{"id":9061,"date":"2016-05-02T20:16:32","date_gmt":"2016-05-02T20:16:32","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=9061"},"modified":"2025-04-11T09:02:40","modified_gmt":"2025-04-11T09:02:40","slug":"how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/05\/02\/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation\/","title":{"rendered":"How to use the NIST SP800 series of standards for ISO 27001 implementation"},"content":{"rendered":"<p>Although\u00a0<a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, an international standard for information security management, provides control objectives and controls that cover a wide range of security issues, they are not exhaustive. Thus, ISO 27001 clauses 6.1.3 b) and c) note that an organization can go beyond the standard\u2019s controls to set proper security levels, by developing its own solutions or using other knowledge sources.<\/p>\n<p>This article will show you an alternative to\u00a0<a href=\"\/27001academy\/knowledgebase\/iso-27001-vs-iso-27002\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27002<\/a>\u00a0as guidance to support ISO 27001 controls implementation: the NIST SP 800 series. 
You will see what they are about and their general structure compared to those of ISO 27001 and ISO 27002.<\/p>\n<h3 style=\"padding-bottom: 5px;\"><strong>The NIST SP 800 series<\/strong><\/h3>\n<p>The NIST SP 800 series is a set of more than 130 free-to-download documents published by the NIST (National Institute of Standards and Technology), a United States federal government agency, describing computer security policies, procedures, and guidelines.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-9063 size-full\" src=\"\/wp-content\/uploads\/sites\/5\/2016\/05\/NIST_documentation_structure_figure.png\" alt=\"NIST_documentation_structure_figure\" width=\"624\" height=\"162\" srcset=\"\/wp-content\/uploads\/sites\/5\/2016\/05\/NIST_documentation_structure_figure.png 624w, \/wp-content\/uploads\/sites\/5\/2016\/05\/NIST_documentation_structure_figure-300x78.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/p>\n<p style=\"text-align: center;\"><em><span style=\"font-size: 14px;\">Figure:\u00a0NIST documentation structure<\/span><\/em><\/p>\n<h2><strong>NIST SP 800 series documents for information security management and risk assessment<\/strong><\/h2>\n<p>Like the ISO 27000 series, the SP 800 series provides information covering management and operational information security practices, but in a greater number of documents.<\/p>\n<p>To provide specific guidance for integrating information security risk management with organizational operations, the NIST SP 800 series has the document <strong>SP 800-39 &#8211; Managing Information Security Risk<\/strong>.<\/p>\n<p>For risk assessment, the SP 800 series has a documentation set created using a six-step risk methodology:<\/p>\n<ul>\n<li><strong>Categorize:<\/strong> prioritization of information systems based on impact assessment. 
Detail is found in the document <strong>SP 800-60 rev.1<\/strong>.<\/li>\n<li><strong>Select:<\/strong> definition of controls to be used, based on the impact assessment and baselines. <strong>SP 800-53 Rev.4<\/strong> is the reference document for this step.<\/li>\n<li><strong>Implement:<\/strong> implementation of the controls and elaboration of the supporting documentation. Detail is found in the document <strong>SP 800-160<\/strong>.<\/li>\n<li><strong>Assess:<\/strong> confirmation that controls are implemented correctly, operate as intended, and produce the desired outcomes. Detail is found in the document <strong>SP 800-53 A rev.4<\/strong>.<\/li>\n<li><strong>Authorize:<\/strong> acceptance of the risk scenario, and authorization for information systems operation and use. Detail is found in the document <strong>SP 800-37 rev.1<\/strong>.<\/li>\n<li><strong>Monitor:<\/strong> ongoing monitoring of information systems and the operational environment to determine controls\u2019 effectiveness and compliance. Detail is found in the document <strong>SP 800-137<\/strong>.<\/li>\n<\/ul>\n<p>Since ISO 27001 requires a risk assessment methodology but does not prescribe one (clause 6.1.2), this one can be adopted by your organization. If your organization already has a risk assessment methodology, you can keep it and use only the document\u2019s security <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=statement-of-applicability\" target=\"_blank\" rel=\"noopener\">control<\/a>\u00a0catalogue.<\/p>\n<h2><strong>NIST SP 800 series documents for ISO 27001 controls implementation<\/strong><\/h2>\n<p style=\"text-align: left;\">The SP 800 series has numerous standards that cover 256 safeguards. 
