NIST 800-37 rev 2 is the latest guiding document for the Risk Management Framework (RMF) for federal information systems. It outlines a 7-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor; rev 2 added the Prepare step to the six steps of rev 1), with security controls selected from the NIST 800-53 rev 5 catalog.

Similarities & differences between ISO and NIST:
1) ISO uses the terms "context" and "scope" to define the system purpose and functionality, while NIST uses the terms "system categorization" and "system description".
2) ISO focuses more on the external and internal environment of the organization and system, while NIST focuses more on system boundaries and components.

Information Types:
![[pic1.png]]
The four information types according to ISO 27002: personal, sensitive, confidential, public.