Cybersecurity Strategy Development: Towards an Integrated Approach Based on COBIT and ISO 27000 Series Standards

Metin, Bilgin, Berfun Sevim, Sibel and Wynn, Martin G (ORCID: https://orcid.org/0000-0001-7619-6079) (2025) Cybersecurity Strategy Development: Towards an Integrated Approach Based on COBIT and ISO 27000 Series Standards. Standards, 5 (4). art 033. doi: 10.3390/standards5040033

15650 Metin, B et al (2025) Cybersecurity Strategy Development - Towards an Integrated Approach Based on COBIT and ISO 27000 Series Standards.pdf - Published Version
Available under License Creative Commons Attribution 4.0.


Abstract

This article presents a practical guide for developing a cybersecurity strategy that integrates COBIT 2019 with the ISO/IEC 27000 series of standards. Although COBIT 2019 provides strong frameworks for IT strategy and governance, it does not specifically prescribe a cybersecurity strategy. This article addresses this gap in the strategy literature by building upon the ISO/IEC 27000 series, which is designed to be adaptable for organizations of all types and sizes, as well as being suitable for various regulatory and technological environments. First, a synthesis of COBIT 2019 and the ISO/IEC standards (particularly 27014, 27001, 27036, and 27701) identifies six key themes for a cybersecurity strategy. A more specific qualitative content analysis of ISO/IEC 27014 (which focuses on board-level information security governance) and COBIT 2019 (which outlines execution mechanics) confirms the validity of these themes with traceability at the clause and objective levels. To operationalize these themes, a three-step method is put forward: setting alignment objectives and scope; translating these into IT strategy decisions using COBIT governance and management objectives and practices; and establishing a cybersecurity strategy through ISO/IEC 27001. Additionally, ISO/IEC 27701 for privacy and ISO/IEC 27036 for supplier governance are incorporated where relevant. An illustrative example is provided using anonymized data from public sources, and the applicability and limitations of the research findings are discussed.

Item Type: Article
Article Type: Article
Uncontrolled Keywords: IT strategy; Cybersecurity strategy; Digitalization; Business objectives; IT governance; COBIT; Strategy alignment; ISO 27001; ISO 27014; ISO 27036; ISO 27701
Subjects: T Technology > T Technology (General)
Divisions: Schools and Research Institutes > School of Business, Computing and Social Sciences
Depositing User: Martin Wynn
Date Deposited: 12 Dec 2025 21:58
Last Modified: 15 Dec 2025 15:15
URI: https://eprints.glos.ac.uk/id/eprint/15650
