Framework vs Standard
Hello,
Just after some clarification regarding the above. I understand (I think!) the concept in that a Framework is the collective term for a policy, standard, procedures and guidelines (please correct if wrong!).
What I am a little confused about, at least in my head, is taking ISO27000 vs ISO27001 as an example: to me the 27000 series is just that, a series which points towards different frameworks, 27001 being the PCI industry best practice framework. Is that the case, or is the 27000 a standard as well?
If the 27000 is a standard, can you please advise of the relevant framework for this?
Thanks!
Comments
TheFORCE (Member, Posts: 2,297):
All 27xxx are standards, that's why they are called the 27000 series of standards. 27001 is a standard also, not a framework. A framework is something vague that provides guidelines on how to do something, like best practices, and you do not have to follow it. However, a standard is something that is defined very well and you have to follow it. There are many standards that the ISO has created and maintains, from IT standards to electrical standards to building standards.
ArdenUK (Member, Posts: 14):
Thanks Force!
That's useful! Appreciate the clarification. That is what I thought, but a few YouTube videos were defining the ISO series as Frameworks.
Thanks,
Paul
636-555-3226 (Member, Posts: 975):
Frameworks are vague and don't tell you what to do. Very popular, but (IMO) a waste of time for all but the largest orgs. The NIST Cybersecurity Framework is an example: it says you need to do things that help identify, protect, detect, respond, and recover from events, but it doesn't actually tell you what to do, how to start, what to measure, etc. Too vague.
Standards give you a minimum level of things to do. They say you have to at least do x, y, and z. They can also be vague, but not normally as vague as frameworks.