The International Organization for Standardization (ISO) is a Geneva-based NGO which has published some of the most well-known standards in the world. These standards are known for consolidating industry best practices into clear, consistent, easy-to-understand frameworks. ISO has released about 22,000 standards, including ISO 27001, its standard for developing information security management systems (ISMS). ISO 27001 outlines a very specific set of strategies and checklists for creating strong security measures across an organization.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency housed in the U.S. Department of Commerce. NIST has published a number of standards related to cybersecurity, including documentation related to FedRAMP (the US federal government’s regulations for security in cloud computing environments), the NIST password guidelines, and the popular Cybersecurity Framework (CSF). NIST CSF is one of the most popular and well-regarded standards for designing and implementing security systems. Along with ISO 27001, NIST CSF provides very clear guidelines and checklists for designing strong cybersecurity systems across a wide variety of industries. If you’re considering whether to pursue NIST or ISO compliance, note that the overlap between the two is quite significant.
The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2006 by five major credit card companies (American Express, Discover, JCB International, MasterCard and Visa Inc.) to create a central standard for collecting, transmitting, and storing users’ card payment information and sensitive data. The PCI DSS is focused on protecting credit card data specifically, much like HIPAA with PHI. Security measures focus on vendor behaviors, physical tools like card readers, encrypting card data, and data storage limits.