This is where SP800-53 is very useful, because it organizes all those safeguards into 18 categories:<\/p>\n<table class=\"table\" style=\"text-align: left; width: 100%;\" border=\"0\" cellspacing=\"2\" cellpadding=\"2\">\n<thead>\n<tr>\n<td style=\"width: 50%; text-align: center;\"><strong>Family<\/strong><\/td>\n<td style=\"width: 10%; text-align: center;\"><strong>Num. of controls<\/strong><\/td>\n<td style=\"width: 30%; text-align: center;\"><strong>Family<\/strong><\/td>\n<td style=\"width: 10%; text-align: center;\"><strong>Num. of controls<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Access Control<\/td>\n<td style=\"text-align: center;\">25<\/td>\n<td style=\"width: 25%;\">Media Protection<\/td>\n<td style=\"width: 25%; text-align: center;\">8<\/td>\n<\/tr>\n<tr>\n<td>Awareness and Training<\/td>\n<td style=\"text-align: center;\">5<\/td>\n<td style=\"width: 25%;\">Physical and Environmental Protection<\/td>\n<td style=\"width: 25%; text-align: center;\">20<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=internal-audit&amp;doc=internal-audit-checklist\" target=\"_blank\" rel=\"noopener\">Audit<\/a>\u00a0and Accountability<\/td>\n<td style=\"text-align: center;\">16<\/td>\n<td style=\"width: 25%;\">Planning<\/td>\n<td style=\"width: 25%; text-align: center;\">9<\/td>\n<\/tr>\n<tr>\n<td>Security Assessment and Authorization<\/td>\n<td style=\"text-align: center;\">9<\/td>\n<td style=\"width: 25%;\">Personnel Security<\/td>\n<td style=\"width: 25%; text-align: center;\">8<\/td>\n<\/tr>\n<tr>\n<td>Configuration planning<\/td>\n<td style=\"text-align: center;\">11<\/td>\n<td style=\"width: 25%;\">Risk Assessment<\/td>\n<td style=\"width: 25%; text-align: center;\">6<\/td>\n<\/tr>\n<tr>\n<td>Contingency Planning<\/td>\n<td style=\"text-align: center;\">13<\/td>\n<td style=\"width: 25%;\">System and Services Acquisition<\/td>\n<td style=\"width: 25%; text-align: 
center;\">22<\/td>\n<\/tr>\n<tr>\n<td>Identification and Authentication<\/td>\n<td style=\"text-align: center;\">11<\/td>\n<td style=\"width: 25%;\">System and Communication Protection<\/td>\n<td style=\"width: 25%; text-align: center;\">44<\/td>\n<\/tr>\n<tr>\n<td>Incident Response<\/td>\n<td style=\"text-align: center;\">10<\/td>\n<td style=\"width: 25%;\">System and Information Integrity<\/td>\n<td style=\"width: 25%; text-align: center;\">17<\/td>\n<\/tr>\n<tr>\n<td>Maintenance<\/td>\n<td style=\"text-align: center;\">6<\/td>\n<td style=\"width: 25%;\">Program Management<\/td>\n<td style=\"width: 25%; text-align: center;\">16<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><em><span style=\"font-size: 14px;\">Table:\u00a0Security control families and number of controls per family<\/span><\/em><\/p>\n<p>Some useful documents in the SP 800 series that are referenced by SP 800-53 Rev.4 controls are:<\/p>\n<ul>\n<li><strong>SP 800-61 rev. 2:<\/strong> guidelines for detecting, analyzing, prioritizing, and handling incidents to respond to them effectively and efficiently (supporting ISO 27001 A.16).<\/li>\n<li><strong>SP 800-50:<\/strong> guidelines for designing, developing, implementing, and evaluating an awareness and training program (supporting ISO 27001 A.7.2.2).<\/li>\n<li><strong>SP 800-116:<\/strong> <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=risk-treatment-plan\" target=\"_blank\" rel=\"noopener\">risk<\/a>-based approach for selecting appropriate authentication mechanisms to manage physical access (supporting ISO 27001 A.11.1.2).<\/li>\n<li><strong>SP 800-46 rev. 
