An Information Security Management System (ISMS) is a primary asset responsible for an organization’s cybersecurity. It structures the security unit and its respective functions, and organizations tend to follow a defined standard for its design (Susanto & Almunawar, 2018). Those standards are frameworks that determine such aspects of organizational activities as IT Governance, IT Management, and Risk Management, which are all intertwined. IT Governance is responsible for planning, decision-making, and establishing capabilities, particularly those targeting internal security concerns (Rubino et al., 2017).
IT Management executes planned activities and makes the strategy viable, and its operations directly impact the organization’s cybersecurity status (De Haes et al., 2016). Risk Management is connected with the other two in the sense that both employ it, and it reports the situation regarding security issues so that the strategy can be updated accordingly (Vincent et al., 2017). It also aims to mitigate existing problems, which is more approachable with an ISMS. Altogether, a framework facilitates organizational processes, which share responsibility for maintaining cybersecurity, and its selection is crucial for the main strategy.
Three frameworks are relevant as far as the processes of maintaining cybersecurity and avoiding risks for e-commerce are concerned. They are the ISO/IEC 27000 series (27000, 27001, and 27002), COBIT 5, and NIST’s CSF. The ISO/IEC 27000 series is an international standard of best practices for the overall ISMS, making use of controls and activity sequences (Aminzade, 2018). ISO/IEC 27001 includes seven sections with requirements to be met if an organization wishes to achieve compliance with ISO standards. For instance, one should contextualize organizational needs, provide rigorous planning and support for the ISMS, and evaluate security (Praxiom Research Group, 2020).
ISO/IEC 27002 is broader and concerns such points as cryptography policy and supplier relationships (Praxiom Research Group, 2020). Businesses adopt the framework family due to its established nature, which allows for general guidance, and to gain trust from their partners and customers, who might be familiar with the name (Humphreys, 2016). The desired outcomes and benefits are numerous, including information confidentiality, systematic detection of vulnerabilities, minimization of IT risks, reduction of security breaches, and a competitive edge (Humphreys, 2016). Overall, the framework series guarantees established guidelines and constant support.
Control Objectives for Information Technology (COBIT) is another framework under consideration, and its objectives can specifically target enterprises. It includes requirements for implementing an ISMS and aligns with other frameworks (Ahmed, 2017). COBIT 5 contains five process areas: “Evaluate, Direct, and Monitor,” “Align, Plan, and Organize,” “Build, Acquire, and Implement,” “Deliver, Service, and Support,” and “Monitor, Evaluate, and Assess” (Mohanan & Menon, 2016).
Businesses adopt this framework because it optimizes costs and provides IT value through effective and innovative use, while ensuring compliance with relevant legislation, agreements, policies, and standards (Chatterji, 2016). These steps allow an organization to deploy effective management that brings more clarity to creating a governance system for business needs (Almeida et al., 2018). The framework’s open-source model allows for continuous feedback, and its customizability leads to faster updates and enhancements (Chatterji, 2016). Thus, COBIT addresses the secure, legal, and innovative aspects of operating an ISMS and reflects the flexibility necessary for a business.
The NIST CSF is relatively recent and notable for its innovative nature. While its primary purpose is to address critical cybersecurity risks through its five functions (identify, protect, detect, respond, and recover), it can also maintain transaction privacy for all stakeholders involved (IBM Cloud Education, 2020). Additionally, the framework analyzes the business environment and manages an organization’s assets, which can occur regardless of actual threats (IBM Cloud Education, 2020). NIST’s CSF also supports cyber-physical systems, which are gradually being integrated into the business sphere (Burns et al., 2018). Altogether, NIST has important supportive functions co-existing with the defensive ones and aims for future developments.
The frameworks can function independently or in a sequence to address risks and support business operations. For instance, COBIT 5 and NIST can cooperate in a risk management process, where the latter will assess the situation and the former will respond to it (Supriyadi & Hardani, 2018). Any framework is capable of identifying the threat’s category and level, although NIST can be particularly useful for businesses. The ISO/IEC 27002 series is instrumental in ensuring human resources security, so employees will not be concerned with their data being stolen or manipulated (Sulistyowati et al., 2020).
Meanwhile, NIST can cover other parties, including customers, suppliers, and shareholders (IBM Cloud Education, 2020). COBIT 5 can ensure benefits delivery and determine the financial aspects of the IT enterprise, compensating for the absence of those objectives in the other frameworks. All frameworks also contribute to enhancing an organization’s management functions, so e-commerce may find its standard-defined ISMS useful for operations beyond maintaining security. Thus, the industry may use the frameworks mainly for various cybersecurity issues and operations, but they can be beneficial for overall business too.
