CISSP: Comparing Major Security Governance Frameworks

A comparison of key security governance frameworks covered in the CISSP exam: NIST, ITIL, ISO 27000, COSO, and COBIT, with their features and differences.

The following major frameworks and standards support security governance; each has a different issuing body, scope and emphasis, and the CISSP exam expects you to be able to tell them apart.

NIST (National Institute of Standards and Technology)

  • Issuing body: National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce
  • Features:
    • Publishes standards (FIPS) and guidelines (Special Publications) that are mandatory for U.S. federal agencies under FISMA and are used voluntarily by private-sector organizations.
    • Best known for the NIST Cybersecurity Framework (CSF), a voluntary, risk-based framework organized around core functions (Identify, Protect, Detect, Respond, Recover, with Govern added in CSF 2.0).
    • The NIST SP 800 series provides detailed guidance on specific security management and technical topics, for example SP 800-53 (security and privacy controls) and SP 800-37 (the Risk Management Framework).
  • Differences:
    • Government-issued and written for U.S. federal use, although the CSF and the SP 800 series are widely adopted outside government and outside the U.S.
    • Rich in practical and technical guidance, down to specific control catalogs, rather than a certifiable management-system standard.

ITIL (Information Technology Infrastructure Library)

  • Issuing body: AXELOS (originally a joint venture between the UK government and Capita; acquired by PeopleCert in 2021)
  • Features:
    • Provides best practices for IT service management (ITSM).
    • Includes information security management as one of its processes, but its primary aim is improving the efficiency and quality of IT services overall.
    • ITIL v3/2011 is organized around the service lifecycle (Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement); ITIL 4 replaces this with the Service Value System and a set of management practices, one of which is Information Security Management.
  • Differences:
    • Focuses on IT service management overall, with security treated as one part of it.
    • Characterized by clear definitions of processes and roles; organizations are not certified against ITIL itself (certification is for individuals; the related organizational standard is ISO/IEC 20000).

ISO/IEC 27000 Series

  • Issuing body: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), through their joint technical committee ISO/IEC JTC 1
  • Features:
    • International standards for information security management.
    • ISO/IEC 27001: Specifies the requirements for establishing, operating and continually improving an Information Security Management System (ISMS); its Annex A lists the reference controls.
    • ISO/IEC 27002: Provides guidance on implementing the information security controls referenced in ISO/IEC 27001 Annex A (guidance only, not a certifiable standard).
    • Globally recognized and widely applied.
  • Differences:
    • An international standard with a formal certification scheme: organizations can be audited and certified against ISO/IEC 27001 by accredited certification bodies.
    • Focuses on organization-wide, risk-based information security management rather than on specific technologies.

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

  • Issuing body: COSO, a joint initiative of five U.S. accounting and auditing professional associations (AAA, AICPA, FEI, IIA and IMA)
  • Features:
    • Provides frameworks for internal control and enterprise risk management.
    • COSO Internal Control - Integrated Framework (2013): Guidelines for designing and assessing internal controls, built on five components (control environment, risk assessment, control activities, information and communication, monitoring activities).
    • Emphasizes risk management from the perspective of accounting and financial reporting; COSO also publishes a separate Enterprise Risk Management (ERM) framework.
  • Differences:
    • Primarily focuses on internal controls and risk management, with information security as one component of the overall control environment rather than the main subject.
    • Closely tied to ensuring the reliability of financial reporting (for example, it is the framework most commonly used for Sarbanes-Oxley Section 404 compliance); not an IT-specific framework.

COBIT (Control Objectives for Information and Related Technologies)

  • Issuing body: ISACA (formerly the Information Systems Audit and Control Association)
  • Features:
    • A framework for the governance and management of enterprise IT.
    • COBIT 2019: Provides a comprehensive framework for IT governance and management, covering risk management, compliance and security management, organized as governance and management objectives (for example APO13 Managed Security and DSS05 Managed Security Services).
    • Emphasizes alignment between business goals and IT, and explicitly separates governance (evaluate, direct, monitor; the board's role) from management (plan, build, run, monitor).
  • Differences:
    • Specializes in IT governance, emphasizing the alignment of business goals and IT strategy; it is often used alongside ITIL (how to run services) and ISO/IEC 27001 (how to manage security).
    • Widely used as an audit and assurance reference for IT controls, reflecting ISACA's auditing background.