NIST CSF vs. Other Cybersecurity Frameworks
With the new SEC Cybersecurity Disclosure Rule (adopted in July 2023) requiring public companies both to report material cybersecurity incidents on Form 8-K within four business days of determining materiality and to describe their cybersecurity risk management, strategy, and governance in their annual Form 10-K, those affected are taking a closer look at cybersecurity frameworks that, while previously considered optional or "nice to have," could help their organization meet the new regulatory requirements.
One in particular—the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)—is getting a lot of attention right now, having become a popular choice for organizations seeking to improve their cybersecurity posture (and meet that new SEC Rule).
As cybersecurity experts who have been conducting assessments against a wide range of different standards for over 20 years, we agree that the NIST CSF presents a potentially good avenue for you. To help you discern whether it’s right for you, we’re going to explore the key differences between the NIST CSF and some other popular framework options you have.
Maybe the NIST CSF is the best path for your organization, or maybe it’s not, but after reading your decision will be much better informed because we're about to really geek out on frameworks.
What is the NIST CSF?
The NIST CSF is a voluntary framework designed to provide a flexible, risk-based approach to managing cybersecurity risks. The framework consists of three main parts:
| Framework Component | Details |
|---|---|
| Core | Five Functions (Identify, Protect, Detect, Respond, Recover), each broken down into its own Categories and Subcategories of controls that describe the security outcomes you are measured against. |
| Implementation Tiers | Tiers characterize the rigor of your cybersecurity risk management practices, ranging from Tier 1 (Partial) to Tier 4 (Adaptive), based on how well you have addressed the five Functions. When you are assessed, this is the rating you receive. |
| Profiles | Profiles align your cybersecurity activities with your business objectives, risk tolerance, and available resources. A Current Profile captures where you are today and a Target Profile where you want to be, and the gap between them becomes your roadmap. |
Given its holistic approach and the associated benefits, the NIST CSF has become a widely recognized and adopted framework that provides a common language for communicating cybersecurity risks and practices. Its popularity should continue to climb, as—when implemented correctly—it addresses each aspect of the new SEC requirements and positions companies well to adhere to the cybersecurity disclosure rule.
But is it the right framework and assessment for your organization? Let’s compare how it stacks up against other, similar standards.
ISO/IEC 27001 vs. the NIST CSF
Having been pursued for decades and now one of the most popular security frameworks, ISO 27001 is an international standard for information security management systems (ISMS) that, like the NIST CSF, provides a systematic approach to managing sensitive company information so that it remains secure. Both frameworks are also valued for their ability to be tailored to the uniqueness of each organization.
Despite both being designed to provide a comprehensive and integrated approach to managing information security risks, there is one key difference between ISO 27001 and the NIST CSF: how the implementation of controls is measured.
| Key Difference | ISO 27001 | NIST CSF |
|---|---|---|
| Measurement of implementation | Pass/fail. The standard outlines specific programmatic requirements (the ISMS clauses and applicable Annex A controls) that must be implemented and evidenced to achieve certification; a gap is a nonconformity, not a score. | Scored. NIST is careful to say that Implementation Tiers are not maturity levels, but in practice a CSF assessment rates how well you have implemented each Subcategory on a scale, so you can see where you stand and where you can improve, not whether you cleared a particular milestone. |
Further, ISO 27001 compliance generally must be certified by an accredited third-party certification body to count as proof of your security program, whereas the NIST CSF can be used simply to guide you toward a more secure environment based on its standards (though you can also have your NIST CSF efforts assessed by a third party should you so choose).
All that being said, ISO 27001 certification may be more appropriate for organizations that have a specific customer request to undergo a third-party certification assessment, whereas the NIST CSF may be most appropriate for those looking to satisfy internal requests or requirements, such as from a board of directors that wants not only to see where your organization stands but also to track growth over time.
Regarding the SEC Cybersecurity Disclosure Rule: The NIST CSF holds an advantage over ISO 27001 here, as several aspects of the framework directly relate to the disclosure rule. The "Respond" Function helps prepare companies to handle material cyber incidents and to support the Form 8-K reporting that follows a materiality determination, and the five Functions taken together map to the risk management, strategy, and governance elements required in the annual Form 10-K disclosure.
Center for Internet Security (CIS) Critical Security Controls vs. the NIST CSF
The CIS Critical Security Controls (CIS Controls) is another standard that shares some similarities with the NIST CSF in that it also contains a set of prioritized cybersecurity best practices designed to help you improve your cybersecurity posture.
But again, there are also some key differences between the two frameworks:
| Key Differences | CIS Critical Security Controls | NIST CSF |
|---|---|---|
| Focus | Primarily concentrates on technical controls, such as asset inventory, vulnerability management, secure configurations, and access control, as part of its practical approach to preventing cyber-attacks and mitigating the effects of breaches. | Guides you on how to manage cybersecurity risk across your organization more broadly, including governance, response, and recovery measures. |
| Implementation | Designed to be implemented in priority order, with the Controls ordered by impact and grouped into Implementation Groups (IG1 through IG3) so that you focus on the most critical safeguards first. | More flexible regarding implementation, allowing you to customize the framework to your specific needs and risk tolerance. |
In comparison with the NIST CSF, the CIS Controls may be more appropriate for organizations that want a more technically focused approach to their compliance program, while you may choose the NIST CSF if you are looking for guidance and more flexibility around implementing stronger cybersecurity measures.
