logo of en:National Institute of Standards and...
Image via Wikipedia

FISMA Certification & Accreditation Handbook

The organizations need to establish security program to manage their day to day risks. Before selecting the controls from standards such as (NIST 800-53 or ISO 27002), organizations need to have complete inventory of the assets involved in the scope. Assets involved in the scope would require a comprehensive risk assessment to determine the sensitivity/criticality of these assets. Depending on the categorization of these assets will determine an appropriate control from standard to mitigate relevant risk. In some cases supplemental controls may be required.

Management of risks involves the risks to the organization with the operation of an information system or information security management system. Risk management is an effective frame work for selecting appropriate security controls for an information system and assist in selecting of appropriate security controls to protect assets.

Both ISO and NIST standards follow the similar path in control selections. NIST 800-53 has 163 high level controls and 154 medium level controls which have around 95% mapping with ISO 27002 which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information system, NIST encourages its use in commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.

The management of day to day risks is a key element in an organization’s information security program and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for information system. ISO utilize PDCA (Plan, Do Check, and Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST on the other hand utilize the similar framework for selecting and managing appropriate controls for information system and is called risk management framework security life cycle. Copy of the NIST risk management framework security life cycle is available to see an eerie resemblance with PDCA model.


Around 80% of critical infrastructure resides in private sectors which required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets, however in some cases one standard might fit better in your environment then the other or perhaps you are able to manage one standard better then the other. Both standards required their information system to be audited or reviewed by authorized organizations to achieve apporpriate certifications.

Reblog this post [with Zemanta]