Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

What Is
A Comprehensive Guide

What is NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency operating within the U.S. Department of Commerce.  NIST plays a key role in setting standards and guidelines for the U.S. technology industry and promoting the safe and secure use of technology in both the private and public sectors.  

What is NIST CSF?

NIST covers a wide range of areas, including information security, where it develops and maintains a number of frameworks and guidelines that are widely used by organisations to improve their cybersecurity practices.  Notably, these include the NIST Cybersecurity Framework (CSF), which provides a set of best practices for managing cybersecurity risks, and the NIST Special Publication (SP) 800 series, which includes detailed guidance on a range of cybersecurity topics, including risk management, identity and access management, and incident response.

When was NIST CSF last updated?

On 26 Febraury 2024, NIST released v2.0 of the CSF, which introduces a 6th Function, Govern, to the Framework Core.  The Framework has also been expanded in scope to extend beyond the protection of critical infrastructure (as was the aim of the previous version) in order to explicitly include all organisations in any sector.

How does the NIST CSF differ from ISO 27001?

Whilst both standards are focused on protecting information, key differences include:

  1. As a non-regulatory US federal agency, NIST focuses specifically on developing standards and guidelines for the U.S. technology industry.  In comparison, ISO 27001 is more general in nature and can be applied to any organisation, regardless of location or industry.  Whilst the primary focus of NIST is the US technology industry, the CSF is widely regarded as reliable and comprehensive and is often used globally with other standards to improve an organisation’s cyber security posture.  NIST CSF is a flexible and adaptable framework that helps organisations manage their cybersecurity risks and improve their cybersecurity posture.  It is intended to be used by organisations of all sizes and in all sectors, and it can be tailored to the specific needs and resources of each organisation.
  2. Whilst organisations can certify to ISO 27001, the intention of NIST is to provide guidance and best practices in order that organisations can improve their cybersecurity posture.  The  CSF was developed for voluntary adoption by owners and operators of critical infrastructure and there is no third party, or independent, attestation or certification process.  However, the overall level of effort required for its implementation is likely to be comparable to that for ISO 27001.
  3. On the whole, NIST standards and guidelines are often more specific and detailed than ISO 27001 and other information security standards.  The NIST CSF, and NIST SP 800 series are both known for their detail and specific guidance.
  4. There is also the more obvious difference that NIST is cyber focussed, whereas ISO 27001 has a wider information security remit.

What are the main components of NIST CSF?

  • Core
  • Implementation Tiers
  • Profiles


This is the foundation of the NIST CSF and consists of three main parts:

  • The Framework Core:  This is a set of cybersecurity activities, outcomes and references that are common to all organisations.  It comprises 6 functions and 22 categories.
    The 6 functions are:
    Govern – Establish, communicate and monitor your organisation’s cybersecurity risk management strategy, expectations and policy
    Identify – Understand cybersecurity risks by identifying your assets, vulnerabilities and threats
    Protect – Implement controls and safeguards to prevent, detect and mitigate attacks
    Detect – Implement processes and technologies to identify anomalies and suspicious activity
    Respond – Implement processes and procedures for incident response and recovery
    Recovery – Implement processes and procedures for restoring systems and services.
  • The Framework Profiles: This is a comparison of your organisation's current cybersecurity posture with your desired or targeted cybersecurity posture.  It is created by identifying your organisation's assets, vulnerabilities and threats, and then comparing the current controls and safeguards in place to the ones that are recommended in the Framework Core.
  • The Framework Implementation Tiers: This is a system for describing your organisation's approach to managing cybersecurity risk.  It consists of four tiers (Partial, Risk Informed, Repeatable, and Adaptive) that describe the level of formality and sophistication of your risk management processes.

Implementation Tiers

Implementation Tiers are used to help your organisation understand and communicate your approach to managing cybersecurity risk.  The tiers provide a common language for describing your risk management practices and help you assess your risk management processes and identify areas for improvement.


Profiles are used to help you understand your current cybersecurity posture and identify areas for improvement. Profiles also provide a snapshot of your current controls and safeguards and can be used to identify gaps and vulnerabilities that need to be addressed.

