
Implementing the NIST

Cybersecurity Framework
Using COBIT 5
A Step-by-Step Guide for Your Enterprise

Abstract
In a time of growing threats and evolving circumstances, adopting and maintaining a robust cyber security profile in your enterprise is vital. Valuable information and assets must be protected, but the mission goes beyond that. An enterprise's cyber stance should fit into a larger, comprehensive structure for the governance and management of enterprise IT. In such a structure, with proper governance, risk and control (GRC) programs, and supported by a thorough audit and assurance function, decisions are made and actions are taken to maximize value to the enterprise, accounting for the needs of all stakeholders and balancing risk and reward. Given this importance to enterprise strategy and results, cyber security as part of an entire GRC structure is no longer just a technology issue. It is the foundation upon which enterprise innovation and transformation take place.
To help organizations address cyber concerns, the National Institute of Standards
and Technology (NIST) has developed a set of voluntary best practices. Still, every
enterprise is different, creating unique challenges for implementation, especially as
part of a comprehensive GRC program. In such a situation, the COBIT 5 governance
framework has proved extremely valuable. This white paper outlines the steps for
bringing your NIST cyber program under a COBIT 5 structure, thereby preparing your
enterprise for value creation and laying the foundation for future innovation and
business transformation.
IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 5: A STEP-BY-STEP GUIDE FOR YOUR ENTERPRISE

Introduction
The governance and management of enterprise IT has taken on a new meaning with the rapid growth of cyber security and the multitude of best practices in the market. Given the complexity, it is no wonder that some enterprises continue to struggle with their efforts or take incomplete actions. Although there are some great approaches for a cyber security program, a critical success factor is ensuring that some key principles exist: meeting stakeholder needs, using a holistic approach, covering the complete enterprise and leveraging a single integrated framework. All of these principles lead toward the enterprise goal of providing value, proving that cyber security is not only an IT issue.

From a cyber security/risk perspective, adopting the COBIT 5 framework and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework, can be a huge factor in the enterprise's creation of value. These frameworks complement each other well; COBIT 5 practices synchronize with NIST categories. The adoption methodologies for each framework have a striking resemblance, which makes the coupling of these frameworks into a coherent governance approach a good decision. These frameworks are flexible models that can be modified to meet the needs of the enterprise and enable any organization to have a tested and repeatable central framework.

2016 ISACA. All Rights Reserved. 2


Providing value to the enterprise

Even with new technologies, more efficient processes and better-trained staff, some things just seem to be getting harder to deliver, and one noteworthy area is value. Enterprises consist of multiple service providers who serve the business through people, processes and technology, and typically provide this value in the form of services. What does this mean to the business? Value consists of achieving business benefits while optimizing risk and resources. Without value in those services provided by service providers, enterprises can most likely expect a massive decline in stakeholder value and, more importantly, a threat to business survival.

The elements in this definition of value can be explained further:
• Benefits realization means that the enterprise is attaining the new benefits that it set out to attain, based on stakeholder needs, and eliminating initiatives or assets that are underperforming.
• Risk optimization is the result of making informed enterprise decisions when the risk exposure is within the enterprise's risk appetite.
• Resource optimization requires applying enterprise resources at the right time, place and level of effort, and not wasting them frivolously.

Generally, successful innovation and business transformation require investing in a foundational set of enablers, as part of an overall governance, risk and control (GRC) posture that maximizes these elements of value. If an enterprise exhibits strong competencies in the GRC functions, it will be well positioned to drive the kind of transformation needed to stay competitive and thrive in today's economy. Failure to consider the importance of these functions to achieving transformational goals can lead to huge disappointment while the enterprise spins its wheels in a reactive mode.

To add to the challenge of providing value, enter cyber security. Stakeholders are influenced by many things, and in today's environment, cyber security is most likely somewhere toward the top of the list of influencers. Simply implementing a variety of security mechanisms, the approach taken by most enterprises, is not enough. To be effective, security measures must be fully integrated into the enterprise architectures and GRC programs.

Although cyber security has traditionally been thought of as a technological problem, cyber security risk cannot be addressed by technical solutions alone. Many breaches can be attributed not to technology, but to lapses in policies, management supervision, failure to assign responsibility for cyber security tasks or oversight, and an insufficient system of controls for access to the enterprise systems and data. Cyber security, therefore, requires several levels of effort involving:
• Application of technology
• Management oversight
• Legal and regulatory awareness
• Employee training
• Adoption and implementation of policies and procedures governing the information technology environment

This required effort means that overall enterprise governance measures and attitudes toward risk must drive the enterprise cyber security program. These drivers are most effective when they are integrated into the culture of organizational behaviors and actions.

This shift in perspective raises security from a technical concern to an enterprise issue. Because security concerns influence stakeholders' definition of value, the organization must identify, protect against, detect, respond to and recover from cyber security threats, and focus many core resources and competencies so that security risk is managed and aligned with the strategic goals, operational criteria, risk thresholds, compliance requirements and technical system architecture.

Cyber security is about managing risk. Risk governance and management is about informed decision making. Therefore, the cyber security equation has two components: business enablement and asset protection. First, cyber security efforts must be aligned to fit the enterprise GRC framework by delivering on business strategy. Cyber risk is a critical business risk and thus an important element. Second, information is a key enterprise asset and must be protected based on its criticality, integrity and availability needs. Cyber security must be considered in the larger picture of enterprise GRC scope, because the ability to move information in today's economy is vital to success.


The need for a simple approach

Recognizing that cyber security is no longer only an IT issue, leadership should ensure that the enterprise develops a cyber security/risk framework. There are many to choose from. In fact, there are so many that enterprises often admit to suffering from framework overload. There is a best practice for everything: governance, compliance, risk, service management, development lifecycles and, of course, cyber security. The list of these best practices includes frameworks, bodies of knowledge, standards, methodologies and so on. These are found in both public and proprietary domains. The secret to enterprise success: Do not fall victim to the idea that a single framework can handle all of the enterprise needs, i.e., one-size-fits-all; rather, combine these best practices into a single governing framework that governs the use of all of these various frameworks.

From a cyber security perspective, the list of best practices is growing quickly, and they all have significant value propositions for the enterprise if they are leveraged correctly. A viable enterprise solution for cyber security is to adopt a framework to manage frameworks. This is accomplished with the intersection of the NIST Cybersecurity Framework and COBIT 5 as an overarching framework.

Real-Life Business Transformation: Start with a Simple Approach

XYZ is an IT managed service provider in North America. With over 100 client enterprises, the need for a single, integrated governance framework was evident. Each tenant enterprise had specific needs and requirements from a compliance and security perspective. The client enterprises had a host of industry frameworks and standards that they used for their operations. The complexity of trying to manage this multitude of requirements from several different areas was daunting and created multiple vulnerabilities, duplication of effort and wasted resources. Recognizing this issue, XYZ embarked on a simplification effort with the goal of finding a few key frameworks that could be leveraged to provide a core governance and management program. This was done with the COBIT 5 framework. COBIT 5 not only referenced commonly known frameworks and standards in the industry, it also synchronized well with two of the most common security-related frameworks: ISO/IEC 27001 and the NIST Cybersecurity Framework. Using these frameworks as the basis for improvements, assurance and compliance, stakeholder needs were addressed effectively in all activities. Using COBIT 5 as their central control tool ensured a proper balance of conformance and performance, because stakeholder needs, risk and compliance requirements were addressed based on their importance to the goal of creating value for stakeholders.

The NIST CSF structure

Cyber security attacks are growing more intense and harmful, and based on the increasing number of incidents over the last few years, they are likely to continue. These scenarios, coupled with an increasing threat to a nation's critical infrastructure, put cyber security protection very high on any enterprise priority list.

Recognizing the need for broad safeguards against attacks that could disrupt our nation's critical systems, Executive Order (EO) 13636, Improving Critical Infrastructure


Cybersecurity,[1] directed collaboration with industry to develop a voluntary, risk-based cyber security framework. In response, NIST collaborated with ISACA and industry partners to create a risk-based cyber security framework. The NIST Cybersecurity Framework (CSF) provides this risk-based, iterative approach to the adoption of a more vigilant cyber security posture in the public and private domains. Figure 1 describes the components of the NIST CSF.

One of the strongest features of the NIST CSF is the Framework Core, as illustrated in figure 2. This core is a set of cyber security activities, desired outcomes and references from industry standards, guidelines and practices.

The Framework Core has five functions and 22 categories. Each of these categories is further broken down into subcategories and informative references. Informative references provide the specific standard, guideline or

Real-Life Business Transformation: Build a Foundation for Innovation

After the XYZ IT managed service provider made the business decision to leverage COBIT 5 as its central governing framework together with the NIST Cybersecurity Framework, the real work began. Due to the size and complexity of the enterprise and its customers, XYZ decided to adopt these frameworks iteratively, taking small improvements at a time, which would yield an ongoing effort. Fortunately, the COBIT 5 and NIST implementation methodologies are aligned to enable this. During the first two iterations of this adoption, XYZ recognized that there was something unique to this transformation: It was being driven by stakeholder needs and goals, which was a new, innovative way of looking at things for this enterprise. Instead of letting technology drive value, the needs of the business drove value. The typical knee-jerk reactions to checklists were now thoughtful analyses of risk, which pointed efforts toward responding in more appropriate ways. Whereas in the past there was a tendency to over-control every need, which wasted resources, now XYZ had methods to determine, based on risk, the areas that could be accepted, transferred, avoided or mitigated. Having this link to the business facilitated a combined effort of all applicable stakeholders in the cyber security project, rather than being driven only by technology.

FIGURE 1
Structure of the NIST Cybersecurity Framework

Component | Description
Framework Core | The Framework Core consists of five functions (Identify, Protect, Detect, Respond and Recover) and includes activities, desired outcomes and applicable references.
Implementation Tiers | Implementation Tiers provide context and identify the degree to which practices exhibit the characteristics defined in the framework. Tiers range from Tier 1 Partial to Tier 4 Adaptive.
Profiles | Profiles are outcomes based on business needs. This is the analysis of current and target profiles that helps determine the prioritization of efforts based on risk.
Implementation Guidance | Implementation Guidance uses a seven-step process that is iterative and flexible.

SOURCE: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

[1] Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014


practice to use to achieve the associated outcome. These include specific COBIT 5, CIS Critical Security Controls, ISO/IEC 27001, NIST SP 800-53 and ISA 62443 references.

FIGURE 2
Functions of the NIST CSF Framework Core

Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Categories: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Categories: Response Planning; Communications; Analysis; Mitigation; Improvements.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Categories: Recovery Planning; Improvements; Communications.

SOURCE: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Adopting NIST using COBIT

Regardless of the type of framework, adoption can typically be accomplished in one of two ways:
1. Adopting the framework gradually by starting small to create quick wins and building on initial successes to iterate deployments regularly
2. Using a big bang approach across the entire enterprise

Although the big bang approach can be a viable solution, depending on the situation, it is generally best to adopt option 1, the gradual approach. The NIST implementation approach is a nice fit with the COBIT 5 framework, because COBIT 5:
• Employs a principles-based structure
• Provides a holistic approach
• Has a phased, iterative implementation methodology
• Is used as an informative reference in the NIST CSF
• Includes an assessment program based on industry standards

Therefore, it is no surprise that COBIT 5 is a natural fit for adopting not only solid GRC practices, but also cyber security practices that are based on the NIST CSF. Figure 3 shows the alignment between the NIST CSF and the COBIT 5 implementation steps and principles.

Using a deployment methodology that is proven in the industry is paramount. Because the NIST CSF and COBIT 5 align nicely, it is a logical approach. Following are the steps of a typical enterprise implementation.


FIGURE 3
NIST CSF and COBIT 5 Implementation Alignment

NIST CSF Implementation Steps | COBIT Implementation Steps | COBIT Principles
1 Prioritize and scope | 1 What are the drivers? | 1 Meeting stakeholder needs
2 Orient | 2 Where are we now? | 2 Covering the enterprise end to end
3 Create a current profile | | 3 Applying a single integrated framework
4 Conduct a risk assessment | 3 Where do we want to be? |
5 Create a target profile | |
6 Determine, analyze and prioritize gaps | 4 What needs to be done? |
7 Implement action plan | 5 How do we get there? | 4 Enabling a holistic approach
8 CSF action plan review | 6 Did we get there? |
9 CSF lifecycle management | 7 How do we keep the momentum going? | 5 Separating governance from management

SOURCE: Implementing the NIST Cybersecurity Framework, ISACA

NIST CSF STEP 1: Prioritize and scope

The purpose of this step is to obtain an understanding of the current approach to governance and cyber security in the enterprise and to identify key stakeholders, the organizational mission, and roles and responsibilities. This aligns with the COBIT 5 implementation phase What are the drivers? and the principle Meeting stakeholder needs.

Step 1 is also the right moment to conduct a Goals Cascade exercise (another feature of COBIT 5), which is a helpful and effective tool. The Goals Cascade is a series of mappings that allow an enterprise to link stakeholder needs with enterprise goals, IT-related goals and enabler goals. Figure 4 is a high-level description of the Goals Cascade.

NIST CSF STEPS 2 AND 3: Orient and Create a current profile

Now that the goals cascade is complete, it is time to identify threats to, and vulnerabilities of, the enterprise systems and assets. The purpose of these two steps is to gain an understanding of the enterprise systems and assets that enable the mission described in Step 1. These steps align with the COBIT 5 implementation step 2, Where are we now?, and the COBIT 5 principles Covering the enterprise end to end and Applying a single integrated framework.

This is where the framework implementation tiers enter the equation. These are levels of implementation that can assist in the assessment and planning of cyber security activities. Tiers describe attributes to consider when completing the current profile and, later on, creating a target profile, and they describe the implementation progression. These tiers also align well with the COBIT 5 process capability levels. Figure 5 shows the four tiers.

This step conducts a current-state assessment using the ISO/IEC 15504 approach to process capability. The COBIT 5 assessment methodology is used to complete the current profile, iterating through each subcategory and recording its current status, ranging from not achieved to fully achieved. A current profile can therefore also be referred to as the current state. This is the key output of Step 3. The NIST CSF provides a template for this, as illustrated in figure 6.


FIGURE 4
COBIT 5 Goals Cascade

Stakeholder Drivers -> Stakeholder Needs -> Enterprise Goals -> IT-Related Goals -> Enabler Goals

Enablers: Principles, Policies and Frameworks; Processes; Organizational Structures; Culture, Ethics and Behavior; Information; Services, Infrastructure and Applications; People, Skills and Competencies

SOURCE: COBIT 5, A Business Framework for the Governance and Management of Enterprise IT, ISACA

FIGURE 5
NIST CSF Implementation Tiers

Tier 1: Partial
Risk management process: Informal (not formalized) risk practices; reactive, ad hoc risk approach.
Integrated risk management program: Limited institutional awareness; risk management in place but irregular.
External participation: Lacks a process to coordinate and collaborate.
Comparison to COBIT 5 process capability levels: Level 0 (Incomplete), Level 1 (Performed)

Tier 2: Risk Informed
Risk management process: Approved risk management practices, but not organization-wide; priorities informed by stakeholder goals and corporate risk decisions.
Integrated risk management program: Organization has cyber security risk awareness but not an institutionalized approach.
External participation: Organization has not formalized capabilities to interact and share information.
Comparison to COBIT 5 process capability levels: Level 2 (Managed)

Tier 3: Repeatable
Risk management process: Risk management practices formally approved, expressed as policy and regularly updated.
Integrated risk management program: Organization-wide approach to managing cyber security risk; risk-informed policies, processes and procedures are defined and reviewed.
External participation: Organization understands dependencies and partners; receives information that enables collaboration and risk-based response decisions.
Comparison to COBIT 5 process capability levels: Level 3 (Established)

Tier 4: Adaptive
Risk management process: Cyber security practices are adapted based on lessons learned and predictive indicators, through continuous improvement.
Integrated risk management program: Organizational risk approach with situational awareness integrated into the culture.
External participation: Active sharing with partners to proactively learn and benefit the community.
Comparison to COBIT 5 process capability levels: Level 4 (Predictable), Level 5 (Optimizing)

SOURCE: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014


FIGURE 6
NIST CSF Current Profile Template

Function: Identify (ID)

Category: Asset Management (ID.AM). The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
Subcategory | Relevant COBIT Practices
ID.AM-1: Physical devices and systems within the organization are inventoried | BAI09.01, BAI09.02
ID.AM-2: Software platforms and applications within the organization are inventoried | BAI09.01, BAI09.02, BAI09.05
ID.AM-3: Organizational communication and data flows are mapped | DSS05.02
ID.AM-4: External information systems are catalogued | APO02.02
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value | APO03.03, APO03.04, BAI09.02
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | APO01.02, DSS06.03

Category: Business Environment (ID.BE). The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Subcategory | Relevant COBIT Practices
ID.BE-1: The organization's role in the supply chain is identified and communicated | APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated | APO02.06, APO03.01
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | APO02.01, APO02.06, APO03.01
ID.BE-4: Dependencies and critical functions for delivery of critical services are established |
ID.BE-5: Resilience requirements to support delivery of critical services are established | DSS04.02

Category: Governance (ID.GV). The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Subcategory | Relevant COBIT Practices
ID.GV-1: Organizational information security policy is established | APO01.03, EDM01.01, EDM01.02
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | APO13.12
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | MEA03.01, MEA03.04
ID.GV-4: Governance and risk management processes address cybersecurity risks | DSS04.02

SOURCE: Implementing the NIST Cybersecurity Framework Toolkit, ISACA


In this sample template, each of the subcategories is linked to specific COBIT 5 practices. These subcategories can also be linked to the other industry references. Information about these specific COBIT 5 practices can be found in the COBIT 5: Enabling Processes guide.

NIST CSF STEPS 4 AND 5: Conduct a risk assessment and Create a target profile

The purpose of these two steps is to identify the overarching threats to, and vulnerabilities of, the systems and assets identified earlier, and to determine the likelihood and impact of a cyber security event. Completion of these steps results in a catalog of potential security risk and business impact, a target capability level and a target profile. These two steps align with the COBIT 5 implementation step Where do we want to be? and the COBIT 5 principles Covering the enterprise end to end and Applying a single integrated framework.

To accomplish this, it is beneficial to use COBIT 5 for Risk, Process Assessment Model (PAM): Using COBIT 5, and the COBIT 5 Assessor's Guide to determine appropriate levels of achievement, and to reference the COBIT 5 process APO12, Manage Risk.

The key outputs of these steps include the enterprise risk assessment and the target profile. The target profile is similar to the current profile template and should include the following information:
• Applicable function
• Applicable category
• Applicable subcategory
• COBIT 5 reference to identify practices required to meet the goals of the subcategory
• Achievement rating (e.g., not achieved, partially achieved, largely achieved, fully achieved) based on existing procedures
• Practices, policies and procedures identified in the risk assessment
• Description of how the achievement rating was determined
• Actions required to achieve the target state goals
• Resources required

NIST CSF STEP 6: Determine, analyze and prioritize gaps

In this step, the enterprise seeks to understand and document the actions required to close the gaps between the current and target state environments. This step is aligned with the COBIT 5 Implementation step What needs to be done? and the COBIT 5 principles Covering the enterprise end to end and Applying a single integrated framework.

The enterprise records the differences between the current and desired states and uses COBIT 5: Enabling Processes to determine the practices and activities that need to be improved to close the gaps. In addition to the gaps, one must understand the resources and capabilities that are required to accomplish these efforts. This action plan of activities includes milestones, responsibilities and desired outcomes according to the set priorities. An action plan should include the following:
• Identification
• Priority
• Assumptions and constraints
• Rationale
• Specific actions
• Resources
• Schedule/milestones
• Status
• Prerequisites/dependencies
• Action assignee
• Stakeholder roles

NIST CSF STEP 7: Implement action plan

After the gaps are known and the plans to close those gaps have been determined, the enterprise can execute the plan that addresses the priorities to improve security and meet stakeholder goals. This step is aligned with the COBIT 5 Implementation step How do we get there? and the COBIT 5 principle Enabling a holistic approach.

The enterprise should consider the challenges, root causes and success factors from the COBIT 5 Implementation Guide, which include:
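The target profile and the gap analysis described above can be driven from a small script. What follows is an added example written for this page; it is not code from the ISACA paper or from any ISACA or NIST tool. Each row holds one subcategory with its COBIT 5 practice references (the identifiers and references are those of the template above), an achievement rating in the current and in the target profile on the ISO/IEC 15504 N/P/L/F scale that the COBIT 5 PAM uses, and a 1-5 risk score from the risk assessment; the ratings and risk scores are constructed for illustration and the scoring rule (risk times gap size) is an assumption, not part of either framework. The script emits prioritized action-plan rows with the identification, priority, rationale, specific actions and status fields listed above, flags subcategories whose current rating already exceeds the risk-based target (the over-control that the XYZ sidebar describes as wasted resources), and rolls up the mean current and target rating per CSF function:

```python
"""Gap analysis between a NIST CSF current profile and target profile.

Added example, not ISACA's or NIST's code. Achievement ratings use the
ISO/IEC 15504 process attribute scale that the COBIT 5 PAM inherits:
  N = not achieved (0-15%), P = partially achieved (>15-50%),
  L = largely achieved (>50-85%), F = fully achieved (>85-100%).
Subcategory identifiers and COBIT 5 practice references follow the current
profile template (NIST CSF 1.0 informative references). The ratings, the
1-5 risk scores and the priority rule (risk x gap) are assumed for illustration.
"""
from dataclasses import dataclass
from statistics import mean

RATING_ORDER = {"N": 0, "P": 1, "L": 2, "F": 3}
RATING_NAME = {
    "N": "not achieved (0-15%)",
    "P": "partially achieved (>15-50%)",
    "L": "largely achieved (>50-85%)",
    "F": "fully achieved (>85-100%)",
}


@dataclass(frozen=True)
class ProfileEntry:
    """One row of the current/target profile template."""
    subcategory: str        # NIST CSF subcategory identifier, e.g. "ID.AM-1"
    cobit_practices: tuple  # relevant COBIT 5 practices for the subcategory
    current: str            # achievement rating recorded in the current profile
    target: str             # achievement rating set in the target profile
    risk: int               # 1 (low) .. 5 (critical) from the risk assessment (assumed scale)


def _ordinal(rating: str) -> int:
    """Map an N/P/L/F rating to its position on the scale; reject anything else."""
    try:
        return RATING_ORDER[rating]
    except KeyError:
        raise ValueError(f"unknown achievement rating {rating!r}; expected N/P/L/F") from None


def analyze_gaps(profile):
    """Return action-plan rows for each subcategory whose target exceeds its current rating.

    Priority score = risk x gap size (assumed rule), so a critical-risk subcategory two
    steps behind its target outranks a low-risk one that is one step behind.
    """
    rows = []
    for e in profile:
        gap = _ordinal(e.target) - _ordinal(e.current)
        if gap <= 0:
            continue  # already at or above target: no action row
        rows.append({
            "identification": e.subcategory,
            "priority_score": e.risk * gap,
            "rationale": f"{RATING_NAME[e.current]} -> {RATING_NAME[e.target]}, risk {e.risk}/5",
            "specific_actions": "improve " + ", ".join(e.cobit_practices),
            "status": "open",
        })
    # highest score first; ties broken by identifier so the plan order is stable
    rows.sort(key=lambda r: (-r["priority_score"], r["identification"]))
    for n, r in enumerate(rows, start=1):
        r["priority"] = n
    return rows


def over_controlled(profile):
    """Subcategories rated above their risk-based target: candidates for reducing spend."""
    return [e for e in profile if _ordinal(e.current) > _ordinal(e.target)]


def function_summary(profile):
    """Mean (current, target) ordinal per CSF function (the prefix before the dot), 2 dp."""
    by_fn = {}
    for e in profile:
        by_fn.setdefault(e.subcategory.split(".")[0], []).append(e)
    return {fn: (round(mean(_ordinal(e.current) for e in es), 2),
                 round(mean(_ordinal(e.target) for e in es), 2))
            for fn, es in by_fn.items()}


# Constructed sample: identifiers and COBIT 5 practices from the template above;
# the ratings and risk scores are illustrative, not measured values.
SAMPLE_PROFILE = (
    ProfileEntry("ID.AM-1", ("BAI09.01", "BAI09.02"), "P", "F", 4),
    ProfileEntry("ID.AM-2", ("BAI09.01", "BAI09.02", "BAI09.05"), "N", "L", 5),
    ProfileEntry("ID.AM-3", ("DSS05.02",), "L", "L", 3),
    ProfileEntry("ID.BE-5", ("DSS04.02",), "F", "L", 2),
    ProfileEntry("ID.GV-1", ("APO01.03", "EDM01.01", "EDM01.02"), "P", "L", 3),
    ProfileEntry("ID.GV-3", ("MEA03.01", "MEA03.04"), "L", "F", 4),
)

if __name__ == "__main__":
    for row in analyze_gaps(SAMPLE_PROFILE):
        print(f'{row["priority"]}. {row["identification"]} (score {row["priority_score"]}): '
              f'{row["specific_actions"]}; {row["rationale"]}')
    for e in over_controlled(SAMPLE_PROFILE):
        print(f"review: {e.subcategory} is {RATING_NAME[e.current]} but the target is {RATING_NAME[e.target]}")
    print("function summary (current, target):", function_summary(SAMPLE_PROFILE))
```

With the sample data, ID.AM-2 (not achieved, critical risk) lands at priority 1 and ID.BE-5 is reported as over-controlled; an unknown rating string is rejected rather than silently scored, because a profile spreadsheet with a stray "n/a" cell would otherwise produce a misleading plan. The rows map directly onto the action plan fields above; assignee, schedule and resources are filled in by the people planning the work, not computed.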


• Test the approach by making small improvements initially to provide some quick wins
• Involve all stakeholders
• Improve processes before attempting to apply automation
• Set clear, measurable goals and produce scorecards showing how performance is being measured
• Communicate in business impact terms

Using sound program and project management principles in this step is key. If this step is successful, the outcomes include operating procedures for implemented action items, performance reports and metrics.

NIST CSF STEP 8: CSF action plan review

The enterprise reviews the application of the improved governance and management practices, and confirms that the action plan delivered the expected benefits. This step is aligned with the COBIT 5 Implementation step Did we get there? The enterprise assesses the activities from the implementation step to ensure that improvements achieve the anticipated goals and risk management objectives. The enterprise documents the lessons learned and identifies any specific ongoing monitoring needs.

NIST CSF STEP 9: CSF lifecycle management

The purpose of this step is to provide ongoing review/assessment of the overall success of the initiative, identify further governance or management requirements, and support continual improvement. This step is aligned with the COBIT 5 Implementation step How do we keep the momentum going?

Auditing and assurance

Having this single, integrated framework for the governance and management of enterprise IT and cyber security efforts clearly creates value for the enterprise; however, providing assurance for these efforts is just as critical. From a cyber security perspective, an audit provides management with an evaluation of the effectiveness of cyber security-related policies, the implementation of controls, and the achievement of process purposes. These can identify internal and external deficiencies that could potentially impact the enterprise's ability to meet its goals. Considering the three lines of defense model in figure 7, simply adopting the COBIT 5 and NIST frameworks can be linked to the first two lines of defense. Therefore, the third line of defense, the audit department, can provide an objective view of whether the frameworks' practices and activities are reliable, accurate and secure.

FIGURE 7
Three Lines of Defense Model Based on COBIT 5 for Risk

Board/Enterprise Risk Committee
1st Line of Defense: Operations
2nd Line of Defense: Risk Function, Enterprise Risk Group, Compliance
3rd Line of Defense: Audit Department

SOURCE: COBIT 5 for Risk, ISACA.


IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 5: A STEP-BY-STEP GUIDE FOR YOUR ENTERPRISE

There are numerous programs available today that provide solid assurance models. Considering the topic of this paper, it makes sense to adopt an auditing program that focuses on the COBIT 5 and NIST frameworks. ISACA's IS Audit/Assurance Program for Cyber security: Based on the NIST Cybersecurity Framework Audit Program provides control objectives, controls and testing steps based on the NIST CSF functions, categories, subcategories, and informative references. Adopting the three lines of defense model, incorporated with solid processes and practices, truly provides a holistic approach that meets stakeholder needs. It is also an important part of the GRC foundation necessary for successfully undertaking enterprise innovation and transformation.

Ten tips to adoption

Even though the approach outlined in this white paper is relatively simple, there are numerous additional considerations to ensuring that the enterprise efforts are successful. Following are some of the most important tips to keep in mind.

1. Know the stakeholders. An enterprise has internal and external stakeholders. Seek to understand their needs and their expectations and influences. Hint: Collaborate with your Risk Group or PMO; it's likely they've already done a detailed analysis of business stakeholders.

2. Understand why. What are the drivers? It goes without saying that a business case makes sense, but why does an enterprise really need governance? Is it for regulatory/compliance, cost savings, or because programs and projects have run amok? Hint: Start with the enterprise stakeholder needs and cascade them to IT goals by using the COBIT 5 Goals Cascade.

3. Leverage industry available frameworks. Be careful not to fall into using just one framework because it can do everything; those do not exist. Use a mix of frameworks and adjust them to fit the enterprise needs. Hint: COBIT, ISO, NIST.

4. Get top management involved. It is hard to get the attention of enterprise leadership when they are already busy. Look for trigger events that can get the plan in front of them and have that plan ready with a powerful message. Hint: Pain points and trigger events tend to get the attention of management and can be found in COBIT 5 Implementation.

5. Instill accountability. This typically starts at the top, but make sure that key roles are identified with explicit details regarding their accountabilities. Hint: RACI charts can be found in COBIT 5: Enabling Processes.

6. Demonstrate quick wins. Many governance adoptions tend to fizzle out due to simple exhaustion. Governance is a way of doing business and not a project, so ensure that the plan can demonstrate quick wins to keep the momentum going. Hint: Plan these as a part of your overall business case.

7. Use a continuous cycle. There are many approaches to use to keep the momentum going, but the bottom line is that one must think of governance as a commitment that requires continuous initiatives that focus on improvement. Hint: Deming's PDCA, ITIL's CSI Model, and COBIT's Implementation Model.

8. Embed new approaches. Let things sink in. The cultural aspects of change require adoption and acceptance. Hint: Read Kotter's Leading Change about organizational change.

9. Formal documentation. Policies, procedures, and key documents must be formalized and organized in a manner that allows stakeholders to get the information they need. Hint: Look to your knowledge repository to manage up-to-date documentation.

10. Train. Your actions should support your words, so allow time and money to deliver the appropriate training. It will not only demonstrate your commitment, but will increase the knowledge of the stakeholders. Hint: At a minimum, COBIT Foundation training should be considered as a part of any adoption efforts.


ISACA

ISACA (isaca.org) helps professionals around the globe realize the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organizations. Established in 1969, ISACA is a global association serving more than 500,000 engaged professionals in 188 countries. ISACA is the creator of the COBIT framework, which helps organizations effectively govern and manage their information and technology. Through its Cybersecurity Nexus (CSX), ISACA helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.

Disclaimer

ISACA has designed and created Integrating COBIT 5 and the NIST Cybersecurity Frameworks (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

2017 ISACA. All rights reserved.

Contact

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org

Provide feedback: www.isaca.org/NIST-COBIT5
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ


ACKNOWLEDGMENTS

ISACA would like to recognize:

Lead Developer
Mark Thomas

Expert Reviewer
Peter Tessin

ISACA Board of Directors
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chair
Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, US House of Representatives, USA, Vice-chair
Robert Clyde, CISM, Clyde Consulting LLC, USA, Director
Leonard Ong, CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck, Singapore, Director
Andre Pitkowski, CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Director
Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance (Pty) Ltd., South Africa, Director
Zubin Chagpar, CISA, CISM, PMP, Amazon Web Services, UK, Director
Rajaramiyer Venketaramani Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India, Director
Jeff Spivey, CRISC, CPP, Security Risk Management Inc., USA, Director
Robert E. Stroud, CGEIT, CRISC, Forrester Research, USA, Past Chair
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair
Greg Grocholski, CISA, SABIC, Saudi Arabia, Past Chair
Matt Loeb, CGEIT, FASAE, CAE, ISACA, USA, Director
