
The Symbiotic Relationship Between COBIT 5 and NIST CSF


Take three things:

1. Legislative requirements.
2. The Cyberworld.
3. Running a Business.

Together they are a disaster waiting to happen unless we have a clear understanding of what is needed to achieve:

• Legal compliance.
• Cyber threat management.
• Crisis and business continuity responses.

They have been around for a long time in some shape or form. Why mention them again, now?

Because legislation is becoming more stringent, to compensate for fast-moving developments in IT that favour the criminal at the expense of people and business.

What is the legislation?

In the USA, it is the New York State Department of Financial Services’ (DFS) “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR Part 500). It came into effect on 1 March 2017 and applies to firms “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking, insurance or financial services law” (source: EY).

Its purpose is to “promote the protection of customer information as well as the information technology systems of regulated entities”. HousingWire summarises what must be enacted:

A. Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.
B. Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing.
C. Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events.
D. Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

In the EU, it is the General Data Protection Regulation (GDPR), which applies from 25 May 2018. For an overview see. Key aspects relate to:

a. Firms’ levels of responsibility and accountability.
b. Obtaining explicit consent to collect personal data.
c. The enhanced role of the Data Protection Officer.
d. Anonymising personal data.
e. Greater requirements around reporting data breaches.
f. Sanctions and fines.
g. Right to be forgotten.
h. Data portability.
i. Privacy by design and default.

Both laws demand improvements in protecting, and being accountable for, data and systems, with security that is agile rather than static.

Enter the Cyberworld. Unless you have good cyber housekeeping in place – and there are at least 33 rules (see the Cyber House Rules in Chapter 1 of “CYBERSECURITY EXPOSED: The Cyber House Rules”, Meeuwisse R, 2017, Cyber Simplicity Ltd., ISBN 978-1-911452-09-6) – you are unlikely to satisfy the legal requirements.

Bye-bye to your business.

But there is help – NIST CSF and COBIT 5.

What is NIST CSF? The National Institute of Standards and Technology created the Cybersecurity Framework in response to increasing threats to data and systems. The key focus is on having better cybersecurity within firms. The framework helps organisations understand what they need to do to be cyber-safe via an easy-to-understand approach: Functions (Identify, Protect, Detect, Respond, Recover), Profiles, and Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive). The Tiers are commonly used as a maturity model, although NIST itself cautions that they are not maturity levels.

What is COBIT 5? It is a comprehensive framework that helps organisations achieve their objectives to get value from, and build trust in, IT by aligning business and IT needs through good governance. The key focus is meeting stakeholders’ needs via a holistic approach. That means not only running an efficient organisation but being effective, too, in protecting customers, clients and information whilst optimising the business opportunities these offer.

Together they place cybersecurity at the heart of the business, not as an add-on.

ISACA has produced a combined approach, documented in “Implementing the NIST Cybersecurity Framework”, free to ISACA members. This useful guide explains the purpose of each framework and how they complement each other. Starting from the lowest NIST CSF Implementation Tier, the guide maps out how you achieve assessment, management and improvement by applying COBIT 5’s five principles. The benefit of using both is that we assess the security controls within the context of good governance.

Using the steps and principles from both, we can map our organisation to the requirements of each piece of legislation. In the table below, capital letters refer to the DFS requirements (A–D above) and lower-case letters to the GDPR aspects (a–i above).

CSF Implementation Step                       | DFS        | GDPR             | COBIT 5 Principle                           | DFS        | GDPR
1. Prioritise and scope                       | C, D       | a, i             | 1. Meeting stakeholders’ needs              | A, B, C, D | a, b, c, g, i
2. Orient                                     | A, B       | c, e             | 2. Covering the enterprise end-to-end       | B, D       | a, d, e, f, h, i
3. Create a current profile                   | A          | a – i            | 2. Covering the enterprise end-to-end       | C, D       | a, d, e, f, h, i
4. Conduct a risk assessment                  | B, C       | a – i            | 3. Applying a single, integrated framework  | B, D       | a – i
5. Create a target profile                    | B, C       | a – i            | 3. Applying a single, integrated framework  | A          | a – i
6. Determine, analyse and prioritise gaps     | B, C       | a – i            | 3. Applying a single, integrated framework  | A          | a – i
7. Implement action plan                      | C, D       | a – i            | 4. Enabling a holistic approach             | A          | a, c, e, i
8. (not part of CSF)                          | –          | –                | 5. Separating governance from management    | D          | –


The table, whilst simple, hides the effort needed, as neither framework is an end in itself. What they do is ensure nothing is forgotten. How well they are applied comes down to an organisation’s willingness to invest in review, assessment, correction, improvement and pro-active monitoring against ever-more-demanding expectations from stakeholders.

Linking this back to the start of my blog: we can choose to do the right things or get hit where it hurts – at the bottom line. If we want to avoid fines, we must have a robust approach to running the business well, including comprehensive governance for managing all risks plus the agility to address new threats. That way we can demonstrate a better understanding, use and management of the Cyberworld that matches the spirit as well as the letter of the law.

That’s business.






Posted in COBIT 5.
