Review

A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0

by Juan Vicente Barraza de la Paz 1, Luis Alberto Rodríguez-Picón 1,*, Víctor Morales-Rocha 2 and Soledad Vianey Torres-Argüelles 1
1 Department of Industrial Engineering and Manufacturing, Autonomous University of Ciudad Juárez, Ciudad Juárez 32310, Chihuahua, Mexico
2 Department of Electrical Engineering and Computing, Autonomous University of Ciudad Juárez, Ciudad Juárez 32310, Chihuahua, Mexico
* Author to whom correspondence should be addressed.
Systems 2023, 11(5), 218; https://doi.org/10.3390/systems11050218
Submission received: 15 March 2023 / Revised: 21 April 2023 / Accepted: 21 April 2023 / Published: 25 April 2023
(This article belongs to the Special Issue Systems, Infrastructure, and Industry 5.0)

Abstract: The large amount of information handled by organizations has increased their dependence on information technologies, which has made information security management a complex task. This is mainly because it covers areas such as physical and environmental security, organizational structure, human resources, and the technologies used. Information security frameworks can reduce this complexity through the different documents that contain guidelines, standards, and requirements to establish the procedures, policies, and processes for every organization. However, the selection of an appropriate framework is by itself a critical and important task, as the framework must adapt to the characteristics of an organization. In this paper, a general vision of the newest versions of the NIST CSF, ISO/IEC 27001:2022, and MAGERIT frameworks is provided by comparing their characteristics in terms of their approaches to the identification, assessment, and treatment of risks. Furthermore, their key characteristics are analyzed and discussed, which should facilitate the consideration of any of these frameworks for the risk management of complex manufacturing organizations.

1. Introduction

A fundamental aspect of Industry 4.0 (I4.0) is the enhanced interconnectivity of networks that utilize the Internet of Things (IoT) and the Internet of Services (IoS) via cyber-physical systems. In this context, the IoT refers to physical devices that are equipped with microchips, software, sensors, and controllers that enable them to gather data. By contrast, the IoS is concerned with the transmission of data via the internet [1].
After I4.0, the European Commission introduced Industry 5.0 (I5.0) as a response to societal challenges, aiming to prioritize human values and contribute to society’s needs. I5.0 is a transition to a sustainable, resilient, and human-centric industry, respecting production limits and workers’ well-being [2]. The shift from Industry 4.0 to Industry 5.0 requires updating enabling technologies and creating new applications. This transition is essential for creating new value from a critical rethinking of human resources [3]. The I5.0 vision takes efficiency and productivity to the next level by putting the worker at the center of the production process and prioritizing sustainability.
The latest improvements in information and communication technologies have increased the use of I4.0 and I5.0. These developments have led to new cybersecurity risks that organizations need to tackle. Over the past few years, the number of cyberattacks has surged, and organizations are implementing measures to mitigate the damages caused by these attacks [4,5]. This, in turn, has made data management and security one of the key facilitators of their realization [6,7]. Indeed, this has created the need to research new concepts and methods that allow us to increase and optimize the level of information security [8]. Accordingly, authors such as Culot et al. [9] point to the need for information security systems that take a holistic approach to face the complex challenges of today.
Agrawal [10] discusses some of the reasons why organizations should classify information, among them the protection of confidential information, contractual compliance, compliance with regulations, and the acquisition of competitive advantages. On the other hand, Azmi [11] mentions that international organizations, countries, companies, and academic institutions have actively worked to develop cybersecurity frameworks to achieve cyber resilience. Dawson [12] defines cybersecurity frameworks as those that provide policies and procedures for the application and continuous management of information security controls, bringing together elements such as education, policies, and technologies, adapting to pre-established requirements and also controlling emerging requirements.
Lopes et al. [13] discuss how some of the advantages of implementing information security systems, such as ISO/IEC 27001, are the identification and elimination of threats and vulnerabilities, greater confidence among the interested parties, better awareness in terms of security, and an increase in the ability to anticipate, manage, and survive a catastrophe. This guarantees business continuity, reducing the costs associated with inadequate security and ensuring compliance with current legislation. On the other hand, Cockcroft and Ferruzola et al. [14,15] mention that the implementation of a cybersecurity framework can be seen as an advantage when it comes to integrating business and cybersecurity risk management, these being validated by top management, thereby maintaining an updated understanding of the cybersecurity risk.
The selection of cybersecurity frameworks for complex manufacturing organizations should be made after carefully considering several factors. This is primarily because complex manufacturing organizations require a comprehensive approach to risk management that takes into account both structured and unstructured data. Additionally, the selected frameworks must have demonstrated their effectiveness in similar contexts and have gained industry recognition as best practices. This paper provides a systematic review of cybersecurity frameworks, such as ISO/IEC 27001:2022, NIST CSF, and MAGERIT, with a focus on their risk management methodologies. By comparing and contrasting the key characteristics and proposed controls of these frameworks, this study aims to answer the following research question: “What are the key characteristics and differences between the risk management methodologies of the ISO/IEC 27001:2022, NIST CSF, and MAGERIT frameworks, and how can they be applied effectively in complex organizations in I4.0 and I5.0?” This review aims to provide insights into how the ISO/IEC 27001:2022, NIST CSF, and MAGERIT frameworks can be applied effectively in complex organizations in I4.0 and I5.0. By analyzing their strengths and weaknesses, this paper offers a comprehensive understanding of the advantages and disadvantages of each framework in terms of their risk management strategies. The results of this study will be useful for organizations seeking to implement effective risk management strategies that consider the unique challenges posed by the enhanced interconnectivity of networks utilizing IoT and IoS via cyber-physical systems.
The rest of the manuscript is organized as follows. In Section 2, a literature review is presented where an analysis of published works is provided to denote the increase in publications related to cybersecurity frameworks. In Section 3, a comparison of the security management frameworks is presented based on the ISO/IEC 27001:2022, NIST CSF and MAGERIT frameworks. In Section 4, a comparison is provided of the risk management strategies, which covers the identification, assessment, treatment, and control of risks in these three frameworks. In Section 5, a discussion about the characteristics of the three considered frameworks is presented. Finally, in Section 6, the conclusions are given.

2. Literature Review

The emergence of Industry 4.0 and its associated technologies has resulted in new risks for organizations [16]. Given this, organizations are dealing with a rise in cyber threats and the associated costs related to information security. For instance, the number of attacks on IoT devices has grown considerably [17]. However, Griffy et al. [18] argue that these problems are never tackled in isolation in the business world, and hence, it is crucial to take a wider perspective given the agility that more and more companies adopt.
According to Falivene and Tucker [19], it is crucial to identify cybersecurity frameworks that go beyond a mere checklist of best practices and avoid those that make even expert-level tasks more complicated. Azmi [11], therefore, aims to integrate different viewpoints on cybersecurity frameworks by using descriptive and pattern coding to create a brief version that covers the action encouraged, the framework’s driver, environment, and intended audience. Additionally, cybersecurity could be addressed by focusing on the five pillars, which include human, organizational, infrastructure, technology, and legal and regulatory aspects.
Tatiara et al. [20] study the factors that impede the adoption of information management systems and find that success depends on the involvement of all parties in the implementation process. They recommend involving top management, regularly communicating employee policies, conducting periodic reviews of the implementation of Information Security Management Systems (ISMS), keeping employees informed of any improvements, clearly communicating roles, responsibilities, and authorities related to ISMS to employees on a regular basis, developing work programs for the implementation of information security systems and distributing them to staff, and frequently announcing information security policies and objectives to employees.
Information security management frameworks enable the inclusion or combination of various processes within their context to meet the requirements of the organizational context. They provide specific taxonomies for categorizing risks, enabling organizations to modify, retain, avoid or share risks as per their needs [21].

Research Methodology

Cybersecurity frameworks are inherently complex and can be analyzed from various research perspectives. In order to mitigate this complexity, we have opted for a systematic approach in our literature review, guided by the methodological recommendations of Tranfield et al., Xiao et al., and Lame et al. [22,23,24] as follows:
  • The research was carried out in two parts. Firstly, the data were obtained from “Google Scholar”.
  • Initially, we used the keyword “Cybersecurity Frameworks” to identify the most common cybersecurity frameworks.
  • Date range: from the first publication of 2018 to March 2023.
  • Document type: “Article and Review”.
The search yielded 101 articles, among which the most mentioned frameworks were NIST CSF and ISO/IEC 27001.
In the second part of the research, the keywords “NIST CSF” and “ISO/IEC 27001” were searched in the “Scopus”, “IEEE”, and “Google Scholar” databases. Additionally, the keyword “MAGERIT” was included to identify the scope and limitations of this methodology, which is being used in Spain and Latin America. The same date range and criteria were used for the reviewed articles, resulting in 13,359 articles. Articles without peer review were excluded and the articles were screened for duplicates, reducing the number to 498 articles. Of these, 30 were not written in English or Spanish, leaving 468 articles. Another screening of the titles, keywords, and abstracts was performed, resulting in the selection of 94 articles. Finally, articles irrelevant to the main topic and those that did not cover the frameworks under review were eliminated, resulting in 50 articles. The entire process is illustrated in Figure 1 using the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) diagram.
Figure 2 shows a steady increase in the number of articles published each year from 2018 to 2023. In 2018, there were 60 articles published, while in 2019, the number of articles increased to 72. In 2020, there was a significant increase in the number of articles, with 95 articles being published. This trend continued in 2021, with a further increase to 102 articles, followed by 112 in 2022.
As of March 2023, there were already 27 articles published, indicating that the trend is expected to continue. It is important to note that the graph only shows the number of articles published in the range of 2018–2023 and does not include any articles published before or after this period.
Overall, the graph shows a significant increase in the number of publications in the field of cybersecurity frameworks such as NIST CSF, ISO/IEC 27001 and MAGERIT, indicating the growing interest in and importance of this field in recent years.
Table 1 provides an exhaustive list of the most significant documents in the literature, carefully selected based on the criteria outlined earlier. The documents have been rigorously analyzed and classified into four distinct categories to enable ease of access and comprehension for the reader.
These categories are as follows:
  • Literature review: This category comprises comprehensive literature reviews, encompassing both qualitative and quantitative studies, which provide a broad understanding of the current state of knowledge on a particular topic.
  • Comparison of methodologies: This category includes studies that compare and contrast different research methodologies, highlighting the strengths and weaknesses of each approach.
  • Case studies: This category comprises in-depth analyses of specific cases, providing a detailed understanding of the subject matter in question and offering insights that may be applicable to similar situations.
  • Implementation guides: This category includes practical guides that provide step-by-step instructions on how to implement specific methodologies or approaches in practice, highlighting potential challenges and offering advice on how to overcome them.
In summary, Table 1 presented herein aims to serve as a valuable resource for researchers and practitioners alike, providing a comprehensive overview of the most relevant documents in the literature and enabling the identification of useful information and insights for their respective areas of interest.
The importance of information security management frameworks is increasing due to the rising number of threats to sensitive data. Organizations are advised to combine the best practices of various frameworks to create a comprehensive security framework suitable for their unique needs and resources. Lopes (2019) and Diamantopoulou (2020) [13,45] highlight that organizations that already have an ISMS in place do not require a duplication of effort to meet the General Data Protection Regulation (GDPR) requirements. Mylrea (2018) [50] suggests that organizations with mature, proactive insider threat programs are better positioned to identify, detect, and mitigate these threats.
The commonly used frameworks include NIST CSF, ISO/IEC 27001:2022 [52], and MAGERIT [53], the latter of which is gaining acceptance in Latin America due to its easy language and risk management process based on ISO/IEC 31000 [40,47]. The following section will compare these frameworks to help organizations select the most appropriate one for their needs.

3. A Comparison of Information Security Management Frameworks

As risk management continues to gain importance within organizations, it is recommended to combine the best practices of various frameworks rather than choosing one over another [35]. This approach can result in a more comprehensive security framework that is tailored to the organization and its available resources. Information security methodologies are critical for safeguarding an organization’s sensitive data and information. These methodologies include a set of processes and techniques to identify, assess, and mitigate information security risks. Among the most commonly used are the NIST CSF, ISO/IEC 27001:2022, and MAGERIT.
The NIST CSF uses a universal and comprehensible language that adjusts to diverse technologies, sectors, and purposes. It is based on risk and global standards, and it was created from various perspectives of the private, academic, and public sectors. The framework includes five functions: Identify, Protect, Detect, Respond, and Recover. Figure 3 illustrates the functions that depict the desired results using clear and easily comprehensible language, thus rendering it relevant to all forms of risk management.
ISO/IEC 27001:2022 outlines the necessary requirements to implement and sustain an ISMS tailored to the unique needs of each organization. The primary objective of this system is to maintain the confidentiality, integrity, and availability (CIA) of information, prevent security breaches, and guarantee business continuity. ISO/IEC 27001:2022 is certifiable, and certificates are typically valid for three years. Figure 4 illustrates all the sections of ISO/IEC 27001:2022.
Longras et al. [48] conclude that the implementation and certification of ISO/IEC 27001 can be challenging due to various factors, such as the financial cost, lack of implementation examples, difficulty in defining scope, setbacks in the interpretation of the standard and documentation, resistance to change, and allocating roles or tasks to different employees. Implementing an ISMS requires significant effort and changes in the organization’s activity, and organizations must put in place a set of policies to comply with legal requirements. However, the benefits of certification include increased compliance with legal requirements, improved customer and competitive advantages, greater effectiveness, and efficient investments to reduce security incidents [48].
The MAGERIT methodology is freely accessible and can be used without permission. It is especially useful for organizations that fall under the National Security Scheme (ENS), as it helps them comply with risk management and analysis principles. MAGERIT is also beneficial for entities that rely heavily on information technologies to achieve their organizational goals and objectives. The methodology is composed of three books that cover the method, the catalog of elements, and the technical guidelines.
MAGERIT aligns with the ISO 31000 terminology and focuses on implementing the “Risk Management Process”. It also provides a working framework for governing bodies to make informed decisions by considering the risks associated with the use of information technologies.
The objective of Table 2 is to compare the NIST CSF 1.1, ISO/IEC 27001:2022, and MAGERIT v.3 methodologies. The comparison categories were determined based on recommendations from articles such as [54,55] as well as the main components of each of the frameworks in order to outline their key characteristics, similarities, and differences. First, it can be noted that the ISO/IEC 27001:2022 framework has the most recent update, in August 2022, while NIST CSF 1.0 was initially produced in 2014, updated in 2018 to NIST CSF 1.1, and is currently being updated in an open manner with input from various sectors. The latest update, NIST CSF 2.0, is still at the concept-paper stage and is expected to be implemented by winter 2024, depending on the community’s needs, while MAGERIT v.3 has not been updated since October 2012. The structures of the three frameworks are configured differently. ISO/IEC 27001:2022 consists of 11 sections, of which 0 to 3 are optional, and includes Annex A, which outlines potential controls that may be used depending on the organization. MAGERIT’s structure is more similar to ISO/IEC 27001:2022, as it shares the ISO 31000 risk management structure and approaches security risk management holistically. This approach promotes adaptability, goal orientation, multi-stakeholder involvement, and continuous improvement through a systemic approach. By contrast, NIST is based on five interconnected functions that help organizations comprehend security risks, safeguard their systems and data, detect threats, respond to incidents effectively, and recover from them.
The NIST CSF, ISO/IEC 27001:2022, and MAGERIT cybersecurity frameworks are built upon the foundation of risk management. This pivotal process entails identifying, evaluating, and minimizing risks to uphold an acceptable level. In the domain of risk management, ISO/IEC 31000 functions as a fundamental reference. In the next section, we will expound upon some significant concepts associated with risk management, along with the methodologies employed by the aforementioned cybersecurity frameworks.

4. Risk Management Methodologies

Risk management is an essential process that involves the ongoing identification, assessment, and mitigation of risks to maintain an acceptable level. It is a broad term that encompasses risk assessment as one of its components. Risk management involves the development, implementation, and monitoring of strategies to mitigate or transfer risks to an acceptable level. ISO/IEC 31000 serves as a fundamental reference when discussing risk management. This document defines risk management as a coordinated effort to monitor and regulate the relationship with risks. In this sense, risk is defined as the result of uncertainty regarding objectives, which can have positive or negative consequences and can manifest as opportunities or threats [56]. Objectives may vary in their type and category, and risk management can be conducted at various levels. Risk management ought to be an integrated process within an organization’s overall management rather than a separate or isolated activity. This integration ensures that risk management becomes a standard practice and is conducted consistently and effectively [57].
Risk management models differ in their form and structure, although most models adhere to a systematic approach that includes policies, procedures, and practices for communication and consultation activities. This approach also entails a risk assessment process consisting of preparation, evaluation of risk factors, assessment or determination of risk, and control or treatment of the risk [58]. Risk management involves comprehending the characteristics of a risk, including identifying when it is acceptable to take that risk. This procedure involves evaluating multiple elements, such as chance, potential risk sources, results, likelihoods, circumstances, scenarios, and the efficiency of preventive measures [57].
The main purpose of conducting risk management is to assist in decision making. This entails evaluating choices against predetermined risk standards to determine if additional measures are necessary. Possible actions could be taking no action, considering options to address the risk, conducting an additional analysis, maintaining existing safeguards, or reassessing established goals. It is also crucial to document, share, and verify the outcomes of the risk assessment to guarantee that well-informed choices are taken and risks are effectively controlled [57].
When addressing risk, a process of selecting and executing solutions is employed, involving multiple cycles that must include formulating and selecting options, planning and implementing actions, evaluating their effectiveness, determining the acceptability of the risk, and, if it is not accepted, undertaking additional treatments [57]. In Section 4.1, Section 4.2 and Section 4.3, we present some of the key features of the risk management methodologies used by ISO/IEC 27001:2022 (ISO/IEC 27005), NIST CSF (NIST SP 800-30, NIST SP 800-37, NIST SP 800-39), and MAGERIT. In Section 4.4 and its subsections, we compare the risk management processes of these methodologies.

4.1. ISO/IEC 27005:2022

ISO/IEC 27001 recommends that organizations establish a risk management process that is appropriate for their context, implement controls to mitigate the identified risks, and continually monitor and review the effectiveness of these controls. ISO/IEC 27005:2022 provides a guide to risk management and offers a systematic and structured approach to managing risk and establishing and maintaining an effective risk management program. This document is titled “Guidance on Information Security Risk Management for Information Security, Cybersecurity, and Privacy Protection.” Its purpose is to offer advice that assists organizations in the following:
  • Fulfilling the actions required by ISO/IEC 27001:2022 to address information security risks.
  • Carrying out ISMS activities, particularly evaluating and assessing information security.
This document, which is now in its fourth edition under the name ISO/IEC 27005:2022, applies to all organizations regardless of their industry, size, or type. The primary modifications made to this edition compared to the 2018 third edition are that it is structured to align with ISO/IEC 27001:2022, employs terminology from ISO 31000:2018, introduces the concept of risk scenarios, presents a comparison of the event-based and asset-based approaches to risk identification, and consolidates the annexes into a single one. It offers advice on fulfilling the ISO/IEC 27001 requirements and provides actions to address information security risks, detailed guidance on risk management, and instructions on applying the ISO 31000 risk management guidelines in the context of information security. It can also be used by individuals involved in information security risk management or by organizations seeking to improve their information security risk management process. Its main aim is to assist organizations in safeguarding their valuable information assets, such as confidential and sensitive data.
Figure 5 illustrates the ISO/IEC 27005:2022 process, which is carried out by following these steps:
  • Establishing the context, which includes identifying and defining the scope, determining the criteria for risk acceptance, and identifying any legal, regulatory, or contractual requirements.
  • Conducting a risk assessment, which includes the following:
    • Identifying risks: the risks that could affect the CIA of the information assets.
    • Analyzing risks: assessing the likelihood and impact of the risks based on the identified threats, vulnerabilities, and existing controls.
    • Evaluating risks: comparing the assessed risks with the established risk criteria, which include the risk appetite and the risk tolerance of the organization.
  • Treating the identified risks iteratively: implementing controls or taking other actions to reduce the likelihood or impact of the risk.
  • Implementing risk management processes: establishing communication channels, and monitoring and reviewing the risk management process.
  • Utilizing management system processes: integrating the risk management process with other management systems, such as quality or environmental management.
  • Documenting information: recording all relevant information, such as risk assessments, treatment plans, and management system processes.
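As an added illustration (not code from the paper or from ISO/IEC 27005), the following Python script walks a constructed risk register through the context, identification, analysis, and evaluation steps listed above and reports which of the four treatment options (modify, retain, avoid, share) remain open for each risk. The five-level likelihood and impact scales, the rule that each existing control lowers likelihood by one level, and the appetite/tolerance thresholds are assumptions of this example, since the standard leaves these choices to the organization.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Five-level ordinal scales. ISO/IEC 27005 leaves the scales and the risk
# criteria to the organization, so these values are assumptions of this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Context:
    """Step 1 (establish the context): scope and risk acceptance criteria."""
    scope: str
    risk_appetite: int    # scores at or below this are accepted without treatment
    risk_tolerance: int   # scores above this cannot be retained; treatment is mandatory


@dataclass
class Asset:
    """An information asset rated for the impact of losing each CIA property."""
    name: str
    impact: Dict[str, str]   # keys "C", "I", "A" -> an IMPACT level


@dataclass
class Risk:
    """Step 2a (identify): a threat exploiting a vulnerability of an asset."""
    asset: Asset
    threat: str
    vulnerability: str
    affected: str                  # the CIA property the scenario degrades
    likelihood: str                # likelihood before existing controls
    existing_controls: List[str] = field(default_factory=list)


@dataclass
class Result:
    risk: Risk
    likelihood: int
    impact: int
    score: int
    level: str           # "acceptable", "tolerable" or "unacceptable"
    options: List[str]   # treatment options still open under the criteria


def analyse(risk: Risk) -> Tuple[int, int, int]:
    """Step 2b (analyse): likelihood x impact with existing controls taken into
    account. Assumption: each existing control lowers likelihood by one level,
    never below 'rare'."""
    likelihood = max(1, LIKELIHOOD[risk.likelihood] - len(risk.existing_controls))
    impact = IMPACT[risk.asset.impact[risk.affected]]
    return likelihood, impact, likelihood * impact


def evaluate(score: int, ctx: Context) -> Tuple[str, List[str]]:
    """Step 2c (evaluate): compare the score with the risk appetite and
    tolerance, and report which treatment options remain open."""
    if score <= ctx.risk_appetite:
        return "acceptable", ["retain"]
    if score <= ctx.risk_tolerance:
        # retaining is still possible but needs a documented management decision
        return "tolerable", ["modify", "share", "retain"]
    return "unacceptable", ["modify", "share", "avoid"]


def assess(register: List[Risk], ctx: Context) -> List[Result]:
    """Analyse and evaluate every register entry, highest score first, so that
    the iterative treatment step starts with the risks breaching tolerance."""
    results = []
    for r in register:
        lik, imp, score = analyse(r)
        level, options = evaluate(score, ctx)
        results.append(Result(r, lik, imp, score, level, options))
    return sorted(results, key=lambda x: x.score, reverse=True)


# Constructed sample register for a small plant; the assets, threats and
# ratings are illustrative, not taken from the paper.
MES = Asset("MES database", {"C": "major", "I": "severe", "A": "major"})
HMI = Asset("Line 3 HMI", {"C": "minor", "I": "severe", "A": "major"})
WIKI = Asset("Internal wiki", {"C": "moderate", "I": "minor", "A": "negligible"})

REGISTER = [
    Risk(MES, "ransomware delivered by phishing", "no attachment filtering", "A",
         "likely", existing_controls=["offline backups"]),
    Risk(HMI, "unauthorised setpoint change", "flat IT/OT network", "I", "possible"),
    Risk(WIKI, "credential theft", "no multi-factor authentication", "C",
         "possible", existing_controls=["password policy", "VPN-only access"]),
]
CONTEXT = Context("plant IT/OT information systems", risk_appetite=4, risk_tolerance=12)

if __name__ == "__main__":
    for res in assess(REGISTER, CONTEXT):
        print(f"{res.risk.asset.name:15} {res.risk.threat:32} L={res.likelihood} "
              f"I={res.impact} score={res.score:2} {res.level:12} {'/'.join(res.options)}")
```

With the constructed register, the HMI integrity scenario (score 15) exceeds tolerance and cannot be retained, the MES availability scenario (12) sits inside tolerance, and the wiki scenario (3) falls within appetite, which is the ordering the treatment step would then work through.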

4.2. NIST SP 800-30, NIST SP 800-37 and NIST SP 800-39

NIST CSF incorporates risk assessment as part of its cybersecurity implementation process, although it does not specify a particular risk management methodology. In addition to the CSF, NIST has released several publications, such as NIST SP 800-30, NIST SP 800-37, and NIST SP 800-39, that address several aspects of risk management.
NIST SP 800-30 provides guidance for conducting information security risk assessments, including identifying assets, threats, and vulnerabilities, and determining the likelihood and impact of risks. NIST SP 800-30 focuses on identifying and assessing risks to information systems and how those risks may impact the organization. The last version of NIST SP 800-30, Rev. 1, was published in July 2012 [60].
NIST SP 800-37 offers a detailed description of the risk management framework (RMF) and provides guidance on how to apply it to information systems and organizations. The RMF is a rigorous and adaptable process for managing security and privacy risks, encompassing the categorization of information security, the selection of appropriate controls, their implementation and evaluation, the authorization of system and common controls, and continuous monitoring. The focus of NIST SP 800-37 is on the implementation of the RMF and how risks can be effectively managed throughout the entire information system life cycle. The latest version of NIST SP 800-37, Rev. 2, was published in December 2018 [51].
NIST SP 800-39 provides guidelines for enterprise-wide IT risk management. This publication focuses on organization-wide IT risk management, including the assessment and management of IT risks that may impact the organization as a whole. NIST SP 800-39 also includes the management of IT risks related to external vendors and third parties, as well as the management of information security incidents. The last version of NIST SP 800-39, Rev. 2, was published in November 2019. Figure 6 provides a short description of the steps involved in implementing NIST SP 800-39 [61].

4.3. MAGERIT

The CSAE (Consejo Superior de Administración Electrónica) created and advocates for MAGERIT, recognizing the growing significance of information systems for both public administration and society as a whole in achieving their goals. Robust security measures must be implemented to manage these systems and maintain the confidence of service users.
The objective of MAGERIT is to raise awareness among organizations about the need to manage risks systematically, with the aim of keeping them under control and preparing for evaluation, audit, certification, or accreditation processes. The methodology aims to ensure uniformity in the reports that include the findings and conclusions of the risk analysis and management activities. Ultimately, MAGERIT aims to implement security measures that support the confidence of users of services.
The methodology is composed of three main stages, which are as follows:
  • Needs analysis and feasibility study: This phase involves defining the scope of the risk analysis and conducting a feasibility assessment of risk management using the MAGERIT methodology.
  • Risk analysis: During this stage, the organization’s information assets are identified and evaluated for associated information security risks. The identification of assets, threats, vulnerabilities, and potential impacts is included, as well as the assessment of the likelihood and impact of the risks.
  • Risk management: In this stage, plans for managing risks are developed and implemented to address the risks identified during the analysis phase. Risk management plans may include implementing information security controls, accepting risks, transferring risks, or mitigating risks through protective measures.
MAGERIT employs various risk assessment methods, including threat and vulnerability analysis, impact analysis, and business risk analysis, to evaluate information security risks. The approach also highlights the significance of efficient communication and cooperation among different stakeholders within the organization during the risk management process.
After analyzing the ISO/IEC 27001, NIST CSF, and MAGERIT standards, it is evident that effective risk management is a critical component of a robust information security program. In summary, risk management is the process of identifying, assessing, and prioritizing risks and implementing strategies to mitigate or eliminate those risks. It involves identifying potential threats, vulnerabilities, and assets at risk, assessing the likelihood and potential impact of each risk, and developing and implementing controls to manage or eliminate them.

4.4. Risk Management Process Comparison

By using a risk management approach, organizations can prioritize their security efforts and focus on the most critical areas. The risk management process should be an ongoing, iterative process that adapts to changing threats and business needs. Overall, it is a vital part of any organization’s security program. The goal of risk management is to develop and implement strategies that reduce the likelihood and impact of identified risks. Section 4.4.1, Section 4.4.2 and Section 4.4.3 elaborate on how NIST CSF, ISO/IEC 27001:2022 and MAGERIT undertake these processes by highlighting the similarities and differences among them concerning the identification of risks, risk assessment, and treatment and control.

4.4.1. Identifying Potential Risks

To safeguard information security in any organization, it is crucial to identify potential risks. The ISO/IEC 27001:2022, NIST 800-39, and MAGERIT methodologies employ a series of procedures to achieve this goal. Table 3 summarizes the key steps involved in risk identification. These steps involve comprehending the context, recognizing critical processes and assets, identifying possible threats and vulnerabilities, evaluating the probability and impact of risks, prioritizing them, and devising response plans.
ISO/IEC 27001:2022, NIST CSF, and MAGERIT provide guidance on risk identification and management, with ISO/IEC 27001:2022 focusing on identifying risks to the CIA of information, NIST CSF focusing on identifying risks to critical infrastructure and information systems, and MAGERIT focusing on identifying, assessing, and prioritizing risks to information systems, including identifying potential attackers or actors responsible for an attack. The frameworks suggest various techniques and methodologies, such as threat catalogs or analysis techniques, including SWOT (Strengths, Weaknesses, Opportunities, and Threats) or FMEA (Failure Mode and Effect Analysis), the NIST SP 800-30, NIST SP 800-37 or NIST SP 800-39 documents, and the MAGERIT methodology, to help identify relevant risks and vulnerabilities.
Even though the procedures listed in the table may seem similar, they must be tailored to suit the complexity and extent of the information security system in question. Furthermore, they must be continuously maintained as an ongoing process to ensure that risks are accurately identified and addressed.

4.4.2. Risk Assessment

Risk assessment is the process of identifying, analyzing, and evaluating risks to determine the likelihood and potential impact of those risks. The main goal of risk assessment is to identify potential risks and provide information that can be used to make informed decisions about how to manage those risks [62].
Risk assessment processes commonly utilize qualitative assessment methods, which rely on subjective understanding and evaluation of risks. However, the results obtained from these methods may be somewhat subjective. By contrast, quantitative methods employ specific risk indicators, resulting in more objective and reasonable outcomes based on numerical data and statistics. Hybrid methods exist that combine aspects of both the qualitative and quantitative approaches, effectively addressing the complexity of risk assessment. These methods have also been expanded to handle uncertainty factors and evaluate safety risks in financial terms [58,63].
In this phase, the likely impact of every potential threat on each recognized asset is assessed, taking into account the CIA and non-repudiation of the information. Although this assessment is not typically carried out as a separate step of the risk assessment process, it can be inferred from the security measures implemented to safeguard the CIA of the information. The latter remains a crucial aspect, even though it is not evaluated directly in the risk assessment.
Risk assessment is founded on threat assessment, which involves identifying potential vulnerabilities and the ways in which they could be exploited. A threat vector refers to the path taken by an attacker to target the system. Threat sources are categorized into four types—adversarial, accidental, structural, and environmental—each of which can be either internal or external.
  • Adversarial threats originate from individuals, groups, organizations, or nations.
  • Accidental threats refer to unintentional actions.
  • Structural threats are caused by equipment or software failures.
  • Environmental threats arise from external disasters, which can be either natural or human-made, such as fires and floods.
Organizations evaluate and regularly monitor their operational risks through risk assessments to ensure that their risk management aligns with their business goals.
  • Assessing the likelihood of an attack originating from a human threat source can be challenging and may involve evaluating factors such as skill level, motive, opportunity, and size.
  • Vulnerability assessment, on the other hand, takes into account several factors, such as exploitability, ease of detection, intrusion detection, and awareness. A combination of historical and estimated data should be used to provide the most accurate probability of an event occurring.
  • The magnitude of impact should be determined, which can be classified on a scale ranging from very low to very high or negligible to catastrophic impact.
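As an added illustration, not code from the paper or from MAGERIT, NIST or ISO, the following Python script carries the MAGERIT risk analysis stage described earlier (asset valuation, threats, likelihood, impact) and the assessment steps listed above through to a treatment decision. The four threat-source types, the threat-agent factors (skill level, motive, opportunity, size), the vulnerability factors (exploitability, ease of detection, intrusion detection, awareness), the combination of historical and estimated data, and the five-point "very low" to "very high" impact scale come from the text; the scoring rules, the 5x5 risk matrix bands, the treatment policy and the sample MES register are assumptions made for the example.

```python
"""Constructed qualitative risk assessment: factors -> likelihood, CIA value -> impact,
5x5 matrix -> risk level -> treatment option.  Scoring rules are illustrative assumptions."""
import math
from dataclasses import dataclass, field
from enum import IntEnum
from statistics import mean
from typing import Dict, List, Optional


class Level(IntEnum):
    """Five-point ordinal scale shared by likelihood, impact and risk."""
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


THREAT_SOURCES = ("adversarial", "accidental", "structural", "environmental")
HUMAN_SOURCES = ("adversarial", "accidental")
# Factor names from the text; every factor is scored 1..5 so that higher always means "more likely".
THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("exploitability", "ease_of_detection", "intrusion_detection", "awareness")
# Assumed treatment policy mapping each risk level to one of the options named in the text.
TREATMENT_POLICY = {Level.VERY_LOW: "accept", Level.LOW: "accept", Level.MODERATE: "mitigate",
                    Level.HIGH: "mitigate", Level.VERY_HIGH: "mitigate and transfer residual risk"}


def _to_level(x: float) -> Level:
    """Round half-up onto the 1..5 scale."""
    return Level(max(1, min(5, math.floor(x + 0.5))))


def _check_factors(values: Dict[str, int], expected: tuple, label: str) -> None:
    if set(values) != set(expected):
        raise ValueError(f"{label} factors must be exactly {expected}")
    if any(not 1 <= v <= 5 for v in values.values()):
        raise ValueError(f"{label} factors must be scored 1..5")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: Level
    integrity: Level
    availability: Level

    def value(self) -> Level:
        # The asset is worth as much as its most demanding CIA requirement.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    description: str
    source: str                                           # one of THREAT_SOURCES
    internal: bool                                        # internal or external origin
    vulnerability: Dict[str, int]                         # VULNERABILITY_FACTORS -> 1..5
    agent: Dict[str, int] = field(default_factory=dict)   # THREAT_AGENT_FACTORS, human sources only
    historical_rate: Optional[float] = None               # observed events per year, if known

    def __post_init__(self) -> None:
        if self.source not in THREAT_SOURCES:
            raise ValueError(f"unknown threat source: {self.source}")
        _check_factors(self.vulnerability, VULNERABILITY_FACTORS, "vulnerability")
        if self.source in HUMAN_SOURCES:
            _check_factors(self.agent, THREAT_AGENT_FACTORS, "threat agent")
        elif self.agent:
            raise ValueError("agent factors apply only to adversarial or accidental sources")


def historical_likelihood(rate_per_year: float) -> Level:
    """Assumed order-of-magnitude mapping from observed frequency onto the scale."""
    for threshold, level in ((1.0, Level.VERY_HIGH), (0.1, Level.HIGH),
                             (0.01, Level.MODERATE), (0.001, Level.LOW)):
        if rate_per_year >= threshold:
            return level
    return Level.VERY_LOW


def likelihood(threat: Threat) -> Level:
    """Factor-based estimate, averaged with historical data when any exists."""
    groups = [mean(threat.vulnerability.values())]
    if threat.agent:                      # non-human sources have no agent factors
        groups.append(mean(threat.agent.values()))
    estimated = _to_level(mean(groups))
    if threat.historical_rate is None:
        return estimated
    return _to_level((estimated + historical_likelihood(threat.historical_rate)) / 2)


def impact(asset: Asset, degradation: float) -> Level:
    """Magnitude of impact: asset value scaled by the fraction the threat would destroy (rounded up)."""
    if not 0.0 < degradation <= 1.0:
        raise ValueError("degradation must be in (0, 1]")
    return Level(max(1, math.ceil(asset.value() * degradation)))


def risk_level(lik: Level, imp: Level) -> Level:
    """5x5 matrix: band the likelihood x impact product onto the scale (assumed bands)."""
    score = lik * imp
    for limit, level in ((2, Level.VERY_LOW), (6, Level.LOW), (12, Level.MODERATE), (19, Level.HIGH)):
        if score <= limit:
            return level
    return Level.VERY_HIGH


def assess(asset: Asset, threat: Threat, degradation: float) -> dict:
    lik, imp = likelihood(threat), impact(asset, degradation)
    risk = risk_level(lik, imp)
    return {"asset": asset.name, "threat": threat.description, "likelihood": lik,
            "impact": imp, "risk": risk, "treatment": TREATMENT_POLICY[risk]}


def prioritize(entries: List[dict]) -> List[dict]:
    """Order the register so the most critical risks are treated first."""
    return sorted(entries, key=lambda e: (e["risk"], e["impact"], e["likelihood"]), reverse=True)


# Constructed sample register for a manufacturing execution system (MES) server.
MES = Asset("MES server", Level.HIGH, Level.VERY_HIGH, Level.VERY_HIGH)
SAMPLE_THREATS = [  # (threat, fraction of the asset's value degraded if it materializes)
    (Threat("Ransomware reaching the server via a phishing email", "adversarial", False,
            {"exploitability": 4, "ease_of_detection": 3, "intrusion_detection": 4, "awareness": 3},
            {"skill_level": 3, "motive": 5, "opportunity": 4, "size": 4}, historical_rate=0.05), 1.0),
    (Threat("Disk array failure", "structural", True,
            {"exploitability": 2, "ease_of_detection": 1, "intrusion_detection": 1, "awareness": 2},
            historical_rate=0.2), 0.5),
    (Threat("Regional power outage longer than UPS autonomy", "environmental", False,
            {"exploitability": 2, "ease_of_detection": 1, "intrusion_detection": 1, "awareness": 2},
            historical_rate=0.5), 0.25),
]


def sample_register() -> List[dict]:
    return prioritize([assess(MES, t, d) for t, d in SAMPLE_THREATS])


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['risk'].name:9} {row['treatment']:36} {row['threat']}")
```

Running the script prints the register ordered by risk level, with the ransomware scenario rated very high (likelihood high, impact very high), the disk failure moderate, and the power outage low. The constructor rejects incomplete or out-of-range factor scores and agent factors attached to non-human sources, which is the kind of consistency check that keeps a register comparable across assessors; the thresholds themselves are the part an organization would tailor to its own scale.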

4.4.3. Treatment and Control

The ISO/IEC 27001:2022 and MAGERIT guidelines emphasize that the selection of a control must be based on the results and conclusions derived from the risk analysis and assessment process. Figure 7 shows the control measures, which are categorized by family in each of the standards. ISO/IEC 27001:2022 classifies them into four categories, while NIST 800-53 Rev. 5 has 20 categories, and MAGERIT has 16 categories, which are quite similar to those of NIST, with minor variations in the naming conventions of the categories. The figure shows a short description of these categories per family.

5. Discussion

Risk management is an indispensable process for maintaining information security in any organization. There are several methodologies available for conducting risk management, each with its own unique approach and characteristics. This section aims to highlight the distinctions between three frameworks, ISO/IEC 27001:2022, NIST CSF and MAGERIT, and provide recommendations for selecting a specific approach based on particular circumstances.
ISO/IEC 27001:2022 is centered on information security management and prioritizes the identification of information assets, evaluation of the associated risks, and implementation of relevant control measures. One of the advantages of ISO/IEC 27001:2022 is its structured and process-oriented approach, which facilitates effective and efficient information security management. However, the implementation of ISO/IEC 27001:2022 can be expensive and demands significant investments in terms of time and resources. When it comes to the IoT and IoS, ISO/IEC 27001 can be used to ensure the CIA of data exchanged through these systems. The standard can also be used to manage risks associated with the use of IoT and IoS devices in an organization’s network.
The NIST CSF functions are presented in a user-friendly language that can be applied to various types of risk management. The framework is self-assessing and offers flexibility in the selection of a risk management methodology. Organizations can choose from among NIST’s publications, such as NIST SP 800-30 for information security risk assessment, NIST SP 800-37 for the implementation of the information security risk management framework, and NIST SP 800-39 for enterprise-wide IT risk management. Alternatively, they can select any other methodology that meets their specific requirements. NIST CSF can be applied to the IoT and IoS to help organizations identify and manage the cybersecurity risks associated with these systems. For example, the Identify function can help organizations understand the types of IoT and IoS devices used in their networks, while the Protect function can help organizations secure these devices and the data they transmit.
MAGERIT, developed by the Spanish government, concentrates on managing information security risks in the public sector through a life cycle approach that covers identifying assets, threats, vulnerabilities, and risks, selecting security measures, implementing controls, and continually monitoring them. Its strength lies in its all-encompassing approach, which enables a thorough and methodical assessment of information security risks. Nonetheless, the MAGERIT approach may be too intricate for smaller and less complex organizations. MAGERIT can be used to manage risks associated with the IoT and IoS by identifying the assets, threats, vulnerabilities, and impacts of these systems. The framework can also be used to select appropriate controls to manage the risks associated with IoT and IoS devices.
The NIST CSF, ISO/IEC 27001, and MAGERIT frameworks can be applied to the IoT in a similar manner as they are applied to other information systems. However, there are some specific considerations that need to be taken into account when applying these frameworks to the IoT. Some of these considerations are as follows:
  • Scalability: IoT systems can have a large number of devices, which can make it difficult to scale the application of these frameworks.
  • Diversity of devices: IoT devices come in different shapes, sizes, and functionalities. This can make it challenging to identify and classify all the risks associated with these devices.
  • Real-time nature: Many IoT systems operate in real time, which can make it difficult to implement some of the risk management processes outlined in these frameworks.
  • Data privacy: IoT devices generate a lot of data, and these data can be sensitive. Therefore, privacy and security considerations should be given a higher priority in IoT systems.
Despite these challenges, the frameworks can be applied to the IoT by adapting their application to the specific requirements of these systems. For example, risk assessments should be conducted regularly to identify new risks and to determine the effectiveness of existing controls. Additionally, security controls should be implemented in a layered approach to ensure that all the components of the IoT system are adequately protected. Finally, organizations should ensure that they have a clear understanding of the data that are being collected and stored by IoT devices and implement appropriate measures to protect these data.
In addition, the role of structured and unstructured data in complex organizations cannot be overstated, particularly when it comes to cybersecurity. With the exponential growth of data in recent years, it has become increasingly challenging for organizations to manage and secure their information effectively. In particular, unstructured data (data that lack a predefined data model or structure) pose a significant challenge [64]. Unstructured data can take many forms, including text documents, images, audio and video files, social media posts, and email messages. Such data are often generated and stored in disparate systems and locations, making the data difficult to track and secure. Furthermore, unstructured data are susceptible to cyber threats such as malware, phishing attacks, and data breaches.
To address these challenges, these frameworks provide a structured approach to managing cybersecurity risks, including those associated with unstructured data. For example, ISO/IEC 27001 requires organizations to identify the types of information they process, including unstructured data, and implement appropriate controls to protect that information. MAGERIT might be used in a public organization to identify and assess the risks associated with both types of data. NIST CSF might be used to provide specific guidance on how to implement security controls for both structured and unstructured data in complex organizations.
To ensure information security and business continuity, organizations should evaluate their needs and choose a risk assessment methodology that aligns with their objectives and available resources. Smaller and less complex organizations may find ISO/IEC 27001 beneficial due to its structured and process-based approach. Conversely, larger and more complex organizations may prefer NIST CSF or MAGERIT, which offer a detailed and holistic approach. Ultimately, selecting a methodology and conducting a risk assessment are essential for all organizations to protect their information assets and maintain business continuity.

6. Conclusions

It should be emphasized that the implementation of cybersecurity frameworks for the IoT requires meticulous planning and execution, which involves identifying assets, evaluating risks, and establishing suitable security controls to safeguard those assets, so that the devices and the data they handle and transmit are sufficiently protected.
The three information security standards, ISO/IEC 27001:2022, NIST CSF, and MAGERIT, have distinct approaches to information security management and are applicable in different geographic contexts and sectors. ISO/IEC 27001:2022 is a widely accepted international standard that focuses on information security management, provides guidelines for protecting and managing information, and offers the option of certification to demonstrate compliance with the standard. NIST CSF, on the other hand, focuses more on implementing information security solutions and is more suitable for government organizations in the United States. MAGERIT, developed by the Spanish government, concentrates on risk assessment and management at the organizational level, and it can be applied to different types of organizations in Spain. In any case, the appropriate standard to use depends on the specific needs and objectives of the organization.
Despite having some similarities, each standard has its own unique strengths and weaknesses, and choosing any of them can enhance an organization’s information security. However, it is crucial to carefully consider which standard is most suitable for an organization’s security needs and requirements. One recommendation for future work is studying the maturity of the cybersecurity frameworks of Mexican companies, which could be done through a data mining analysis of major organizations. This study would involve collecting and analyzing data related to cybersecurity practices, policies, and procedures from a sample of organizations in different sectors, such as finance, healthcare, and government. The analysis could focus on various aspects of cybersecurity, including risk management, threat detection and response, incident management, and employee training and awareness.

Author Contributions

Conceptualization, J.V.B.d.l.P. and L.A.R.-P.; methodology, J.V.B.d.l.P. and L.A.R.-P.; validation, L.A.R.-P., V.M.-R. and S.V.T.-A.; formal analysis, J.V.B.d.l.P. and L.A.R.-P.; investigation, J.V.B.d.l.P.; resources, V.M.-R. and S.V.T.-A.; data curation, J.V.B.d.l.P.; writing—original draft preparation, J.V.B.d.l.P. and L.A.R.-P.; writing—review and editing, J.V.B.d.l.P., L.A.R.-P., S.V.T.-A. and V.M.-R.; visualization, S.V.T.-A. and V.M.-R.; funding acquisition, S.V.T.-A. All authors have read and agreed to the published version of the manuscript.

Funding

The APC was funded by the Autonomous University of Ciudad Juarez.

Data Availability Statement

No data available.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Burritt, R.; Christ, K. Industry 4.0 and environmental accounting: A new revolution? Asian J. Sustain. Soc. Responsib. 2016, 1, 23–38. [Google Scholar] [CrossRef]
  2. Waheed, A.; Alharthi, M.; Khan, S.Z.; Usman, M. Role of Industry 5.0 in Leveraging the Business Performance: Investigating Impact of Shared-Economy on Firms’ Performance with Intervening Role of i5.0 Technologies. SAGE Open 2022, 12, 21582440221094608. [Google Scholar] [CrossRef]
  3. Golovianko, M.; Terziyan, V.; Branytskyi, V.; Malyk, D. Industry 4.0 vs. Industry 5.0: Co-Existence, Transition, or a Hybrid. Procedia Comput. Sci. 2023, 217, 102–113. [Google Scholar] [CrossRef]
  4. Bakon, K.; Holczinger, T.; Sule, Z.; Jasko, S.; Abonyi, J. Scheduling under Uncertainty for Industry 4.0 and 5.0. IEEE Access 2022, 10, 74977–75017. [Google Scholar] [CrossRef]
  5. Kumar, S.; Mallipeddi, R.R. Impact of cybersecurity on operations and supply chain management: Emerging trends and future research directions. Prod. Oper. Manag. 2022, 31, 4488–4500. [Google Scholar] [CrossRef]
  6. Raptis, T.P.; Passarella, A.; Conti, M. Data management in industry 4.0: State of the art and open challenges. IEEE Access 2019, 7, 97052–97093. [Google Scholar] [CrossRef]
  7. Lowry, P.B.; Dinev, T.; Willison, R. Why security and privacy research lies at the centre of the information systems (IS) artefact: Proposing a bold research agenda. Eur. J. Inf. Syst. 2017, 26, 546–563. [Google Scholar] [CrossRef]
  8. Dotsenko, S.; Illiashenko, O.; Kamenskyi, S.; Kharchenko, V. Integrated Security Management System for Enterprises in Industry 4.0. Inf. Secur. Int. J. 2019, 43, 294–304. [Google Scholar] [CrossRef]
  9. Culot, G.; Nassimbeni, G.; Podrecca, M.; Sartor, M. The ISO/IEC 27001 information security management standard: Literature review and theory-based research agenda. TQM J. 2021, 33, 76–105. [Google Scholar] [CrossRef]
  10. Agrawal, V. A Framework for the Information Classification in ISO 27005 Standard. In Proceedings of the 4th IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2017 and 3rd IEEE International Conference of Scalable and Smart Cloud, SSC 2017, New York, NY, USA, 26–28 June 2017. [Google Scholar]
  11. Azmi, R.; Tibben, W.; Win, K.T. Review of cybersecurity frameworks: Context and shared concepts. J. Cyber Policy 2018, 3, 258–283. [Google Scholar] [CrossRef]
  12. Dawson, M. Hyper-connectivity: Intricacies of national and international cyber securities. In PQDT—Glob; London Metropolitan University: London, UK, 2017. [Google Scholar]
  13. Lopes, I.M.; Guarda, T.; Oliveira, P. Implementation of ISO 27001 Standards as GDPR Compliance Facilitator. J. Inf. Syst. Eng. Manag. 2019, 4, em0089. [Google Scholar] [CrossRef]
  14. Cockcroft, S. What is the nist framework. ITNOW 2020, 62, 48–49. [Google Scholar] [CrossRef]
  15. Ferruzola Gómez, E.; Duchimaza, S.J.; Ramos Holguín, J.; Alejandro Lindao, M. Plan de contingencia para los equipos y sistemas informáticos utilizando la metodología MAGERIT. Rev. Científica Tecnológica UPSE 2019, 6, 34–41. [Google Scholar] [CrossRef]
  16. Popchev, I.; Radeva, I.; Nikolova, I. Aspects of the Evolution from Risk Management to Enterprise Global Risk Management. Eng. Sci. 2021, LVIII, 16–30. [Google Scholar] [CrossRef]
  17. Ahmad, R.; Alsmadi, I. Machine learning approaches to IoT security: A systematic literature review. Internet Things 2021, 14, 100365. [Google Scholar] [CrossRef]
  18. Griffy-Brown, C.; Chun, M.; Lazarikos, D. Emerging Technologies and Cyber Risk: How do we secure the Internet of Things (IoT) environment? J. Appl. Bus. Econ. 2019, 21, 70–79. [Google Scholar] [CrossRef]
  19. Falivene, L.; Tucker, B. Unifying Cyber Risk: Cyber Risk Maturity Model v1 Cyber Risk Maturity Model Construction Process & Maturity Model Document; Universidad de Buenos Aires: Buenos Aires, Argentina, 2021. [Google Scholar]
  20. Tatiara, R.; Fajar, A.N.; Siregar, B.; Gunawan, W. Analysis of factors that inhibiting implementation of Information Security Management System (ISMS) based on ISO 27001. In Proceedings of the Journal of Physics: Conference Series, Medan, Indonesia, 28–30 November 2018; Volume 978. [Google Scholar]
  21. Lambrinoudakis, C.; Gritzalis, S.; Xenakis, C.; Katsikas, S.; Karyda, M.; Tsochou, A.; Papadatos, K.; Rantos, K.; Pavlosoglou, Y.; Gasparinatos, S.; et al. Compendium of Risk Management Frameworks with Potential Interoperability: Supplement to the Interoperable EU Risk Management Framework Report; European Union Agency for Cybersecurity (ENISA): Athens, Greece, 2022; ISBN 9789292045548. [Google Scholar]
  22. Tranfield, D.; Denyer, D.; Smart, P. Towards a Methodology for Developing Evidence-Informed Management Knowledge by Means of Systematic Review. Br. J. Manag. 2003, 14, 207–222. [Google Scholar] [CrossRef]
  23. Xiao, Y.; Watson, M. Guidance on Conducting a Systematic Literature Review. J. Plan. Educ. Res. 2019, 39, 93–112. [Google Scholar] [CrossRef]
  24. Lame, G. Systematic literature reviews: An introduction. Proc. Int. Conf. Eng. Des. ICED 2019, 1, 1633–1642. [Google Scholar] [CrossRef]
  25. Ali, R.F.; Dominic, P.D.D.; Ali, S.E.A.; Rehman, M.; Sohail, A. Information security behavior and information security policy compliance: A systematic literature review for identifying the transformation process from noncompliance to compliance. Appl. Sci. 2021, 11, 3383. [Google Scholar] [CrossRef]
  26. Tissir, N.; El Kafhali, S.; Aboutabit, N. Cybersecurity management in cloud computing: Semantic literature review and conceptual framework proposal. J. Reliab. Intell. Environ. 2021, 7, 69–84. [Google Scholar] [CrossRef]
  27. Krumay, B.; Bernroider, E.W.N.; Walser, R. Evaluation of Cybersecurity Management Controls and Metrics of Critical Infrastructures: A Literature Review Considering the NIST Cybersecurity Framework. In Proceedings of the Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Oslo, Norway, 28–30 November 2018; Volume 11252. [Google Scholar]
  28. Chidukwai, A.; Zander, S.; Koutsakis, P. A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus and Recommendations. IEEE Access 2022, 10, 85701–85719. [Google Scholar] [CrossRef]
  29. Gritzalis, D.; Iseppi, G.; Mylonas, A.; Stavrou, V. Exiting the risk assessment maze: A meta-survey. ACM Comput. Surv. 2018, 51, 1–30. [Google Scholar] [CrossRef]
  30. Pappalardo, S.M.; Niemiec, M.; Bozhilova, M.; Stoianov, N.; Dziech, A.; Stiller, B. Multi-sector assessment framework—A new approach to analyse cybersecurity challenges and opportunities. In Proceedings of the Communications in Computer and Information Science, Kraków, Poland, 8–9 October 2020; Volume 1284. [Google Scholar]
  31. Santos-Olmo, A.; Sánchez, L.E.; Álvarez, E.; Rosado, D.G.; Fernandez-Medina, E. Revisión Sistemática de Análisis de Riesgos Asociativos y Jerárquicos. Periodo 2014–2019. In Proceedings of the Seguridad Informática. X Congreso Iberoamericano(CIBSI 2020), Bogota, Colombia, 22–24 January 2020; pp. 139–147. [Google Scholar]
  32. Hurtado, M. Gestión de Riesgo Metodologías Octave y Magerit. In Repos Inst Univ Pilot Colomb; Universidad Piloto de Colombia: Bogota, Colombia, 2018. [Google Scholar]
  33. Khaleefah, A.D. Methodologies, Requirements and Challenges of Cybersecurity Frameworks: A Review. Int. J. Wirel. Microw. Technol. 2023, 13, 1–13. [Google Scholar] [CrossRef]
  34. Bawono, M.W.A.; Soetomo, M.A.; Apriatin, T. Analysis correlation of the Implementation Framework COBIT 5, ITIL V3 and ISO 27001 for ISO 10002 Customer satisfaction. ACMIT Proc. 2021, 7, 31–46. [Google Scholar] [CrossRef]
  35. Roy, P.P. A High-Level Comparison between the NIST Cyber Security Framework and the ISO 27001 Information Security Standard. In Proceedings of the 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications (NCETSTEA), Durgapur, India, 7–8 February 2020; Volume 53, pp. 27001–27003. [Google Scholar] [CrossRef]
  36. García, F.Y.H.; Moreta, L.M.L. Maturity Model for the Risk Analysis of Information Assets based on Methodologies MAGERIT, OCTAVE y MEHARI; Focused on Shipping Companies. In Proceedings of the Applications in Software Engineering—Proceedings of the 7th International Conference on Software Process Improvement, CIMPS 2018, Guadalajara, Mexico, 17–19 October 2018. [Google Scholar]
  37. Yoseviano, H.F.; Retnowardhani, A. The use of ISO/IEC 27001: 2009 to analyze the risk and security of information system assets: Case study in xyz, ltd. In Proceedings of the 2018 International Conference on Information Management and Technology, ICIMTech 2018, Jakarta, Indonesia, 3–5 September 2018. [Google Scholar]
  38. Carvalho, C.; Marques, E. Adapting ISO 27001 to a Public Institution. In Proceedings of the Iberian Conference on Information Systems and Technologies, CISTI, Coimbra, Portugal, 19–22 June 2019. [Google Scholar]
  39. ALDhanhani, M.J.; Jizat, J.E.M. Review of Cyber Security on Oil and Gas Industry in United Arab Emirates: Analysis on the Effectiveness of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Turk. J. Comput. Math. Educ. 2021, 12, 714–720. [Google Scholar]
  40. Ibrahim, A.; Valli, C.; McAteer, I.; Chaudhry, J. A security review of local government using NIST CSF: A case study. J. Supercomput. 2018, 74, 5171–5186. [Google Scholar] [CrossRef]
  41. Amiruddin, A.; Afiansyah, H.G.; Nugroho, H.A. Cyber-Risk Management Planning Using NIST CSF v1.1, NIST SP 800-53 Rev. 5, and CIS Controls v8. In Proceedings of the 3rd International Conference on Informatics, Multimedia, Cyber, and Information System, ICIMCIS 2021, Jakarta, Indonesia, 28–29 October 2021. [Google Scholar]
  42. Udroiu, A.M.; Dumitrache, M.; Sandu, I. Improving the cybersecurity of medical systems by applying the NIST framework. In Proceedings of the 2022 14th International Conference on Electronics, Computers and Artificial Intelligence, ECAI 2022, Ploiesti, Romania, 30 June–1 July 2022. [Google Scholar]
  43. García, F.Y.H.; Moreta, L.M.L. Model for measuring the maturity of the risk analysis of information assets in the context of shipping companies. RISTI—Rev. Iber. Sist. E Tecnol. Inf. 2019, 2019, 1–17. [Google Scholar] [CrossRef]
  44. Pillajo-García, P.; Avila-Pesantez, D. Análisis de ciberseguridad en plataformas e-learning: Revisión sistemática de la literatura. Rev. Perspect. 2023, 5, 19–30. [Google Scholar]
  45. Diamantopoulou, V.; Tsohou, A.; Karyda, M. From ISO/IEC 27002:2013 information security controls to personal data protection controls: Guidelines for GDPR compliance. In Proceedings of the Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Luxembourg City, Luxembourg, 26–27 September 2020; Volume 11980. [Google Scholar]
  46. Mirtsch, M.; Kinne, J.; Blind, K. Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001: A Web Mining-Based Analysis. IEEE Trans. Eng. Manag. 2021, 68, 87–100. [Google Scholar] [CrossRef]
  47. Putra, D.S.K.; Tistiyani, S.; Sunaringtyas, S.U. The Use of ISO/IEC 27001 Family of Standards in Regulatory Requirements in Some Countries. In Proceedings of the 2021 2nd International Conference on ICT for Rural Development, IC-ICTRuDev 2021, Jogjakarta, Indonesia, 27–28 October 2021. [Google Scholar]
  48. Longras, A.; Pereira, T.; Cameiro, P.; Pinto, P. On the Track of ISO/IEC 27001:2013 Implementation Difficulties in Portuguese Organizations. In Proceedings of the 9th International Conference on Intelligent Systems 2018: Theory, Research and Innovation in Applications, IS 2018—Proceedings, Funchal, Portugal, 25–27 September 2018. [Google Scholar]
  49. Yvon, T. Exploring Factors Limiting Implementation of the National Institute of Standards and Technology Cybersecurity Framework; Colorado Technical University: Colorado Springs, CO, USA, 2020. [Google Scholar]
  50. Mylrea, M.; Gourisetti, S.N.G.; Larimer, C.; Noonan, C. Insider threat cybersecurity framework webtool & methodology: Defending against complex cyber-physical threats. In Proceedings of the 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018, San Francisco, CA, USA, 24 May 2018. [Google Scholar]
  51. National Institute of Standards and Technology [NIST]. Risk Management Framework for Information Systems and Organizations; Special Publication 800-37 Rev. 2; National Institute of Standards and Technology [NIST]: Gaithersburg, MD, USA, 2018. [Google Scholar] [CrossRef]
  52. Malatji, M. Management of enterprise cyber security: A review of ISO/IEC 27001:2022. In Proceedings of the 2023 International Conference on Cyber Management and Engineering, CyMaEn 2023, Bangkok, Thailand, 26–27 January 2023. [Google Scholar]
  53. Ortega, L.; Medina, L. Riesgos Tecnológicos en Pequeñas Empresas. Una Revisión a sus Incidentes en la Gestión Organizacional; Fundación Universitaria Panamericana: Bogota, Colombia, 2020. [Google Scholar]
  54. Kurii, Y.; Opirskyy, I. Analysis and Comparison of the NIST SP 800-53 and ISO/IEC 27001:2013. In Proceedings of the CEUR Workshop Proceedings, Kyiv, Ukraine, 13 October 2022; Volume 3288. [Google Scholar]
  55. Sulistyowati, D.; Handayani, F.; Suryanto, Y. Comparative analysis and design of cybersecurity maturity assessment methodology using nist csf, cobit, iso/iec 27002 and pci dss. Int. J. Inform. Vis. 2020, 4, 225–230. [Google Scholar] [CrossRef]
  56. Silva Rampini, G.H.; Takia, H.; Tobal Berssaneti, F. Critical Success Factors of Risk Management with the Advent of ISO 31000 2018—Descriptive and Content Analyzes. Procedia Manuf. 2019, 39, 894–903. [Google Scholar] [CrossRef]
  57. ISO 31000:2018; Risk Management—Guidelines. ISO: Geneva, Switzerland, 2017.
  58. Li, S.; Bi, F.; Chen, W.; Miao, X.; Liu, J.; Tang, C. An improved information security risk assessments method for cyber-physical-social computing and networking. IEEE Access 2018, 6, 10311–10319. [Google Scholar] [CrossRef]
  59. ISO/IEC 27005:2022; Information Security, Cybersecurity and Privacy Protection—Guidance on Managing Information Security Risks. ISO: Geneva, Switzerland, 2022.
  60. National Institute of Standards and Technology [NIST]. Guide for Conducting Risk Assessments; Special Publication 800-30 Rev. 1; National Institute of Standards and Technology [NIST]: Gaithersburg, MD, USA, 2012. [Google Scholar]
  61. National Institute of Standards and Technology [NIST]. Managing Information Security Risk Organization, Mission, and Information System View; Special Publication 800-39; National Institute of Standards and Technology [NIST]: Gaithersburg, MD, USA, 2011. [Google Scholar]
  62. Crespo Martínez, E. Ecu@Risk, Una metodología para la gestión de Riesgos aplicada a las MPYMEs. Enfoque UTE 2017, 8, 107–121. [Google Scholar] [CrossRef]
  63. Hariyanti, E.; Djunaidy, A.; Siahaan, D.O. A Conceptual Model for Information Security Risk Considering Business Process Perspective. In Proceedings of the 2018 4th International Conference on Science and Technology, ICST 2018, Yogyakarta, Indonesia, 7–8 August 2018. [Google Scholar]
  64. Canelón, J.; Huerta, E.; Leal, N.; Ryan, T. Unstructured data for cybersecurity and internal control. In Proceedings of the Annual Hawaii International Conference on System Sciences, Maui, HI, USA, 7–10 January 2020. [Google Scholar]
Figure 1. PRISMA flow diagram.
Figure 2. Publication rate of common cybersecurity frameworks in “Google Scholar”, “IEEE”, and “Scopus”.
Figure 3. Functions of NIST CSF.
Figure 4. Sections of ISO/IEC 27001:2022.
Figure 5. Risk management process for ISO/IEC 27005:2022. Adapted with permission from ref. [59]. Copyright remains with ISO.
Figure 6. Steps for implementing NIST 800-39.
Figure 6. Steps for implementing NIST 800-39.
Systems 11 00218 g006
Figure 7. Controls categories by framework.
Figure 7. Controls categories by framework.
Systems 11 00218 g007
Table 1. Relevant documents in the literature.

| Document type          | ISO/IEC 27001          | NIST CSF       | MAGERIT     |
|------------------------|------------------------|----------------|-------------|
| Literature review      | [9,25,26]              | [27,28]        | [29,30,31]  |
| Methodology comparison | [32,33,34,35,36] (covers all three frameworks) | | |
| Case studies           | [37,38]                | [39,40,41,42]  | [15,43,44]  |
| Implementation guides  | [13,20,45,46,47,48]    | [49,50,51]     | -           |
Table 2. Comparison of information security management frameworks.

| Criterion | ISO/IEC 27001 | NIST CSF | MAGERIT |
|---|---|---|---|
| Updated | August 2022 | April 2018 | October 2012 |
| Description | International standard describing best practices for an information security management system. | Security framework for the protection of operations and assets. | Security framework that seeks to raise awareness of the existence of risks and the need to manage them in organizations. |
| Structure | 11 sections, 0–3 non-mandatory and 4–10 mandatory, Annex A. | 5 functions, 22 categories and 98 subcategories, 4 levels of implementation. | 9 categories, 6 appendices, catalog of elements and guide to techniques. |
| Certifiable | Yes | No | No |
| Mandatory documents | Clauses 4 to 10 | Not specified | Not specified |
| Based on | Risk management | Risk management | Risk management |
| Mechanisms | Non-voluntary and independent audit | Optional, self-certification | Optional, self-certification |
| Scope | Provides the requirements for establishing, implementing, maintaining, and continuously improving an information security management system, as well as the requirements for assessing and addressing information security risks tailored to the needs of organizations. | Optional guidelines, best practices, and standards for improving cybersecurity programs. | Implements the risk management process within a framework for the governing bodies to make decisions, taking into account the risks derived from the use of information technologies. |
| Technology independence | Yes | Yes | Yes |
| Availability | Distributed commercially | Free download from the official website | Free download from the official website |
Table 3. Process of risk identification for each methodology. Rows with a single entry apply to all three frameworks.

| Risk identification step | ISO/IEC 27001:2022 | NIST | MAGERIT |
|---|---|---|---|
| Understanding the context | Understand the scope and objectives of the information system to identify critical assets. | | |
| Process identification | The organization is responsible for the ongoing management of an ISMS, including the necessary processes and their interrelationships, to comply with the requirements established in this document. | Identify critical processes to be protected and relevant assets. | Identify critical processes to be protected and relevant assets. |
| Identify threats | Use standard threat catalogs or analysis techniques such as FMEA or SWOT to identify potential threats. | Use the NIST framework to identify relevant threats, such as NIST SP 800-30, NIST SP 800-37 or NIST SP 800-39. | Use the MAGERIT methodology to identify relevant threats, including the identification of actors that could be responsible for an attack. |
| Vulnerability identification | Identify weaknesses or weak points in the system that can be exploited by threats. | | |
| Impact assessment | Determine the potential impact on assets and the business in the event of a security incident. | | |
| Probability evaluation | Determine the probability of a threat exploiting a vulnerability and causing an impact. | | |
| Risk prioritization | Prioritize risks based on the combination of impact and probability. | | |
| Response planning | Develop a plan to mitigate or address identified and accepted risks. | | |
Share and Cite

MDPI and ACS Style

Barraza de la Paz, J.V.; Rodríguez-Picón, L.A.; Morales-Rocha, V.; Torres-Argüelles, S.V. A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0. Systems 2023, 11, 218. https://doi.org/10.3390/systems11050218