ISO 27001
ISO 27001 is the certifiable standard in the ISO/IEC 27000 series, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). As with NIST and CIS, it is organized as a set of categories and controls: Annex A of the 2013 edition lists 14 categories and a total of 114 controls (the 2022 revision regroups them into 4 themes and 93 controls). As an international standard it is recognized globally, and certification may be required to do business with many international enterprises. An organization can implement the standard without seeking certification, but most organizations implementing ISO 27001 are doing so with certification in mind.
ISO 27001 is more focused on the implementation and maintenance of a functioning Information Security Management System (ISMS) than on the controls themselves. The standard does not require the organization to implement every Annex A control as defined; instead the organization performs a risk assessment, selects and applies risk treatments, and records in a Statement of Applicability which Annex A controls apply and why any have been excluded. Because the ISMS is an ongoing process, the organization must demonstrate at annual surveillance audits that the ISMS is continuing to function, and must recertify every three years.
Whereas the NIST and CIS frameworks are free and self-assessment is possible, ISO 27001 certification can be costly: the standard documents must be purchased, and certification requires audits by an accredited certification body. Typically, organizations implementing ISO 27001 have already achieved a higher level of operational maturity.