How to use the NIST SP800 series of standards for ISO 27001 implementation?

Comentários · 781 Visualizações

Although ISO 27001 Certification in Qatar, an international standard for information security management, provides control objectives and controls that cover a wide range of security issues,

Although ISO 27001 Certification in Qatar, an international standard for information security management, provides control objectives and controls that cover a wide range of security issues, they are not exhaustive. Thus, ISO 27001 clauses 6.1.3 b) and c) note that an organization can go beyond the standard’s controls to set proper security levels, by developing its own solutions or using other knowledge sources. This article will show you an alternative to ISO 27002 as guidance to support ISO 27001 controls implementation: the NIST SP 800 series. You will see what they are about and their general structure compared to those of ISO 27001 and ISO 27002

The NIST SP 800 series

The NIST SP 800 series is a set of free-to-download documents from the United States federal government, describing computer security policies, procedures, and guidelines, published by the NIST (National Institute of Standards and Technology), containing more than 130 documents.

NIST SP 800 series documents for information security management and risk assessment Like the ISO 27001 in Iraq series, the SP 800 series provides information covering management and operational information security practices, but in a greater number of documents. To provide specific guidance for integrating information security risk management with organizational operations, the NIST 800 SP series has the document SP 800-39 – Managing Information Security Risk. For risk assessment, the SP 800 series has a documentation set created using a six-step risk methodology:

  • Categorize: prioritization of information systems based on impact assessment. Detail is found in the document SP 800-60 rev.1.
  • Select: definition of controls to be used, based on the impact assessment and baselines. SP 800-53 Rev.4 is the reference document for this step.
  • Implement: implementation of the controls and document elaboration. Detail is found in the document SP 800-160.
  • Assess: confirmation that controls are implemented correctly, operate as intended, and produce the desired outcomes. Detail is found in the document SP 800-53 A rev.4.
  • Authorize: acceptance of the risk scenario, and authorization for information systems operation and use. Detail is found in the document SP 800-37 rev.1.
  • Monitor: accompaniment on an ongoing basis of information systems and operational environment to determine controls’ effectiveness and compliance. Detail is found in the document SP 800-137.

 NIST SP 800 series documents for ISO 27001 consultant in Chennai controls implementation

The SP 800 series has numerous standards that cover 256 safeguards. This is where SP800-53 is very useful, because it organizes all those safeguards into 18 categories:

  • SP 800-61 rev. 2: guidelines for detecting, analyzing, prioritizing, and handling incidents to respond to them effectively and efficiently (supporting ISO 27001 A.16).
  • SP 800-50: guidelines for designing, developing, implementing, and evaluating an awareness and training program (supporting ISO 27001 consultant in Chennai7.2.2).
  • SP 800-116: risk-based approach for selecting appropriate authentication mechanisms to manage physical access (supporting ISO 27001 A.11.1.2).
  • SP 800-46 rev. 1: practices for mitigating the risks associated with technologies used for telework (supporting ISO 27001 consultant in Iraq 6.2.2).
  • SP 800-122: orientations for protecting the confidentiality of personally identifiable information (PII) in information systems (supporting ISO 27001 A.18.1.4).
  • SP 800-161: guidance on identifying, assessing, selecting, and implementing risk management and controls to manage ICT supply chain risks (supporting ISO 27001 Certification in Philippines 15).
  • SP 800-92: guidance on developing, implementing, and maintaining effective log management practices (supporting ISO 27001 A.12.4).
  • SP 800-88 rev.1: recommendations for implementing a media sanitization program, considering techniques and controls for sanitization and disposal of sensitive information (supporting ISO 27001 A.8.3.2 and A.11.2.7).
  • SP 800-83 rev.1: guidance on preventing malware incidents and responding to malware incidents (supporting ISO 27001 A.12.2.1).
  • SP 800-64 rev.2: description of key security roles and responsibilities required in development of information systems, and information about the relationship between information security and the Software Development Life Cycle (supporting ISO 27001 A.14.2).
  • SP 800-45 rev.2: provides security practices for designing, implementing, and operating email systems on public and private networks (supporting ISO 27001 A.13.2.3).
  • SP 800-44 rev.2: presents security practices for designing, implementing, and operating publicly accessible Web servers and related network infrastructure (supporting ISO 27001 A.14.1.2).
  • SP 800-41 rev.1: provides guidance on developing firewall policies and selecting, configuring, testing, deploying, and managing firewalls (supporting ISO 27001 A.13.1).
  • SP 800-34 rev.1: provides information about information system contingency planning and other types of security and emergency contingency plans (SDLC) (supporting ISO 27001 Implementation in Lebanon 17).

Improve your options through multiple knowledge sources

The security implementation must have a holistic view to be effective, and for that, the more input to define the controls the better.

how to get ISO 27001 Consultants in South Africa?

If you are wondering how to get ISO 27001 Consultants in South Africa, never give it a second thought approaching Certvalue with a 100% track record of success without any fail in the certification process. ISO 27001 services in South Africa are easy and simple with Certvalue. You can easily reach Certvalue by simply visiting www.certvalue.com where you can chat with an expert or you can also write an enquiry to contact@certvalue.com so that one of our experts shall contact you at the earliest to provide the best possible solution available in the market.

 

 

 

Comentários