Cybersecurity Strategy Development: Towards an Integrated Approach Based on COBIT and ISO 27000 Series Standards
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
This paper addresses the challenge of developing cybersecurity strategies in the digital era by proposing an integrated approach combining the COBIT 2019 framework with the ISO 27000 family of standards. The authors employ narrative synthesis and qualitative content analysis to examine how COBIT and ISO/IEC 27014 complement each other in addressing IT governance and information security governance respectively. A provisional conceptual framework with six key themes is developed, including IT strategy and digitalization, cybersecurity governance and culture, integrated risk and compliance management, performance monitoring, strategic alignment, and stakeholder engagement. The approach is illustrated through a worked case example of a Turkish fast-food company operating 700+ restaurants, demonstrating a three-step process: reviewing business-IT alignment, developing IT strategy, and defining cybersecurity strategy. The novelty lies in the systematic integration of multiple standards, though the practical validation remains limited to illustrative application rather than empirical implementation and assessment.
The paper addresses an important practical problem and makes a reasonable attempt at integrating existing frameworks. However, significant methodological weaknesses undermine the validity of the findings. The narrative synthesis lacks systematic rigor, the qualitative content analysis is poorly executed and documented, and the case study is illustrative rather than empirical. The framework appears somewhat arbitrary without clear derivation from the analysis, and there is no actual validation of the proposed approach in practice. These fundamental issues require substantial revision before the contribution can be properly assessed.
The authors claim to conduct "narrative synthesis" but provide no systematic search strategy, inclusion/exclusion criteria, database sources, search terms, or time periods. Lines 85-105 describe narrative synthesis conceptually but do not report how it was actually executed. Without knowing what literature was searched, how sources were selected, and what was excluded, the synthesis cannot be evaluated or replicated. The authors should provide a complete search protocol including databases searched (e.g., Web of Science, Scopus), search strings used, date ranges, inclusion/exclusion criteria, and a PRISMA-style flow diagram showing the selection process. This is standard practice even for narrative reviews in business and IS research.
While lines 106-132 claim to use "Mayring's structured approach" and "Schreier's practical guidelines" for content analysis, the actual execution is opaque. No coding scheme is presented, no inter-coder reliability is reported, no examples of coded text segments are shown, and the analysis process remains a black box. Table 2 shows results but not the analytical process. For a rigorous content analysis, the authors must provide: (1) the complete coding frame with definitions, (2) examples of coded text from COBIT and ISO documents, (3) coding rules and decision protocols, (4) evidence of systematic application (e.g., number of segments coded per category), and (5) if multiple coders were used, inter-rater reliability statistics.
You can cite these works when discussing limitations and future work: 10.1109/TIFS.2025.3594873.
The six themes in the PCF (Figure 3, lines 300-309) appear somewhat arbitrary without clear traceability to the literature review or content analysis. The paper does not explicitly show how these six concepts emerged from the analysis of COBIT and ISO standards. Were these themes derived deductively from prior literature, inductively from the content analysis, or predetermined by the authors? The connection between the narrative synthesis (Section 3.1-3.3) and the PCF (Section 3.4) is unclear. The authors should provide explicit justification for why these six themes and not others, show how they map to findings from the literature and standards analysis, and demonstrate that they are comprehensive and mutually exclusive.
Lines 133-162 describe the case as "based on a real company profiled through secondary research sources and personal contacts" - this is fundamentally an illustrative example, not an empirical case study. The tables (3, 4, Appendix A) appear to be hypothetical constructions by the authors rather than actual company documents. There is no evidence the company actually implemented this framework, no interviews with company personnel, no documentation review, no validation of the recommendations. Yin's case study methodology (cited line 135) requires direct empirical investigation, not secondary illustration. The authors should either: (1) conduct a proper empirical case study with primary data collection, implementation, and validation, or (2) clearly label this as an "illustrative example" or "hypothetical scenario" and remove claims about demonstrating "practical applicability."
