The following is a list of the primary benefits of the COBIT, ISO 27000, and NIST frameworks:
COBIT
- COBIT allows much broader scope and takes into account all IT management processes.
- Geared towards a method of successfully executing key policies and procedures. It is often used to tie together controls, technical issues and risks, within an organization.
- COBIT is managed by the Information Systems Audit and Control Association (ISACA) so it is kept up to date with current technology, and is globally accepted.
- Allows scope to extend beyond IT and into management of the organization.
ISO 27002
- ISO 27002 provides best practice recommendations for an Information Security Management System (ISMS) standard. The 27001 and 27002 are used together to provide a management system, and specify industry-related controls. The ISO 27002 is an IT department focused standard.
- Allows system managers to identify and mitigate gaps and overlaps in coverage.
- Limited in scope compared to other standards.
NIST
- NIST is a Federal Government standard that covers a Risk Management Framework which addresses security controls in accordance with the Federal Information Processing Standard (FIPS) 200. This means that the standard has been through a very stringent review process and is very thorough.
- Provides a level of detail for organizations not wanting to do a lot of customization. Comprehensive.
- Like the ISO standard, NIST is limited in scope to information security.
When comparing COBIT to the other standards, it does have some appealing advantages. Since it allows for a wide-scope to include management outside of IT, it makes it easier to customize and integrate into the organization. COBIT is a good choice for an organization-wide framework allowing flexibility. Both ISO and NIST are restricted in scope to IT, and are not as flexible. A notable point is that all Government agencies and contractors must adhere to NIST standards. Much depends on the organization, its purpose, and if it is private or Government affiliated. For large private enterprises with no Government ties, COBIT is a desirable framework because of its broad scope, and flexibility.
References
Agnosticator. (2013, December 09). A Comparison of COBIT, ITIL, ISO 27002 and NIST. Retrieved September 9, 2017, from http://agnosticationater.blogspot.com/2013/12/a-comparison-of-cobit-itil-iso-27002.html.
Gallagher, P. D. (2013, April). NIST Special Publication 800-53 Revision 4. Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 9, 2017, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
