Educause Security Discussion mailing list archives

Re: [External] [SECURITY] ISO27001 vs NIST 800-171


From: WALTER KERNER <walter_kerner () FITNYC EDU>
Date: Fri, 31 Aug 2018 10:31:21 -0400

Let me add that in a previous role in an international company, colleagues
in other countries were much more comfortable with the ISO than NIST
standard just because it was perceived as being less US-centric.







Walter Kerner

Assistant Vice-President and CISO

333 7th Avenue, 13th Floor

New York, NY 10001

Voice: 212-217-3415



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Shankar, Anurag
*Sent:* Friday, August 31, 2018 9:58 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] [External] [SECURITY] ISO27001 vs NIST 800-171



Hi Chris,



The biggest difference from my view is that, while ISO 27001 has a
hundred-odd-control set, it is really a framework aimed at
measuring/improving the high-level cybersecurity management structure for
an organization (to protect data confidentiality, integrity, and
availability).  NIST 800-171 is a more typical physical, admin, and
technical control set (also around a hundred) designed to protect data
confidentiality only.



As for which is more appropriate, it depends on what the relevant
compliance regimes are in your case and the effort you are willing to
expend.  The primary ones affecting EDU with specific cybersecurity
requirements in my opinion are HIPAA, DFARS (for DoD contracts), CMS, and
FISMA (for certain govt. contracts).  NIST 800-171 is a good place to start
if you don't have a lot of resources, but if you want to use a single
framework to cover all cyber compliance, I'd establish a NIST risk
management framework (which uses NIST 800-53, the superset of 800-171) that
also addresses integrity and availability.  That is what we do here at IU.
I'd be more than happy to talk to you in more detail if you are interested.



Regards,



Anurag



---

Anurag Shankar,  Ph.D.  Email: ashankar [at] iu.edu  Phone: +1 (812)
856-6978

Center for Applied Cybersecurity Research, Pervasive Technology Institute,
Indiana University

2719 E. 10th Street, Suite 231, Bloomington, IN 47408



*From: *The EDUCAUSE Security Constituent Group Listserv <
SECURITY () listserv educause edu> on behalf of "Davis, Chris" <
CDavis () LOURDES EDU>
*Reply-To: *The EDUCAUSE Security Constituent Group Listserv <
SECURITY () listserv educause edu>
*Date: *Friday, August 31, 2018 at 9:20 AM
*To: *"SECURITY () listserv educause edu" <SECURITY () listserv educause edu>
*Subject: *[External] [SECURITY] ISO27001 vs NIST 800-171





Can anyone provide me a quick and dirty compare/contrast between the two?
Which is more appropriate for a higher education setting seeking to comply
with the various regulatory requirements typically found in higher ed?



Thanks!



Chris





*Christopher Davis, Ph.D.*
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

*CyberAware – Be aware. Stay Secure!*
Lourdes University will never ask you to send sensitive information
through unsecure channels. Report any message that asks you to provide
or confirm personal information such as credit card and/or bank
account numbers, Social Security numbers, passwords, etc. or any
other suspicious activity to infosec () lourdes edu. For more information
please visit lourdes.edu/cyberaware.

*CONFIDENTIALITY NOTICE: *The contents of this email message and any
attachments are intended solely for the addressee(s) and may
contain confidential and/or privileged information and may be
legally protected from disclosure. If you are not the intended recipient of
this message or their agent, or if this message has been addressed to
you in error, please immediately alert the sender by reply email and then
delete this message and any attachments. If you are not the intended
recipient, you are hereby notified that any use, dissemination, copying, or
storage of this message or its attachments is strictly prohibited.