Journal:Understanding cybersecurity frameworks and information security standards: A review and comprehensive overview

Full article title	Understanding cybersecurity frameworks and information security standards: A review and comprehensive overview
Journal	Electronics
Author(s)	Taherdoost, Hamed
Author affiliation(s)	University Canada West
Primary contact	Email: hamed dot taherdoost at gmail dot com
Year published	2022
Volume and issue	11(14)
Article #	2181
DOI	10.3390/electronics11142181
ISSN	2079-9292
Distribution license	Creative Commons Attribution 4.0 International
Website	https://www.mdpi.com/2079-9292/11/14/2181
Download	https://www.mdpi.com/2079-9292/11/14/2181/pdf (PDF)

This article should be considered a work in progress and incomplete. Consider this article incomplete until this notice is removed.

Abstract

Businesses are reliant on data to survive in the competitive market, and data is constantly in danger of loss or theft. Loss of valuable data leads to negative consequences for both individuals and organizations. Cybersecurity is the process of protecting sensitive data from damage or theft. To successfully achieve the objectives of implementing cybersecurity at different levels, a range of procedures and standards should be followed. Cybersecurity standards determine the requirements that an organization should follow to achieve cybersecurity objectives and minimize the impact of cybercrimes. Cybersecurity standards demonstrate whether an information management system can meet security requirements through a range of best practices and procedures. A range of standards has been established by various organizations to be employed in information management systems of different sizes and types. However, it is challenging for businesses to adopt the standard that is the most appropriate based on their cybersecurity demands. Reviewing the experiences of other businesses in the industry helps organizations to adopt the most relevant cybersecurity standards and frameworks.

This study presents a narrative review of the most frequently used cybersecurity standards and frameworks based on 1. existing papers in the cybersecurity field and 2. applications of these cybersecurity standards and frameworks in various fields to help organizations select the cybersecurity standard or framework that best fits their cybersecurity requirements.

Keywords: cybersecurity framework, cybersecurity standard, information security framework, information security standard, cybersecurity requirements, information security requirements, narrative review

Introduction

A standard is described as an ideal condition with a minimum achievement limit. [1] It also refers to technical specifications that are required to be applied by a service facility to enable service users to acquire the maximum function, purpose, or profit from the services. [2] Many international organizations, associations, and consortia have a vital role in the development of standards. [3,4] According to Standards Australia^[1], standards are represented as documents which define specifications, procedures, and guidelines, aiming to ensure safety, consistency, and reliability of products, services, and systems. Moreover, based on the provided definition by the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), standards are documents or rules made based on a general agreement and validated by a legal entity, which help to achieve optimal results, as a guideline, model, or sample, in a particular context.^[2] A standard practically meets user demands, considers the limitations of technology and resources, and also meets the verification requirements. [2]

The term "standard" most commonly refers to established documents by professional bodies to be used by other organizations (i.e., technical standards, program standards), or standards of technical practice (i.e., practical cybersecurity standards).

The sets of practices or technical methods that help organizations to secure their cyber environment are referred to as cybersecurity standards. [6] Cybersecurity standards include users, network infrastructure, software, hardware, processes, and information in system storage media that can be connected to the internet. [6] The scope of cybersecurity standards is broad in that it covers security features in applications and cryptographic algorithms that mainly provide perspective toward security controls, processes, procedures, guidelines, and baselines. [7] Security experts recommend implementing cybersecurity standards as a fundamentally essential element consisting of a collection of best practices to protect organizations from cybersecurity threats and risks. [8]

The main aim of cybersecurity standards is to prevent or mitigate cyberattacks and reduce the risk of cyber threats. [9] The implementation of such standards typically benefits the adopter by saving time, decreasing costs, increasing profits, improving user awareness, minimizing risks, and offering business continuity. [7] Additionally, using standards facilitates the compliance of an organization to industry best practices and procedures and provides the opportunity to compare a security system on an international level. [10] Hence, the application of cybersecurity standards has been established in different organizations or businesses to protect assets against cyber threats. [11,12] As a result, different cybersecurity standards have been developed by various organizations to ensure that organizations of different size and nature implement appropriate measures to prevent and mitigate cyber threats. [13] However, since a considerable number of standards have been developed to cover different aspects of cybersecurity in various organizations, it may be challenging for business owners to choose the appropriate standard that is the best match for their business. [14]

This study aims to provide an overview of the most frequently used cybersecurity standards based on existing papers in the cybersecurity field, clarifying their features and applications in different industries. A wide range of cybersecurity standards and frameworks are available to ensure the protection of data in different industries; however, this review paper aims to provide a comparative concept regarding cybersecurity standards and frameworks and facilitate the selection of the most appropriate standards and frameworks. This paper can be also helpful for academic purposes to determine the direction of further studies in this field.

In the next section, an overview of the most common cybersecurity standards and frameworks is provided. Following that is a narrative literature review that is the result of extracting and analyzing 17 papers published about cybersecurity standards between 2000 to 2022, and then considering the aim of each study, the main findings of the research, as well as relevant industry and employed standards. Finally, a concluding discussion is presented that clarifies the contribution of different standards for specific purposes.

