Educause Security Discussion mailing list archives
Re: ISO27001 vs NIST 800-171
From: "Penn, Blake C" <blake.penn () SECURITY GATECH EDU>
Date: Tue, 4 Sep 2018 18:07:16 +0000
Chris,

There is no comparison. The two are enormously different. NIST 800-171 is a data security standard designed to protect CUI. NIST 800-171 is much closer to something like the PCI DSS (another data security standard) than ISO 27001. ISO 27001 is an information security management standard. It is not designed to protect data – its purpose is to provide a framework for a strong information security program and is the only globally recognized standard for this – that is, it is the gold standard for running a cybersecurity program.

A much misunderstood part of ISO 27001 is the controls in Appendix A. None of these controls are mandatory – ISO 27001 has no mandatory controls, none. In ISO 27001, controls exist to treat risk per clause 6.1.3. The controls in Appendix A are simply common controls used to treat cybersecurity risk. The list was designed in order to ensure that common controls available to treat risk were not missed (clause 6.1.3 c), but again, none of them are required – the only requirement is to consider these controls in the treatment of risk. ISO 27001 allows you to design your own controls to treat risk and/or to borrow them from control frameworks (clause 6.1.3 b). Controls that exist without an associated risk within ISO 27001 are even actually considered a deficiency. So, your ISO 27001 auditor could actually issue a finding in an ISO 27001 audit if you had a control in place and hadn't mapped that to some risk(s) that the control was treating.

ISO 27001 is an excellent standard by which to incorporate regulatory requirements, as all regulatory requirements have associated regulatory compliance risks. Managing these risks in ISO 27001 is handled like any other cybersecurity risk, with regulatory compliance risks being listed and managed within the risk register. You can incorporate GRC tools and techniques within ISO 27001 to manage a multiplicity of regulatory requirements and multi-map/reuse controls.

NIST 800-171 is a regulatory requirement; ISO 27001 is not. NIST 800-171 can be managed within ISO 27001. ISO 27001 cannot be managed within NIST 800-171. We've all seen those spreadsheets that map multiple regulatory compliance requirements together – when these include ISO 27001 controls it shows a fundamental misunderstanding of that standard, as again, none of the controls in that standard are mandatory.

I'd be glad to discuss the nuances in more detail with you (or anyone else for that matter) if you are interested. I'm a former ISO 27001 principal auditor, so I've had this discussion many times before.

Blake Penn
Information Security Policy and Compliance Manager
Cyber Security
Georgia Institute of Technology
(404) 385-5480

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Chris
Sent: Friday, 31 August, 2018 09:21
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ISO27001 vs NIST 800-171

Can anyone provide me a quick and dirty compare/contrast between the two? Which is more appropriate for a higher education setting seeking to comply with the various regulatory requirements typically found in higher ed?

Thanks!

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu
Current thread:
- ISO27001 vs NIST 800-171 Davis, Chris (Aug 31)
- Re: ISO27001 vs NIST 800-171 James Farr (Aug 31)
- Re: ISO27001 vs NIST 800-171 Don Murdoch (Aug 31)
- Re: ISO27001 vs NIST 800-171 Joanna Grama (Aug 31)
- Re: ISO27001 vs NIST 800-171 Penn, Blake C (Sep 04)
- Re: ISO27001 vs NIST 800-171 James Farr (Aug 31)