Although there are many cybersecurity frameworks, and they all serve the same broad purpose, they differ in several respects: each focuses on a different field, each is organized into different domains, and each has its own advantages and disadvantages. In this post, “Comparison Between Cybersecurity Frameworks Types”, we compare five of them: NIST, ISO 27001, CIS, CMMI, and COBIT 5.
NIST (the NIST Cybersecurity Framework, CSF) focuses on measuring how mature an organization's controls are and on aligning cybersecurity defenses with organizational goals. Its domains are the five core functions: Identify, Protect, Detect, Respond, and Recover. Its advantages: it builds on earlier frameworks and standards, it is available free of charge, and it maps onto many compliance requirements. Its disadvantages: an assessment may simply confirm what the organization already knows, and because the framework describes outcomes rather than prescribing specific controls, it can be difficult to translate the results into concrete action items.
ISO 27001 focuses on building and certifying an information security management system (ISMS). Among its Annex A control domains are security policies, human resources security, access control, asset management, and the organization of information security. Its advantages: it is the most widely recognized international IT security standard, and many compliance requirements are built on it. Its disadvantages: certification is costly; the standard states requirements but not how to implement them (implementation guidance lives in the companion standard ISO/IEC 27002); and at the time of writing the 2013 edition had not been revised, a gap later closed by the 2022 edition.
CIS (the CIS Controls) focuses on protecting and tracking high-risk areas through a prioritized set of controls, many of which can be automated. Its domains are the three control groups: Basic, Foundational, and Organizational. Its advantages: it is easy to use, its controls are concrete and actionable, and it is regularly updated. Its disadvantage: it is not comprehensive, since it concentrates on a prioritized subset of security practices rather than a full management system.
CMMI focuses on measuring the capability of software engineering and related business processes. Its domains correspond to its constellations: product and service development (CMMI-DEV), service establishment and management (CMMI-SVC), and product and service acquisition (CMMI-ACQ). Its advantages: it is continuously improved and well suited to large software development organizations. Its disadvantages: it is centered on software development processes rather than on security specifically, and it requires well-defined roles and processes to already be in place before it can be applied.
COBIT 5 focuses on linking business and IT goals, assigning responsibilities, and measuring control maturity. Its domains are control objectives, maturity models, process descriptions, and management guidelines. Its advantages: it maps onto many compliance requirements and is strong on IT governance. Its disadvantage: it is light on cybersecurity-specific components, since it is a governance framework first.
In this post we have compared five cybersecurity frameworks: NIST, ISO 27001, CIS, CMMI, and COBIT 5. Before deciding which one to adopt, understand your own organization's governance, risk management, and compliance (GRC) needs and what you want to achieve, rather than blindly following what other organizations have done.
E-SPIN Group supplies enterprise ICT solutions, consulting, project management, training, and maintenance to multinational corporations and government agencies across the region. Feel free to contact E-SPIN for cybersecurity management services, from governance, risk management and compliance (GRC) and cybersecurity framework implementation to threat and vulnerability management, penetration testing, red teaming, and DevSecOps.