Last Updated on February 2, 2022
Many companies serve US federal government customers, suppliers to the government, and/or firms in sectors designated as “critical infrastructure” such as financial services, healthcare, information technology, manufacturing or defense. Based on emerging US government cybersecurity policy that aims to protect controlled unclassified information (CUI), it’s likely that most such organizations—and therefore yours as well—will be mandated within the next 9 to 36 months to comply with the NIST SP 800-171 cybersecurity framework, which identifies the minimum set of controls needed to safeguard CUI.
Especially for organizations that are pursuing or have already achieved ISO 27001 certification or a SOC 2 based program, this new regulatory requirement creates a business-critical concern: What is the best way for my company to incorporate NIST 800-171 compliance into our current cybersecurity program?
On a recent “special briefing” episode of The Virtual CISO Podcast, John Verry, Pivot Point Security CISO and Managing Partner, offers guidance on this critical question. After framing the “big picture” and why the requirement to protect CUI is impacting so many organizations, John outlines three different approaches that organizations can take to incorporate NIST 800-171 compliance into an ISO 27001 information security management system (ISMS), or vice versa.
Approach #1: Cross-reference NIST 800-171 controls within ISO 27001
Two critical factors that make this “incorporation” process easier whatever your starting point are the broad overlap between NIST 800-171 and ISO 27001 controls (about two-thirds) plus the flexibility of the ISO 27001 standard.
“If you were moving towards ISO 27001 right now, it would probably be a good idea to take a little bit more time, and perhaps spend a few more dollars, but get to a point where you’re actually both NIST 800-171 and ISO 27001 conforming—provably so—at the end of that process.”
One way to get there, even if you’re already ISO 27001 certified, is to “just account” for NIST 800-171. This involves basically continuing to leverage your ISO 27001 ISMS, but also cross-referencing or mapping your ISO 27001 policies (which are most likely aligned with the controls in Annex A/ISO 27002) against NIST 800-171. Mappings that illustrate how ISO 27001 controls map to NIST 800-171 controls are available as a starting point. John estimates that this additional cross-referencing work will add less than 10% to your total compliance effort.
At the end of this cross-referencing process, what you’re left with is a mapping that documents how your ISO 27001 policies cover the NIST 800-171 controls. Will that be good enough to “prove” NIST 800-171 conformance to all stakeholders? Hopefully… but it’s not the strongest play. Also, there might be some gaps in controls coverage.
Approach #2: Cross-reference and update your ISO 27001 ISMS to incorporate NIST 800-171
If Approach #1 isn’t adequate for your organization, John recommends taking the additional step of updating your ISO 27001 ISMS to verifiably incorporate NIST 800-171 controls where necessary.
“Because of the way ISO 27001 works, and the fact that it’s what we refer to as a risk-based framework, ISO 27001 does not mandate the implementation of a control,” John explains. “ISO says, ‘You should consider this control.’ Then, based on your risk appetite, and based on your organizational context—the types of data you process, who your customers are, what your client contractual and legal obligations are, etc., ISO says, ‘Understand all that context and then implement controls that … achieve your risk acceptance criteria.’”
“So, it’s possible that you’ve implemented an ISO 27001 control in a way that is ISO conforming at that point in time based on your context, but it’s not yet NIST 800-171 conforming,” John continues. “Be aware of that, and what you might want to do [in those situations] is actually rather than just cross-reference, cross-reference and update [your ISO 27001 ISMS].
Updating your controls to verifiably conform with NIST 800-171 will obviously be more work than just cross-referencing policies per Approach #1. But this method will yield a provably secure result that should satisfy stakeholders across the board.
Approach #3: Build Your ISO 27001 ISMS on a NIST 800-171 Foundation
John calls this the “really cool way” to achieve provable compliance with both ISO 27001 and NIST 800-171.
“If you’re starting on ISO 27001 from the beginning and you don’t have a lot of your controls well documented, what most organizations would typically do is begin to document their policies, standards and procedures using the Annex A controls within ISO 27001,” describes John. “But there’s something within ISO 27001 called the Statement of Applicability. It’s a document that says, ‘I considered these 114 controls in Annex A and here are the ones I implemented, and here are the ones I didn’t, and here’s why.’”
“What most people don’t realize is you don’t have to use the Annex A controls as the basis of your control set for ISO 27001,” John relates. “So, what you can do—and we’re doing this with a couple of clients right now—is we’re actually documenting their controls not using ISO 27001 [Annex A]. In one case we’re using NIST 800-53, which defines a broad base of cyber controls; and in the other case we’re using NIST 800-171, which are the controls specific to CUI, as the basis of the cybersecurity program.”
With this approach, your ISO 27001 certification effectively becomes an attestation that the ISMS, which uses the NIST 800-171 controls underneath, is operating properly.
Not only our US national defense, but our ability to remain an important player in the world economy, depends on our government agencies and the critical companies in our economy being secure. The US government clearly recognizes this and is taking steps to enforce that vision of robust security across a wide spectrum of companies. If yours is likely among them, now is the time to prepare.
To hear this “special edition” 20-minute podcast briefing on “NIST versus ISO” with John Verry end-to-end, click here: LINK
To get expert guidance on the best approach to align your current security program with NIST 800-171, contact Pivot Point Security.