Recently I had an interesting call from a client that is getting ready for their ISO 27001 certification audit. Their business is in a vertical that would be considered “critical infrastructure” (CI) and therefore subject to the NIST Cybersecurity Framework (NCsF).
They wanted to understand whether they were already “compliant” with the NCsF given that they’ll soon be ISO 27001 compliant. And if not, what else would they have to do to become NCsF compliant. I have a strong suspicion that this is a question we will hear a lot over the next few years.
The good news is that an ISO 27001 certifiable organization would also likely be NCsF compliant, as the NCsF framework relies on existing standards, guidance, and best practices—including ISO 27001. Much like ISO the NCsF can be summarized simply, as follows:
- Scope: Understand what it is that you need to protect
- Risk Management: Assess risks and develop appropriate Risk Treatment Plans to mitigate risks.
- Assess: Monitor and assess to validate efficacy and continuously improve.
- Governance: Senior Management needs to govern the Risk Management process, most notably establishing risk tolerance/acceptance.
Now let’s look at each of these key elements in a bit more detail, in terms of how ISO 27001 and NCsF compliance intersect.
Assuming your ISO 27001 scope is fully aligned with your NCsF scope, you should be covered. Unfortunately, I think there will be instances where this is not the case. For example, in the banking industry the information security management system (ISMS) scope may have been specifically developed to provide assurance to key stakeholders that clients’ personally identifiable information (PII) is being secured in a manner that is consistent with prevailing best practices. From a CI perspective, PII is important, but so is the firm’s ability to maintain its operations during a Cyber Security Incident of note. This Disaster Recovery/Business Continuity component may not have been part of the ISO 27001 focus, but likely would need to be addressed for NCsF.
As ISO 27001 is about Information Security Risk Management, the process of becoming certified validates the effectiveness of the Risk Assessment Methodology leveraged (whether it is ISO 27005, NIST SP 800-30, or OCTAVE). The process of establishing Risk Acceptance Criteria and developing a Risk Treatment Plan to achieve it is the same as developing a Framework Profile in NCsF. If you are going to be both ISO 27001 certified and NCsF compliant, your Policies, Standards and Procedures must be cross-referenced to both to simplify the process.
This is especially true with respect to the Identify, Protect, Detect, Respond, Recover Function “taxonomy” introduced in the NCsF. The taxonomy “maps” to ISO 27001 roughly as follows.
- Identify – ISMS Scoping and Risk Assessment
- Protect – Risk Treatment Plan and Statement of Applicability
- Detect – ISMS Internal Audit, Security Metrics and Security Monitoring
- Respond – Incident Response Plan
- Recover – Incident Learning, Disaster Recovery and Business Continuity
Integral to any proper ISMS is integrating the mechanisms necessary to ensure that the ISMS is operating as intended. In the ISO world, this is largely accomplished by ISMS Internal Audit and detecting, responding to, and learning from security incidents. It is further enhanced by Management Review. Interestingly, I believe this is an area where NCsF is a little bit weak, in that it doesn’t require any internal auditing to validate the efficacy. Assessment is limited to the monitoring mechanisms required within the Detect function.
Without “tone at the top” (e.g., senior management’s unwavering support for the information security function) no information security framework will be successful. ISO 27001 mandates and validates “top leadership’s” commitment to the ISMS, requiring evidence of their involvement in establishing “acceptable risk.” NCsF requires that “Senior Management understands its roles and responsibilities” but does not engage management in the information security risk management process to the extent that ISO 27001 does.
At the risk of oversimplifying it, ISO 27001 is a superset of NCsF with a more rigorous and defined set of requirements imposed by the certification process. So as long as your ISO 27001 scope is the same as your NcSF scope, if you are ISO 27001 certified you should be NCsF compliant. I would recommend that you cross-reference your documentation to reflect the NCsF Identify, Protect, Detect, Respond, Recover taxonomy. The process of doing so will give you the ability to quickly identify if any of your risk acceptance criteria “scoped out” a control that is required by the NCsF. It will also simplify the process of demonstrating your NCsF compliance to stakeholders.