Contact the NIST Experts Today

Having assisted over 400 organisations to implement an ISMS and then achieve ISO 27001 certification since the Standard’s establishment in 2005, we at URM are the ideal experts and partners to help you certify.  With our fully-tailored approach, we can support you through each stage of the ISO 27001 management system lifecycle, offering guidance specific to your organisation’s unique requirements.  

Get in touch with our information security experts today to find out more.

Contact Us

How can URM assist you?

Since 2002, URM can support your organisation by assisting with each of the 7-step CSF implementation process or specific steps as follows:

Step 1 – Prioritise and scope.  The first step is to identify your business objectives and high-level priorities.  This information helps inform the scope of the systems and assets which support the business processes, as well as making strategic decisions concerning cybersecurity implementation.  It is crucial that all of your critical systems and assets are identified so that their protection can be prioritised.

Step 2 – Orient.  After defining the scope of your cybersecurity programme, URM will assist you in identifying the relevant systems and assets, regulatory requirements and the overall risk approach.  This is followed by the identification of threats and vulnerabilities which relate to the systems and assets identified in the scope.

Step 3 – Create a current profile.  With this step you need to identify your current profile specifying what security controls have been implemented and what outcomes have been achieved.  When looking at the outcomes, you will need to use the Categories and Subcategories from the Framework Core to define which outcomes are being fully or partially achieved.  This baseline will help you plan the next steps.

Step 4 – Conduct a risk assessment.  Having created a current profile, URM will help you conduct a risk assessment analysing the impact and likelihood of a cybersecurity breach.

Step 5 – Create a target profile. You will now be in a position to create a Target Profile.  Here, URM will support you focussing on your Categories and Subcategories and setting targets for your desired cybersecurity outcomes incorporating your organisation’s risk appetite.  

Step 6 – Determine, analyse and prioritise gaps.  This step includes the creation of a prioritised action plan to close the control gaps between your Current and Target Profiles, reflecting your organisation’s drivers, costs, benefits and risks.  You will also need to decide on what resources will be needed to close the gaps.

Step 7 – Implement action plan.  Having set priorities for addressing gaps between your Current and Target Profiles, it is now a case of implementing security controls and control activities in order to achieve the target profile.  The target profile comprises 108 Subcategories which are outcome-driven statements that reflect the improvement of your organisation’s cybersecurity programme.

Why URM for NIST?

Track record

URM has a 17-year track record of providing high-quality consultancy and training support, assisting organisations improve their information and cyber security, as well as information governance posture and capabilities.  A particular niche skill is helping organisations to conform or certify to ‘best practice’ international (IS) standards such as SOC 2 and ISO 27001.  URM is particularly adept at developing existing frameworks to meet the requirements of these standards or building on existing ISO 27001 ISMS’ to achieve NIST conformance.  Having assisted over 400 organisations to achieve world-recognised standards, URM has worked with organisations of all sizes from micro businesses to multi-national organisations and from all the major market sectors.

Tailored approach

URM is renowned for adopting a highly tailored and bespoke service where its consultants are constantly striving to deliver sustainable solutions that meet both the current and future needs of the client organisation.

Flexible delivery

When transferring knowledge on meeting the requirements of NIST, URM can deliver this through various delivery mechanisms, i.e., through one-to-one support, workshops or training courses.  Furthermore, when delivering remediation services to address gaps, URM’s support is tailored and flexible, based on the client’s requirements, internal knowledge and available resources.  Support can be delivered on an activity-per-activity basis or where a consultant is allocated on a recurring basis, e.g., 1 day a week.   As such, the engagements help to ensure that remediation activities are followed through, remain compliant and that sufficient evidence for the audit is generated.

NIST Consultancy Services

Solutions & Products

One the key requirements of ISO 27001 is the need for robust risk assessment which can produce repeatable and comparable results.  With its proven, best practice methodology, URM’s information security risk management software, Abriska 27001, enables you to meet this requirement.   We can also assist you to increase awareness among your staff with our expertly designed and engaging learning management system (LMS), Alurna.

