Educause Security Discussion mailing list archives

Re: [External] [SECURITY] ISO27001 vs NIST 800-171


From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Fri, 31 Aug 2018 13:58:09 +0000

Hi Chris,

The biggest difference from my view is that, while ISO 27001 has a hundred-odd control set, it is really a framework 
aimed at measuring/improving the high-level cybersecurity management structure for an organization (to protect data 
confidentiality, integrity, and availability).  NIST 800-171 is a more typical physical, admin, and technical control 
set (also around a hundred) designed to protect data confidentiality only.

As for which is more appropriate, it depends on what the relevant compliance regimes are in your case and the effort 
you are willing to expend.  The primary ones affecting EDU with specific cybersecurity requirements in my opinion are 
HIPAA, DFARS (for DoD contracts), CMS, and FISMA (for certain govt. contracts).  NIST 800-171 is a good place to start 
if you don’t have a lot of resources, but if you want to use a single framework to cover all cyber compliance, I’d 
establish a NIST risk management framework (which uses NIST 800-53, the superset of 800-171) that also addresses 
integrity and availability.  That is what we do here at IU.  I’d be more than happy to talk to you in more detail if 
you are interested.

Regards,

Anurag

---

Anurag Shankar, Ph.D.  Email: ashankar [at] iu.edu  Phone: +1 (812) 856-6978

Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University

2719 E. 10th Street, Suite 231, Bloomington, IN 47408

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () listserv educause edu> on behalf of "Davis, Chris" 
<CDavis () LOURDES EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () listserv educause edu>
Date: Friday, August 31, 2018 at 9:20 AM
To: "SECURITY () listserv educause edu" <SECURITY () listserv educause edu>
Subject: [External] [SECURITY] ISO27001 vs NIST 800-171

Can anyone provide me a quick and dirty compare/contrast between the two?  Which is more appropriate for a higher 
education setting seeking to comply with the various regulatory requirements typically found in higher ed? 

Thanks!

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu
