From Facebook to Capital One, high-profile data breaches affecting hundreds of millions of people have become alarmingly commonplace. It should come as little surprise, then, that the United States is beginning to follow the lead of the European Union in creating laws to protect the sensitive consumer info that’s so often compromised in those breaches.
Such laws are just the latest incentive for businesses to implement a comprehensive data security program to ensure that they’re prepared in the event of a breach. And for organizations that may be behind the curve on this matter — which amounts to roughly 7 in 10 U.S. businesses, according to a 2017 survey — the best place to begin is with the implementation of a cybersecurity framework (CSF).
Yet choosing the right cybersecurity framework is no small task. The first step is to distinguish between CSFs that are comprehensive, and those that are designed to achieve a specific objective. The latter category includes such frameworks as the Health Information Trust Alliance (HITRUST), which is used in healthcare, and the Cloud Security Alliance Cloud Controls Matrix (CCM), specific to cloud computing.
For most businesses, though — particularly those that are modest-sized, or not operating in a highly regulated industry like healthcare or finance — it makes more sense to begin with the first category. In fact, almost every industry-specific CSF is a hybrid built on the foundation of a more comprehensive cybersecurity framework.
With that in mind, let’s take a look at the leading types of comprehensive cybersecurity frameworks, and how they stack up against one another.
Comparing Comprehensive Cybersecurity Frameworks
NIST Cybersecurity Framework
Summary
Offering detailed guidance on everything from risk assessment and continuous monitoring to incident response and awareness training, NIST is considered the gold standard of CSFs, providing not only a comprehensive plan for data protection and risk mitigation but also a methodology for limiting the impact of adverse events. It’s also available in a variety of different versions to meet the needs of various industries and areas of emphasis.
How It Stacks Up
Businesses using the NIST can be confident that they’re implementing a framework that’s not only flexible and customizable, but also regularly updated and government approved, leveraging the collective wisdom and unique insights of the nation’s federal resources. Moreover, NIST offers a simpler alternative through NIST.IR 7621r1, intended as a “crawl before you walk” cyber guideline that can be a good precursor to the more elaborate NIST family. Another bonus of the NIST is the vast library of resources available for those who use it.
Will It Work for Your Business?
NIST is designed to be adaptable to a wide variety of different needs and is regularly updated to meet the evolving needs of cybersecurity. Yet because it’s so comprehensive, some more modest-sized organizations may also find it intimidating in scope, and resource-intensive to keep up with, often requiring expert guidance for implementation.
ISO 27000 Cybersecurity Framework Series
Summary
Simultaneously broad in scope and comprehensive in detail, the cybersecurity standards of the ISO are designed to help organizations ensure a level of data privacy and confidentiality that not only helps them avoid prosecution, but also maximizes operational efficiencies by reducing vulnerability to disruptive attacks.
How It Stacks Up
The ISO series is a truly international framework, designed to accompany decades-old ISO standards for quality assurance in other areas like manufacturing (ISO 9000) and environmental protection (ISO 14000). Like NIST, the ISO series offers various subsets (e.g., ISO 27799, defining standards for healthcare), which could reduce the need for developing hybrid frameworks.
Will It Work for Your Business?
Because the EU has much stricter data protection standards than the U.S. (at least, so far), businesses that have any international operational footprint may be wise to consider using the ISO as a foundation when building their cybersecurity framework.
CIS® Cybersecurity Framework
Summary
With an emphasis on protecting against the most prevalent cyberattacks and mitigating the effects of breaches, the CIS model provides a straightforward framework of actionable defense mechanisms designed to ensure that appropriate personnel are accessing appropriate data and assets within an organization.
How It Stacks Up
Offering relative operational simplicity and an emphasis on protection and mitigation, the CIS is perhaps more focused than the NIST or ISO, yet no less reliable. (The NIST uses CIS standards in several of its data protection standards.)
Will It Work for Your Business?
Because it was designed by high-level IT professionals rather than regulators or administrators, the CIS framework is viewed by many as being the most practical CSF. In addition, its focus on defense and mitigation is valued by organizations with a need to quickly address risk and to develop resiliency against potential cyberattacks.
COBIT Cybersecurity Framework
Summary
The COBIT framework offers a tool for managers to assess risks and shore up weak spots from a big-picture perspective — in essence, it’s a simpler CSF that’s designed to provide a means for ensuring data security while avoiding the wasted resources that come from organizational confusion and the duplication of efforts.
How It Stacks Up
Though not bearing the same clout as the ISO or NIST, the COBIT framework has a comparable legacy, dating back to 1996. Though it’s designed to be agile and efficient, COBIT has also been criticized for its simplicity, as well as a perceived tendency to cause stakeholder avoidance rather than nurturing the organization-wide embrace of accountability that cybersecurity requires.
Will It Work for Your Business?
Used globally, COBIT offers standards that are recognized by a number of international organizations, and can be used confidently by organizations across all industries. But more important than this may be its accessibility, with a design that strives to connect the on-the-ground realities of running a business with the goals of effective cybersecurity governance.
Which Cybersecurity Framework Is Best for Your Business?
For businesses that aren’t tech-savvy, learning more about cybersecurity frameworks can often be more confusing than enlightening. Even if you’re confident that you know where to begin, it’s still a good idea to seek expert assistance – attempting to implement a CSF without professional guidance is comparable to going to trial without the help of an attorney.
We can help provide the expertise you need to ensure that your cybersecurity efforts meet today’s regulatory and commercial demands. Contact us here to set up a complimentary consultation with an Omnistruct cybersecurity specialist.