1:<\/strong> practices for mitigating the risks associated with technologies used for telework (supporting ISO 27001 A.6.2.2).<\/li>\n<li><strong>SP 800-122:<\/strong> guidance on protecting the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=information-classification-policy\" target=\"_blank\" rel=\"noopener\">confidentiality of personally identifiable information<\/a>\u00a0(PII) in information systems (supporting ISO 27001 A.18.1.4).<\/li>\n<li><strong>SP 800-161:<\/strong> guidance on identifying, assessing, selecting, and implementing risk management and controls to manage ICT supply chain risks (supporting ISO 27001 A.15).<\/li>\n<li><strong>SP 800-92:<\/strong> guidance on developing, implementing, and maintaining effective log management practices (supporting ISO 27001 A.12.4).<\/li>\n<li><strong>SP 800-88 rev.1:<\/strong> recommendations for implementing a media sanitization program, considering techniques and controls for sanitization and disposal of sensitive information (supporting ISO 27001 A.8.3.2 and A.11.2.7).<\/li>\n<li><strong>SP 800-83 rev.1:<\/strong> guidance on preventing and responding to malware incidents (supporting ISO 27001 A.12.2.1).<\/li>\n<li><strong>SP 800-64 rev.2:<\/strong> description of key security roles and responsibilities required in the development of information systems, and information about the relationship between information security and the Software Development Life Cycle (supporting ISO 27001 A.14.2).<\/li>\n<li><strong>SP 800-45 rev.2:<\/strong> provides security practices for designing, implementing, and operating email systems on public and private networks (supporting ISO 27001 A.13.2.3).<\/li>\n<li><strong>SP 800-44 rev.2:<\/strong> presents security practices for designing, implementing, and operating publicly accessible Web servers and related network infrastructure (supporting ISO 27001 
A.14.1.2).<\/li>\n<li><strong>SP 800-41 rev.1:<\/strong> provides guidance on developing firewall policies and selecting, configuring, testing, deploying, and managing firewalls (supporting ISO 27001 A.13.1).<\/li>\n<li><strong>SP 800-34 rev.1:<\/strong> provides information about information system contingency planning and other types of security and emergency contingency plans (SDLC) (supporting ISO 27001 A.17).<\/li>\n<\/ul>\n<h2><strong>Improve your options through multiple knowledge sources<\/strong><\/h2>\n<p>To be effective, a security implementation needs a holistic view, and the more input you have for defining the controls, the better.<\/p>\n<p>The SP 800 series documents provide a free alternative source of additional information for performing the risk assessment process and for designing, implementing, and managing security controls. These can be matched to those of ISO 27001 and ISO 27002, and help your organization prepare its environment to face risks in a more reliable and cost-effective way.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To implement ISO 27001 easily and efficiently,<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a><span class=\"notion-enable-hover\" data-token-index=\"2\">\u00a0<em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Although\u00a0ISO 27001, an international standard for information security management, provides control objectives and controls that cover a wide range of security issues, they are not exhaustive. 
Thus, ISO 27001 clauses 6.1.3 b) and c) note that an organization can go beyond the standard\u2019s controls to set proper security levels, by developing its own solutions or &#8230;<\/p>\n","protected":false},"author":41,"featured_media":9062,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,879,1056],"class_list":["post-9061","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-security-controls","tag-nist-sp-800"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9061","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=9061"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9061\/revisions"}],"predecessor-version":[{"id":103882,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9061\/revisions\/103882"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/9062"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=9061"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=9061"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=9061"}],"curies":[{"name":"wp","href":"https:\/\/
api.w.org\/{rel}","templated":true}]}}