC 27001 ISMS on a single criterion: the number of explicit documentation requirements listed within the auditable specification. Documentation is necessary to validate that the methods selected produce comparable and reproducible results in support of continual improvement. Since the capability and maturity of any program begin with documented policies, procedures, and standards, we evaluated the NIST Cybersecurity Framework, created in 2014, and the ISO/IEC 27001 Information Security Management System framework, published in 2005. Within the NIST CSF there are only four explicit requirements for documentation; ISO 27001 ISMS, by contrast, has twenty-two. Based on our evaluation, there can be no doubt that the ISO/IEC 27001 ISMS is the superior GRC framework for cybersecurity programs.


NIST CSF

  • Clause ID.RA.1 - Identify - Risk Assessment.
  • Clause ID.RA.3 - Identify - Risk Assessment.
  • Clause PR.PT.1 - Protect - Protective Technology.
  • Clause RS.MI.3 - Respond - Mitigation.


ISO/IEC 27001 ISMS

  • Clause 5.2 - Policy.
  • Clause 6.1.2 - Information Security Risk Assessment.
  • Clause 6.1.3 - Information Security Risk Treatment.
  • Clause 6.2 - Information security objectives and planning to achieve them.
  • Clause 7.2 - Competence.
  • Clause 7.5 - Documented Information (The document control procedure).
  • Clause 8.1 - Operational Planning and Control.
  • Clause 8.2 - Information Security Risk Assessment.
  • Clause 8.3 - Information Security Risk Treatment.
  • Clause 9.1 - Monitoring, measurement, analysis, and evaluation.
  • Clause 9.2 - Internal audit.
  • Clause 9.3 - Management review.
  • Clause 10.1 - Nonconformity and corrective action.
  • Clause A.8.1.3 - Acceptable use of assets.
  • Clause A.9.1.1 - Access control policy.
  • Clause A.12.1.1 - Documented operating procedures.
  • Clause A.13.2.4 - Confidentiality or nondisclosure agreements.
  • Clause A.14.2.5 - Secure system engineering principles.
  • Clause A.15.1.1 - Information security policy for supplier relationships.
  • Clause A.16.1.5 - Response to information security incidents.
  • Clause A.17.1.2 - Implementing information security continuity.
  • Clause A.18.1.1 - Identification of applicable legislation and contractual requirements.