<?xml version="1.0" encoding="UTF-8"?>
<TEI xml:space="preserve" xmlns="http://www.tei-c.org/ns/1.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.tei-c.org/ns/1.0 https://raw.githubusercontent.com/kermitt2/grobid/master/grobid-home/schemas/xsd/Grobid.xsd"
 xmlns:xlink="http://www.w3.org/1999/xlink">
	<teiHeader xml:lang="en">
		<fileDesc>
			<titleStmt>
				<title level="a" type="main">Analysis and Comparison of the NIST SP 800-53 and ISO/IEC 27001:2013</title>
			</titleStmt>
			<publicationStmt>
				<publisher/>
				<availability status="unknown"><licence/></availability>
			</publicationStmt>
			<sourceDesc>
				<biblStruct>
					<analytic>
						<author>
							<persName><forename type="first">Yevhenii</forename><surname>Kurii</surname></persName>
							<email>yevhenii.o.kurii@lpnu.ua</email>
							<affiliation key="aff0">
								<orgName type="institution">Lviv Polytechnic National University</orgName>
								<address>
									<addrLine>12 Stepan Bandera str</addrLine>
									<postCode>79000</postCode>
									<settlement>Lviv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Ivan</forename><surname>Opirskyy</surname></persName>
							<email>ivan.r.opirskyi@lpnu.ua</email>
							<affiliation key="aff0">
								<orgName type="institution">Lviv Polytechnic National University</orgName>
								<address>
									<addrLine>12 Stepan Bandera str</addrLine>
									<postCode>79000</postCode>
									<settlement>Lviv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<title level="a" type="main">Analysis and Comparison of the NIST SP 800-53 and ISO/IEC 27001:2013</title>
					</analytic>
					<monogr>
						<title level="m">Cybersecurity Providing in Information and Telecommunication Systems</title>
						<meeting>
							<address>
								<settlement>Kyiv</settlement>
								<country key="UA">Ukraine</country>
							</address>
						</meeting>
						<imprint>
							<date type="published" when="2022-10-13">October 13, 2022</date>
						</imprint>
					</monogr>
					<idno type="MD5">57D92D3B7B2E14D5B45C7BFB5F5A562A</idno>
				</biblStruct>
			</sourceDesc>
		</fileDesc>
		<encodingDesc>
			<appInfo>
				<application version="0.7.2" ident="GROBID" when="2023-03-24T18:43+0000">
					<desc>GROBID - A machine learning software for extracting information from scholarly documents</desc>
					<ref target="https://github.com/kermitt2/grobid"/>
				</application>
			</appInfo>
		</encodingDesc>
		<profileDesc>
			<textClass>
				<keywords>
					<term>Information security</term>
					<term>cybersecurity framework</term>
					<term>security controls</term>
					<term>information security management system</term>
					<term>ISMS</term>
					<term>ISO 27001</term>
					<term>NIST 800-53</term>
				</keywords>
			</textClass>
			<abstract>
<div xmlns="http://www.tei-c.org/ns/1.0"><p>Managing information security in an organization can be a daunting task, especially since it may encompass many areas, from physical and network security to human resources security and supplier management. This is especially hard for young or insufficiently experienced specialists, who may miss important areas due to a lack of practical experience. This is where security frameworks come in handy and bring formality to the design and implementation of a security strategy. With a framework in place, it becomes much easier to define the processes and procedures that your organization must follow to assess, monitor, and mitigate cybersecurity risk and to apply proper controls to protect valuable information. But another problem arises when you have to choose the "just right" framework for your organization, taking into account business-specific characteristics such as the context of the organization, its area of operation, applicable laws, regulations and contractual obligations, as well as more general ones such as the framework's maturity, comprehensiveness or popularity. While there are many different information security frameworks in the wild, the most commonly found and preferred by security professionals worldwide are NIST SP 800-53 and ISO/IEC 27001:2013. They combine a quite comprehensive set of security controls covering the most important security areas with wide applicability, which allows applying these frameworks to all kinds of organizations. But they also have a set of distinct features that define their relevance to a particular organization. The article is aimed at giving a brief overview of these two most popular security frameworks, describing their key characteristics and providing a comparison of their controls.</p></div>
			</abstract>
		</profileDesc>
	</teiHeader>
	<text xml:lang="en">
		<body>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="1.">Introduction</head><p>To successfully achieve the objectives of implementing cybersecurity at different levels, a range of procedures and standards should be followed. Cybersecurity standards determine the requirements that an organization should follow to achieve its cybersecurity objectives, to protect against cybercrimes <ref type="bibr" target="#b0">[1]</ref> and to ensure the ongoing management of information security controls.</p><p>Additionally, a framework establishes a common language for defining a cybersecurity program, enabling organizations to set risk-based cybersecurity goals at the executive level that can be translated to the operations team <ref type="bibr" target="#b1">[2]</ref>.</p><p>These frameworks are a blueprint for managing and reducing organizational risk. Information security professionals use frameworks to define and prioritize the tasks required to manage the organization's security program. Frameworks are also used to help prepare for compliance and other IT and security audits. When choosing among the leading information security frameworks, you would primarily assess the number of unique information security controls (requirements) in each of them <ref type="bibr" target="#b2">[3]</ref><ref type="bibr" target="#b3">[4]</ref><ref type="bibr" target="#b5">[5]</ref>. The volume of these controls directly impacts the number of domains covered by that framework. A smaller number of controls in a framework might make it easier to implement, but it also might not provide the coverage that your organization needs from the perspective of administrative, technical, and physical information security practices <ref type="bibr" target="#b6">[6]</ref>.</p><p>This is why defining the applicable and relevant framework is primarily a business decision <ref type="bibr" target="#b7">[7]</ref>, based on your organization's context and risk profile, which needs to consider the applicable laws and regulations that are required to support existing or planned business processes.</p><p>Commonly, this selection process leads to adopting one of the following frameworks:</p><list><item>ISO 27001/002 <ref type="bibr" target="#b8">[8,</ref><ref type="bibr" target="#b9">9]</ref></item><item>NIST Special Publication 800-53 <ref type="bibr" target="#b10">[10]</ref></item><item>NIST Cybersecurity Framework <ref type="bibr" target="#b11">[11]</ref></item><item>PCI DSS <ref type="bibr" target="#b12">[12]</ref></item><item>CIS Controls <ref type="bibr" target="#b13">[13,</ref><ref type="bibr" target="#b14">14]</ref></item><item>HITRUST Common Security Framework [15]</item><item>HIPAA <ref type="bibr" target="#b15">[16]</ref></item><item>CSA CCM <ref type="bibr" target="#b16">[17]</ref></item><item>GDPR <ref type="bibr" target="#b17">[18]</ref></item><item>ISO 27701 <ref type="bibr" target="#b18">[19]</ref></item><item>AICPA Trust Services Criteria (SOC 2) <ref type="bibr" target="#b19">[20]</ref></item><item>COBIT <ref type="bibr" target="#b20">[21]</ref></item></list><p>Each information security framework has its own unique specialization and depth of coverage. Understanding this can help you make an informed decision on the most appropriate framework for your needs <ref type="bibr" target="#b21">[22,</ref><ref type="bibr" target="#b22">23]</ref>. You may even find you need to leverage a metaframework (i.e., a framework of frameworks) to address more complex compliance requirements (e.g., when the organization holds the personal data of EU citizens and processes cardholder data, it should comply with both GDPR and PCI DSS requirements).</p><p>A key consideration for choosing an information security framework is understanding the level of content and robustness each framework offers. This directly impacts the available information security controls within each framework <ref type="bibr" target="#b23">[24]</ref>.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="2.">Overview and Comparison between NIST SP 800-53 and ISO/IEC 27001:2013</head><p>Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, from the National Institute of Standards and Technology (NIST) is currently in its 5th revision (rev5), dated September 2020. It was initially designed to protect the US federal government, but quickly gained popularity in private industry and is now considered one of the most popular and respected information security frameworks in the world. This was partly due to the significant outsourcing to private companies that do business with the US federal government.</p><p>According to the official web page of the standard, "This publication [Special Publication (SP) 800-53] provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks" [25].</p><p>ISO 27001 is a well-respected international information security standard that outlines the key processes and approaches a business needs to manage information security risk in a practical way <ref type="bibr" target="#b24">[26]</ref>. ISO 27001 consists of the main part and Annex A, which contains the basic overview of the security controls needed to build an Information Security Management System (ISMS). Additionally, there is a separate standard, ISO 27002, that provides a detailed description of the specific controls that are necessary to actually implement ISO 27001 (essentially, you can't meet ISO 27001 without implementing ISO 27002) <ref type="bibr" target="#b25">[27,</ref><ref type="bibr">28]</ref>. The important thing about ISO is that it provides companies with the possibility to undergo an external audit and get certified against ISO 27001.</p><p>As may be seen from the mapping table, there is an overlap between the controls of the ISO and NIST frameworks. But the most important characteristic of these frameworks is that NIST 800-53 can be considered a superset of ISO 27001. In particular, all the controls from ISO 27001 can be covered by NIST 800-53. However, ISO 27001 does not cover all of the areas of NIST 800-53. From the coverage perspective, NIST 800-53 is more comprehensive and contains many more areas and controls than ISO 27001. While a detailed analysis of the missing controls is out of the scope of this investigation, let's take a look at a few examples which show the areas in which NIST, in contrast to ISO, provides more comprehensive coverage.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="2.1.">Detailed Mapping of Controls</head><p>[AT-4 Training Records], [AT-6 Training Feedback]. These two controls require the organization to document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, to retain individual training records, and to gather feedback on organizational training results <ref type="bibr" target="#b10">[10]</ref>. These could be important indicators of the effectiveness of the awareness process in the organization. These controls are very often audited during the ISO 27001 certification process; however, they are not explicitly mentioned in ISO 27001.</p><p>[CM-2 Baseline Configuration], [CM-6 Configuration Settings]. These controls require organizations to develop, document, and maintain under configuration control a current baseline configuration of the system and the configuration settings for its components. Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and the logical placement of components in the system architecture <ref type="bibr" target="#b10">[10]</ref>. These controls are important for maintaining the integrity of the security configurations of systems and components and for ensuring a standard configuration for infrastructure systems and components. Again, these aspects are not explicitly highlighted in ISO 27001 but are commonly checked during the ISO certification process.</p><p>[PE-6 Monitoring Physical Access], [PE-8 Visitor Access Records]. NIST 800-53 requires organizations to monitor physical access to the facility where the system resides in order to detect and respond to physical security incidents, and to maintain and periodically review visitor access records for the facility where the system resides <ref type="bibr" target="#b10">[10]</ref>. These are further examples of controls that are extremely relevant for the protection of the organization's assets. They are especially important for small representative offices, which often lack the baseline security controls established within headquarters, and they are also quite often emphasized during ISO certification audits. Nevertheless, they were overlooked for quite a long time, until the release of the revised version of ISO 27002 earlier this year (so they should appear in the new version of ISO 27001 as well).</p><p>[RA-10 Threat Hunting]. Threat hunting is an active means of cyber defense, in contrast to traditional protection measures such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses <ref type="bibr" target="#b10">[10]</ref>. Like the previous controls, this one has also been overlooked by the ISO 27001 publications, despite its extreme importance and relevance for organizations. This inconsistency should be partially eliminated with the new version of the ISO 27001 standard: this year's revised version of ISO 27002 already contains a new control defining requirements for threat intelligence, which is an integral part of the threat hunting process.</p><p>[PM-18 Privacy Program Plan], [PT-1 Personally Identifiable Information Processing and Transparency Policy and Procedures], [PT-2 Authority to Process Personally Identifiable Information], [PT-4 Consent], [PT-5 Privacy Notice] and other controls related to the protection of personally identifiable information (PII) processing. The defining characteristic of NIST 800-53 is that it contains a set of controls addressing privacy requirements for the processing of PII, while ISO 27001 does not specifically address privacy beyond the inherent benefits of maintaining the security of PII; therefore we can assume that the ISO 27001 controls do not satisfy privacy requirements with respect to PII processing <ref type="bibr" target="#b26">[29]</ref>. From this perspective, NIST has an advantage over ISO 27001 in regard to the protection of PII processing and may be considered a good basis for GDPR compliance.</p></div>
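<div xmlns="http://www.tei-c.org/ns/1.0"><p>As an added example (not part of the original paper or of either standard), the following Python script performs the gap analysis that the control mapping supports: it parses rows written in the conventions of Table 2 ("None" for no ISO counterpart, "---" for withdrawn NIST controls, a trailing asterisk for an ISO control that only partially satisfies the NIST control), lists the NIST controls that ISO 27001 leaves uncovered or only partially covered, and builds a reverse index showing which ISO controls several NIST controls rely on. The pipe-separated row format and the sample rows (a subset transcribed from Table 2) are constructed for this example.</p>
```python
"""Gap analysis over a NIST SP 800-53 -> ISO/IEC 27001:2013 control mapping.

Rows use the conventions of the paper's Table 2: the ISO column is "None"
when no ISO control maps to the NIST control, "---" when the NIST control
is withdrawn, and otherwise a comma-separated list of ISO main-body clauses
(e.g. 7.5.1) or Annex A controls (e.g. A.9.4.2). A trailing "*" marks an
ISO control that does not fully satisfy the intent of the NIST control.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: a subset of rows transcribed from the paper's Table 2.
SAMPLE_TABLE = """\
AC-5  | Separation of Duties | A.6.1.2
AC-6  | Least Privilege | A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
AC-7  | Unsuccessful Logon Attempts | A.9.4.2
AC-10 | Concurrent Session Control | None
AC-13 | Withdrawn | ---
AT-3  | Role-Based Training | A.7.2.2*
AT-4  | Training Records | None
AT-6  | Training Feedback | None
CA-8  | Penetration Testing | None
CM-1  | Configuration Management Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
CP-3  | Contingency Training | A.7.2.2*
CP-13 | Alternative Security Mechanisms | A.17.1.2*
IR-6  | Incident Reporting | A.6.1.3, A.16.1.2
"""

NIST_ID = re.compile(r"^[A-Z]{2}-\d+$")
ISO_REF = re.compile(r"^(A\.)?\d+(\.\d+)*\*?$")


@dataclass
class MappingRow:
    nist_id: str
    name: str
    iso_refs: list = field(default_factory=list)    # ISO ids with any "*" stripped
    partial_refs: set = field(default_factory=set)  # ids that carried a "*"
    withdrawn: bool = False

    @property
    def status(self) -> str:
        """withdrawn | none | partial | full ("full" = every mapped ref unstarred)."""
        if self.withdrawn:
            return "withdrawn"
        if not self.iso_refs:
            return "none"
        return "partial" if self.partial_refs else "full"


def parse_mapping(text: str) -> dict:
    """Parse 'NIST-ID | name | ISO refs' lines into MappingRow objects keyed by NIST id.
    Malformed ids raise ValueError rather than silently becoming a coverage gap."""
    rows = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 3 or not NIST_ID.match(parts[0]):
            raise ValueError(f"line {lineno}: malformed row {raw!r}")
        nist_id, name, iso_col = parts
        row = MappingRow(nist_id, name)
        if iso_col == "---":
            row.withdrawn = True
        elif iso_col != "None":
            for ref in (r.strip() for r in iso_col.split(",")):
                if not ISO_REF.match(ref):
                    raise ValueError(f"line {lineno}: bad ISO reference {ref!r}")
                bare = ref.rstrip("*")
                row.iso_refs.append(bare)
                if ref.endswith("*"):
                    row.partial_refs.add(bare)
        rows[nist_id] = row
    return rows


def is_annex_a(iso_ref: str) -> bool:
    """Annex A controls start with 'A.'; anything else is a main-body clause."""
    return iso_ref.startswith("A.")


def gap_report(rows: dict) -> dict:
    """Group NIST controls by coverage status and build a reverse index
    (ISO control -> NIST controls that rely on it), which shows where one
    ISO control is stretched across several NIST requirements."""
    report = {"none": [], "partial": [], "full": [], "withdrawn": [],
              "reverse": defaultdict(list)}
    for nist_id, row in rows.items():
        report[row.status].append(nist_id)
        for ref in row.iso_refs:
            report["reverse"][ref].append(nist_id)
    report["reverse"] = dict(report["reverse"])
    return report


if __name__ == "__main__":
    report = gap_report(parse_mapping(SAMPLE_TABLE))
    print("no ISO counterpart:   ", ", ".join(report["none"]))
    print("partial coverage only:", ", ".join(report["partial"]))
    for iso_ref, nist_ids in sorted(report["reverse"].items()):
        if len(nist_ids) > 1:
            kind = "Annex A control" if is_annex_a(iso_ref) else "clause"
            print(f"{kind} {iso_ref} is relied on by {len(nist_ids)} NIST controls: {nist_ids}")
```
</div>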
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="3.">Conclusion</head><p>Understanding both the differences and the similarities between these two best-known and most widely adopted security frameworks, ISO 27001 and NIST 800-53, is crucial for implementing an effective information security program that is tailored to the organization's context and to the needs and expectations of interested parties.</p><p>A common misunderstanding is that companies have to pick one or the other framework and stick with it, or that one is better than the other. In fact, both frameworks can be applied in a single organization because of their synergy, and together they can greatly strengthen its information security, risk management, and security program.</p><p>It is not always necessary to choose between NIST 800-53 and ISO 27001. In fact, the two are complementary and can be used in the same organization. However, if certification is your goal, you should definitely look closer at ISO 27001. Being externally audited and achieving accredited certification against the requirements of ISO 27001 would likely provide a higher level of confidence among clients and stakeholders and would be a prerequisite for securing certain contracts. Accredited certification to ISO 27001 demonstrates that your organization follows information security best practices and delivers an independent, expert assessment of whether your valuable information and information assets are adequately protected. At the same time, while implementing the ISO 27001 requirements you can still leverage NIST 800-53 to strengthen the areas that are missing or not sufficiently covered in ISO.</p></div><figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_0"><head>Figure 1 :</head><label>1</label><figDesc>Figure 1: Information security frameworks based on their specialization and coverage</figDesc><graphic coords="2,86.20,72.00,381.10,214.35" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" type="table" xml:id="tab_0"><head>Table 1</head><label>1</label><figDesc>Key differences between NIST SP 800-53 and ISO 27001</figDesc><table><row><cell></cell><cell>NIST SP 800-53</cell><cell>ISO 27001</cell></row><row><cell>Description</cell><cell>A recognized framework that contains security and privacy controls for information systems and organizations to protect organizational operations and assets, with the aim of effectively managing risk</cell><cell>An internationally recognized standard that describes how to manage information security in an organization</cell></row><row><cell>Target organizations</cell><cell>Was primarily created to help US federal agencies</cell><cell>Can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large</cell></row><row><cell>Structure</cell><cell>Contains 1007 controls broken down into 20 control families</cell><cell>Annex A provides 14 control categories with 114 controls</cell></row><row><cell>Complexity</cell><cell>Is very detailed and technical in its nature</cell><cell>Is less technical, with more emphasis on a risk-based approach to managing security</cell></row><row><cell>Certification</cell><cell>Is voluntary and relies on self-assessment and self-compliance</cell><cell>Enables companies to become certified; relies on independent audit and certification bodies</cell></row><row><cell>Availability</cell><cell>Can be freely downloaded from the official source</cell><cell>Distributed on a commercial basis through the official website</cell></row></table></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" type="table" xml:id="tab_1"><head>Table 2</head><label>2</label><figDesc>Mapping NIST SP 800-53 to ISO 27001. Table 2 provides a mapping from the security controls in NIST Special Publication 800-53 to the security controls in ISO/IEC 27001:2013 <ref type="bibr" target="#b26">[29]</ref>. Only the rows recoverable from the extracted text are reproduced here.</figDesc><table><row><cell>NIST SP 800-53 control</cell><cell>ISO/IEC 27001 control</cell><cell>Affected CIA triad element</cell></row><row><cell>AC-5 Separation of Duties</cell><cell>A.6.1.2</cell><cell></cell></row><row><cell>AC-6 Least Privilege</cell><cell>A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5</cell><cell></cell></row><row><cell>AC-7 Unsuccessful Logon Attempts</cell><cell>A.9.4.2</cell><cell></cell></row><row><cell>AC-8 System Use Notification</cell><cell>A.9.4.2</cell><cell></cell></row><row><cell>AC-9 Previous Logon Notification</cell><cell>A.9.4.2</cell><cell></cell></row><row><cell>AC-10 Concurrent Session Control</cell><cell>None</cell><cell>Confidentiality, Integrity</cell></row><row><cell>AC-11 Device Lock</cell><cell>A.11.2.8, A.11.2.9</cell><cell></cell></row><row><cell>AC-12 Session Termination</cell><cell>None</cell><cell>Confidentiality, Integrity</cell></row><row><cell>AC-13 Withdrawn</cell><cell>---</cell><cell></cell></row><row><cell>AC-14 Permitted Actions without Identification or Authentication</cell><cell>None</cell><cell>Confidentiality, Integrity</cell></row><row><cell>AC-15 Withdrawn</cell><cell>---</cell><cell></cell></row><row><cell>AC-16 Security and Privacy Attributes</cell><cell>None</cell><cell>Confidentiality, Integrity</cell></row><row><cell>AC-17 Remote Access</cell><cell>A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2</cell><cell></cell></row><row><cell>AC-18 Wireless Access</cell><cell>A.6.2.1, A.13.1.1, A.13.2.1</cell><cell></cell></row><row><cell>AC-19 Access Control for Mobile Devices</cell><cell>A.6.2.1, A.11.1.5, A.11.2.6, A.13.2.1</cell><cell></cell></row><row><cell>AC-20 Use of External Systems</cell><cell>A.11.2.6, A.13.1.1, A.13.2.1</cell><cell></cell></row><row><cell>AC-21 Information Sharing</cell><cell>None</cell><cell>Confidentiality</cell></row><row><cell>AT-2 Literacy Training and Awareness</cell><cell>7.3, A.7.2.2, A.12.2.1</cell><cell></cell></row><row><cell>AT-3 Role-Based Training</cell><cell>A.7.2.2*</cell><cell></cell></row><row><cell>AT-4 Training Records</cell><cell>None</cell><cell></cell></row><row><cell>AT-5 Withdrawn</cell><cell>---</cell><cell></cell></row><row><cell>AT-6 Training Feedback</cell><cell>None</cell><cell></cell></row><row><cell>CA-8 Penetration Testing</cell><cell>None</cell><cell></cell></row><row><cell>CA-9 Internal System Connections</cell><cell>None</cell><cell></cell></row><row><cell>CM-1 Configuration Management Policy and Procedures</cell><cell>A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2</cell><cell></cell></row><row><cell>CP-2 Contingency Plan</cell><cell>7.5.1, 7.5.2, 7.5.3, A.6.1.1, A.17.1.1, A.17.2.1</cell><cell></cell></row><row><cell>CP-3 Contingency Training</cell><cell>A.7.2.2*</cell><cell></cell></row><row><cell>CP-4 Contingency Plan Testing</cell><cell>A.17.1.3</cell><cell></cell></row><row><cell>CP-5 Withdrawn</cell><cell>---</cell><cell></cell></row><row><cell>CP-7 Alternate Processing Site</cell><cell>A.11.1.4, A.17.2.1</cell><cell></cell></row><row><cell>CP-8 Telecommunications Services</cell><cell>A.11.2.2, A.17.1.2</cell><cell></cell></row><row><cell>CP-10 System Recovery and Reconstitution</cell><cell>A.17.1.2</cell><cell></cell></row><row><cell>CP-11 Alternate Communications Protocols</cell><cell>A.17.1.2*</cell><cell></cell></row><row><cell>CP-12 Safe Mode</cell><cell>None</cell><cell></cell></row><row><cell>CP-13 Alternative Security Mechanisms</cell><cell>A.17.1.2*</cell><cell></cell></row><row><cell>IA-3 Device Identification and Authentication</cell><cell>None</cell><cell></cell></row><row><cell>IA-9 Service Identification and Authentication</cell><cell>None</cell><cell></cell></row><row><cell>IA-11 Re-authentication</cell><cell>None</cell><cell></cell></row><row><cell>IA-12 Identity Proofing</cell><cell>None</cell><cell></cell></row><row><cell>IR-5 Incident Monitoring</cell><cell>None</cell><cell></cell></row><row><cell>IR-6 Incident Reporting</cell><cell>A.6.1.3, A.16.1.2</cell><cell></cell></row><row><cell>IR-7 Incident Response Assistance</cell><cell>None</cell><cell></cell></row><row><cell>IR-9 Information Spillage Response</cell><cell>None</cell><cell></cell></row><row><cell>IR-10 Withdrawn</cell><cell>---</cell><cell></cell></row><row><cell>PM-7 Enterprise Architecture</cell><cell>None</cell><cell></cell></row><row><cell>PM-8 Critical Infrastructure Plan</cell><cell>None</cell><cell></cell></row><row><cell>PM-12 Insider Threat Program</cell><cell>None</cell><cell></cell></row><row><cell>PM-16 Threat Awareness Program</cell><cell>None</cell><cell></cell></row><row><cell>PM-18 Privacy Program Plan</cell><cell>None</cell><cell></cell></row><row><cell>PM-19 Privacy Program Leadership Role</cell><cell>None</cell><cell></cell></row><row><cell>PM-20 Dissemination of Privacy Program Information</cell><cell>None</cell><cell></cell></row><row><cell>PM-21 Accounting of Disclosures</cell><cell>None</cell><cell></cell></row><row><cell>PM-22 Personally Identifiable Information Quality Management</cell><cell>None</cell><cell></cell></row><row><cell>PM-23 Data Governance Body</cell><cell>None</cell><cell></cell></row><row><cell>PM-24 Data Integrity Board</cell><cell>None</cell><cell></cell></row><row><cell>PM-25 Minimization of Personally Identifiable Information Used in Research, Testing, and Training</cell><cell>None</cell><cell></cell></row><row><cell>PM-26 Complaint Management</cell><cell>None</cell><cell></cell></row><row><cell>PM-27 Privacy Reporting</cell><cell>None</cell><cell></cell></row><row><cell>PM-32 Purposing</cell><cell>None</cell><cell></cell></row><row><cell cols="3">Note: An asterisk (*) indicates that the ISO/IEC control does not fully satisfy the intent of the NIST control.</cell></row></table></figure>
		</body>
		<back>
			<div type="annex">
<div xmlns="http://www.tei-c.org/ns/1.0"><head>MA-1 System Maintenance Policy and Procedures</head><p>5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18</p></div>			</div>
			<div type="references">

				<listBibl>

<biblStruct xml:id="b0">
	<monogr>
		<title level="m" type="main">Understanding Cybersecurity Frameworks and Information Security Standards-A Review and Comprehensive Overview</title>
		<author>
			<persName><forename type="first">H</forename><surname>Taherdoost</surname></persName>
		</author>
		<idno type="DOI">10.3390/electronics11142181</idno>
		<imprint>
			<date type="published" when="2022">2022</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b1">
	<analytic>
		<title level="a" type="main">Improving Cybersecurity through the Use of the Cybersecurity Framework</title>
		<author>
			<persName><forename type="first">T</forename><surname>Conkle</surname></persName>
		</author>
		<author>
			<persName><forename type="first">G</forename><surname>Witte</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="m">9th International Topical Meeting on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies, NPIC and HMIT</title>
				<imprint>
			<date type="published" when="2015">2015</date>
			<biblScope unit="volume">3</biblScope>
			<biblScope unit="page" from="2479" to="2486" />
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b2">
	<analytic>
		<title level="a" type="main">Security Rating Metrics for Distributed Wireless Systems</title>
		<author>
			<persName><forename type="first">V</forename><surname>Buriachok</surname></persName>
		</author>
		<author>
			<persName><forename type="first">V</forename><surname>Sokolov</surname></persName>
		</author>
		<author>
			<persName><forename type="first">P</forename><surname>Skladannyi</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="m">8th International Conference on &quot;Mathematics. Information Technologies. Education</title>
				<imprint>
			<date type="published" when="2019">2019</date>
			<biblScope unit="volume">2386</biblScope>
			<biblScope unit="page" from="222" to="233" />
		</imprint>
	</monogr>
	<note>Modern Machine Learning Technologies and Data Science (MoMLeT and DS)</note>
</biblStruct>

<biblStruct xml:id="b3">
	<analytic>
		<title level="a" type="main">Assessing Approaches of IT Infrastructure Audit</title>
		<author>
			<persName><forename type="first">F</forename><surname>Kipchuk</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="m">IEEE 8th</title>
				<imprint/>
	</monogr>
</biblStruct>

<biblStruct xml:id="b4">
	<monogr>
		<idno type="DOI">10.1109/picst54195.2021.9772181</idno>
		<title level="m">IEEE 8th International Conference on Problems of Infocommunications, Science and Technology (PIC S&amp;T)</title>
				<imprint>
			<publisher>IEEE</publisher>
			<date type="published" when="2021">2021</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b5">
	<analytic>
		<title level="a" type="main">Investigation of the IoT Device Lifetime with Secure Data Transmission</title>
		<author>
			<persName><forename type="first">I</forename><surname>Kuzminykh</surname></persName>
		</author>
		<idno type="DOI">10.1007/978-3-030-30859-9_2</idno>
	</analytic>
	<monogr>
		<title level="m">Internet of Things, Smart Spaces, and Next Generation Networks and Systems</title>
				<imprint>
			<date type="published" when="2019">2019</date>
			<biblScope unit="page" from="16" to="27" />
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b6">
	<monogr>
		<ptr target="https://www.complianceforge.com/faq/nist-800-53-vs-iso-27002-vs-nist-csf-vs-scf" />
		<title level="m">NIST Cybersecurity Framework vs ISO 27001/27002 vs NIST 800-53 vs Secure Controls Framework</title>
				<imprint/>
		<respStmt>
			<orgName>ComplianceForge</orgName>
		</respStmt>
	</monogr>
</biblStruct>

<biblStruct xml:id="b7">
	<monogr>
		<title level="m" type="main">Information Security Management Needs More Holistic Approach: A Literature Review</title>
		<author>
			<persName><forename type="first">A</forename><surname>Zahoor</surname></persName>
		</author>
		<idno type="DOI">10.1016/j.ijinfomgt.2015.11.009</idno>
		<imprint>
			<date type="published" when="2016">2016</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b8">
	<monogr>
		<idno>ISO/IEC 27001</idno>
		<ptr target="https://www.iso.org/standard/54534.html" />
		<title level="m">Information Technology-Security Techniques-Information Security Management Systems-Requirements</title>
				<imprint>
			<date type="published" when="2013">2013</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b9">
	<monogr>
		<idno>ISO/IEC 27002</idno>
		<ptr target="https://www.iso.org/standard/54533.html" />
		<title level="m">Information Technology-Security Techniques-Code of Practice for Information Security Controls</title>
				<imprint>
			<date type="published" when="2013">2013</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b10">
	<monogr>
		<ptr target="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final" />
		<title level="m">Security and Privacy Controls for Information Systems and Organizations, Special Publication (SP) 800-53 Rev 5</title>
				<imprint>
			<publisher>National Institute of Standards and Technology, U.S. Department of Commerce</publisher>
			<date type="published" when="2020">2020</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b11">
	<monogr>
		<ptr target="https://1path2020b.websitetotalcare.com/blog/overviewof-thenist-cybersecurity-framework" />
		<title level="m">Overview of the NIST Cybersecurity Framework</title>
				<imprint>
			<date type="published" when="2018">2018</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b12">
	<analytic>
		<title level="a" type="main">PCI DSS Quick Reference Guide</title>
		<ptr target="https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf" />
	</analytic>
	<monogr>
		<title level="m">Understanding the Payment Card Industry Data Security Standard</title>
				<imprint>
			<date type="published" when="2018">2018</date>
			<biblScope unit="volume">3</biblScope>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b13">
	<monogr>
		<ptr target="https://www.cisecurity.org/controls/v8/" />
		<title level="m">CIS Controls v8</title>
				<imprint>
			<date type="published" when="2021">2021</date>
		</imprint>
		<respStmt>
			<orgName>Center for Internet Security</orgName>
		</respStmt>
	</monogr>
</biblStruct>

<biblStruct xml:id="b14">
	<monogr>
		<title level="m">CIS Controls v8 Mapping to NIST SP 800-53 Rev 5</title>
				<imprint>
			<date type="published" when="2021">2021</date>
		</imprint>
		<respStmt>
			<orgName>Center for Internet Security</orgName>
		</respStmt>
	</monogr>
</biblStruct>

<biblStruct xml:id="b15">
	<monogr>
		<title level="m">Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, 110 Stat. 1936</title>
				<imprint>
			<date type="published" when="1996-08-21">August 21, 1996</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b16">
	<monogr>
		<ptr target="https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/" />
		<title level="m">Cloud Controls Matrix, Cloud Security Alliance</title>
				<imprint>
			<date type="published" when="2021">2021</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b17">
	<monogr>
		<title level="m">Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)</title>
				<imprint>
			<date type="published" when="2016">2016</date>
			<biblScope unit="page" from="1" to="88" />
		</imprint>
	</monogr>
	<note>Official Journal of the European Union L 119; applicable from 2018</note>
</biblStruct>

<biblStruct xml:id="b18">
	<monogr>
		<idno>ISO/IEC 27701:2019</idno>
		<ptr target="https://www.iso.org/standard/71670.html" />
		<title level="m">Security Techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management - Requirements and Guidelines</title>
				<imprint>
			<date type="published" when="2019">2019</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b19">
	<monogr>
		<ptr target="https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf" />
		<title level="m">Trust Services Criteria Issued by the AICPA Assurance Services Executive Committee</title>
				<imprint>
			<date type="published" when="2017">2017</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b20">
	<monogr>
		<title level="m">COBIT 5, A Framework for the Governance and Management of Enterprise IT</title>
				<imprint>
			<date type="published" when="2012">2012</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b21">
	<analytic>
		<title level="a" type="main">Comparative Analysis and Design of Cybersecurity Maturity Assessment Methodology Using NIST CSF COBIT ISO/IEC 27002 and PCI DSS</title>
		<author>
			<persName><forename type="first">D</forename><surname>Sulistyowati</surname></persName>
		</author>
		<author>
			<persName><forename type="first">F</forename><surname>Handayani</surname></persName>
		</author>
		<author>
			<persName><forename type="first">Y</forename><surname>Suryanto</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="j">International Journal on Informatics Visualization</title>
		<imprint>
			<biblScope unit="volume">4</biblScope>
			<biblScope unit="issue">4</biblScope>
			<biblScope unit="page" from="225" to="230" />
			<date type="published" when="2020">2020</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b22">
	<analytic>
		<title level="a" type="main">Information Security Management Standards: Problems and Solutions</title>
		<author>
			<persName><forename type="first">M</forename><surname>Siponen</surname></persName>
		</author>
		<author>
			<persName><forename type="first">R</forename><surname>Willison</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="j">Information &amp; Management</title>
		<imprint>
			<biblScope unit="volume">46</biblScope>
			<biblScope unit="page" from="267" to="270" />
			<date type="published" when="2009">2009</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b23">
	<monogr>
		<author>
			<persName><forename type="first">S</forename><surname>Yevseiev</surname></persName>
		</author>
		<title level="m">Synergy of Building Cybersecurity Systems: Monograph</title>
				<imprint>
			<date type="published" when="2021">2021</date>
		</imprint>
		<respStmt>
			<orgName>PC Technology Center</orgName>
		</respStmt>
	</monogr>
</biblStruct>

<biblStruct xml:id="b24">
	<analytic>
		<title level="a" type="main">Methodology of ISMS Establishment Against Modern Cybersecurity Threats</title>
		<author>
			<persName><forename type="first">V</forename><surname>Susukailo</surname></persName>
		</author>
		<author>
			<persName><forename type="first">I</forename><surname>Opirsky</surname></persName>
		</author>
		<author>
			<persName><forename type="first">O</forename><surname>Yaremko</surname></persName>
		</author>
		<idno type="DOI">10.1007/978-3-030-92435-5_15</idno>
	</analytic>
	<monogr>
		<title level="m">Future Intent-Based Networking</title>
		<title level="s">Lecture Notes in Electrical Engineering</title>
		<imprint>
			<biblScope unit="volume">831</biblScope>
			<date type="published" when="2022">2022</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b25">
	<monogr>
		<ptr target="https://www.riskmanagementstudio.com/best-practice-iso-27001-required-documentation/" />
		<title level="m">ISO Official website-ISO/IEC 27001 Information security management</title>
				<imprint/>
	</monogr>
</biblStruct>

<biblStruct xml:id="b26">
	<monogr>
		<ptr target="https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-to-iso-27001-mapping.docx" />
		<title level="m">NIST SP 800-53 Revision 5 Control Mappings to ISO/IEC 27001</title>
				<imprint/>
		<respStmt>
			<orgName>National Institute of Standards and Technology</orgName>
		</respStmt>
	</monogr>
</biblStruct>

				</listBibl>
			</div>
		</back>
	</text>
</TEI>