View Products

ISO 27001 & InfoSec Training Courses

Our information security and ISO 27001 training courses can help you learn how to effectively manage information security.  Our Certificate in Information Security Management Principles (CISMP) training course will prepare you to take the BCS (Chartered Institute for IT) administered exam, enabling you to gain an industry-recognised qualification.  Meanwhile, our Introduction to ISO 27001 Course and ISO/IEC 27001:2022 Transition Course will significantly enhance your ISO 27001 knowledge and professional skillset.

View Training Courses

Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations  looking to improve their information security, risk management, data protection etc. The webinars  are delivered by our senior consultants who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, complying with the GDPR.  All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.

WebinarTransitioning to ISO 27001:2022

This webinar is unique in that it brings together BSI, UK’s leading certification body and URM, leading ISO 27001 consultancy organisation.

Read more
Listen to recording
USB stick, Padlock, Keys
WebinarTransitioning to ISO 27001:2022

URM shares it's experiences of transitioning from the 2013 to the 2022 version of the ISO 27001 Standard

Read more
Listen to recording
USB stick, Padlock, Keys
WebinarISO 27001 vs SOC 2

In this webinar, URM will be sharing its extensive experiences of supporting organisations to certify/attest to these two standards.

Read more
Listen to recording
USB stick, Padlock, Keys

ISO 27001 FAQs

How long does it take to implement ISO 27001?

There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available.  However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001.  

With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.

Apart from the existing maturity of operational practices and controls and availability of in-house resource, another key determinant in how long an ISO 27001 implementation will take place will be the support and involvement of senior management.  URM has seen organisations achieve very aggressive timescales in implementing and achieving ISO 27001 certification where Senior Management has prioritised the project, often associated with being awarded a significant client project.

Is there a legal requirement to comply with or be certified to ISO 27001?

There is, generally, no direct legal requirement for compliance as such, indicating why many people choose to use the word conformance rather than compliance.  Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so. However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.  

There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by virtue of a contract.

What does ISO 27001 require you to do?

A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS.  You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement.  

These requirements are broken down into 7 major clauses, which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement.  These clauses are consistent with other ISO Management system standards such as ISO 9001 and ISO 22301, and is known as the harmonised structure.

When was ISO 27001 last updated?

The current version of the Standard, ISO/IEC 27001:2022 replaced the 2013 version of the Standard on 25 October 2022.  As of 1 May 2024, all initial and recertification assessments must be conducted against ISO 27001:2022 and, on 31 October 2025, all ISO 27001:2013 certificates will be withdrawn.  Whilst the management system clauses received a relatively minor makeover in order to harmonize ISO 27001 with other standards, the information security controls contained within Annex A were completely restructured with some controls being merged with others as well as 11 new ones being introduced.

Read more
Information Security FAQISO 27001 FAQ

Speak to a NIST Expert

Having assisted over 400 organisations to implement an ISMS, URM is particularly adept at developing existing frameworks to meet the requirements of security standards or building on existing ISO 27001 ISMS’ to achieve NIST conformance.

Speak to one of our experts for more information on how we can help you certify. Simply call 0118 206 5410 or request a call back using the form below.

Common Pitfalls Identified in Organisations Seeking ISO 27001 Certification

Published on

URM’s blog discusses the common pitfalls of the ISO 27001 implementation and certification process, and how you can avoid making the same mistakes.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
Planning Your ISO 27001 Audit Programme

URM’s blog drills down into ISO 27001 audits, offering advice on how to effectively develop and implement an ISO 27001 conformant audit programme.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
How to Meet the ISO 27001 Requirements Around Interested Parties

URM’s blog provides advice and guidance on how you can meet the ISO 27001 requirements around interested parties and their needs and expectations.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
Lessons Learnt from Early ISO 27001:2022 Transitions

URM’s blog, produced in collaboration with BSI, discusses common mistakes we have seen in early ISO 27001:2022 transitions, and how to avoid them.

Read more
URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future.