US FIPS equivalent of ISO 27001?


I am familiar with US government FIPS standards such as FIPS 140, with policies and procedures, and with security controls such as those listed in SP 800-53. I am less familiar with ISO 27001.

A preview of ISO 27001 is available online, but it is only a teaser with no useful information.

What is the US government FIPS or Special Publication equivalent of ISO 27001?

asked by jww 06.05.2015 - 11:35

1 answer


There is no single document within FISMA that maps to ISO 27001. Instead, there are several publications that can be used to achieve the same thing as ISO 27001. Note that the scope of ISO 27001 is generally business-focused. I think it is less specific than FISMA; it is more business-oriented. Take a look at this document from ATSEC. Below is a relevant excerpt:

Here we compare how the two differ in some fundamental aspects. The scheme developed by NIST is used by Federal Agencies, their contractors and those involved as part of the critical infrastructure including utilities (electrical, nuclear, gas and oil, dams), transportation (air, road, rail, port, waterways), Public Health Systems/Emergency Services, Information and Telecommunications, National Defense, Banking and Finance, Postal and Shipping, Agriculture/Food/Water, and the Chemical industry in order to meet their mandatory requirements under the Act. To date a great many systems have been certified and accredited under the scheme. The suite of FISMA standards is close to completion and includes a risk assessment methodology (SP 199) and a detailed controls list (SP 800-53) with objective assessment criteria (SP 800-53A). Originally it was characterized as adopting somewhat of a “bottom up” approach as the technical focus is firmly on the operational and technical aspects of the IT system. The focus of the framework is on the IT systems, and on their certification and accreditation to operate.

  • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
  • FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems
  • NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems
  • NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  • NIST Special Publication 800-30, Risk Management
  • NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
  • NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
  • NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System
  • NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories

As the FISMA related standards and guidelines have matured they have emphasized the importance of a risk management framework that can be used to augment the baseline control set approach.

On the other hand, the ISO/IEC 27001 standard is aligned with ISO/IEC 9001 (the Quality Management System) and draws from the lessons learned in the career of that standard, meeting needs in the non-Government arena for scalability and needs to ensure that an organization's management system meets a basic best-practices management system. Its paradigm is that, by ensuring that the organization has an appropriately defined risk management process and assessment methodology, the treatment of identified risks will mean that appropriate controls can be applied and hence assurance can be gained that the organization's systems are also properly secured. This standard focuses on making sure that the organization has a management system that is capable of managing information security, a necessary approach for the non-government arena where a very wide variety of organizations need to be serviced. Hence, it adopts more of a "top down" approach. The standards included in the ISO/IEC 27000 family include:

  • ISO/IEC 27000 Fundamentals and principles
  • ISO/IEC 27001 ISMS requirements
  • ISO/IEC 27002 Security controls (Code of Practice for Information Security Management)
  • ISO/IEC 27003 ISMS implementation guidance
  • ISO/IEC 27004 Information security management metrics and measurements
  • ISO/IEC 27005 ISMS risk
answered 06.05.2015 - 12:00
