The NFC is a portable, simple and improved starting point when compared to other principles and frameworks, such as the standard ISO27001 and ISO27002, which come with different distinct features. For example, the ISO 27002 does not make a distinction between controls applicable to a particular organization and those which are not, while the ISO27001 prescribes a risk assessment to be performed in order to identify for each control whether it is required to decrease the risks, and if it is, to what extent it should be applied. Here, we can see that both standards are different, but lack the positive attributes of both tools when combined. This is where the NFC comes in, taking usability in to consideration and utilizing a single standard that makes it simple and portable for practical use.
The NFC also focuses on design, identification, and the mitigation of potential factors causing an overall hindrance to security-related policy compliance within an organization. Every potential factor that generates any hindrance is a cause of variation that should be addressed in the NFC context, unlike the ISO27000 where standards are designed for certain focus. For example, the ISO27001 is for building an IS foundation in an organization, the ISO 27002 is for the control implementation, and the ISO 27005 is for carrying out risk assessment and risk treatment. The NFC combines all these with a dynamic compliance process standard that involves: A) awareness of the compliance regulation; B) controlling integration; and C) closing gaps. Both the key factors and the central point prerequisites are enclosed in the control integration and close gaps dynamic. The NFC also enhances the interrelationship between technology and human factors and these are not seen in the context of ISO27000.