Regulation is one of the methods used by authorities to monitor the activities of any business. Regulation can be defined as an attempt that is sustainable and focused, which has the aim of altering others’ behavior according to the defined standards and purposes, with an expected result of producing broadly defined outcomes. ISO certification and NIST Cybersecurity Framework are two main regulations used globally in implementing information security management systems.
NIST is a publication that gives a set of security controls that are comprehensive, security baselines, which are low, moderate, and high impact, and various ways of tailoring the best baseline to specific needs regarding the mission, technologies used, and environmental operation of the organization. A cybersecurity framework was implemented to improve critical infrastructure concerning cybersecurity for companies. It is mostly recommended for use by organizations facing cybersecurity risks.
On the other hand, ISO 270001is a set of international standards for establishing, implementing, and continually making improvements to the information security management system within the organization’s context. It was published in 2005 and revised in 2013 by the International Organization for Standardization. Many countries accept the framework in their cybersecurity implementation.
Both two methods offer a platform for the implementation of methodologies concerning information security and cybersecurity in a firm. In reality, information security can be implemented using one of the methods and achieve good results. All the two methods are technology neutral and can be implemented by any organization which has an aim of achieving benefits in their businesses. The main similarity between both methods is that they are based on risk management, which means that in the case of detection of cybersecurity risks, both of them require safeguards for implementation.
Since it is risk-based, it comprises three parts, namely the framework profiles, the framework implementation tiers, and the framework core. The framework core is the activities involved in cybersecurity that many critical infrastructure sectors use. Core presents practices, guidelines, and industry standards in a manner to allow cybersecurity activities to communicate (Allodi & Massacci, 2017, 1620). Functions contained in the Framework Core are identified, recovered, protected, responded to, identified, and detected. All the functions produce high-level functions when considered together.
Framework implementation tiers provide an organization with a context of the ways to view cybersecurity risks and the various ways to manage them (Contreras, 2015, 60). How an organization exhibits the defined framework for solving the cybersecurity risks arising is defined as tiers. Threat environment, business objectives, legal and regulatory requirements, risk management practices, and organizational constraints are the methods of tier selection.
The framework profile shows the results concerning the needs of a business that a firm has selected from categories and sub-categories of the Framework. Features of the profile are practices to the Framework core and alignment of standards. They can be used for improvements in the cybersecurity posture by identifying opportunities and comparing the target profile with the current profile.
Every organization or individual owning electronic information faces information security threats. The threats are usually loose and automated on the internet. Any data is faced with many dangers, such as theft, internal corruption, and external attacks (Gray, Anand & Roth, 2014, 380). Therefore, organizations have a goal of establishing a formal information security management system that offers compliance and certification. Information security is mostly viewed as a technological issue by many people. They also tend to think that all the issues associated with securing data and protecting systems from threats should only be done by technological specialists. The truth is that the user of the computer decides on the threats to be protected from. Computer security experts should give technological solutions to cater to the threats.
Any organization should design and implement an ISMS that meets the minimal requirements of any organization. Every organization has objectives, business models, unique selling features, and different appetite risks (Boiral, 2014, 650). That means that a threat to one organization can be an opportunity to another. For ISO 27001, there are no specific methods used for identifying risks. It only sets out the various approaches that an organization should use in building its ISMS project.
Many companies prefer ISO 27001because it allows organizations to become certified. That means an organization has a chance to prove to government agencies, shareholders, partners, clients, and others that their information is safe. All types of information in the systems are protected by this method. A framework is only concerned with planning and implementing cybersecurity, but ISO gives a broader approach as it gives the methodology on the Plan-Do-Check-Act (PDCA) cycle. ISO builds, maintains, and improves the whole system.
Wrapping up, the two main regulatory methods used globally are ISO and NIST. The cybersecurity framework was implemented to improve critical infrastructure concerning cybersecurity for companies and is mostly recommended for use by organizations facing cybersecurity risks. Both two methods offer a platform for the implementation of methodologies concerning information security and cybersecurity in a firm. ISO gives more advantages than NIST, which makes it attractive to many companies.
Differences between NIST and ISO
| NIST | ISO |
| Rudimentary maturity tiers | Clear documentation requirements |
| Even basic requirements are optional | Mandatory management system requirements |
| Potential for agility | Exclusion of controls requires justification |
| IT security awareness and training | Established certification schemes |
| System policies and procedures | Well-defined terminology |
| Standard operation procedures | Risk assessment |
| Personal security | |
| System rules of behavior of security environment | |