
NIST, ISO, COBIT, ITIL – Which Cyber Framework Rules Them All?

Securing your business’s infrastructure may be one of the best and easily justifiable spending decisions you can make as a business exec. Why? Every 39 seconds, a breach is happening somewhere on the web. In 2022, cyberattacks are not only widespread but take ever more complex forms with each successive year.

Over the last few years, we saw how bad actors exploited the vulnerabilities of major corporations like Colonial Pipeline, JBS USA, and key healthcare providers in the country. As the commoditization of personally identifiable information, protected health information, and sensitive financial data continues on the Dark Web, most can tell that cyberattacks aren't going anywhere for the foreseeable future. In fact, with quantum computing technology raising its head, things in the upcoming decade are likely to get a lot wilder.

Still, what set of measures can your business implement to protect critical business assets and staff against an attack? Determining exactly what measures you should deploy to identify, detect, respond, and recover from imminent threats can be daunting.

Luckily, there are four major cyber frameworks (NIST, ISO, COBIT, ITIL) that codify best practices and standards for effective cyber protection. Each is distinct in its own way, so which one is the most effective?

Let's find out.

NIST

National Institute of Standards and Technology (NIST) Special Publication 800-53 is a federal government-approved guideline focusing on security controls. It is aligned with Federal Information Processing Standard (FIPS) 200.

Federal agencies in the US commonly use this framework for security compliance and for implementing an information security management system (ISMS), with the exception of agencies directly involved with national security.

ORNA's NIST-based GRC Dashboard

Admittedly, the catalogue of controls included in the framework is extensive. However, NIST is best suited to organizations that are not willing to spend significant time tailoring it to their own industry, which leaves the framework somewhat generic.

Even if the NIST framework suits your industry, its strong focus on information security means it may not be comprehensive enough to boost the effectiveness of your overall cybersecurity program across people, processes and technology.

That being said, NIST CSF is an excellent cybersecurity governance framework - in fact, ORNA's Risk & Compliance dashboard uses NIST as a backbone.

ISO 27001/27002

The International Organization for Standardization (ISO) aims to offer best practices and improvement suggestions for the aforementioned ISMS standard. This framework is heavily IT-focused and allows your IT team to effectively identify and manage lapses in your security infrastructure.

ISO 27001 and 27002 are widely known and are typically used together to provide a coherent IT infrastructure and security management system. This, however, introduces the same caveat as with NIST - in the real world, cybersecurity is a top-to-bottom holistic concern and cannot be effectively managed by IT efforts alone.

COBIT

Control Objectives for Information and Related Technologies (COBIT), in its most recent iteration, COBIT 2019, is a solid framework that structures processes so that business executives can roll out major policies and procedures across strategy, innovation, risk management, asset management, and more.

First released in 1996 and managed by the Information Systems Audit and Control Association (ISACA) to this day, COBIT is constantly updated to include sort-of-current technology and is globally accepted and used by major corporations and small businesses alike.

Unlike highly IT-centric NIST and ISO, however, COBIT defines the components and design factors to build and sustain a best-fit overall governance system. It also plays nicely with other IT and cyber risk management frameworks such as ITIL, CMMI and TOGAF, which makes it a great option as an umbrella framework to unify processes across an entire organization.

The COBIT Core Model includes 40 governance and management objectives for establishing a governance program. It ultimately helps align business goals with IT goals by establishing links between the two and creating a process that bridges the gap between IT (or IT silos) and other departments. Some critics, however, say that the framework is too high-level.

ITIL

The Information Technology Infrastructure Library (ITIL) is a set of best practices that organizations adopt to align business goals with IT resources. Developed by the British government's Central Computer and Telecommunications Agency (CCTA) during the 1980s specifically for public sector purposes, the OG ITIL spanned 30 full-size books (nobody said IT risk management has to be exciting).

Its relevance has long outgrown that origin, and it is now generally accepted across private sector organizations. Luckily for your mental health, the framework has since been condensed into 5 volumes.

The newest version of ITIL focuses on company culture and on integrating IT into the overall business structure, encouraging collaboration between IT and other departments, especially as cross-functional collaboration within organizations improves and increasingly relies on technology to get work done. ITIL also emphasizes customer feedback, since it’s easier than ever for businesses to understand their public perception and customer satisfaction (or dissatisfaction) through smart data and feedback analytics.

So What's The Verdict?

In a sense, COBIT provides the “what” and ITIL shows the “how”. In these frameworks' recent updates in particular, they only continue to complement each other. While ISO and NIST have their uses, for maximum efficiency and a holistic approach across all areas of cybersecurity risk management, our pick would be a carefully orchestrated mix of COBIT 2019 and ITIL 4 for GRC, and NIST CSF for cybersecurity specifically.

An article by Logan Wolfe