Cybersecurity standards and frameworks

Cybersecurity standards are generally classified into two main categories: information security standards and information security governance standards. [15] Information security standards and frameworks such as the ISO/IEC 27000 series, ISF SOGP, NIST 800 series, SOX, and Risk IT mainly concentrate on security concerns. Selecting the most appropriate standard or framework is a serious decision that should be made based on the requirements of the organization to examine if it adequately suits the demands of the business. In some cases, employment of a single standard does not suffice to meet the expectations of a business. Thus, managers need to examine whether they need to consider more than one standard or framework. [2]

Open standards and frameworks are easily available and optional to be employed. Thus, organizations can use some parts or all of the guidelines, as required, or use them in combination, integrated with other standards, to complement and strengthen other requirements. [16] Performance standards can be a policy or law to be complied with by certain countries. They may also be required by the responsible organization, association, or regulatory body to be complied with by the implementing organization. [17] A country or company is authorized to reject rules or standards published by others, or to develop their own proprietary standards or local regulatory standards. [18]

The effective implementation of cybersecurity standards as guidelines or techniques which include best practices to be used in business or industry is not possible without the employment of the relevant cybersecurity framework. [19,20] Cybersecurity standards explain and provide methods one by one, specify what is expected to be done to complete the process, and clarify methods to coincide with the standard; a cybersecurity framework is a general guideline that covers many components or domains that can be adopted by businesses/companies/institutions, which doesn't necessarily specify the steps that are required to be taken. [21] Satisfactory cybersecurity protection can be achieved by adopting a cybersecurity framework that describes the scope, implementation, and evaluation processes, and also provides a general structure and methodology for protecting critical digital assets. [22] In fact, organizations can refer to cybersecurity frameworks to realize guidelines in the successful implementation of cybersecurity standards to be better equipped to identify, detect, and respond to cyberattacks. [23]

Cybersecurity frameworks are flexible and can provide users with the freedom to choose some parts or the whole model, methods, or technical practices, offering general and adoptable guidelines, as well as offering suggestions to be applied within the organization. [24] Implementation costs can be reduced as a result of the flexibility of cybersecurity frameworks. This can be effective to protect the infrastructure against cyber threats and secure critical sectors in the nation and economy. Therefore, cybersecurity frameworks have been developed by academic institutions, international organizations, countries, and corporations to ensure cyber resilience. [25] Businesses that seek to successfully implement cybersecurity standards are dependent on cybersecurity frameworks to harmonize policy, business, and technological approaches that are effective to mitigate cybersecurity issues and address cyber risks. [26] Thus, to ensure the protection of data and the infrastructure in organizations, businesses, and governments, cybersecurity standards and frameworks are required. [27]

The difference between a standard and a framework is summarized in Table 1.

Standard	Framework
Table 1. Difference between a standard and a framework.
▪ Standards are documents that determine procedures, specifications, and guidelines to ensure the safety, reliability, and consistency of services, products, and systems. ▪ Standards can be developed by a company or country into a proprietary standard or local regulation standard. ▪ Standards are guides to comply with the implementing organization in accordance with legal or regulatory provisions. ▪ Standards can be used together with other standards to complement and strengthen other requirements. ▪ Some standards are "open" to all types of businesses and government organizations; others are "closed," which means they are specific to certain industries or businesses. ▪ A standard details what must be done to comply with the standard, by explaining and providing methods one by one in order to complete the process.	▪ Frameworks are general guidelines that cover a wide range of domains and components in organizations; however, the steps to follow are not specifically determined. ▪ A framework determines the basics to establish something or accomplish a goal. ▪ A framework is employed for determining the quality standards that should be achieved, describing the scope, defining evaluation and implementation, and summarizing the objectives and outcomes.

Cybersecurity and information security standards

Cybersecurity standards, as key parts of IT governance, are consulted to ensure that an organization is following its policies and strategy in cybersecurity. [3] Therefore, by relying on cybersecurity standards, an organization can turn its cybersecurity policies into measurable actions. Cybersecurity standards clarify functional and assurance steps that should be taken to achieve the objectives of the organization in terms of cybersecurity. It may seem costly for a business to invest in the implementation of cybersecurity standards; however, the confidence and trust that it brings are more beneficial for the organization. [28]

Written cybersecurity standard documents describe requirements to be respected by the organization and are easy to be controlled by stakeholders or relevant auditors. However, standards do not include how to achieve the standard requirements. The most popular and frequently used cybersecurity standards, referred to in this paper, are shown in Figure 1. It is important to note that cybersecurity frameworks may not be limited to what is presented in the scope of this study, since new frameworks are constantly being published based on demands. In a general classification, the ISO 27000 series, BSI, and SoGP are provided. Additionally, some standards that are common in industry are presented in the "Industry Related" category.

References

↑ "What is a standard?". Standards Australia. 2022. https://www.standards.org.au/standards-development/what-is-standard. Retrieved 01 February 2022.
↑ "ISO/IEC Directives, Part 2: Rules for the structure and drafting of International Standards" (PDF). International Organization for Standardization, International Electrotechnical Commission. 2011. https://boss.cen.eu/media/yypjl3mn/iso_iec_directives_part2.pdf.

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.