Regarding the SEC Cybersecurity Disclosure Rule: While the NIST CSF is likely more commonly used, both frameworks are expected to be leveraged to help with adherence to the SEC Rule.
COBIT vs. the NIST CSF
Another option you have is COBIT, an IT governance framework from ISACA designed to guide processes in a way that enables business executives to implement major policies and procedures across various areas such as:
- Strategy;
- Innovation;
- Risk management; and
- Asset management.
Like the NIST CSF, COBIT is also organized into five domains, each of which represents a specific area of IT governance or management:
- Evaluate, Direct and Monitor (EDM)
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
One advantage that COBIT does bring to the table is its historical alignment with Sarbanes-Oxley (SOX) and COSO, an internal control framework generally recognized by the SEC. However, unlike the NIST CSF, as well as the aforementioned ISO 27001 and CIS Controls, which all focus heavily on IT security, COBIT instead emphasizes the implementation and sustainability of a governance program through the completion of risk management objectives.
| COBIT vs. NIST CSF: What Organizations Need Which? | |
|---|---|
| COBIT | NIST CSF |
| Better suited for organizations that need a more holistic approach to IT governance. | More appropriate for organizations that are primarily concerned with cybersecurity. |
Still, given these differences in what they address, aligning to both COBIT and NIST CSF would provide a more robust cyber risk management approach that you may be seeking.
Regarding the SEC Cybersecurity Disclosure Rule: Aligning to only COBIT could help in preparing for the SEC Rule, and it is recognized as a "known quantity" with the SEC, but because the NIST CSF holds a greater focus on cybersecurity, we recommend it between the two in this regard. (There is a mapping between the two, so COBIT could also serve as a stepping stone to the NIST CSF.)
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) vs. the NIST CSF
A comprehensive set of guidelines that provides a structured framework for organizations to assess the overall security risks and maturity of their cloud services, the CSA CCM is a popular cybersecurity framework used by cloud service providers and by organizations that operate in the cloud.
The NIST CSF, with its scalable approach to managing cybersecurity risk, can also be used by cloud service providers to improve their security posture. In another important similarity, if you were to opt for CSA STAR Certification, the CCM requirements that are tested would also be given a maturity score, much like a NIST CSF assessment, allowing you to measure the improvements to your security over time.
This puts STAR Certification in the same unique category as the NIST CSF as a standard that measures improvement or change over time, but despite these important similarities, the CSA CCM and the NIST CSF do take different approaches:
| Key Differences | CSA CCM | NIST CSF |
|---|---|---|
| Focus | Specifically designed to address the unique challenges of cloud security. | Designed to apply to a wide range of organizations and environments. |
| Domains vs. Functions | Organized into 17 domains that cover a wide range of security topics relevant to the cloud, including compliance, data privacy, and encryption and key management. | Organized around five core Functions of your cybersecurity program, with separate and specific Categories and Subcategories of recommended cybersecurity improvements. |
Given this, the CSA CCM may be more appropriate for organizations that operate primarily in the cloud, while the NIST CSF may be better suited for organizations that need a more general cybersecurity framework.
Regarding the SEC Cybersecurity Disclosure Rule: Between these two, the NIST CSF is generally the recommended framework for adherence to the SEC Rule, but the CSA CCM may be more appropriate for cloud providers.
Moving Forward with Your Cybersecurity
Cybersecurity threats are becoming more sophisticated, complex, and frequent, posing significant risks to businesses of all sizes and across all sectors, making security frameworks all the more important. The trouble usually comes in deciding which standard is right for your organization, and the NIST CSF is a good option for most—especially those now particularly concerned with meeting the new SEC rule’s transparency and oversight mandates.
But whichever way you choose, keep in mind that a combination of frameworks may actually be the strongest route to improving your cybersecurity posture. Now that you understand—at a base level—the strengths and weaknesses of a few different frameworks, you can more easily choose the one or the combination that’s best suited to your comprehensive cybersecurity strategy and aligns with your business goals and objectives.
If you’re interested in getting an expert opinion, please reach out to us so we can answer your questions regarding your cybersecurity goals. In the meantime, check out our other content that can further point you in the right direction:
About Kate Weber
Kate Weber is a Senior Manager over New Services with Schellman based in Chicago, IL. Prior to joining Schellman in 2023, Kate worked in consulting for 5+ years in the IT security and data analytics spaces. While focused on IT security, Kate specialized in Sarbanes-Oxley (SOX) 404 internal audits, ISO 27001 internal audits, HITRUST readiness, and SOC reporting. Kate is a Certified Information Systems Auditor (CISA), ISO 27001 Lead Implementer, and ISO 9001 Lead Implementer. She also previously held the HITRUST Certified CSF Practitioner (CCSFP) and Certified HITRUST Quality Professional (CHQP) certifications.