The Official (ISC)2 CISSP CBK Reference. Aaron Kraus
security programs.
As of this writing, the most recent revision to ISO/IEC 27001 was in 2013, though its parent, ISO/IEC 27000, was revised in 2018. ISO 27001:2013 contains 114 controls across 14 domains, as follows:
Information security policies
Organization of information security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development, and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance
ISO/IEC 27002
ISO/IEC 27002 (again, often referred to as just ISO 27002) is titled “Security Techniques — Code of practice for information security controls.” This standard builds on ISO 27001 by providing guidelines for organizations to select, implement, and manage security controls based on their own security risk profile. In other words, ISO 27002 is a bit more prescriptive than ISO 27001, as it provides best-practice recommendations for organizations to build and maintain their ISMSs.
NIST 800-53
The National Institute of Standards and Technology is a nonregulatory agency of the U.S. Department of Commerce, whose mission is to promote innovation and industrial competitiveness by advancing standards and technologies. NIST publishes and manages a variety of special publications related to information security, cloud computing, and other technologies. NIST 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” is NIST's massive security control framework. Though NIST 800-53 was initially created to aid U.S. government agencies in managing their security programs, it is widely regarded as one of the most comprehensive baselines of security controls and is referenced across many industries around the globe. NIST 800-53 defines hundreds of security controls across the following 18 control families:
Access control (AC)
Awareness and training (AT)
Audit and accountability (AU)
Security assessment and authorization (CA)
Configuration management (CM)
Contingency planning (CP)
Identification and authentication (IA)
Incident response (IR)
Maintenance (MA)
Media protection (MP)
Physical and environmental protection (PE)
Planning (PL)
Personnel security (PS)
Risk assessment (RA)
System and services acquisition (SA)
System and communications protection (SC)
System and information integrity (SI)
Program management (PM)
NOTE The latest revision of NIST 800-53, Rev. 5, was released in September 2020.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF), first published in 2014, is a collection of standards, guidelines, and best practices to manage cybersecurity risk. As of this writing, NIST CSF v1.1 is the current version and was released in 2018. NIST CSF was initially developed with a focus on industries considered “critical infrastructure” — industries such as banking, energy, and communications. It has since become a go-to controls framework for companies of all sizes and across all business sectors.
The NIST CSF aligns with controls and best practices in NIST 800-53 and other control frameworks, but was designed to be a more flexible and understandable option for private-sector companies to adapt. The NIST Cybersecurity Framework consists of five core functions, each with multiple subdivisions NIST calls categories. (See Figure 1.2.)
FIGURE 1.2 NIST Cybersecurity Framework
The five core functions within NIST CSF are intended to be performed simultaneously and continuously to form a culture of assessing and addressing cybersecurity risk. NIST defines the purpose of each of the five core functions as follows:
Identify (ID): Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect (PR): Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect (DE): Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond (RS): Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover (RC): Develop and implement appropriate activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.
The five core functions are divided into 23 categories, and these categories are further divided into a total of 108 subcategories. Each subcategory describes a specific security control or desired outcome. Visit www.nist.gov/cyberframework for the complete list of subcategories and additional guidance on using the NIST Cybersecurity Framework.
CIS Critical Security Controls
The CIS Critical Security Controls (or CIS Controls) is a publication of 20 best-practice guidelines for information security. The publication was initially created by SANS Institute but was transferred to the Center for Internet Security (CIS) in 2015. Today, you may see these 20 critical controls labeled CIS CSC, CIS 20, Sans Top 20, or other variants.
CIS Controls v7.1 was released in April 2019, and identifies the basic, foundational, and organizational controls that CIS recommends mitigating the most common attacks against networks and systems. According to the Center for Internet Security, the 20 Critical Security Controls are as follows:
CIS Control 1: Inventory and Control of Hardware Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Continuous Vulnerability Management
CIS Control 4: Controlled Use of Administrative Privileges
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
CIS Control 7: Email and Web Browser Protections
CIS Control 8: Malware Defenses
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
CIS Control 10: Data Recovery Capabilities