ISO 27001 and NIST CSF 2.0
ISO 27001 (2022) and NIST CSF (2.0) are two of the most trusted security standards in the world. Each has a different purpose, but their goals align and the standards complement each other well.
This means that using both strengthens a cyber security strategy. To understand how the standards complement each other, we need to take three other standards into account. These contain the related security controls:
- ISO 27002 (2022)
- NIST SP 800-53 (Rev 5)
- NIST SP 800-53A (Rev 5)
Comparing the two with AI
A simple AI prompt gives a quick overview of the five standards:
Create a matrix:
- conditions:
  - output on screen csv
  - use ✅ for yes
  - use ❌ for no
  - use 🟠 for partial
  - add clarification to every icon, avoid commas
- horizontal:
  - ISO 27001
  - ISO 27002
  - NIST CSF 2.0
  - NIST SP 800-53
  - NIST SP 800-53a
- vertical:
  - is detailed control catalog
  - is security roadmap
  - is technical implementation guide
  - is assessment guide
  - defines mandatory controls
  - defines mandatory requirements
  - certification
AI Response
The prompt gives a matrix with a lot of detail. Below is the simplified and curated version of the AI response:
| | ISO 27001 | ISO 27002 | NIST CSF 2.0 | NIST SP 800-53 | NIST SP 800-53A |
|---|---|---|---|---|---|
| is control catalog | ❌ | ✅ | ❌ | ✅ | ❌ |
| is security roadmap | ❌ | ❌ | ✅ | ❌ | ❌ |
| is technical guide | ❌ | ✅ | ❌ | ❌ | ✅ |
| is assessment guide | ❌ | ✅ | ❌ | ❌ | ✅ |
| defines mandatory federal controls | ❌ | ❌ | ❌ | ✅ | ❌ |
| defines mandatory requirements | ✅ | ❌ | ❌ | ❌ | ❌ |
| certification | ✅ | ❌ | ❌ | ❌ | ❌ |
From the matrix it is clear how the two standards complement each other. The CSF is a roadmap for managing cyber risk, and ISO 27001 complements it by adding a structured management system and certification.
Both standards have their detailed controls defined in a separate standard: for ISO 27001 this is ISO 27002 and for NIST CSF this is NIST SP 800-53.
- ISO 27001 Annex A contains 93 controls that map directly to ISO 27002 controls.
- The official SP 800-53 catalog lists 1,189 controls; a crosswalk exists that maps them to NIST CSF.
Advantages
Using both combines the advantages that each standard offers. The standards have in common that they are well known and recognized around the world. Both also provide a clear, common cyber security language, which is especially useful for larger organizations.
These are some of the major advantages of each of them.
ISO 27001 specific advantages
- Part of an Integrated Management System that integrates with many other useful standards like ISO 9001, ISO 14001 and ISO 45001
- Structured system for controlling risks and proving control
- Systematic way of identifying, assessing, and treating information security risks
- Certification possible
- Plan-Do-Check-Act cycle, promoting improvement
NIST CSF specific advantages
- Maps to many other standards, see NIST Crosswalks
- Provides a practical roadmap
- Designed to be flexible
- Outcome focused
- Provides a full set of cyber security capabilities and business functions
- CSF Tiers for cyber security risk governance and management

Related post (Jacco Meijer, Jun 27, 2025): NIST CSF Tiers for cyber security risk governance and management. NIST CSF 2.0 contains useful tiers for Capability Maturity Modeling in Enterprise Architecture.
Enterprise Architecture
One of the advantages of NIST CSF is that the core functions from the standard map to Enterprise Architecture (EA) capabilities. The CSF categories and subcategories translate to a useful set of EA business functions.
These functions are useful in many cyber security EA views. Because the standard is well known, the business functions are clearly defined and well documented.
The capabilities and business functions are shown in the EA model below. As an example, the capabilities are mapped to four of the control measures defined by ISO 27002.

How the standards strengthen each other
Besides the theory earlier in this post on how the two standards complement each other, the capability mapping shows in detail how they complement and strengthen each other.
Mapping CSF capabilities to ISO controls is a useful exercise that gives insight into the way the standards were designed individually, how they differ and how they team up.
ISO 27002 Annex A
ISO 27002 Annex A defines five example attributes, one of which is 'cyber security concepts'.
These concepts are defined as #Identify, #Protect, #Detect, #Respond and #Recover, which correspond exactly to the five capabilities defined by NIST CSF. The Govern capability is missing because it was added to NIST CSF with the release of version 2.0.
Other mappings
Supplementary material for NIST SP 800-53 contains a crosswalk that maps 800-53 controls to ISO 27002. This is not a one-to-one mapping: a single control from one standard maps to multiple controls in the other and vice versa.
NIST SP 1800-13 on 'Mobile Application Single Sign-On' contains an Appendix A titled 'Mapping to Cyber Security Framework Core'.
Mapping CSF business functions
For organizations that are ISO 27001 certified it makes sense to map each business function to one or more ISO 27002 controls. No formal mapping exists, but setting one up is not too hard. ISO 27002 Annex A helps by subdividing the ISO controls into five categories that match NIST CSF. Even though AI still hallucinates quite a bit on this topic, it can be used to set up a basic mapping. Start, for example, with the prompt below.
map each NIST CSF Category to an ISO 27002 control
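Whatever produces the first draft of the mapping, it needs checking. The script below is an added example (not code from the post or from either standard) that keeps a category-level crosswalk as data, uses the ISO 27002 'cyber security concepts' attribute to sanity-check every pair against its CSF function, and reports what is still unmapped on both sides. The control records, their attribute tags and the category-to-control pairs are constructed illustrative samples, not a verified mapping; the Govern function deliberately has no ISO attribute to match, so any Govern pair is reported as needing manual justification.

```python
"""Many-to-many crosswalk between NIST CSF 2.0 categories and ISO 27002:2022
controls, with consistency and coverage checks.

Added example, not the post's own code. Control records and the category
mapping are CONSTRUCTED samples; verify every pair against the standards."""
from collections import defaultdict

# Constructed sample of ISO 27002 controls with their 'cyber security
# concepts' attribute values (the Annex A attribute the post refers to).
ISO_CONTROLS = {
    "5.1":  ("Policies for information security", {"#Identify"}),
    "5.24": ("Incident management planning and preparation", {"#Respond", "#Recover"}),
    "8.8":  ("Management of technical vulnerabilities", {"#Identify", "#Protect"}),
    "8.9":  ("Configuration management", {"#Protect"}),
    "8.13": ("Information backup", {"#Recover"}),
    "8.16": ("Monitoring activities", {"#Detect", "#Respond"}),
}

# NIST CSF 2.0 functions keyed by the prefix used in category identifiers.
CSF_FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                 "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed sample of CSF 2.0 categories (identifier -> name).
CSF_CATEGORIES = {
    "GV.OC": "Organizational Context",
    "ID.AM": "Asset Management",
    "ID.RA": "Risk Assessment",
    "PR.PS": "Platform Security",
    "DE.CM": "Continuous Monitoring",
    "RS.MA": "Incident Management",
    "RC.RP": "Incident Recovery Plan Execution",
}

# Constructed category-level crosswalk: the manual step the post describes.
# Many-to-many: a control can serve several categories and vice versa.
CATEGORY_TO_CONTROLS = {
    "GV.OC": ["5.1"],
    "ID.RA": ["8.8"],
    "PR.PS": ["8.8"],
    "DE.CM": ["8.16"],
    "RS.MA": ["5.24", "8.16"],
    "RC.RP": ["5.24", "8.13"],
}


def attribute_to_function(tag):
    """Translate an ISO attribute tag such as '#Detect' to a CSF function name."""
    return tag.lstrip("#")


def functions_by_attribute(controls=ISO_CONTROLS):
    """Function-level grouping that ISO 27002 gives for free via its attribute.
    Returns {function name: sorted control ids}. Govern is absent because
    ISO 27002:2022 has no matching attribute value."""
    grouped = defaultdict(set)
    for cid, (_, tags) in controls.items():
        for tag in tags:
            grouped[attribute_to_function(tag)].add(cid)
    return {fn: sorted(ids) for fn, ids in grouped.items()}


def invert(mapping):
    """Turn {category: [control ids]} into {control id: sorted categories}."""
    inverted = defaultdict(set)
    for cat, cids in mapping.items():
        for cid in cids:
            inverted[cid].add(cat)
    return {cid: sorted(cats) for cid, cats in inverted.items()}


def check_consistency(mapping=CATEGORY_TO_CONTROLS, controls=ISO_CONTROLS):
    """Return (category, control) pairs whose CSF function is not among the
    control's ISO attribute tags. Not automatically wrong, but worth review."""
    suspicious = []
    for cat, cids in mapping.items():
        function = CSF_FUNCTIONS[cat.split(".")[0]]
        for cid in cids:
            tagged = {attribute_to_function(t) for t in controls[cid][1]}
            if function not in tagged:
                suspicious.append((cat, cid))
    return suspicious


def coverage_gaps(mapping=CATEGORY_TO_CONTROLS, categories=CSF_CATEGORIES,
                  controls=ISO_CONTROLS):
    """Return (CSF categories with no control, ISO controls with no category)."""
    unmapped_categories = sorted(c for c in categories if c not in mapping)
    mapped_controls = set(invert(mapping))
    unmapped_controls = sorted(c for c in controls if c not in mapped_controls)
    return unmapped_categories, unmapped_controls


if __name__ == "__main__":
    print("Controls per function (from attributes):", functions_by_attribute())
    print("Control -> categories:", invert(CATEGORY_TO_CONTROLS))
    print("Pairs to review:", check_consistency())
    print("Gaps (categories, controls):", coverage_gaps())
```

Keeping the crosswalk as plain data makes it easy to diff between revisions of either standard, and the two checks catch the two failure modes of an AI-generated draft: pairs that contradict the published attribute, and categories or controls the draft silently skipped.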
Conclusion
The fact that ISO 27002 Annex A maps to NIST CSF means that the two standards can reliably be used together with little effort. This provides certification, a roadmap, a common security language and a well known set of business functions to be used in Enterprise Architecture.
Archimate security elements
For reference, the Archimate 'Control Measure' element used for the ISO 27001 control is explained in the post below.

Related post (Jacco Meijer, Jun 20, 2025): Archimate risk assessment elements. A few simple specializations for working with risk assessments in Archimate.
Security principles
The related post below shows how security principles can be added.

Related post (Jacco Meijer, Jun 13, 2025): Security principles in Enterprise Architecture. Adding security principles to Enterprise Architecture for NIST CSF and ISO 27001.
Add threat modeling and Enterprise Architecture
Combining ISO 27001, NIST CSF and threat modeling with Enterprise Architecture strengthens all elements.

Related post (Jacco Meijer, Jul 25, 2025): Threat modeling, security frameworks and Enterprise Architecture. Combining ISO 27001, NIST CSF and threat modeling with Enterprise Architecture strengthens all elements.