I'll never forget the board meeting where this question came up. The CFO leaned back in his chair and asked the million-dollar question: "We're already spending $400,000 on ISO 27001 certification. Why are our customers now asking for NIST Cybersecurity Framework compliance? Aren't these the same thing?"
The room went silent. The CISO looked at me—I was the external consultant brought in for exactly these moments. I knew my answer would shape the company's security strategy for the next three years and influence a budget that would either be approved or slashed.
Here's what I told them, and here's what I've learned after implementing both frameworks across dozens of organizations over the past fifteen years.
The Tale of Two Frameworks: Origins Matter
To understand NIST CSF versus ISO 27001, you need to understand why each exists. It's like asking whether you should use a hammer or a screwdriver—the answer depends on what you're trying to build.
ISO 27001: The Global Gold Standard
I worked with a German automotive supplier in 2017 who needed to do business across 47 countries. They asked me which security framework would open the most doors globally.
The answer was obvious: ISO 27001.
ISO 27001 was born from international collaboration. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it represents decades of consensus among security professionals worldwide. It's not just a framework—it's a certifiable standard with a formal audit process.
Think of ISO 27001 as the "Good Housekeeping Seal" of information security. When you're certified, you're telling the world: "An independent auditor verified that we meet internationally recognized security standards."
NIST CSF: The Flexible American Framework
Fast forward to 2019. A healthcare startup needed something different. They weren't ready for full ISO 27001 certification, but they needed to demonstrate mature security practices to venture capitalists and enterprise customers.
We implemented the NIST Cybersecurity Framework.
NIST CSF emerged from a specific need: protecting critical infrastructure after high-profile attacks on American utilities, financial systems, and government networks. Presidential Executive Order 13636 in 2013 directed NIST to develop a voluntary framework that organizations could use to manage cybersecurity risk.
The beauty of NIST CSF? It's not pass/fail. It's not certifiable. It's a risk management approach that organizations can adopt at their own pace, customizing implementation based on their unique risk profile.
"ISO 27001 asks: 'Are you compliant?' NIST CSF asks: 'How mature is your cybersecurity program?' Both questions matter, but they're measuring different things."
The Head-to-Head Comparison
Let me break this down with the clarity I wish I'd had fifteen years ago when I first encountered these frameworks.
Framework Philosophy: Certification vs. Assessment
| Aspect | ISO 27001 | NIST CSF |
|---|---|---|
| Primary Purpose | Certifiable security management standard | Risk management framework for self-assessment |
| Approach | Prescriptive: "Implement these controls" | Descriptive: "Consider these outcomes" |
| Verification | Third-party certification required | Self-assessment or voluntary third-party review |
| Global Recognition | Internationally certified standard | Primarily recognized in North America |
| Flexibility | Structured with mandatory requirements | Highly flexible, outcome-focused |
| Update Cycle | Every 3-5 years (latest: 2022) | Continuous updates (latest: CSF 2.0 in 2024) |
I worked with a financial services company in 2020 that was choosing between these frameworks. Their international clients demanded ISO 27001 certification. Their American regulators wanted to see NIST CSF alignment. We ended up implementing both—I'll tell you how later.
Structure: How They're Organized
ISO 27001 Structure:
The framework consists of:
10 clauses (4-10 contain requirements)
93 controls across 4 themes in Annex A
ISMS (Information Security Management System) requirements
Here's the clause structure:
| Clause | Focus Area | What It Covers |
|---|---|---|
| 4 | Context of the Organization | Understanding internal/external issues, stakeholder needs |
| 5 | Leadership | Management commitment, security policy, roles/responsibilities |
| 6 | Planning | Risk assessment, risk treatment, security objectives |
| 7 | Support | Resources, competence, awareness, communication, documentation |
| 8 | Operation | Operational planning, risk assessment/treatment implementation |
| 9 | Performance Evaluation | Monitoring, measurement, analysis, internal audit, management review |
| 10 | Improvement | Nonconformity, corrective action, continual improvement |
NIST CSF Structure:
The framework consists of:
6 Core Functions (Govern, Identify, Protect, Detect, Respond, Recover)
23 Categories under those functions
108 Subcategories with specific outcomes
4 Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive)
| Core Function | Purpose | Example Activities |
|---|---|---|
| Govern | Establish context, priorities, risk strategy | Risk management strategy, supply chain security, cybersecurity roles |
| Identify | Understand assets, risks, threats | Asset inventory, risk assessment, threat intelligence |
| Protect | Implement safeguards | Access control, data security, training, protective technology |
| Detect | Identify cybersecurity events | Continuous monitoring, detection processes, anomaly analysis |
| Respond | Take action during incidents | Response planning, communications, analysis, mitigation |
| Recover | Restore capabilities after incidents | Recovery planning, improvements, communications |
I remember working with a manufacturing company that loved NIST's function-based approach. Their COO told me: "I finally understand our security program. Govern, Identify, Protect, Detect, Respond, Recover—I can remember that. I couldn't tell you what ISO clause 8.2 covers without looking it up."
Control Coverage: What They Actually Require
Here's where it gets interesting. Let me share a comparison table I created after mapping both frameworks for a healthcare technology company:
| Security Domain | ISO 27001 Coverage | NIST CSF Coverage | Overlap |
|---|---|---|---|
| Access Control | A.5 (9 controls) | PR.AC (7 subcategories) | 85% |
| Cryptography | A.8 (2 controls) | PR.DS (8 subcategories) | 70% |
| Physical Security | A.7 (14 controls) | PR.PT (5 subcategories) | 60% |
| Operations Security | A.8 (14 controls) | PR.IP, PR.MA (12 subcategories) | 75% |
| Communications Security | A.8 (7 controls) | PR.DS, PR.AC (10 subcategories) | 80% |
| System Development | A.8 (8 controls) | PR.IP (12 subcategories) | 65% |
| Supplier Relationships | A.5 (8 controls) | ID.SC (5 subcategories) | 90% |
| Incident Management | A.5 (7 controls) | RS.* (23 subcategories) | 85% |
| Business Continuity | A.5 (4 controls) | RC.* (12 subcategories) | 70% |
| Compliance | A.5 (2 controls) | Embedded throughout | 60% |
Key Insight: There's approximately 70-80% overlap in what both frameworks want you to accomplish. The difference is in how they ask you to prove it.
Documentation Requirements: The Paper Trail
This is where organizations often struggle. Let me be brutally honest about documentation expectations:
ISO 27001 Documentation:
ISO 27001 is documentation-heavy. For certification, you must have:
| Required Document | Purpose | Typical Page Count |
|---|---|---|
| Information Security Policy | High-level commitment | 3-5 pages |
| Risk Assessment Methodology | How you assess risks | 8-12 pages |
| Risk Treatment Plan | How you address risks | 15-30 pages |
| Statement of Applicability (SoA) | Which controls apply and why | 20-40 pages |
| Risk Assessment Report | Identified risks and analysis | 25-50 pages |
| Asset Inventory | What you're protecting | 10-100 pages |
| 93 Control Procedures | How you implement each control | 200-500 pages total |
| Internal Audit Reports | Self-assessment evidence | 15-30 pages per audit |
| Management Review Records | Leadership oversight evidence | 10-20 pages per review |
I've seen organizations spend 6-9 months just creating documentation for ISO 27001 certification. One client had a dedicated technical writer for four months doing nothing but documentation.
NIST CSF Documentation:
NIST CSF is more flexible:
| Recommended Document | Purpose | Typical Page Count |
|---|---|---|
| Framework Profile | Current and target state | 5-15 pages |
| Risk Assessment | Risk identification and prioritization | 10-25 pages |
| Implementation Plan | Roadmap to target state | 8-20 pages |
| Tier Assessment | Maturity evaluation | 3-5 pages |
| Control Evidence | Proof of implementation | Varies widely |
A fintech startup I worked with implemented NIST CSF with about 60 pages of core documentation. They weren't pursuing certification—they were demonstrating mature practices to investors and customers.
"ISO 27001 documentation proves compliance to auditors. NIST CSF documentation guides your risk management decisions. Both are valuable, but they serve different masters."
Real-World Implementation: War Stories from the Trenches
Let me share three case studies that illustrate when to use which framework—or both.
Case Study 1: The Global SaaS Company
Situation: 200-employee software company selling to enterprises in North America, Europe, and Asia Pacific.
Challenge: European customers demanded ISO 27001. American customers wanted SOC 2. Government prospects asked about NIST CSF alignment.
Solution: We implemented ISO 27001 as the foundation, then mapped it to NIST CSF.
Timeline:
Month 1-3: Gap analysis and planning
Month 4-9: Control implementation
Month 10-12: Documentation and preparation
Month 13-14: Stage 1 and Stage 2 audits
Month 15: Certification achieved
Cost: $285,000 (consulting, tools, audit fees, internal labor)
Outcome:
ISO 27001 certification opened European market
NIST CSF mapping satisfied US government prospects
Used both frameworks in RFP responses
Won $4.2M in new contracts first year post-certification
The CTO told me: "The frameworks were expensive and time-consuming. But we calculate a 12:1 ROI just from contracts we couldn't have bid on before."
Case Study 2: The Healthcare Provider Network
Situation: 15-hospital network, primarily US-based, facing increasing cyber threats and regulatory scrutiny.
Challenge: Board wanted "best practice" security but wasn't sure what that meant. CFO was concerned about certification costs. CISO needed a roadmap.
Solution: We implemented NIST CSF without pursuing ISO 27001 certification.
Why NIST:
Flexible implementation aligned with existing HIPAA program
Self-assessment approach avoided expensive certification audits
Risk-based methodology resonated with healthcare risk management culture
Could start with critical systems and expand incrementally
Timeline:
Quarter 1: Current state assessment (Tier 1-2)
Quarter 2-4: Priority implementation (moved to Tier 2-3)
Year 2: Continued maturity improvement
Year 3: Target Tier 3 across all functions
Cost: $180,000 first year, $60,000 annually thereafter
Outcome:
Cyber insurance premiums decreased 35%
Incident response time improved from 4.2 hours to 45 minutes
Successfully defended against two ransomware attempts
Board gained confidence in security posture
The CISO's perspective: "NIST gave us a roadmap without the overhead of certification. For a healthcare provider, that flexibility was exactly what we needed."
Case Study 3: The Manufacturing Company (Both Frameworks)
Situation: Industrial equipment manufacturer with 1,200 employees, global operations, and diverse customer base.
Challenge:
European automotive clients required ISO 27001
US defense contractors wanted NIST 800-171 (based on NIST CSF)
Asian partners accepted either framework
Internal operations needed consistent security standards
Solution: Implemented both frameworks as integrated program.
Integration Strategy:
| Phase | Activity | Timeline | Investment |
|---|---|---|---|
| 1 | ISO 27001 gap analysis | Month 1-2 | $45,000 |
| 2 | NIST CSF current state assessment | Month 2-3 | $35,000 |
| 3 | Unified control mapping | Month 3-4 | $50,000 |
| 4 | Shared control implementation | Month 4-12 | $320,000 |
| 5 | Framework-specific requirements | Month 10-15 | $180,000 |
| 6 | ISO 27001 certification audit | Month 15-16 | $65,000 |
| 7 | NIST CSF maturity assessment | Month 16-17 | $35,000 |
Key Integration Points:
Single asset inventory satisfied both frameworks
Unified risk assessment met ISO requirements and informed NIST profile
Common control implementation addressed overlapping requirements
Integrated documentation reduced redundant paperwork by 60%
Combined training program educated staff on both frameworks
Outcome:
ISO 27001 certified (satisfied 85% of requirements)
NIST CSF Tier 3 maturity (target was Tier 2-3)
Total cost: $730,000 over 18 months
Estimated savings vs. separate implementation: $340,000
Opened $12M in new market opportunities
The CEO's take: "We thought running both frameworks would be twice the work. With proper integration, it was maybe 1.4 times the work of doing one. And the market access made it a no-brainer."
The Integration Blueprint: How to Run Both Frameworks Efficiently
After integrating these frameworks for multiple organizations, I've developed a proven methodology. Here's the blueprint:
Step 1: Build Your Control Universe (Months 1-2)
Create a master spreadsheet mapping controls:
| Control Domain | ISO 27001 Reference | NIST CSF Reference | Implementation Method | Evidence Required |
|---|---|---|---|---|
| Multi-Factor Authentication | A.5.17, A.5.18 | PR.AC-7 | Okta MFA for all systems | Configuration screenshots, access logs |
| Encryption at Rest | A.8.24 | PR.DS-1, PR.DS-5 | BitLocker + AES-256 | Encryption audit reports |
| Incident Response Plan | A.5.24, A.5.25, A.5.26 | RS.CO-1, RS.AN-1, RS.MI-1 | Documented IRP, quarterly tests | IRP document, test reports |
| Vendor Security Assessment | A.5.19, A.5.20, A.5.21 | ID.SC-1, ID.SC-2, ID.SC-3 | Risk assessment questionnaire | Vendor assessments, contract reviews |
| Security Awareness Training | A.6.3 | PR.AT-1, PR.AT-2 | Monthly training, annual testing | Training records, test scores |
I built this for a technology company in 2021. It had 147 rows covering every control in both frameworks. We identified that 112 controls (76%) could be implemented once and satisfy both frameworks.
Step 2: Prioritize Using Risk and Business Impact (Month 2-3)
Create a prioritization matrix:
| Control Area | ISO 27001 Priority | NIST CSF Priority | Business Impact | Risk Level | Implementation Order |
|---|---|---|---|---|---|
| Access Control | Mandatory | High | High | High | 1 |
| Incident Response | Mandatory | High | Critical | High | 1 |
| Asset Management | Mandatory | High | High | Medium | 2 |
| Encryption | Mandatory | High | High | Medium | 2 |
| Network Security | Mandatory | Medium | High | Medium | 3 |
| Physical Security | Mandatory | Low | Medium | Low | 4 |
| Supplier Management | Mandatory | Medium | Medium | Medium | 3 |
This approach ensures you're building security that matters to your business, not just checking compliance boxes.
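The control universe and prioritization matrix above are usually a spreadsheet, but they are also a small data model that can be queried: which rows are implement-once controls, which are framework-specific, and in what order to build them. The script below is an added example written for this article, not the author's spreadsheet or any GRC product's code. It uses the ISO 27001:2022 Annex A references and the CSF 1.1 subcategory IDs that appear in the tables (CSF 2.0 renamed several of these, for instance PR.AC became PR.AA and ID.SC moved under GV.SC, so adjust the strings if you map against 2.0). The impact/risk ratings, the two single-framework rows, and the additive scoring rule are constructed assumptions.

```python
"""Control universe and prioritization for an integrated ISO 27001 / NIST CSF
program (Steps 1 and 2 of the blueprint). Added example, not code from the
article or from any GRC product. ISO references are ISO 27001:2022 Annex A
controls and CSF references are CSF 1.1 subcategory IDs, as in the tables
above; the impact/risk ratings, the two single-framework rows and the
scoring rule are constructed assumptions."""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Control:
    domain: str
    iso_refs: tuple        # ISO 27001:2022 Annex A controls satisfied
    csf_refs: tuple        # NIST CSF 1.1 subcategories satisfied
    method: str            # the single implementation that serves both
    evidence: str          # what an auditor or assessor will be shown
    business_impact: str   # Low / Medium / High / Critical
    risk_level: str        # Low / Medium / High
    csf_priority: str      # Low / Medium / High (every ISO row is "Mandatory"
                           # unless excluded in the SoA, so ISO adds no ranking signal)


# Constructed control universe: the five rows of the Step 1 table plus one
# ISO-only and one CSF-only control so the single-framework report is non-empty.
CONTROL_UNIVERSE = [
    Control("Multi-Factor Authentication", ("A.5.17", "A.5.18"), ("PR.AC-7",),
            "MFA for all systems", "Configuration screenshots, access logs",
            "High", "High", "High"),
    Control("Encryption at Rest", ("A.8.24",), ("PR.DS-1", "PR.DS-5"),
            "Full-disk encryption with AES-256", "Encryption audit reports",
            "High", "Medium", "High"),
    Control("Incident Response Plan", ("A.5.24", "A.5.25", "A.5.26"),
            ("RS.CO-1", "RS.AN-1", "RS.MI-1"),
            "Documented IRP, quarterly tests", "IRP document, test reports",
            "Critical", "High", "High"),
    Control("Vendor Security Assessment", ("A.5.19", "A.5.20", "A.5.21"),
            ("ID.SC-1", "ID.SC-2", "ID.SC-3"),
            "Risk assessment questionnaire", "Vendor assessments, contract reviews",
            "Medium", "Medium", "Medium"),
    Control("Security Awareness Training", ("A.6.3",), ("PR.AT-1", "PR.AT-2"),
            "Monthly training, annual testing", "Training records, test scores",
            "Medium", "Medium", "Medium"),
    Control("Clear Desk and Clear Screen", ("A.7.7",), (),
            "Policy plus quarterly walk-through", "Walk-through checklists",
            "Medium", "Low", "Low"),
    Control("Post-Incident Public Relations", (), ("RC.CO-1",),
            "Communications playbook owned by PR", "Playbook, tabletop records",
            "Medium", "Low", "Medium"),
]


def shared_controls(universe=CONTROL_UNIVERSE):
    """Controls that can be implemented once and evidenced for both frameworks."""
    return [c for c in universe if c.iso_refs and c.csf_refs]


def single_framework(universe=CONTROL_UNIVERSE):
    """Domains only one framework asks for: the framework-specific work of Step 4."""
    iso_only = [c.domain for c in universe if c.iso_refs and not c.csf_refs]
    csf_only = [c.domain for c in universe if c.csf_refs and not c.iso_refs]
    return {"iso_only": iso_only, "csf_only": csf_only}


def overlap_ratio(universe=CONTROL_UNIVERSE):
    """Fraction of the universe that satisfies both frameworks."""
    return len(shared_controls(universe)) / len(universe)


def priority_score(control):
    """Assumed rule: sum the ordinal weights of impact, risk and CSF priority."""
    return (LEVEL[control.business_impact] + LEVEL[control.risk_level]
            + LEVEL[control.csf_priority])


def implementation_order(universe=CONTROL_UNIVERSE):
    """(wave, domain) pairs; equal scores share a wave, as in the Step 2 table."""
    ranked = sorted(universe, key=lambda c: (-priority_score(c), c.domain))
    wave, order, last_score = 0, [], None
    for c in ranked:
        score = priority_score(c)
        if score != last_score:
            wave += 1
            last_score = score
        order.append((wave, c.domain))
    return order


def covered_ids(universe=CONTROL_UNIVERSE):
    """Every reference the universe claims, for reconciling against the SoA and the full subcategory list."""
    iso = sorted({r for c in universe for r in c.iso_refs})
    csf = sorted({r for c in universe for r in c.csf_refs})
    return {"iso": iso, "csf": csf}


if __name__ == "__main__":
    print(f"shared: {len(shared_controls())}/{len(CONTROL_UNIVERSE)} ({overlap_ratio():.0%})")
    for wave, domain in implementation_order():
        print(f"wave {wave}: {domain}")
```

The `covered_ids` output is the check worth running before an audit: diff it against the 93 Annex A controls and the full subcategory list, and anything missing is either a justified SoA exclusion or a gap you have not noticed yet.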
Step 3: Implement Shared Controls First (Months 3-9)
Focus on the 70-80% overlap. Common implementations include:
Access Control Implementation:
Single sign-on (SSO) platform
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Privileged access management (PAM)
Regular access reviews
This satisfies:
ISO 27001: A.5.15, A.5.16, A.5.17, A.5.18
NIST CSF: PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7
Security Monitoring Implementation:
SIEM (Security Information and Event Management)
Log aggregation and retention
Anomaly detection
24/7 SOC or managed detection
This satisfies:
ISO 27001: A.8.15, A.8.16
NIST CSF: DE.AE-1, DE.AE-2, DE.AE-3, DE.CM-1, DE.CM-7
"Implement once, comply twice. The magic of framework integration is building security capabilities that satisfy multiple requirements simultaneously."
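"Implement once, comply twice" is concrete when the same automated check produces one evidence artifact tagged with both frameworks' references. The script below is an added example for this article, not code from Vanta, Drata or any other product named later on. The identity-provider export is constructed; the rule (every enabled human account must be MFA-enrolled, service accounts are reported as documented exemptions rather than failures, and a privileged account without MFA is a high-severity finding) and the references it cites (ISO 27001:2022 A.5.17/A.5.18 and CSF 1.1 PR.AC-7, following the Step 1 mapping) are assumptions about how one organization chose to map the control.

```python
"""One automated evidence check for a shared control. Added example, not code
from any GRC product. The user export is constructed; the enforcement rule and
the framework references (ISO 27001:2022 A.5.17/A.5.18, CSF 1.1 PR.AC-7) are
assumptions following the Step 1 mapping."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed export, shaped like an IdP API response or CSV dump.
USER_EXPORT = [
    {"user": "alice", "enabled": True, "mfa_enrolled": True, "privileged": True},
    {"user": "bob", "enabled": True, "mfa_enrolled": True, "privileged": False},
    {"user": "carol", "enabled": True, "mfa_enrolled": False, "privileged": True},
    {"user": "dave", "enabled": True, "mfa_enrolled": False, "privileged": False},
    {"user": "erin", "enabled": False, "mfa_enrolled": False, "privileged": False},
    {"user": "svc-backup", "enabled": True, "mfa_enrolled": False,
     "privileged": False, "service_account": True},
]


@dataclass
class EvidenceRecord:
    control: str
    iso_refs: list
    csf_refs: list
    collected_at: str
    population: int              # enabled human accounts in scope
    exceptions: list             # in-scope accounts without MFA
    privileged_exceptions: list  # subset of exceptions holding admin rights
    exempted: list               # service accounts excluded by documented policy
    passed: bool


def check_mfa_enforcement(users, collected_at=None):
    """Evaluate the MFA rule over an export and return an auditor-ready record."""
    ts = collected_at or datetime.now(timezone.utc).isoformat()
    # Disabled accounts are out of scope; service accounts are tracked separately
    # so the exemption is visible to the auditor rather than silently dropped.
    in_scope = [u for u in users if u["enabled"] and not u.get("service_account")]
    exempted = sorted(u["user"] for u in users if u["enabled"] and u.get("service_account"))
    missing = [u for u in in_scope if not u["mfa_enrolled"]]
    return EvidenceRecord(
        control="Multi-Factor Authentication",
        iso_refs=["A.5.17", "A.5.18"],
        csf_refs=["PR.AC-7"],
        collected_at=ts,
        population=len(in_scope),
        exceptions=sorted(u["user"] for u in missing),
        privileged_exceptions=sorted(u["user"] for u in missing if u["privileged"]),
        exempted=exempted,
        passed=not missing,
    )


def severity(record):
    """Assumed triage rule: any privileged account without MFA is high severity."""
    if record.passed:
        return "none"
    return "high" if record.privileged_exceptions else "medium"


def to_json(record):
    """Serialize for the evidence repository; the same artifact is attached to the
    ISO SoA row and to the CSF profile entry."""
    return json.dumps(asdict(record), indent=2, sort_keys=True)


if __name__ == "__main__":
    rec = check_mfa_enforcement(USER_EXPORT)
    print(severity(rec))
    print(to_json(rec))
```

Run on a schedule, each record is a dated, reproducible piece of evidence; the `exempted` list is what keeps an auditor from reading the service-account gap as an undocumented failure.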
Step 4: Address Framework-Specific Requirements (Months 9-12)
ISO 27001 Specific Needs:
Formal ISMS documentation structure
Statement of Applicability (SoA)
Internal audit program with independence
Management review meetings with specific agenda items
Documented corrective action procedures
NIST CSF Specific Needs:
Tier assessment and documentation
Current and target profiles
Framework implementation roadmap
Risk-based prioritization justification
Continuous improvement methodology
Step 5: Prepare for Assessment (Months 12-15)
For ISO 27001:
Stage 1 audit (documentation review)
Address Stage 1 findings
Stage 2 audit (implementation verification)
Achieve certification
For NIST CSF:
Self-assessment against all subcategories
Tier determination
Gap analysis documentation
Optional third-party assessment
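The NIST side of Step 5 (self-assessment, tier determination, gap documentation) reduces to a current profile, a target profile, and a roll-up rule. The script below is an added example for this article, not NIST's own template or any assessment tool. Subcategory IDs are the CSF 1.1 ones already used in the tables above (CSF 1.1 has no Govern function, so the constructed sample covers five functions); the per-subcategory tier ratings are constructed, and the roll-up rule (a function is only as mature as its weakest subcategory, and the program only as mature as its weakest function) is an assumption an organization would record in its assessment method.

```python
"""NIST CSF current-vs-target profile with tier roll-up and gap list. Added
example, not NIST's template or any assessment tool. CSF 1.1 IDs as used in
the article; ratings are constructed and the weakest-link roll-up rule is an
assumption."""

TIER_NAMES = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTION_NAMES = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}

# Constructed profile: subcategory -> (current tier, target tier)
PROFILE = {
    "ID.AM-1": (3, 3), "ID.RA-1": (2, 3),
    "PR.AC-1": (3, 3), "PR.AC-7": (2, 3),
    "DE.AE-1": (1, 3), "DE.CM-1": (2, 3),
    "RS.CO-1": (2, 3), "RS.AN-1": (3, 3),
    "RC.RP-1": (1, 2),
}


def validate(profile):
    """Reject ratings outside the four tiers, and targets below current so a
    typo cannot hide a gap (assumed data-quality rule)."""
    for sub, (cur, tgt) in profile.items():
        if cur not in TIER_NAMES or tgt not in TIER_NAMES:
            raise ValueError(f"{sub}: tiers must be 1-4, got {cur}/{tgt}")
        if tgt < cur:
            raise ValueError(f"{sub}: target {tgt} below current {cur}")
    return True


def function_of(subcategory):
    """'PR.AC-7' -> 'PR'."""
    return subcategory.split(".")[0]


def function_tiers(profile):
    """Roll subcategories up to (current, target) per function: weakest link wins."""
    validate(profile)
    result = {}
    for sub, (cur, tgt) in profile.items():
        fn = function_of(sub)
        c0, t0 = result.get(fn, (4, 4))
        result[fn] = (min(c0, cur), min(t0, tgt))
    return result


def overall_tier(profile):
    """Program-level tier as (number, name): the lowest function tier."""
    tier = min(cur for cur, _ in function_tiers(profile).values())
    return tier, TIER_NAMES[tier]


def gaps(profile):
    """Subcategories below target, largest gap first then by ID: the raw input
    to the implementation roadmap."""
    validate(profile)
    rows = [{"subcategory": s, "function": FUNCTION_NAMES[function_of(s)],
             "current": c, "target": t, "gap": t - c}
            for s, (c, t) in profile.items() if t > c]
    return sorted(rows, key=lambda r: (-r["gap"], r["subcategory"]))


if __name__ == "__main__":
    print("overall:", overall_tier(PROFILE))
    for fn, (c, t) in function_tiers(PROFILE).items():
        print(f"{FUNCTION_NAMES[fn]}: {TIER_NAMES[c]} -> {TIER_NAMES[t]}")
    for row in gaps(PROFILE):
        print(row)
```

The weakest-link roll-up is deliberately conservative: an average would let a single unmonitored detection category hide behind strong access control, which is exactly the kind of blind spot a tier assessment should surface.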
The Decision Matrix: Which Framework Should You Choose?
After fifteen years of helping organizations make this decision, here's my decision tree:
Choose ISO 27001 When:
✅ You have international customers or operations
ISO 27001 is recognized in 180+ countries
European customers often require it
Asian markets increasingly demand it
✅ You need formal certification
RFPs require certified frameworks
Insurance requires certified compliance
Regulatory bodies recognize certification
✅ You're in highly regulated industries
Financial services
Healthcare (alongside HIPAA)
Government contractors
Payment processing (alongside PCI DSS)
✅ You have resources for structured implementation
Budget: $150,000 - $500,000 initial implementation
Time: 12-18 months to certification
Staff: Dedicated compliance team or consultant
Choose NIST CSF When:
✅ You're primarily US-focused
American customers understand it
US government recognizes it
Aligns with US regulatory expectations
✅ You want flexibility and incremental improvement
No pass/fail certification pressure
Can implement at your own pace
Can prioritize based on risk
✅ You're building or improving your security program
Excellent roadmap for maturity
Clear progression through tiers
Risk-based approach aligns with business
✅ You have constrained resources
Can start small and expand
No mandatory certification costs
Internal assessment acceptable
Choose Both When:
✅ You have a diverse global customer base
✅ You operate in multiple regulated sectors
✅ You have a mature security program and resources
✅ You want maximum market access
✅ You can invest in integrated implementation
The Cost Reality: What You'll Actually Spend
Let me give you real numbers from actual implementations I've led:
ISO 27001 Cost Breakdown (Medium-sized organization, 200 employees):
| Cost Category | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| External Consulting | $120,000 | $30,000 | $30,000 |
| Certification Audit | $45,000 | $15,000 | $45,000 |
| Technology/Tools | $80,000 | $20,000 | $20,000 |
| Internal Labor (1.5 FTE) | $180,000 | $180,000 | $180,000 |
| Training | $25,000 | $10,000 | $10,000 |
| Documentation | $15,000 | $5,000 | $5,000 |
| Total | $465,000 | $260,000 | $290,000 |
NIST CSF Cost Breakdown (Same organization):
| Cost Category | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| External Consulting | $80,000 | $20,000 | $20,000 |
| Assessment (optional) | $25,000 | $15,000 | $15,000 |
| Technology/Tools | $70,000 | $20,000 | $20,000 |
| Internal Labor (1 FTE) | $120,000 | $120,000 | $120,000 |
| Training | $20,000 | $10,000 | $10,000 |
| Documentation | $10,000 | $5,000 | $5,000 |
| Total | $325,000 | $190,000 | $190,000 |
Integrated Implementation (Both frameworks):
| Cost Category | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| External Consulting | $150,000 | $35,000 | $35,000 |
| Certification/Assessment | $55,000 | $20,000 | $55,000 |
| Technology/Tools | $90,000 | $25,000 | $25,000 |
| Internal Labor (1.5 FTE) | $180,000 | $180,000 | $180,000 |
| Training | $30,000 | $15,000 | $15,000 |
| Documentation | $20,000 | $7,000 | $7,000 |
| Total | $525,000 | $282,000 | $317,000 |
Key Insight: Integrated implementation costs about 13% more than ISO 27001 alone, but delivers both frameworks. Implementing them separately would cost approximately 70% more.
Common Mistakes I've Seen (And How to Avoid Them)
Mistake #1: Treating Frameworks as IT Projects
A manufacturing company hired me after their first ISO 27001 attempt failed. The IT team had spent eight months implementing technical controls without engaging the business.
The auditor rejected their certification because they couldn't demonstrate that security aligned with business objectives, stakeholders weren't engaged, and management didn't understand their responsibilities.
The Fix: Both frameworks require business leadership, not just IT execution. Your CEO needs to own the Information Security Policy. Your department heads need to understand their roles. Your board needs to provide oversight.
Mistake #2: Documentation for Documentation's Sake
I reviewed a company's ISO 27001 documentation that totaled 847 pages. It was comprehensive, detailed, and utterly useless. Nobody read it. Nobody followed it. It was documentation theater.
The Fix: Documentation should guide behavior, not gather dust. Keep it concise, practical, and accessible. Use flowcharts, checklists, and job aids. If people don't use your documentation, it doesn't satisfy either framework's intent.
Mistake #3: Implementing Controls You Don't Need
A startup implemented all 93 ISO 27001 controls because they thought certification required it. They spent $340,000 implementing controls for risks that didn't apply to their business.
The Fix: Both frameworks are risk-based. ISO 27001's Statement of Applicability lets you exclude controls that don't apply (with justification). NIST CSF is explicitly designed for risk-based prioritization. Focus on what matters to YOUR organization.
Mistake #4: Forgetting Continuous Improvement
Organizations celebrate certification, then stop investing in security. Twelve months later, they fail their surveillance audit.
The Fix: Both frameworks require continuous improvement. Schedule quarterly reviews. Track metrics. Update risk assessments. Maintain momentum.
"Achieving certification is like getting married. The ceremony is important, but the relationship is what matters. Maintain your security program like you maintain important relationships—with ongoing attention, investment, and care."
Tools and Resources That Actually Help
After trying dozens of tools across multiple implementations, here are the ones that consistently deliver value:
Governance, Risk, and Compliance (GRC) Platforms:
| Tool | Best For | Approximate Cost | Key Features |
|---|---|---|---|
| Vanta | Startups, automatic evidence collection | $5,000-$30,000/year | Automated monitoring, SOC 2 + ISO 27001 support |
| Drata | Growing companies, continuous compliance | $8,000-$40,000/year | Real-time compliance tracking, multiple frameworks |
| Secureframe | Mid-market, multi-framework | $10,000-$50,000/year | Strong audit management, integrations |
| OneTrust | Enterprise, comprehensive GRC | $50,000-$200,000+/year | Full GRC suite, privacy + security |
| LogicGate | Mid-market to enterprise | $30,000-$100,000/year | Customizable workflows, risk management |
Assessment and Documentation Tools:
| Tool | Purpose | When to Use |
|---|---|---|
| NIST CSF Excel Templates | Basic self-assessment | Small organizations, starting out |
| SimpleRisk | Risk management | Need open-source risk tracking |
| Archer (RSA) | Enterprise GRC | Large organizations, complex requirements |
| ServiceNow GRC | Integrated GRC | Already using ServiceNow platform |
I generally recommend starting with specialized compliance platforms like Vanta or Drata for small-to-mid-sized organizations. They automate 60-70% of evidence collection and make both frameworks more manageable.
Making the Final Decision: A Framework for Choosing Your Framework
Here's the conversation I have with every client facing this decision:
Question 1: Where do you sell?
Primarily US → NIST CSF
International → ISO 27001
Both → Consider both
Question 2: What do your customers require?
Check your RFPs and contracts
Survey your largest prospects
Understand their procurement requirements
Question 3: What are your resources?
Budget < $200K first year → Start with NIST CSF
Budget $200K-$500K → ISO 27001 is feasible
Budget > $500K → Integrated approach possible
Question 4: What's your timeline?
Need results in 6-9 months → NIST CSF
Can commit to 12-18 months → ISO 27001
Planning 18+ month program → Both frameworks
Question 5: What's your maturity?
Starting from scratch → NIST CSF provides better roadmap
Have basic controls → Either framework works
Mature program → ISO 27001 certification or both
My Personal Recommendation
After fifteen years and dozens of implementations, here's my honest advice:
For most organizations, start with NIST CSF and evolve toward ISO 27001 if needed.
Why? NIST CSF gives you:
Immediate value without certification pressure
Clear maturity progression
Risk-based prioritization
Flexibility to adapt
Lower initial investment
Then, when your security program matures and business needs demand it, pursue ISO 27001 certification. You'll have most controls already implemented. Certification becomes a matter of documentation and formal audit rather than building security from scratch.
Exception: If you know you need ISO 27001 certification (European customers, industry requirements, competitive necessity), go straight for it. Don't waste time with intermediate steps.
Best scenario: If you have the resources and market need, integrate both from the start. The overlap is substantial, and the combined value is enormous.
Final Thoughts: It's Not About the Framework
Here's what I've learned after fifteen years: the framework matters less than the commitment.
I've seen organizations achieve ISO 27001 certification and still get breached because they treated it as a compliance exercise. I've seen companies use NIST CSF to build incredible security programs that protect them from sophisticated attacks.
The framework is just a roadmap. Your destination is a security culture where:
Everyone understands their role in protection
Risks are identified and managed systematically
Incidents are detected quickly and handled effectively
Continuous improvement is built into operations
Security enables business rather than blocking it
Whether you choose ISO 27001, NIST CSF, or both, commit to the journey. Invest in people, process, and technology. Engage leadership. Build culture. Measure progress.
The framework you choose is less important than your determination to use it well.
"Frameworks don't protect organizations. People using frameworks to make better security decisions protect organizations. Choose the framework that helps your people make those decisions most effectively."
Your Next Steps
Ready to move forward? Here's your action plan:
This Week:
Review your current security program (honestly)
Survey your top 10 customers about their requirements
Assess your available budget and timeline
Identify your compliance champion internally
This Month:
Conduct gap analysis against both frameworks
Estimate implementation costs
Build business case for leadership
Decide on initial framework approach
This Quarter:
Engage consultant or start internal implementation
Begin building control inventory
Start documentation foundation
Launch awareness and training program
This Year:
Implement priority controls
Build evidence collection processes
Conduct internal assessments
Prepare for external audit or self-assessment