Comparison of ISO with the NIST and COBIT frameworks
TRANSCRIPT
iFour Consultancy
Comparison of Different Standards
Comparing ISO with NIST
In terms of Information Security - both standards agree on the basic definition of information security.
ISO: Preservation of confidentiality, integrity and availability of information.
NIST: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Software Outsourcing Companies in India
Comparing ISO with NIST
In terms of Risk Management
ISO: Coordinated activities to direct and control an organization with regard to risk. Risk management generally includes risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
NIST: The process of managing risks to agency operations, agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system.
Comparing ISO with NIST
In terms of Risk
ISO: Information Security Risk: the potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization.
ISO: Risk: the combination of the probability of an event and its consequence.
NIST: The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals, resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
Comparing ISO with NIST
In terms of Risk Treatment/Mitigation - different terms, same meaning.
ISO: Risk Treatment: the process of selecting and implementing measures to modify risk. It is documented in a Risk Treatment Plan.
NIST: Risk Mitigation: prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process. It is documented in the Risk Assessment Report and the Plan of Action and Milestones (POA&M).
Comparing ISO with COBIT
In terms of Focus
ISO: Implementation of security controls, with stress on a risk-management approach.
COBIT: Business orientation and IT governance in its entirety.
In terms of Paradigm
ISO: Information security management system (ISMS).
COBIT: Planning of IT processes.
Comparing ISO with COBIT
In terms of Scope
ISO: Standalone guidance for security.
COBIT: Complete IT governance of the organization, including security planning. It is an integrated solution.
In terms of Structure
ISO (ISO/IEC 27001:2005, Annex A): 11 security control clauses containing 39 control objectives, which are further divided into individual controls.
COBIT (COBIT 4.1): 34 IT processes grouped in 4 domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
Comparing ISO with COBIT
In terms of Organizational Model
ISO: Management and IS departments.
COBIT: All stakeholders.
In terms of Certification
ISO: Certifiable (an organization's ISMS can be certified against ISO/IEC 27001).
COBIT: Not certifiable for organizations.
References:
https://qatar.cmu.edu/media/assets/CPUCIS2010-1.pdf
http://www.federalcybersecurity.org/CourseFiles/WhitePapers/ISOvNIST.pdf
For more details, visit our websites:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com