Isaca NIST-COBIT-2019 - ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019

The implementation status is the information that should be collected for a Current Profile, because it indicates the degree to which the cybersecurity outcomes defined by the CSF Subcategories are currently being achieved by the organization12. The implementation status can be expressed using a four-level scale: Not Performed, Partially Performed, Performed, and Informative References Not Applicable34.

References: 1: Cybersecurity Framework Components | NIST 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 3: Framework Documents | NIST 4: REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.

A gap assessment is the most critical process tool to performing Implementation Phase 3, as it helps to identify the current and desired states of the selected processes, and the gaps and potential solutions to bridge them. A gap assessment also helps to create a detailed business case and a high-level program plan for the implementation12.

References7 Phases in COBIT Implementation | COBIT Certification - SimplilearnCOBIT 2019 Design and Implementation COBIT Implementation, page 31.

Identifying quick wins for implementation first is the best approach to gain support for the process, as it can demonstrate the value and feasibility of the project, and motivate the stakeholders to overcome the resistance and embrace the change12. Quick wins are those actions that can be implemented rapidly and easily, and that can produce visible and measurable results3.

References7 Phases in COBIT Implementation | COBIT Certification - SimplilearnImplementing the NIST Cybersecurity Framework Using COBIT 2019, page 17.What is a Quick Win? - Definition from Techopedia

A clear understanding of the likelihood and impact of cybersecurity events is critical for the success of CSF Step 6, as it helps to prioritize the gaps and actions based on the risk assessment and the cost-benefit analysis of the proposed solutions12.

References7 Steps to Implement & Improve Cybersecurity with NISTNIST CSF: The seven-step cybersecurity framework process

The organization’s asset register should primarily align to configuration management, because it is a process that maintains an accurate and complete inventory of the organization’s I&T assets and their relationships12. Configuration management supports the implementation of Step 2: Orient and Step 3: Create a Current Profile, because it helps to identify the systems, people, assets, data, and capabilities that are within the scope of the cybersecurity program, and to assess their current cybersecurity outcomes34.

References: 1: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates 2: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution 3: Cybersecurity Framework Components | NIST 4: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA

An important consideration when defining the roadmap in COBIT Implementation Phase 3 is the change-enablement implications, which refer to the potential impact of the proposed solutions on the people, culture, and behavior of the organization. This involves assessing the readiness and willingness of the stakeholders to adopt the changes, identifying the risks and barriers to change, and developing strategies to address them12.

References7 Phases in COBIT Implementation | COBIT Certification - SimplilearnCOBIT 2019 Design and Implementation COBIT Implementation, page 31.

According to the NIST Cybersecurity Framework, an organization should review cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. This information can help the organization to identify potential threats, vulnerabilities, and consequences, and to assess the current and target profiles of its cybersecurity posture12.

ReferencesIdentifying and Estimating Cybersecurity Risk for Enterprise Risk Management, page 19.COBIT VS NIST : A Comprehensive Analysis - ITSM Docs

This represents a best practice for completing CSF Step 3: Create a Current Profile, because it involves collaborating with relevant stakeholders to identify the current cybersecurity outcomes and implementation status of the organization12. Engaging in a dialogue and obtaining input can help to ensure that the Current Profile reflects the business drivers, mission, objectives, and risk appetite of the organization, as well as the scope and boundaries of the cybersecurity program34.

References: 1: Cybersecurity Framework Components | NIST 2: Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide3 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 4: NIST CSF: The seven-step cybersecurity framework process5

A CSF Informative Reference within the CSF Core provides a citation to a related activity from another standard or guideline that can help an organization achieve the outcome described in a CSF Subcategory12. For example, the Informative Reference for ID.AM-1 (Physical devices and systems within the organization are inventoried) is COBIT 5 APO01.01, which states "Maintain an inventory of IT assets"3.

References: 1: Informative References: What are they, and how are they used? | NIST 2: Everything to Know About NIST CSF Informative References | Axio 3: NIST Cybersecurity Framework v1.1 - CSF Tools - Identity Digital