The three-step process (Section 4.2) is presented prescriptively but never validated. There is no evidence it was actually implemented, no assessment of whether it produces better outcomes than alternatives, no feedback from practitioners who tried to apply it, and no comparison with other approaches. The paper claims to address "growing concerns amongst industry practitioners" (lines 27-29) but provides no practitioner input or validation. The authors should either: (1) implement and evaluate the framework in real organizational settings with before/after assessments, (2) obtain expert validation through Delphi studies or focus groups, (3) conduct comparative analysis with alternative approaches, or (4) clearly acknowledge this limitation and frame contributions as conceptual/prescriptive rather than validated.
The illustrative case focuses on a single company in the Turkish fast-food sector with specific characteristics (digital-first, 70% digital orders, cloud-based infrastructure). The applicability to other sectors (manufacturing, healthcare, government), company sizes (SMEs, global enterprises), or geographic contexts (different regulatory environments) remains unclear. The authors acknowledge this limitation briefly (lines 455-456) but do not adequately discuss boundary conditions or contextualize when their approach would/wouldn't apply. The authors should: (1) explicitly discuss the scope and boundaries of their framework, (2) identify which organizational characteristics make the approach more/less suitable, (3) provide multiple brief examples across different contexts, or (4) discuss how the framework would need adaptation for different scenarios.
Author Response
Please see uploaded file.
Author Response File:
Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
Manuscript Title: Cybersecurity Strategy Development: Towards an Integrated Approach based on COBIT and ISO standards
Comment:
The authors present a comprehensive and timely study on developing an integrated approach to cybersecurity strategy by combining the COBIT 2019 framework with the ISO 27000 family of standards. The proposed three-step process and the provisional conceptual framework are valuable contributions with clear practical implications. However, to further strengthen the manuscript and enhance its impact, the following points should be addressed.
- The article points out that COBIT lacks a dedicated cybersecurity strategic framework. However, it fails to clearly elaborate on the specific complementary mechanisms of standards such as ISO 27014 in the integration process. It is necessary to explicitly explain how the expertise of ISO 27014 in information security governance and COBIT can complement each other to form a comprehensive cybersecurity governance system.
- The three-step method proposed in the article does not clearly state its innovative aspects compared to existing methods. It should emphasize how this method is the first to systematically integrate COBIT with multiple ISO standards and provide an actionable and structured implementation path.
- The case company is a Turkish fast-food chain enterprise, and its business model and technical architecture have certain unique characteristics. Further explanation should be provided regarding the representativeness of this case, and the discussion should focus on how this framework can be applied to other industries or organizations of different sizes.
- The article emphasizes "safety culture" and "top-level support", but fails to delve into the possible organizational resistance, skill gaps or cultural barriers that may arise when implementing this framework in actual organizations.
- The conclusion section summarizes the research findings, but does not provide clear suggestions for the specific actions of practitioners.
Author Response
Please see uploaded file.
Author Response File:
Author Response.pdf
Reviewer 3 Report
Comments and Suggestions for Authors
The article proposes a practical approach to cybersecurity strategy by aligning COBIT 2019 with the ISO/IEC 27000 family, especially ISO/IEC 27014. The authors describe a two-phase design: a narrative review and qualitative content analysis to build a conceptual framework, and an illustrative organizational case to demonstrate a three-step process for strategy integration.
The topic fits the scope of Standards and is relevant for practitioners who govern and manage enterprise security. The paper’s practical orientation is valuable; however, methodological transparency, case validation, and presentation quality require substantial strengthening before the work is publishable.
- The “exemplary case” relies on secondary sources and personal contacts without clear provenance, artifacts, or performance metrics: identify sources and justify any anonymization; show concrete outcomes of the three-step process.
- Check factual statements (Jaguar Land Rover example) for spelling and reliability, prefer peer-reviewed or authoritative technical sources over news items.
- There are problems with terminology consistency: "information security" and "cybersecurity." Define terms and apply them consistently, particularly in mapping COBIT domains to ISO standards. Avoid treating them as full synonyms.
- Revise the abstract to state, in one tight paragraph: the problem, the integrated process, what is new, and the main results demonstrated by the case.
Overall, the paper makes a relevant and timely contribution, but it requires minor revisions to strengthen methodological rigor and empirical validation before it can be considered for publication.
Author Response
Please see uploaded file.
Author Response File:
Author Response.pdf
Round 2
Reviewer 1 Report
Comments and Suggestions for Authors
The revision addressed all my concerns.
Author Response
Thank you for your positive review of our amended version.