SEMI-AUTOMATED MULTI-STANDARD CYBER MATURITY ASSESSMENT TOOL BASED ON NIST CSF 2.0, ISO/IEC 27001:2022, COBIT 2019 AND CIS CONTROLS V8
DOI: https://doi.org/10.28925/2663-4023.2025.31.1004

Keywords: cyber maturity; multi-standard assessment; NIST CSF 2.0; ISO/IEC 27001:2022; COBIT 2019; CIS Controls v8; semi-automated assessment; expert group; correspondence matrix; roadmap

Abstract
In today's cyber threat landscape, no software or hardware tool can fully compensate for the lack of a comprehensive approach to security management, which includes both technological and organizational aspects. Modern organizations are often forced to comply with the requirements of several international standards at the same time (NIST CSF 2.0, ISO/IEC 27001:2022, COBIT 2019, CIS Controls v8) due to regulatory obligations, customer requirements and internal policies, which leads to fragmentation of efforts, duplication of work and inefficient use of limited resources. This article is devoted to the development of a semi-automated multi-standard cyber maturity assessment tool that allows organizations to assess compliance with all four frameworks through a single point of entry — a structured survey using the NIST CSF 2.0 framework as a basic measurement tool, COBIT 2019 as a mechanism for determining the target state through prioritization of business processes, ISO/IEC 27001:2022 as a reference for documented controls, and CIS Controls v8 as additional practical detail for small and medium-sized organizations (SMEs). Based on a systematic analysis of scientific literature and practical cases, the necessity of using a mapping matrix between standards for automatic display of assessment results in terms of all four frameworks simultaneously is substantiated. The architecture of the tool is described and the logic of its operation is detailed: from the formation of an expert group and collection of organizational context to the automated assessment of the current state and generation of recommendations for the target.
The scientific novelty of the work is the development of a practical tool that combines several methodological approaches: multi-standard assessment of the organization's cyber maturity through a correspondence matrix between NIST CSF 2.0, ISO/IEC 27001:2022, COBIT 2019 and CIS Controls v8, which allows organizations to avoid duplication of effort when complying with multiple standards; semi-automation of the assessment using objective structured questionnaires, which increases the reliability and repeatability of the results; and validation of the results by an interdisciplinary expert group according to the "Human-in-the-Loop" principle, which ensures that the organizational context is taken into account. The role of the expert group as a validator of automatically generated data and a determiner of organizational priorities is characterized, which makes it possible to combine the advantages of automation with the flexibility of expert analysis. Particular attention is paid to the cost-effectiveness of the proposed solution through the use of publicly available tools (Microsoft Excel) and the possibility of phased implementation for SMEs through the CIS Controls implementation group system (IG1→IG2→IG3).
The results of the study can be used as a practical tool for organizations of any size: small organizations can start at the basic level (CIS IG1) and gradually build maturity, while large enterprises get a comprehensive overview of compliance with multiple standards through a single assessment model without duplication of effort.
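The abstract describes the core mechanism only in words: a survey scored against NIST CSF 2.0 subcategories, a correspondence matrix that translates those scores into the other three frameworks, an expert group that sets targets and handles whatever the matrix cannot translate, and a phased IG1→IG2→IG3 view for smaller organizations. The following Python script is an added example illustrating that roll-up logic; it is not the authors' Excel tool and not their matrix. The NIST CSF 2.0 subcategory IDs, ISO/IEC 27001:2022 Annex A control numbers, COBIT 2019 objective IDs and CIS Controls v8 safeguard numbers are real identifiers, but the subset chosen, the pairings between them, the 0–4 maturity scale and the survey scores are constructed assumptions for illustration.

```python
"""Multi-standard maturity roll-up through a correspondence matrix.

Added example, not the paper's tool. Identifiers are real, but the mapping
subset, the 0..4 maturity scale and the survey scores are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Control:
    framework: str            # "ISO27001", "COBIT" or "CIS"
    control_id: str
    title: str
    ig: Optional[int] = None  # CIS implementation group (1, 2 or 3); None for non-CIS controls


# Correspondence matrix: one NIST CSF 2.0 subcategory -> the controls it evidences in
# the other three frameworks. Constructed illustrative subset, not the authors' matrix.
MATRIX = {
    "ID.AM-01": (Control("ISO27001", "A.5.9", "Inventory of information and other associated assets"),
                 Control("COBIT", "BAI09", "Managed Assets"),
                 Control("CIS", "1.1", "Establish and Maintain Detailed Enterprise Asset Inventory", ig=1)),
    "ID.AM-02": (Control("ISO27001", "A.5.9", "Inventory of information and other associated assets"),
                 Control("COBIT", "BAI09", "Managed Assets"),
                 Control("CIS", "2.1", "Establish and Maintain a Software Inventory", ig=1)),
    "ID.RA-01": (Control("ISO27001", "A.8.8", "Management of technical vulnerabilities"),
                 Control("COBIT", "APO12", "Managed Risk"),
                 Control("CIS", "7.1", "Establish and Maintain a Vulnerability Management Process", ig=1)),
    "PR.AA-01": (Control("ISO27001", "A.5.16", "Identity management"),
                 Control("COBIT", "DSS05", "Managed Security Services"),
                 Control("CIS", "5.1", "Establish and Maintain an Inventory of Accounts", ig=1)),
    "DE.CM-01": (Control("ISO27001", "A.8.16", "Monitoring activities"),
                 Control("COBIT", "DSS05", "Managed Security Services"),
                 Control("CIS", "13.6", "Collect Network Traffic Flow Logs", ig=2)),
}

# Constructed survey result: current maturity per NIST subcategory on an assumed 0..4 scale.
SURVEY = {"ID.AM-01": 3, "ID.AM-02": 1, "ID.RA-01": 2, "PR.AA-01": 2, "DE.CM-01": 0}


def unmapped(scores):
    """Subcategories the matrix cannot translate. They are surfaced for the expert
    group instead of being silently dropped from the multi-standard view."""
    return sorted(set(scores) - set(MATRIX))


def roll_up(scores, framework, ig_ceiling=3):
    """Current maturity per control of `framework`, derived from the NIST scores.
    A control evidenced by several subcategories receives their mean. CIS safeguards
    above `ig_ceiling` are omitted, which yields the phased IG1 -> IG2 -> IG3 view."""
    hits = {}
    for sub, score in scores.items():
        for c in MATRIX.get(sub, ()):
            if c.framework != framework:
                continue
            if c.ig is not None and c.ig > ig_ceiling:
                continue
            hits.setdefault(c.control_id, []).append(score)
    return {cid: round(mean(v), 2) for cid, v in hits.items()}


def roadmap(scores, targets, framework, ig_ceiling=3):
    """Gap list (largest gap first) for one framework. `targets` holds the expert
    group's target maturity per NIST subcategory; a control's target is the maximum
    over the subcategories that map to it."""
    current = roll_up(scores, framework, ig_ceiling)
    target_by_control = {}
    for sub, t in targets.items():
        for c in MATRIX.get(sub, ()):
            if c.framework == framework and c.control_id in current:
                target_by_control[c.control_id] = max(target_by_control.get(c.control_id, 0), t)
    gaps = [(cid, current[cid], tgt, round(tgt - current[cid], 2))
            for cid, tgt in target_by_control.items() if current[cid] < tgt]
    return sorted(gaps, key=lambda g: (-g[3], g[0]))


if __name__ == "__main__":
    targets = {sub: 3 for sub in SURVEY}          # constructed: expert group wants level 3 everywhere
    print("needs expert review:", unmapped({**SURVEY, "RS.MA-01": 1}))
    for fw in ("ISO27001", "COBIT", "CIS"):
        print(fw, roll_up(SURVEY, fw))
    print("CIS IG1 roadmap:", roadmap(SURVEY, targets, "CIS", ig_ceiling=1))
```

Two design points matter for a real deployment of this idea. First, the aggregation rule is a policy decision: the mean used here is optimistic for a control evidenced by several subcategories, and an auditor-facing view may prefer the minimum. Second, every subcategory the matrix does not cover is returned rather than ignored, so the expert group sees exactly where the automation stopped.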
Copyright (c) 2025 Юлія Жданова, Світлана Шевченко, Олексій Кія

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.