Comparative Analysis and Design of Cybersecurity Maturity Assessment Methodology Using NIST CSF, COBIT, ISO/IEC 27002 and PCI DSS

Diah Sulistyowati - Universitas Indonesia, Depok, Indonesia
Fitri Handayani - National Cyber and Crypto Agency, Depok, Indonesia
Yohan Suryanto - Universitas Indonesia, Depok, Indonesia

Data and information security is crucial in today's digital era, and every organization needs to pay attention to it. Management of organizational information is one of the components in realizing Good Corporate Governance. The measure of an adequate level of protection is an indicator of the cybersecurity awareness aspects of an organization's business processes in the short, medium, and long term, especially in the functions that deal with information and communication technology (ICT). Achieving this requires a security standard that is appropriate to the organization's needs and helps it determine the maturity level of the cybersecurity that protects its information. The ABC organization is one of the government agencies that manage critical infrastructure and the Indonesian digital economy. The organization has currently implemented several international security standards through its planning, implementation, and evaluation documents and its ICT activities. However, based on the national information security readiness assessment, the organization's information security management readiness results are still not optimal. In this study, an analysis of the NIST, ISO 27002, COBIT, and PCI DSS security standards has been carried out; these are the security standards the ABC organization uses in managing ICT according to its assigned tasks and functions. The analysis results are then used as material for drafting a cybersecurity maturity framework based on the four standards that form the basis of the organization's ICT management. The proposed concept of twenty-one integrated cybersecurity categories is expected to serve as a basis for measuring ICT management performance in the ABC organization.


Keywords: ICT, Cybersecurity Maturity, NIST, ISO 27002, COBIT and PCI DSS
