NIST-COBIT-2019: ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019

According to the TM Forum's Business Process Framework (eTOM), the business/process level is responsible for defining the business strategy, objectives, and requirements, as well as monitoring and controlling the performance and quality of the processes1. The implementation/operations level is responsible for designing, developing, and executing the processes that deliver and support the services1. When coordinating framework implementation, these two levels collaborate to assess changes in current and future risks, such as market trends, customer expectations, regulatory compliance, security threats, and operational issues2. This helps them to align the processes with the business goals and outcomes, and to identify and mitigate any potential gaps or challenges3.

One of the objectives of CSF Step 6 is to translate improvement opportunities into justifiable, contributing projects, which means to develop an action plan that addresses the gaps between the current and target profiles, and that aligns with the organization's mission drivers, risk appetite, and resource constraints12.

Reference Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide, page 8. NIST CSF: The seven-step cybersecurity framework process

The goals cascade is a mechanism that translates the stakeholder needs into specific, actionable, and customized goals at different levels of the enterprise12. The stakeholder needs are the drivers of the governance system and reflect the expectations and requirements of the internal and external parties that have an interest or influence on the enterprise34. The goals cascade supports the prioritization of management objectives based on the stakeholder needs, as well as the alignment of the enterprise goals, the alignment goals, and the governance and management objectives12.

A CSF Informative Reference within the CSF Core provides a citation to a related activity from another standard or guideline that can help an organization achieve the outcome described in a CSF Subcategory12. For example, the Informative Reference for ID.AM-1 (Physical devices and systems within the organization are inventoried) is COBIT 5 APO01.01, which states 'Maintain an inventory of IT assets'3.

The Identify function provides foundational activities for the effective use of the Cybersecurity Framework, because it assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities12. This understanding enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs12. The Identify function includes outcome categories such as Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management12.

The seven high-level CSF steps generally align to the high-level phases of the COBIT 2019 implementation guide, which are: What are the drivers?; Where are we now?; Where do we want to be?; What needs to be done?; How do we get there?; Did we get there?; and How do we keep the momentum going?12. These phases provide a structured approach for implementing a governance system using COBIT 2019, and can be mapped to the CSF steps of Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine, Analyze and Prioritize Gaps, and Implement Action Plan34.