Frameworks Revision
To solidify my knowledge of the main cybersecurity frameworks, today I am reviewing what I have covered so far and filling any gaps.
In addition, I intend to sit ISC2's Certified in Cybersecurity (CC) exam, and the largest single share of the exam weighting is Domain One: Security Principles.
Looking at my notes from previous days I noticed one framework that I did not get to look at: ISACA’s COBIT (2019).
This stands for Control Objectives for Information and Related Technology and is a framework for the governance and management of enterprise information and technology.
Based on my research, one advantage of COBIT 2019 is that it is designed to sit above and map onto other standards such as NIST CSF and ISO/IEC 27001 rather than replace them, so it can be adopted alongside whichever of those an organisation already implements.
For that reason, my focus remains on NIST and ISO. To make sure I understand the key differences and areas of overlap between the two, I have put together the following table:
| Aspect | ISO/IEC 27001:2022 | NIST CSF 2.0 |
|---|---|---|
| Primary Focus | Information Security Management System (ISMS): requirements + risk-driven controls | Cybersecurity outcomes: a framework to assess/improve posture |
| Scope | Organization-defined ISMS boundary (products, sites, data types) | Any organization, regardless of size or sector (CSF 1.x originated for US critical infrastructure; 2.0 is explicitly general-purpose) |
| Structure | Clauses 4–10 (ISMS processes) + Annex A (93 controls in 4 themes: Organizational, People, Physical, Technological) | 6 Functions (Govern, Identify, Protect, Detect, Respond, Recover) → Categories → Subcategories |
| Prescriptiveness | Risk-based requirements + reference controls; implementation guidance in ISO 27002 | Outcomes, not controls; flexible for all orgs |
| Certification | Yes – accredited certification bodies | No certification |
| Governance | Clause 5 (Leadership), Clause 6 (Planning), Clause 9 (Performance evaluation) | Govern Function (GV) added in CSF 2.0 |
| Risk Management | Clauses 6.1.2 & 6.1.3 (risk assessment & treatment, Statement of Applicability) | Identify Function (ID.RA Risk Assessment), with strategy and appetite set under Govern (GV.RM) |
| Security Operations | Annex A controls (logging, monitoring, incident mgmt, access mgmt, crypto, continuity) | Protect, Detect, Respond, Recover Functions |
| Supply Chain | Annex A (supplier relationships, cloud service security) | Govern/Identify |
| Business Continuity | Annex A: ICT readiness for BC, backup, recovery | Recover Function |
| Physical Security | Annex A Physical theme (secure areas, entry controls, equipment protection) | Protect Function |
| Privacy | Mainly security-driven (privacy covered in the ISO/IEC 27701 extension) | Not a core Function; CSF 2.0 points to the NIST Privacy Framework for privacy risk management |
Areas of Overlap
| Capability Area | ISO/IEC 27001:2022 | NIST CSF 2.0 |
|---|---|---|
| Access control | Annex A: Access Mgmt & Authentication | Protect |
| Awareness & training | Annex A: Awareness & Competence | Protect |
| Logging & monitoring | Annex A: Monitoring, Logging, Detection | Detect |
| Incident management | Annex A: Incident Mgmt | Respond |
| Business continuity | Annex A: Backup, ICT readiness, continuity | Recover |
| Supplier security | Annex A: Supplier relationships, cloud security | Govern |
| Risk assessment | Clauses 6.1.2, 6.1.3 | Identify |
| Governance | Clauses 4–6, 9–10 | Govern |
| Cryptography | Annex A: Cryptography & Key Mgmt | Protect |
| Vulnerability mgmt | Annex A: Vulnerability Mgmt | Identify, Protect |
| Physical protection | Annex A: Physical & Environmental | Protect |