Educause Security Discussion mailing list archives
Re: ISO27001 vs NIST 800-171
From: Don Murdoch <dmurdoch () REGENT EDU>
Date: Fri, 31 Aug 2018 13:54:34 +0000
James, I used to work for a Virginia consulting firm, and we did some work for a few U's on the eastern seaboard. All of the work was centered around 800-171. To comply, we need to understand who the assessor is and what they would assess against. That's 171 for CUI. For getting the job done in a more comprehensive fashion that should "wrap 171", you could follow the ISO std. It would be in your best interest to start w/ the objectives of 171 to make sure that you cover what you are likely to be assessed against, get those gaps ID'd, and then expand out to the ISO control objectives / points.

Some useful resources:

https://www.pivotpointsecurity.com/blog/achieving-nist-800-171-using-iso-27001/ - true, this is attempting to sell services, but you can get an idea of the thought process in what's there

https://security.vt.edu/policies/critical_security_controls.html - look at the mappings item

https://export.virginia.edu/controlled-unclassified-information - nice CUI info

From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr
Sent: Friday, August 31, 2018 9:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ISO27001 vs NIST 800-171

Chris,

This email is not a direct answer, but have you looked at the Information Security Program Assessment Tool? https://library.educause.edu/resources/2015/11/information-security-program-assessment-tool

This can help you map your progress to NIST and ISO. Any framework is better than no framework.

James Farr '05 G'12
Director of Information Security and Network Specialist
Utica College
jfarr () utica edu
315-223-2386

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Chris
Sent: Friday, August 31, 2018 9:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ISO27001 vs NIST 800-171

Can anyone provide me a quick and dirty compare/contrast between the two? Which is more appropriate for a higher education setting seeking to comply with the various regulatory requirements typically found in higher ed?

Thanks!
Chris

Christopher Davis, Ph.D.
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu
Current thread:
- ISO27001 vs NIST 800-171 Davis, Chris (Aug 31)
- Re: ISO27001 vs NIST 800-171 James Farr (Aug 31)
- Re: ISO27001 vs NIST 800-171 Don Murdoch (Aug 31)
- Re: ISO27001 vs NIST 800-171 Joanna Grama (Aug 31)
- Re: ISO27001 vs NIST 800-171 Penn, Blake C (Sep 04)
- Re: ISO27001 vs NIST 800-171 James Farr (Aug 31)