28 November, 2007

FISMA vs. ISO 27000

I've been working lately with security models, specifically how you strategically approach security in organizations. Models such as FISMA/NIST and ISO 27000 (just two of many) are designed to help organizations approach this complex problem. After working with these two I wanted to share some observations and comparisons of these and perhaps get your perspective. Just some quick background. FISMA is actually not a model but a law passed in 2002 requiring US government organizations to implement certain information security standards. NIST defines those standards through documents, such as the SP800 series (of which there are over a hundred). ISO 27000 is originally based on the British Standards Institute BS7799 (parts 1-3). ISO now manages this model and standardized the 2700X numbering system.

Readability: First, how easy is it to read and understand the overall documentation and model? ISO 27000 wins this hands down. First, it's ordered in a relatively easy to understand fashion. You start with 27001 which is the overall plan (called an ISMS). You then move onto ISO 27002 which gets a bit more detailed (controls, but at a high level). You then have several other 2700X documents to help you (such as with risk assessments). These have not been officially approved yet by ISO. FISMA unfortunately is much more haphazard. NIST has just published SP800-39 to help give an overview, but then you also need to read FIPS-199 and FIPS-200. There are also various other SP800 documents you can read to help get things started. The other problem is how they are written. I'm sure the fine folks at NIST meant well, but their documentation is written in painful government/academic speak, something I've never worked well with. ISO 27000 in comparison is written from a business perspective, much simpler and cleaner. ISO 27000 wins here hands down.

Availability: Okay, this is where NIST shines. Everything is organized by one organization, at one location, and it's all for free! ISO 27000 on the other hand, while developed and approved by ISO, is not for free. Each ISO document costs several hundred dollars and can be purchased at various locations (I find the ANSI site to be the cheapest, it's in American dollars :). NIST wins this one.

Strategic: This is where I really like ISO 27000. ISO 27001 focuses on how you will manage your strategic security plan (Plan, Do, Act, Check); ISO 27002 is your strategic plan. The NIST documentation simply jumps right in and has you start with IMPACT assessments on your information and information systems. They call it their Risk Management Framework, but it's not. There is no analysis of risk, only impact. There doesn't seem to be any real high level plan, strategic goals, organizational reviews, etc. It's confusing and too tactically focused. It's also highly structured; it's almost as if the authors do not trust the security professionals involved. ISO 27000 gives much more trust and flexibility. ISO 27000 wins this one.

Tactical: This is where I think NIST shines. While I'm not impressed by its strategic approach, it has a wealth of tactical knowledge. There are numerous SP800 documents (almost a hundred) that focus on just the technical details and recommended controls, such as mobile forensics, intrusion detection systems, or wireless. These standards can greatly help organizations. Also, NIST is just now kicking off their checklist series of documentation. The US government is moving to standardized, secure builds. While the concept of standardized builds is not new, what makes this VERY exciting is that the US government is forcing all vendors to support these builds. If you want the US government to buy your software, you have to support secured systems. This has already been done for WinXP and Vista and takes effect early next year. NIST wins here.

So, overall which is better? Neither. My preference is to use the ISO 27000 model for a strategic approach. However, once you get into the details the SP800 series can help. However, I suggest staying away from SP800-39, FIPS-200 and FIPS-199; I really think that their strategic approach is taking people down the wrong path. I'm interested in your input. Let me know if you agree or disagree with this assessment, and if so why. What is your preferred model or strategic approach to information security?

10 comments:

Danny Lieberman said...

Lance

Good review of ISO versus FISMA.

It's a little annoying why you have to pay for a vendor-neutral standard like ISO 27001, isn't it?

Anyhow - the best and also free game in town for ISO 27001 is called PTA (Practical Threat Analysis for ISO 27001). PTA is a great free software tool (for qualified risk and security professionals) for quantitative risk assessment that comes built in with a database and reports.

I came across PTA searching for good tools for ISO on the Net and I found it about a year ago. I think they are a group of professional developers based in Israel.

At any rate - you can read more about what we've done with PTA and ISO 27001 at http://www.controlpolicy.com

Best regards
Danny Lieberman

Fred said...

Lance,

I agree with Danny, this is a good review of ISO vs. FISMA, and would add that it is also a good overview of the ISO standards. Having been in the Technology Auditing arena for over 20 years, I am glad to see ISO attempting to address the big picture for IT Security and environmental issues.

Without universally accepted standards, we end up with "Standards silos". For instance the FFIEC (Federal Financial Institutions Examination Council) sets standards that Banks & Financial institutions must comply with, by requiring the regulators (Federal Reserve Board, FDIC, OTS etc) to audit to their 9 domains. Governmental agencies must beat to the FISMA drummer, and pre ISO 27001, ISO 27002, & ISO 27006 industries had to rely on the COBIT model for guidance. The PCAOB has gone along with the COBIT/COSO model as a standards basis for Sarbanes-Oxley compliance and not yet recognized the ISO standards, but this may change as SOX like measures are adopted globally (e.g. JSOX). For now, all public companies, at least for SOX purposes, use COSO/COBIT, and the Banks will continue to use the FFIEC model. That said, solid internal controls that are derived from a comprehensive business risk assessment, and verified as to their functionality, will meet any standard.

Simply put, the strategic implications of IT security standards, and which standard to apply, are greatly impacted by the governance/compliance/regulatory needs of the business entity. In my opinion, SOX compliance costs could be significantly reduced by using the ISO 27000 series, and we at FDC Associates, LLC applaud your efforts to move the awareness of security standards forward. Best Regards, Frederick Cox
fcox@fdcassociates.com

Anonymous said...

Great article!

Bernard said...

This was a great comparison of the FISMA compliance highlights and ISO 2700X. It would be great to see a traceability matrix that depicts the similarities and deltas between the two "standards". It would be helpful to all auditors/reviewers in the long run.

Anonymous said...

Hi
Thanks for clarifying it.

SP800-53 rev2
APPENDIX G
SECURITY CONTROL MAPPINGS
RELATIONSHIP OF SECURITY CONTROLS TO OTHER STANDARDS AND CONTROL SETS.

Does the mapping.

Tlex said...

Thanks for this great post, stating the difference. I was not aware till now that FISMA does exist. Again thanks for the info dude.

ISO 9000 certification chennai

Justyn Hornor said...

Wonderful post and well stated. We just recently went through an audit to be sure we were FISMA compliant and are pursuing ISO 27000.

This article tied it all together. After having gone through this process for the first time and seeing the different standards we should/can pursue, I couldn't agree more with Mr. Cox's quote:
That said solid internal controls that are derived from a comprehensive business risk assessment, and verified as to their functionality will meet any standard.

Thanks again!
Justyn Hornor

ISO 27001 Certification said...

Get your company certified by the ISO 27001 Certification to get a better approach in the market. So, Global Manager Group is one such name in the USA, Canada, UK, UAE, Qatar, Kuwait, Saudi Arabia, Indonesia, France, Malaysia, Switzerland, UAE, Belgium, Singapore, South Africa, India, Australia and more, where you can rely on them for all your ISO 27001 standard needs.

Global Consultant said...

Very good post. I was really searching for this topic, as I wanted to understand this topic completely, and it is also very rare on the internet, which is why it was very difficult to understand.

ISO 27001 Documentation

certificationcemark said...

Nice post. I bookmarked your blog because I found very good information on your blog. Thanks for sharing.

ISO27001 Certification Documents