Compare cybersecurity framework in NIST, ISO 27001, CIS Control and COBIT
Poster · September 2024
Velibor Božić
General Hospital Koprivnica
NIST stands for the National Institute of Standards and Technology. It is a non-regulatory agency of the United States Department of Commerce. While NIST has a broad mandate covering various scientific and technological standards, it has become particularly well known in the cybersecurity field for its cybersecurity frameworks and guidelines.

ISO/IEC stands for the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These two organizations work together to develop international standards in the field of information technology, including cybersecurity. The ISO/IEC standards are widely recognized and adopted globally.

CIS Controls, formerly known as the SANS Critical Security Controls, are a set of prioritized best practices designed to help organizations improve their cybersecurity posture. Developed and maintained by the Center for Internet Security (CIS), these controls provide a practical and actionable approach to cybersecurity.

COBIT, which stands for Control Objectives for Information and Related Technologies, is a comprehensive framework for enterprise IT management and governance. Developed by ISACA (Information Systems Audit and Control Association), COBIT provides a set of best practices for IT governance, helping organizations create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
Frameworks compared: NIST Cybersecurity Framework (NIST CSF), ISO 27001, CIS Controls, COBIT

Focus
  NIST CSF: Risk management and critical infrastructure protection
  ISO 27001: Information Security Management System (ISMS)
  CIS Controls: Practical and prioritized set of actions to improve cybersecurity
  COBIT: IT governance and management

Structure
  NIST CSF: Five core functions (Identify, Protect, Detect, Respond, Recover) in the cited version 1.1; CSF 2.0, published in February 2024, adds a sixth function, Govern
  ISO 27001: 10 clauses and Annex A controls. The figure of 114 controls in 14 domains is from the 2013 edition; the 2022 edition cited in the sources consolidates Annex A into 93 controls in 4 themes (organizational, people, physical, technological)
  CIS Controls: 18 control categories with specific actions
  COBIT: 5 domains, 40 processes

Approach
  NIST CSF: Flexible and adaptable to various organizations
  ISO 27001: Risk-based, following the Plan-Do-Check-Act (PDCA) cycle
  CIS Controls: Prioritized, prescriptive actions based on real-world threats
  COBIT: Holistic view of IT governance, aligning business goals with IT goals

Audience
  NIST CSF: Originally for critical infrastructure, now widely adopted across industries and sizes
  ISO 27001: Global, applicable to all types of organizations
  CIS Controls: Organizations of all sizes, especially those with limited resources
  COBIT: Primarily larger enterprises and IT professionals

Regulatory Status
  NIST CSF: Voluntary, but often recommended by U.S. government agencies
  ISO 27001: International standard, often required for compliance or contracts
  CIS Controls: Voluntary, but widely recognized as best practice
  COBIT: Voluntary, but often used for compliance with regulations like SOX
Scope
  NIST CSF: Broad cybersecurity risk management
  ISO 27001: Information security management
  CIS Controls: Specific, actionable cybersecurity measures
  COBIT: Broader IT governance and management

Flexibility
  NIST CSF: Highly flexible and adaptable
  ISO 27001: Flexible within a structured framework
  CIS Controls: Prescriptive but adaptable
  COBIT: Flexible, but more complex to implement

Implementation
  NIST CSF: Can be implemented partially or fully
  ISO 27001: Typically implemented as a whole for certification
  CIS Controls: Can be implemented incrementally
  COBIT: Often implemented selectively based on organizational needs

Regulatory Alignment
  NIST CSF: Aligns well with U.S. regulations
  ISO 27001: Internationally recognized, aligns with global regulations
  CIS Controls: Aligns with various regulations but not specifically designed for compliance
  COBIT: Strong alignment with financial and IT regulations

Maturity Model
  NIST CSF: Includes implementation tiers
  ISO 27001: No specific maturity model, but follows the PDCA cycle
  CIS Controls: Includes implementation groups based on organizational complexity
  COBIT: Includes a detailed maturity model

Primary Strengths
  NIST CSF: Comprehensive and adaptable
  ISO 27001: Structured and internationally recognized
  CIS Controls: Practical and prioritized
  COBIT: Comprehensive IT governance

The choice of framework often depends on:
  - Organizational size and complexity
  - Industry sector and regulatory requirements
  - Existing IT governance structures
  - Specific security goals and risk profile

Table 1. Comparing cybersecurity frameworks
SOURCES:
National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity (Version 1.1). U.S. Department of Commerce. [Link] (accessed 1 September 2024)
Center for Internet Security. (2021). CIS Controls: Version 8.0. [Link] (accessed 4 September 2024)
ISACA. (2019). COBIT 2019 framework: Introduction and methodology. ISACA.
International Organization for Standardization. (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. [Link] (accessed 7 September 2024)