There is no single document within FISMA that maps to ISO27k1. Instead, there are several publications that can be used to achieve the same thing as with ISO27k1. Note that the scope of ISO27k1 is generally business-focused. I think it is less specific than FISMA; it is more business-oriented. Take a look at this document from ATSEC. Below is a relevant excerpt:
Here we compare how the two differ in some fundamental aspects. The
scheme developed by NIST is used by Federal Agencies, their
contractors and those involved as part of the critical infrastructure
including utilities (electrical, nuclear, gas and oil, dams),
transportation (air, road, rail, port, waterways), Public Health
Systems/Emergency Services, Information and Telecommunications,
National Defense, Banking and Finance, Postal and Shipping,
Agriculture/Food/Water, and the Chemical industry in order to meet
their mandatory requirements under the Act. To date a great many
systems have been certified and accredited under the scheme. The suite
of FISMA standards is close to completion and includes a risk
assessment methodology (SP 199) and a detailed controls list (SP
800-53) with objective assessment criteria (SP 800-53A). Originally it
was characterized as adopting somewhat of a “bottom up” approach as
the technical focus is firmly on the operational and technical aspects
of the IT system. The focus of the framework is on the IT systems, and
on their certification and accreditation to operate.
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems
- NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems
- NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
- NIST Special Publication 800-30, Risk Management
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
- NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
- NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
As the FISMA related standards and guidelines have matured they have
emphasized the importance of a risk management framework that can be
used to augment the baseline control set approach.
On the other hand, the ISO/IEC 27001 standard is aligned with ISO/IEC
9001 (the Quality Management System) and draws from the lessons
learned in the career of that standard, meeting needs in the
non-Government arena for scalability and needs to ensure that an
organization's management system meets a basic best-practices
management system. Its paradigm is that, by ensuring that the
organization has an appropriately defined risk management process and
assessment methodology, then the treatment of identified risks will
mean that appropriate controls can be applied and hence assurance can
be gained that the organization’s systems are also properly secured.
This standard focuses on making sure that the organization has a
management system that is capable of managing information security, a
necessary approach for the non-government arena where a very wide
variety of organizations need to be serviced. Hence, it adopts more of
a “top down” approach. The standards included in the ISO/IEC 27000
family include:
- ISO/IEC 27000 Fundamentals and principles
- ISO/IEC 27001 ISMS requirements
- ISO/IEC 27002 Security controls (Code of Practice for Information Security Management)
- ISO/IEC 27003 ISMS implementation guidance
- ISO/IEC 27004 Information security management metrics and measurements
- ISO/IEC 27005 ISMS risk