The three frameworks have overlapping functions and complementary features, so using them simultaneously may enhance cybersecurity. For example, all of them address asset management and the business environment, so they can be applied to compensate for COBIT 5’s inability to distinguish between business and operational controls (Noor & Ghazanfar, 2016). As mentioned previously, the frameworks can identify a threat’s characteristics, but it might be worth analyzing how all three view a risk to ascertain its priority. Communication is another aspect where the functions intertwine, as one framework (ISO/IEC) may focus on internal stakeholders, while the other two can cover the more extensive external network (Almeida et al., 2018).
The same division can also be applied to protection procedures: COBIT 5, due to its optimizing nature, is recommended for data susceptible to low risks, and more rigorous aspects can be entrusted to the other two (Matsikidze & Kyobe, 2020). Maintenance is another aspect where the frameworks overlap, so their objectives can be distributed depending on risk levels and data importance (Sulistyowati et al., 2020). In conclusion, an organization may use the three guidelines to enhance overall cybersecurity, as they will mend each other’s individual weaknesses.
Nowadays, online businesses cannot afford their cybersecurity to be breached, as threats become more substantial, affecting operations and endangering both staff and clients. Thus, using various frameworks, such as the ISO/IEC 27000 series, COBIT 5, and NIST, for one’s ISMS is essential to ensure that all information is secure. Their roles in maintaining cybersecurity, namely identifying threats (ISO/IEC), responding to them (NIST), protecting stakeholders’ data, and delivering benefits (COBIT 5), have been highlighted. Some of the framework functions overlap, so they can be integrated to compensate for each other’s weaknesses in a particular aspect, and the overall result will guarantee enhanced cybersecurity. Frameworks can be more business-oriented or innovative, but they all strive to develop and address the latest threats.
References
Ahmed, H. S. A. (2017). COBIT 5 for risk—A powerful tool for Risk Management. ISACA.
Almeida, R., Lourinho, R., Mira da Silva, M., & Pereira, R. (2018). A model for assessing COBIT 5 and ISO 27001 simultaneously. 2018 IEEE 20th Conference on Business Informatics (CBI). IEEE Xplore.
Aminzade, M. (2018). Confidentiality, integrity and availability – finding a balanced IT framework. Network Security, 2018(5), 9–11.
Burns, M., Manganelli, J., Wollman, D., Laurids Boring, R., Gilbert, S., Griffor, E., Lee, Y.-C., Nathan-Roberts, D., & Smith-Jackson, T. (2018). Elaborating the human aspect of the NIST framework for cyber-physical systems. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 62(1), 450–454. SAGE Journals.
Chatterji, S. (2016). Improving business with COBIT 5. ISACA.
De Haes, S., Huygh, T., Joshi, A., & Van Grembergen, W. (2016). Adoption and impact of IT Governance and Management practices: A COBIT 5 perspective. International Journal of IT/Business Alignment and Governance (IJITBAG), 7(1), 50–72.
Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS standard (2nd edition). Artech House.
IBM Cloud Education (2020). NIST Cybersecurity Framework. IBM.
Matsikidze, H., & Kyobe, M. (2020). A proposed cyber security framework for auditing in financial institutions. 11th IEEE Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON). IEEE Xplore.
Mohanan, C., & Menon, V. (2016). Disaster management in India — An analysis using COBIT 5 principles. 2016 IEEE Global Humanitarian Technology Conference (GHTC). IEEE Xplore.
Noor, U., & Ghazanfar, A. (2016). A survey revealing path towards service life cycle management in COBIT 5. 2016 Eleventh International Conference on Digital Information Management (ICDIM). IEEE Xplore.
Praxiom Research Group (2018). ISO IEC 27002 2013: Plain English overview.
Praxiom Research Group (2020). ISO IEC 27001 2013: Plain English overview.
Rubino, M., Vitolla, F., & Garzoni, A. (2017). The impact of an IT Governance framework on the internal control environment. Records Management Journal, 27(1), 19–41.
Sulistyowati, D., Handayani, F., & Suryanto, Y. (2020). Comparative analysis and design of cybersecurity maturity assessment methodology using NIST CSF, COBIT, ISO/IEC 27002 and PCI DSS. International Journal on Informatics Visualization, 4(4), 225–230.
Supriyadi, Y., & Hardani, C. W. (2018). Information System Risk Scenario Using COBIT 5 for Risk and NIST SP 800-30 Rev. 1: A case study. 2018 3rd International Conference on Information Technology, Information System and Electrical Engineering (ICITISEE). IEEE Xplore.
Susanto, H., & Almunawar, M. N. (2018). Information Security Management Systems: A novel framework and software as a tool for compliance with information security standards. Apple Academic Press.
Vincent, E. D., Higgs, J. L., & Pinsker, R. E. (2017). IT governance and the maturity of IT Risk Management practices. Journal of Information Systems, 31(1), 59–77.