systems

Review
A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0
Juan Vicente Barraza de la Paz 1, Luis Alberto Rodríguez-Picón 1,*, Víctor Morales-Rocha 2 and Soledad Vianey Torres-Argüelles 1

1 Department of Industrial Engineering and Manufacturing, Autonomous University of Ciudad Juárez, Ciudad Juárez 32310, Chihuahua, Mexico; [email protected] (J.V.B.d.l.P.); [email protected] (S.V.T.-A.)
2 Department of Electrical Engineering and Computing, Autonomous University of Ciudad Juárez, Ciudad Juárez 32310, Chihuahua, Mexico; [email protected]
* Correspondence: [email protected]

Abstract: The large amount of information handled by organizations has increased their dependence on information technologies, which has made information security management a complex task. This is mainly because information security management covers areas such as physical and environmental security, organizational structure, human resources, and the technologies used. Information security frameworks can reduce this complexity through documents that contain guidelines, standards, and requirements for establishing the procedures, policies, and processes of every organization. However, the selection of an appropriate framework is by itself a critical and important task, as the framework must adapt to the characteristics of an organization. In this paper, a general vision of the newest versions of the NIST CSF, ISO/IEC 27001:2022, and MAGERIT frameworks is provided by comparing their characteristics in terms of their approaches to the identification, assessment, and treatment of risks. Furthermore, their key characteristics are analyzed and discussed, which should facilitate the consideration of any of these frameworks for the risk management of complex manufacturing organizations.

Keywords: RMF; risk management; cybersecurity; ISO/IEC 27001; NIST CSF; MAGERIT

Citation: Barraza de la Paz, J.V.; Rodríguez-Picón, L.A.; Morales-Rocha, V.; Torres-Argüelles, S.V. A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0. Systems 2023, 11, 218. https://doi.org/10.3390/systems11050218
Academic Editors: Amin Hosseinian-Far, Liz Varga and Alireza Daneshkhah
Received: 15 March 2023; Revised: 21 April 2023; Accepted: 21 April 2023; Published: 25 April 2023
Copyright: © 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Systems 2023, 11, 218. https://doi.org/10.3390/systems11050218 https://www.mdpi.com/journal/systems

1. Introduction
A fundamental aspect of Industry 4.0 (I4.0) is the enhanced interconnectivity of networks that utilize the Internet of Things (IoT) and the Internet of Services (IoS) via cyber-physical systems. In this context, the IoT refers to physical devices that are equipped with microchips, software, sensors, and controllers that enable them to gather data. By contrast, the IoS is concerned with the transmission of data via the internet [1].
After I4.0, the European Commission introduced Industry 5.0 (I5.0) as a response to societal challenges, aiming to prioritize human values and contribute to society's needs. I5.0 is a transition to a sustainable, resilient, and human-centric industry, respecting production limits and workers' well-being [2]. The shift from Industry 4.0 to Industry 5.0 requires updating enabling technologies and creating new applications. This transition is essential for creating new value from a critical rethinking of human resources [3]. The I5.0 vision takes efficiency and productivity to the next level by putting the worker at the center of the production process and prioritizing sustainability.
The latest improvements in information and communication technologies have increased the use of I4.0 and I5.0. These developments have led to new cybersecurity risks that organizations need to tackle. Over the past few years, the number of cyberattacks has surged, and organizations are implementing measures to mitigate the damages caused by these attacks [4,5]. This, in turn, has made data management and security one of the key facilitators of its realization [6,7]. Indeed, this has propagated the need to research new concepts and methods that allow us to increase and optimize the level of information security [8]. Therefore, authors such as Culot et al. [9] mention the need for information security systems that can handle a holistic approach to face the complex challenges of today.
Agrawal [10] discusses some of the reasons why organizations should classify information, among them being the protection of confidential information, contractual compliance, compliance with regulations and the acquisition of competitive advantages. On the other hand, Azmi [11] mentions that international organizations, countries, companies, and academic institutions have actively worked to develop cybersecurity frameworks to achieve cyber resilience. Dawson [12] defines cybersecurity frameworks as those that provide policies and procedures for the application and continuous management of information security controls, providing frameworks that bring together elements such as education, policies and technologies, adapting to preestablished requirements and also controlling emerging requirements.
Lopes et al. [13] discuss how some of the advantages of implementing information
security systems, such as the ISO/IEC 27001, are the identification and elimination of
threats and vulnerabilities, a greater confidence in the interested parties, better awareness
in terms of security, and an increase in the ability to anticipate, manage and survive
a catastrophe. This guarantees business continuity, reducing the costs associated with
non-security and complying with current legislations. On the other hand, Cockcroft and
Ferruzola et al. [14,15] mention that the implementation of a cybersecurity framework
can be seen as an advantage when it comes to integrating business and cybersecurity
risk management, these being validated by the top management, thereby maintaining an
updated understanding of the cybersecurity risk.
The selection of cybersecurity frameworks for complex manufacturing organizations should be made after carefully considering several factors. This is primarily because complex manufacturing organizations require a comprehensive approach to risk management that takes into account both structured and unstructured data. Additionally, the selected frameworks must have demonstrated their effectiveness in similar contexts and have gained industry recognition as best practices. This paper provides a systematic review of cybersecurity frameworks, such as ISO/IEC 27001:2022, NIST CSF, and MAGERIT, with a focus on their risk management methodologies. By comparing and contrasting the key characteristics and proposed controls of these frameworks, this study aims to answer the following research question: "What are the key characteristics and differences between the risk management methodologies of the ISO/IEC 27001:2022, NIST CSF, and MAGERIT frameworks, and how can they be applied effectively in complex organizations in I4.0 and I5.0?" This review aims to provide insights into how the ISO/IEC 27001:2022, NIST CSF, and MAGERIT frameworks can be applied effectively in complex organizations in I4.0 and I5.0. By analyzing their strengths and weaknesses, this paper offers a comprehensive understanding of the advantages and disadvantages of each framework in terms of the risk management strategies. The results of this study will be useful for organizations seeking to implement effective risk management strategies that consider the unique challenges posed by the enhanced interconnectivity of networks utilizing IoT and IoS via cyber-physical systems.
The rest of the manuscript is organized as follows. In Section 2, a literature review
is presented where an analysis of published works is provided to denote the increase in
publications related to cybersecurity frameworks. In Section 3, a comparison of the security
management frameworks is presented based on the ISO/IEC 27001:2022, NIST CSF and
MAGERIT frameworks. In Section 4, a comparison is provided of the risk management
strategies, which covers the identification, assessment, treatment, and control of risks in
these three frameworks. In Section 5, a discussion about the characteristics of the three
considered frameworks is presented. Finally, in Section 6, the conclusions are given.

2. Literature Review
The emergence of Industry 4.0 and its associated technologies has resulted in new
risks for organizations [16]. Given this, organizations are dealing with a rise in cyber threats
and the associated costs related to information security. For instance, the number of attacks
on IoT devices has grown considerably [17]. However, Griffy et al. [18] argue that these
problems are never tackled in isolation in the business world, and hence, it is crucial to take
a wider perspective given the agility that more and more companies use.
According to Falivene and Tucker [19], it is crucial to identify cybersecurity frameworks that go beyond a mere checklist of best practices and avoid those that make even expert-level tasks more complicated. Azmi [11], therefore, aims to integrate different viewpoints on cybersecurity frameworks by using descriptive and pattern coding to create a brief version that covers the action encouraged, the framework's driver, environment, and intended audience. Additionally, cybersecurity could be addressed by focusing on the five pillars, which include human, organizational, infrastructure, technology, and legal and regulatory aspects.
Tatiara et al. [20] study the factors that impede the adoption of information management systems and find that success depends on the involvement of all parties in the implementation process. They recommend involving top management, regularly communicating employee policies, conducting periodic reviews of the implementation of Information Security Management Systems (ISMS), keeping employees informed of any improvements, clearly communicating roles, responsibilities, and authorities related to ISMS to employees on a regular basis, developing work programs for the implementation of information security systems and distributing them to staff, and frequently announcing information security policies and objectives to employees.
Information security management frameworks enable the inclusion or combination
of various processes within their context to meet the requirements of the organizational
context. They provide specific taxonomies for categorizing risks, enabling organizations to
modify, retain, avoid or share risks as per their needs [21].

Research Methodology
Cybersecurity frameworks are inherently complex and can be analyzed from various research perspectives. In order to mitigate this complexity, we have opted for a systematic approach in our literature review, guided by the methodological recommendations of Tranfield et al., Xiao et al., and Lame et al. [22–24] as follows:
1. The research was carried out in two parts. Firstly, the data were obtained from "Google Scholar".
2. Initially, we used the keyword "Cybersecurity Frameworks" to identify the most common cybersecurity frameworks.
3. Date range: from the first publication of 2018 to March 2023.
4. Document type: "Article and Review".
The search yielded 101 articles, among which the most mentioned frameworks were NIST CSF and ISO/IEC 27001.
In the second part of the research, the keywords "NIST CSF" and "ISO/IEC 27001" were searched in the "Scopus", "IEEE", and "Google Scholar" databases. Additionally, the keyword "MAGERIT" was included to identify the scope and limitations of this methodology, which is being used in Spain and Latin America. The same date range and criteria were used for the reviewed articles, resulting in 13,359 articles. Articles without peer review were excluded and the articles were screened for duplicates, reducing the number to 498 articles. Of these, 30 were not written in English or Spanish, leaving 468 articles. Another screening of the titles, keywords, and abstracts was performed, resulting in the selection of 94 articles. Finally, articles irrelevant to the main topic and those that did not cover the recommended frameworks were eliminated, resulting in 50 articles. The entire process is illustrated in Figure 1 using the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) diagram.
Figure 1. PRISMA flow diagram.

Figure 2 shows a steady increase in the number of articles published each year from 2018 to 2023. In 2018, there were 60 articles published, while in 2019, the number of articles increased to 72. In 2020, there was a significant increase in the number of articles, with 95 articles being published. This trend continued in 2021, with a further increase to 102 articles, followed by 112 in 2022.

[Figure 2: bar chart of articles published per year, 2018–2023, with one series each for ISO/IEC 27001, MAGERIT and NIST CSF.]

Figure 2. Publication rate of common cybersecurity frameworks in "Google Scholar", "IEEE", and "Scopus".

As of March 2023, there were already 27 articles published, indicating that the trend
is expected to continue. It is important to note that the graph only shows the number of
articles published in the range of 2018–2023 and does not include any articles published
before or after this period.
Overall, the graph shows a significant increase in the number of publications in
the field of cybersecurity frameworks such as NIST CSF, ISO/IEC 27001 and MAGERIT,
indicating the growing interest in and importance of this field in recent years.
Table 1 provides an exhaustive list of the most significant documents in the litera-
ture, carefully selected based on the criteria outlined earlier. The documents have been
rigorously analyzed and classified into four distinct categories to enable ease of access and
comprehension for the reader.

Table 1. Relevant documents in the literature.

Category                  ISO/IEC 27001     NIST CSF     MAGERIT
Literature review         [9,25,26]         [27,28]      [29–31]
Methodology comparison    [32–36]
Case studies              [37,38]           [39–42]      [15,43,44]
Implementation guides     [13,20,45–48]     [49–51]      -

These categories are as follows:


1. Literature review: This category comprises comprehensive literature reviews, encom-
passing both qualitative and quantitative studies, which provide a broad understand-
ing of the current state of knowledge on a particular topic.
2. Comparison of methodologies: This category includes studies that compare and
contrast different research methodologies, highlighting the strengths and weaknesses
of each approach.
3. Case studies: This category comprises in-depth analyses of specific cases, providing a
detailed understanding of the subject matter in question and offering insights that
may be applicable to similar situations.
4. Implementation guides: This category includes practical guides that provide step-
by-step instructions on how to implement specific methodologies or approaches
in practice, highlighting potential challenges and offering advice on how to over-
come them.
In summary, Table 1 presented herein aims to serve as a valuable resource for re-
searchers and practitioners alike, providing a comprehensive overview of the most relevant
documents in the literature and enabling the identification of useful information and
insights for their respective areas of interest.
The importance of information security management frameworks is increasing due to
the rising number of threats to sensitive data. Organizations are advised to combine the
best practices of various frameworks to create a comprehensive security framework suitable
for their unique needs and resources. Lopes (2019) and Diamantopoulou (2020) [13,45]
highlight that organizations that already have an ISMS in place do not require a duplication
of effort to meet the General Data Protection Regulation (GDPR) requirements. Mylrea
(2018) [50] suggests that organizations with mature, proactive insider threat programs are
better positioned to identify, detect, and mitigate these threats.
The commonly used frameworks include NIST CSF, ISO/IEC 27001:2022 [52], and
MAGERIT [53], the latter of which is gaining acceptance in Latin America due to its easy
language and risk management process based on ISO/IEC 31000 [40,47]. The following
section will compare these frameworks to help organizations select the most appropriate
one for their needs.

3. A Comparison of Information Security Management Frameworks

As risk management continues to gain importance within organizations, it is recommended to combine the best practices of various frameworks rather than choosing one over another [35]. This approach can result in a more comprehensive security framework that is tailored to the organization and its available resources. Information security methodologies are critical for safeguarding an organization's sensitive data and information. These methodologies include a set of processes and techniques to identify, assess, and mitigate information security risks. Among the most commonly used are the NIST CSF, ISO/IEC 27001:2022, and MAGERIT.
The NIST CSF uses a universal and comprehensible language that adjusts to diverse technologies, sectors, and purposes. It is based on risk and global standards, and it was created from various perspectives of the private, academic, and public sectors. The framework includes five functions: Identify, Protect, Detect, Respond, and Recover. Figure 3 illustrates the functions that depict the desired results using clear and easily comprehensible language, thus rendering it relevant to all forms of risk management.

Figure 3. Functions of NIST CSF.

ISO/IEC 27001:2022 outlines the necessary requirements to implement and sustain an ISMS tailored to the unique needs of each organization. The primary objective of this system is to maintain the confidentiality, integrity, and availability of information (CIA), prevent security breaches, and guarantee business continuity. ISO/IEC 27001:2022 is certifiable, and certificates are typically valid for three years. Figure 4 illustrates all the sections of ISO/IEC 27001:2022.
Longras et al. [48] conclude that the implementation and certification of ISO/IEC 27001 can be challenging due to various factors, such as the financial cost, lack of implementation examples, difficulty in defining scope, setbacks in the interpretation of the standard and documentation, resistance to change, and allocating roles or tasks to different employees. Implementing an ISMS requires significant effort and changes in the organization's activity, and organizations must perform a set of policies to comply with legal requirements. However, the benefits of certification include increased compliance with legal requirements, improved customer and competitive advantages, greater effectiveness, and efficient investments to reduce security incidents [48].
The MAGERIT methodology is freely accessible and can be used without permission.
It is especially useful for organizations that fall under the National Security Scheme (ENS),
as it helps them comply with risk management and analysis principles. On the other hand,
MAGERIT is beneficial for entities that rely heavily on information technologies to achieve
their organizational goals and objectives. The methodology is composed of three books
that cover the method, catalog of elements, and technical guidelines.
Figure 4. Sections of ISO/IEC 27001:2022.
MAGERIT aligns with the ISO 31000 terminology and focuses on implementing the "Risk Management Process". It also provides a working framework for governing bodies to make informed decisions by considering the risks associated with the use of information technologies.
The objective of Table 2 is to compare the NIST CSF 1.1, ISO/IEC 27001:2022, and MAGERIT v.3 methodologies. The comparison categories were determined based on recommendations from articles such as [54,55] as well as the main components of each of the frameworks in order to outline their key characteristics, similarities and differences. In the first instance, it can be noted that the ISO/IEC 27001:2022 framework has the most recent update in August 2022, while NIST CSF 1.0 was initially produced in 2014, updated in 2018 to NIST CSF 1.1, and is currently being updated in an open manner with input from various sectors. The latest update, NIST CSF 2.0, is still in a concept paper and is expected to be implemented by winter 2024, depending on the community's needs, while MAGERIT v.3 has not been updated since October 2012. The structures of the three frameworks are configured differently. ISO/IEC 27001:2022 consists of 11 sections, of which 0 to 3 are optional, and includes Annex A, which outlines potential controls that may be used depending on the organization. MAGERIT's structure is more similar to ISO/IEC 27001:2022, as it shares the ISO 31000 risk management structure and approaches security risk management holistically. This approach promotes adaptability, goal orientation, multi-stakeholder involvement, and continuous improvement through a systemic approach. By contrast, NIST is based on five interconnected functions that help organizations comprehend security risks, safeguard their systems and data, detect threats, respond to incidents effectively, and recover from them.
The NIST CSF, ISO/IEC 27001:2022, and MAGERIT cybersecurity frameworks are built upon the foundation of risk management. This pivotal process entails identifying, evaluating, and minimizing risks to uphold an acceptable level. In the domain of risk management, ISO/IEC 31000 functions as a fundamental reference. In the next section, we will expound upon some significant concepts associated with risk management, along with the methodologies employed by the aforementioned cybersecurity frameworks.

Table 2. Comparison of information security management frameworks.

Updated
  ISO/IEC 27001: August 2022
  NIST CSF: April 2018
  MAGERIT: October 2012

Description
  ISO/IEC 27001: International standard describing best practices for an information security management system.
  NIST CSF: Security framework for the protection of operations and assets.
  MAGERIT: Security framework that seeks to raise awareness of the existence of risks and the need to manage them in organizations.

Structure
  ISO/IEC 27001: 11 sections, 0–3 non-mandatory and 4–10 mandatory, Annex A.
  NIST CSF: 5 functions, 22 categories and 98 subcategories, 4 levels of implementation.
  MAGERIT: 9 categories, 6 appendices, catalog of elements and guide to techniques.

Certifiable
  ISO/IEC 27001: Yes
  NIST CSF: No
  MAGERIT: No

Mandatory documents
  ISO/IEC 27001: Clauses 4 to 10
  NIST CSF: Not specified
  MAGERIT: Not specified

Based on
  ISO/IEC 27001: Risk management
  NIST CSF: Risk management
  MAGERIT: Risk management

Mechanisms
  ISO/IEC 27001: Non-voluntary and independent audit
  NIST CSF: Optional, self-certification
  MAGERIT: Optional, self-certification

Scope
  ISO/IEC 27001: Provides the requirements for establishing, implementing, maintaining, and continuously improving an information security management system, as well as the requirements for assessing and addressing information security risks tailored to the needs of organizations.
  NIST CSF: Optional guidelines, best practices, and standards for improving cybersecurity programs.
  MAGERIT: Implements the risk management process within a framework for the governing bodies to make decisions, taking into account the risks derived from the use of information technologies.

Technology independence
  ISO/IEC 27001: Yes
  NIST CSF: Yes
  MAGERIT: Yes

Availability
  ISO/IEC 27001: Distributed commercially
  NIST CSF: Free download from the official website
  MAGERIT: Free download from the official website

4. Risk Management Methodologies


Risk management is an essential process that involves the ongoing identification,
assessment, and mitigation of risks to maintain an acceptable level. It is a broad term that
encompasses risk assessment as one of its components. Risk management involves the
development, implementation, and monitoring of strategies to mitigate or transfer risks
to an acceptable level. ISO/IEC 31000 serves as a fundamental reference when discussing
risk management. This document defines risk management as a coordinated effort to
monitor and regulate the relationship with risks. In this sense, risk is defined as the result
of uncertainty regarding objectives, which can have positive or negative consequences
and can manifest as opportunities or threats [56]. Objectives may vary in their type and
category, and risk management can be conducted at various levels. Risk management
ought to be an integrated process within an organization’s overall management rather than
a separate or isolated activity. This integration ensures that risk management becomes a
standard practice and is conducted consistently and effectively [57].
Risk management models differ in their form and structure, although most models
adhere to a systematic approach that includes policies, procedures, and practices for
communication and consultation activities. This approach also entails a risk assessment
process consisting of preparation, evaluation of risk factors, assessment or determination of
risk, and control or treatment of the risk [58]. Risk management involves comprehending
the characteristics of a risk, including identifying when it is acceptable to take that risk. This
procedure involves evaluating multiple elements, such as chance, potential risk sources,
results, likelihoods, circumstances, scenarios, and the efficiency of preventive measures [57].
The main purpose of conducting risk management is to assist in decision making. This
entails evaluating choices against predetermined risk standards to determine if additional
measures are necessary. Possible actions could be taking no action, considering options to
address the risk, conducting an additional analysis, maintaining existing safeguards, or

reassessing established goals. It is also crucial to document, share, and verify the outcomes
of the risk assessment to guarantee that well-informed choices are taken and risks are
effectively controlled [57].
When addressing risk, a process of selecting and executing solutions is employed,
involving multiple cycles that must include formulating and selecting options, planning
and implementing actions, evaluating their effectiveness, determining the acceptability of
the risk, and, if not accepted, undertaking additional treatments [57]. In Sections 4.1–4.3, we
present some of the key features of the risk management methodologies used by ISO/IEC
27001:2002 (ISO27005), NIST CSF (NIST SP 800-30, NIST SP 800-37, NIST SP 800-39), and
MAGERIT (MAGERIT). In Section 4.4 and its subsections, we compare the risk management
processes of these methodologies.

4.1. ISO/IEC 27005:2022


ISO/IEC 27001 recommends that organizations establish a risk management process
that is appropriate for their context, implement controls to mitigate identified risk, and
continually monitor and review the effectiveness of these controls. ISO/IEC 27005:2022
provides a guide to risk management and offers a systematic and structured approach to
managing risk and establishing and maintaining an effective risk management program.
This document is titled “Guidance on Information Security Risk Management for Infor-
mation Security, Cybersecurity, and Privacy Protection.” Its purpose is to offer advice that
assists organizations in the following:
• Fulfilling the actions required by ISO/IEC 27001:2022 to address information secu-
rity risks.
• Carrying out ISMS activities, particularly evaluating and assessing information security.
This document, which is now in its fourth edition under the name ISO/IEC 27005:2022,
applies to all organizations regardless of their industry, size, or type. The primary modi-
fications made to this edition compared to the 2018 third edition are that it is structured
to align with ISO/IEC 27001:2022, employs terminology from ISO 31000:2018, introduces
the concept of risk scenarios, presents a comparison of the event-based and asset-based
approaches to risk identification, and consolidates the annexes into a single one. It of-
fers advice on fulfilling the ISO/IEC 27001 requirements and provides actions to address
information security risks, detailed guidance on risk management, and instructions on
applying the ISO 31000 risk management guidelines in the context of information security.
It can also be used by individuals involved in information security risk management or by
organizations seeking to improve their information security risk management process. Its
main aim is to assist organizations in safeguarding their valuable information assets, such
as confidential and sensitive data.
Figure 5 illustrates the ISO/IEC 27005:2022 process that is carried out by following
these steps:
1. Establishing the context, which includes identifying and defining the scope, de-
termining the criteria for risk acceptance, and identifying any legal, regulatory, or
contractual requirements.
2. Conducting a risk assessment, which includes the following:
a. Identifying risks. Identifying the risks that could affect the CIA of the informa-
tion assets.
b. Analyzing risks. By assessing the likelihood and impact of the risks based on
the identified threats, vulnerabilities, and the existing controls.
c. Evaluating risks. Evaluating the risks by comparing the assessed risks with the
established risk criteria, which include the risk appetite and the risk tolerance
of the organization.
3. Treating iteratively the identified risks. Implementing controls or taking other actions
to reduce the likelihood or impact of the risk.
4. Implementing risk management processes. Establishing communication channels,
and monitoring and reviewing the risk management process.
5. Utilizing management system processes. Integrating the risk management process
with other management systems, such as quality or environmental management.
6. Documented information. Document all relevant information, such as risk assess-
ments, treatment plans, and management system processes.

Figure 5. Risk management process for ISO/IEC 27005:2022. Adapted with permission from ref. [59].
4.2. NIST SP 800-30, NIST SP 800-37 and NIST SP 800-39


NIST CSF incorporates risk assessment as part of its cybersecurity implementation
process, although it does not specify a particular risk management methodology. In
addition to the CSF, NIST has released several publications, such as NIST SP 800-30, NIST
SP 800-37, and NIST SP 800-39, that address several aspects of risk management.
NIST SP 800-30 provides guidance for conducting information security risk assess-
ments, including identifying assets, threats, and vulnerabilities, and determining the
likelihood and impact of risks. NIST SP 800-30 focuses on identifying and assessing risks to
information systems and how those risks may impact the organization. The last version of
NIST SP 800-30, Rev. 1, was published in July 2012 [60].
NIST SP 800-37 offers a detailed description of the risk management framework (RMF)
and provides guidance on how to apply it to information systems and organizations.
The RMF is a rigorous and adaptable process for managing security and privacy risks,
encompassing the categorization of information security, the selection of appropriate
controls, their implementation and evaluation, the authorization of system and common
controls, and continuous monitoring. The focus of NIST SP 800-37 is on the implementation
of the RMF and how risks can be effectively managed throughout the entire information
system life cycle. The latest version of NIST SP 800-37, Rev. 2, was published in December
2018 [51].
NIST SP 800-39 provides guidelines for enterprise-wide IT risk management. This
publication focuses on organization-wide IT risk management, including the assessment
and management of IT risks that may impact the organization as a whole. NIST SP 800-39
also includes the management of IT risks related to external vendors and third parties, as
well as the management of information security incidents. The last version of NIST 800-39,
Rev. 2, was published in November 2019. Figure 6 provides a short description of the steps
involved in implementing NIST SP 800-39 [61].

Figure 6. Steps for implementing NIST 800-39.

4.3. MAGERIT


The CSAE (Consejo Superior de Administración Electrónica) created and advocates
for MAGERIT, recognizing the growing significance of information systems for both public
administration and society as a whole in achieving their goals. Robust security measures
must be implemented to manage these systems and maintain the confidence of service users.
The objective of MAGERIT is to raise awareness among organizations about the need
to manage risks systematically, with the aim of keeping them under control and preparing
for evaluation, audit, certification, or accreditation processes. The methodology aims to
ensure uniformity in the reports that include the findings and conclusions of the risk
analysis and management activities. Ultimately, MAGERIT aims to implement security
measures that support the confidence of users of services.
The methodology is composed of three main stages, which are as follows:
• Needs analysis and feasibility study: This phase involves defining the scope of the
risk analysis and conducting a feasibility assessment of risk management using the
MAGERIT methodology.
• Risk analysis: During this stage, the organization’s information assets are identified
and evaluated for associated information security risks. The identification of assets,
threats, vulnerabilities, and potential impacts is included, as well as the assessment of
the likelihood and impact of the risks.
• Risk management: In this stage, plans for managing risks are developed and imple-
mented to address the risks identified during the analysis phase. Risk management
plans may include implementing information security controls, accepting risks, trans-
ferring risks, or mitigating risks through protective measures.
MAGERIT employs various risk assessment methods, including threat and vulner-
ability analysis, impact analysis, and business risk analysis, to evaluate information se-
curity risks. The approach also highlights the significance of efficient communication
and cooperation among different stakeholders within the organization during the risk
management process.
After analyzing the ISO/IEC 27001, NIST CSF, and MAGERIT standards, it is evident
that effective risk management is a critical component of a robust information security
program. In summary, risk management is the process of identifying, assessing, and
prioritizing risks and implementing strategies to mitigate or eliminate those risks. It
involves identifying potential threats, vulnerabilities, and assets at risk, assessing the
likelihood and potential impact of each risk, and developing and implementing controls to
manage or eliminate them.

4.4. Risk Management Process Comparison


By using a risk management approach, organizations can prioritize their security
efforts and focus on the most critical areas. The risk management process should be an
ongoing, iterative process that adapts to changing threats and business needs. Overall,
it is a vital part of any organization’s security program. The goal of risk management is
to develop and implement strategies that reduce the likelihood and impact of identified
risks. Sections 4.4.1–4.4.3 elaborate on how NIST CSF, ISO/IEC 27001:2022 and MAGERIT
undertake these processes by highlighting the similarities and differences among them
concerning the identification of risks, risk assessment, and treatment and control.

4.4.1. Identifying Potential Risks


To safeguard information security in any organization, it is crucial to identify potential
risks. The ISO/IEC 27001:2022, NIST 800-39, and MAGERIT methodologies employ a series
of procedures to achieve this goal. Table 3 summarizes the key steps involved in risk iden-
tification. These steps involve comprehending the context, recognizing critical processes
and assets, identifying possible threats and vulnerabilities, evaluating the probability and
impact of risks, prioritizing them, and devising response plans.
ISO/IEC 27001:2022, NIST CSF, and MAGERIT provide guidance on risk identification
and management, with ISO/IEC 27001:2022 focusing on identifying risks to the CIA of
information, NIST CSF focusing on identifying risks to critical infrastructure and infor-
mation systems, and MAGERIT focusing on identifying, assessing, and prioritizing risks
to information systems, including identifying potential attackers or actors responsible for
an attack. The frameworks suggest various techniques and methodologies, such as threat
catalogs or analysis techniques, including SWOT (Strengths, Weaknesses, Opportunities,
and Threats) or FMEA (Failure Mode and Effect Analysis), the NIST SP 800-30, NIST SP
800-37 or NIST SP 800-39 documents, and the MAGERIT methodology, to help identify
relevant risks and vulnerabilities.
Even though the procedures listed in the table may seem similar, they must be tailored
to suit the complexity and extent of the information security system in question. Further-
more, they must be continuously maintained as an ongoing process to ensure that risks are
accurately identified and addressed.

Table 3. Process of risk identification for each methodology.

Risk Identification | ISO/IEC 27001:2022 | NIST | MAGERIT
Understanding the Context | (all three) Understand the scope and objectives of the information system to identify critical assets.
Process identification | The organization is responsible for the ongoing management of an ISMS, including the necessary processes and their interrelationships, to comply with the requirements established in this document. | (NIST and MAGERIT) Identify critical processes to be protected and relevant assets.
Identify Threats | Use standard threat catalogs or analysis techniques such as FMEA or SWOT to identify potential threats. | Use the NIST framework to identify relevant threats, such as NIST SP 800-30, NIST SP 800-37 or NIST SP 800-39. | Use the MAGERIT methodology to identify relevant threats, including the identification of actors that could be responsible for an attack.
Vulnerability Identification | (all three) Identify weaknesses or weak points in the system that can be exploited by threats.
Impact Assessment | (all three) Determine the potential impact on assets and the business in the event of a security incident.
Probability Evaluation | (all three) Determine the probability of a threat exploiting a vulnerability and causing an impact.
Risk Prioritization | (all three) Prioritize risks based on the combination of impact and probability.
Response Planning | (all three) Develop a plan to mitigate or address identified and accepted risks.

4.4.2. Risk Assessment


Risk assessment is the process of identifying, analyzing, and evaluating risks to deter-
mine the likelihood and potential impact of those risks. The main goal of risk assessment
is to identify potential risks and provide information that can be used to make informed
decisions about how to manage those risks [62].
Risk assessment processes commonly utilize qualitative assessment methods, which
rely on subjective understanding and evaluation of risks. However, the results obtained
from these methods may be somewhat subjective. By contrast, quantitative methods
employ specific risk indicators, resulting in more objective and reasonable outcomes based
on numerical data and statistics. Hybrid methods exist that combine aspects of both
the qualitative and quantitative approaches, effectively addressing the complexity of risk
assessment. These methods have also been expanded to handle uncertainty factors and
evaluate safety risks in financial terms [58,63].
In this phase, the likely impact of every potential threat on each of the recognized assets
is assessed, taking into account the CIA and non-repudiation of the information. While this
step is not typically part of the risk assessment process, it can be inferred from appropriate
security measures implemented to safeguard the CIA of the information. The latter is a
crucial aspect, although it is not specifically evaluated directly in the risk assessment.
Risk assessment is founded on threat assessment, which involves identifying potential
vulnerabilities and the ways in which they could be exploited. A threat vector, on the
other hand, refers to the path taken by an attacker to target the system. Threat sources are
categorized into four types—adversarial, accidental, structural, and environmental—which
can be either internal or external.
• Adversarial threats originate from individuals, groups, organizations, or nations.
• Accidental threats refer to unintentional actions.
• Structural threats are caused by equipment or software failures.
• Environmental threats arise from external disasters, which can be either natural or
human-made, such as fires and floods.
Organizations evaluate and regularly monitor their operational risks through risk
assessments to ensure that their risk management aligns with their business goals.
• Assessing the likelihood of an attack originating from a human threat source can be
challenging and may involve evaluating factors such as skill level, motive, opportunity,
and size.
• Vulnerability assessment, on the other hand, takes into account several factors, such as
exploitability, ease of detection, intrusion detection, and awareness. A combination of
historical and estimated data should be used to provide the most accurate probability
of an event occurring.
• The magnitude of impact should be determined, which can be classified on a scale
ranging from very low to very high or negligible to catastrophic impact.
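The assessment steps of Section 4.1 (establish the context, identify, analyze, evaluate against the organization’s risk criteria, treat) and the likelihood and impact scales described above, carried through in code as an added example. It is not code from the paper, nor the procedure of ISO/IEC 27005, NIST SP 800-30 or MAGERIT. The mapping of the qualitative labels to 1–5, the risk register entries, the acceptance threshold and the escalation rule for very-high-impact risks are constructed assumptions for illustration.

```python
"""Added example: a minimal qualitative risk assessment in the shape
identify -> analyze -> evaluate against risk criteria -> treat.
Scale values, register entries and thresholds are constructed assumptions."""

from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class ThreatSource(Enum):
    # The four threat-source types listed in Section 4.4.2.
    ADVERSARIAL = "adversarial"
    ACCIDENTAL = "accidental"
    STRUCTURAL = "structural"
    ENVIRONMENTAL = "environmental"


# Assumed ordinal mapping of the "very low .. very high" labels to 1..5.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    """One row of the risk register: an asset, a threat to it, and the analysis result."""
    asset: str
    threat: str
    source: ThreatSource
    likelihood: str           # label from LEVELS
    impact: str               # label from LEVELS
    existing_controls: str = ""

    def __post_init__(self) -> None:
        # Reject labels outside the agreed scale instead of failing later in scoring.
        for label in (self.likelihood, self.impact):
            if label not in LEVELS:
                raise ValueError(f"unknown level {label!r}; expected one of {list(LEVELS)}")

    def score(self) -> int:
        """Qualitative risk level: likelihood x impact, ranging 1..25."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def evaluate(risk: Risk, acceptance_threshold: int) -> str:
    """Evaluation step: compare the analyzed risk with the risk criteria.

    The threshold stands in for the risk appetite/tolerance set in the
    context step (assumed value). Returns the treatment option to consider."""
    if risk.score() <= acceptance_threshold:
        return "accept"
    # Constructed policy rule: very-high-impact risks above the threshold are
    # not candidates for transfer; not a rule prescribed by any of the standards.
    if LEVELS[risk.impact] == LEVELS["very high"]:
        return "mitigate or avoid"
    return "mitigate or transfer"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register by combined impact and probability, highest first;
    ties are broken in favour of the higher impact."""
    return sorted(register, key=lambda r: (r.score(), LEVELS[r.impact]), reverse=True)


def build_treatment_plan(register: list[Risk], acceptance_threshold: int) -> list[tuple]:
    """Treatment step: one (asset, threat, score, option) tuple per risk, in priority order."""
    return [(r.asset, r.threat, r.score(), evaluate(r, acceptance_threshold))
            for r in prioritize(register)]


def sample_register() -> list[Risk]:
    """Constructed sample register covering each threat-source type."""
    return [
        Risk("customer database", "ransomware delivered by phishing",
             ThreatSource.ADVERSARIAL, "high", "very high", "mail filtering, backups"),
        Risk("PLC firmware", "controller failure on unpatched firmware",
             ThreatSource.STRUCTURAL, "moderate", "high", "vendor maintenance contract"),
        Risk("backup tapes", "tapes misplaced by an operator",
             ThreatSource.ACCIDENTAL, "low", "moderate", "handling procedure"),
        Risk("server room", "flooding",
             ThreatSource.ENVIRONMENTAL, "very low", "very high", "raised floor"),
    ]


if __name__ == "__main__":
    # Assumed acceptance threshold of 8 on the 1..25 scale.
    for asset, threat, score, option in build_treatment_plan(sample_register(), 8):
        print(f"{score:>2}  {option:<22} {asset}: {threat}")
```

The evaluation step is the part that the frameworks compare in Section 4.4: the treatment option is derived from measuring the analyzed score against criteria fixed in the context step, not from the score alone, so changing the threshold changes which risks are accepted without touching the analysis.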
4.4.3. Treatment and Control


The ISO/IEC 27001:2022 and MAGERIT guidelines emphasize that the selection of a
control must be based on the results and conclusions derived from the risk analysis and
assessment process. Figure 7 shows the control measures, which are categorized by family
in each of the standards. ISO/IEC 27001:2022 classifies them into four categories, while
NIST 800-53 Rev. 5 has 20 categories, and MAGERIT has 16 categories, which are quite
similar to those of NIST, with minor variations in the naming conventions of the categories.
The figure shows a short description of these categories per family.

Figure 7. Controls categories by framework.

5. Discussion
Risk management is an indispensable process for maintaining information security in
any organization. There are several methodologies available for conducting risk management,
each with its own unique approach and characteristics. This section aims to highlight the
distinctions between three frameworks, ISO/IEC 27001:2022, NIST CSF and MAGERIT, and
provide recommendations for selecting a specific approach based on particular circumstances.
ISO/IEC 27001:2022 is centered on information security management and prioritizes
the identification of information assets, evaluation of the associated risks, and implemen-
tation of relevant control measures. One of the advantages of ISO/IEC 27001:2022 is its
structured and process-oriented approach, which facilitates effective and efficient informa-
tion security management. However, the implementation of ISO/IEC 27001:2022 can be
expensive and demands significant investments in terms of time and resources. When it
comes to the IoT and IoS, ISO/IEC 27001 can be used to ensure the CIA of data exchanged
through these systems. The standard can also be used to manage risks associated with the
use of IoT and IoS devices in an organization’s network.

The NIST CSF functions are presented in a user-friendly language that can be applied
to various types of risk management. The framework is self-assessing and offers flexibility
in the selection of a risk management methodology. Organizations can choose from among
NIST’s publications, such as NIST SP 800-30 for information security risk assessment, NIST
SP 800-37 for the implementation of the information security risk management framework,
and NIST SP 800-39 for enterprise-wide IT risk management. Alternatively, they can select
any other methodology that meets their specific requirements. NIST CSF can be applied to
the IoT and IoS to help organizations identify and manage the cybersecurity risks associated
with these systems. For example, the Identify function can help organizations understand
the types of IoT and IoS devices used in their networks, while the Protect function can help
organizations secure these devices and the data they transmit.
MAGERIT, developed by the Spanish government, concentrates on managing in-
formation security risks in the public sector through a life cycle approach that covers
identifying assets, threats, vulnerabilities, and risks, selecting security measures, imple-
menting controls, and continually monitoring them. Its strength lies in its all-encompassing
approach, which enables a thorough and methodical assessment of information security
risks. Nonetheless, the MAGERIT approach may be too intricate for smaller and less
complex organizations. MAGERIT can be used to manage risks associated with the IoT
and IoS by identifying the assets, threats, vulnerabilities, and impacts of these systems. The
framework can also be used to select appropriate controls to manage the risks associated
with IoT and IoS devices.
The NIST CSF, ISO/IEC 27001, and MAGERIT frameworks can be applied to the IoT
in a similar manner as they are applied to other information systems. However, there
are some specific considerations that need to be taken into account when applying these
frameworks to the IoT. Some of these considerations are as follows:
• Scalability: IoT systems can have a large number of devices, which can make it difficult
to scale the application of these frameworks.
• Diversity of devices: IoT devices come in different shapes, sizes, and functionalities.
This can make it challenging to identify and classify all the risks associated with
these devices.
• Real-time nature: Many IoT systems operate in real time, which can make it difficult
to implement some of the risk management processes outlined in these frameworks.
• Data privacy: IoT devices generate a lot of data, and these data can be sensitive.
Therefore, privacy and security considerations should be given a higher priority in
IoT systems.
Despite these challenges, the frameworks can be applied to the IoT by adapting their
application to the specific requirements of these systems. For example, risk assessments
should be conducted regularly to identify new risks and to determine the effectiveness
of existing controls. Additionally, security controls should be implemented in a layered
approach to ensure that all the components of the IoT system are adequately protected.
Finally, organizations should ensure that they have a clear understanding of the data that
are being collected and stored by IoT devices and implement appropriate measures to
protect these data.
In addition, the role of structured and unstructured data in complex organizations can-
not be overstated, particularly when it comes to cybersecurity. With the exponential growth
of data in recent years, it has become increasingly challenging for organizations to manage
and secure their information effectively. In particular, unstructured data (data that lack a
predefined data model or structure) pose a significant challenge [64]. Unstructured data
can take many forms, including text documents, images, audio and video files, social media
posts, and email messages. Such data are often generated and stored in disparate systems
and locations, making the data difficult to track and secure. Furthermore, unstructured
data are susceptible to cyber threats such as malware, phishing attacks, and data breaches.
To address these challenges, these frameworks provide a structured approach to
managing cybersecurity risks, including those associated with unstructured data. For

example, ISO/IEC 27001 requires organizations to identify the types of information they
process, including unstructured data, and implement appropriate controls to protect that
information. MAGERIT might be used in a public organization to identify and assess
the risks associated with both types of data. NIST CSF might be used to provide specific
guidance on how to implement security controls for both structured and unstructured data
in complex organizations.
To ensure information security and business continuity, organizations should evaluate
their needs and choose a risk assessment methodology that aligns with their objectives and
available resources. Smaller and less complex organizations may find ISO/IEC 27001 benefi-
cial due to its structured and process-based approach. Conversely, larger and more complex
organizations may prefer NIST CSF or MAGERIT, which offer a detailed and holistic ap-
proach. Ultimately, selecting a methodology and conducting a risk assessment are essential
for all organizations to protect their information assets and maintain business continuity.

6. Conclusions
It should be emphasized that the implementation of cybersecurity frameworks for
the IoT requires meticulous planning and execution, which involves identifying assets,
evaluating risks, and establishing suitable security controls to safeguard the assets to ensure
the sufficient protection of the devices and the data they handle and transmit.
The three information security standards, ISO/IEC 27001:2022, NIST CSF, and MAGERIT,
have distinct approaches to information security management and are applicable in different
geographic contexts and sectors. ISO/IEC 27001:2022 is a widely accepted international stan-
dard that focuses on information security management and provides guidelines for protecting
and managing information and offers the option of certification to demonstrate compliance
with the standard. NIST CSF, on the other hand, focuses more on implementing information
security solutions and is more suitable for government organizations in the United States.
MAGERIT, developed by the Spanish government, concentrates on risk assessment and man-
agement at the organizational level, and it can be applied to different types of organizations
in Spain. In any case, the appropriate standard to use depends on the specific needs and
objectives of the organization. Despite having some similarities, each standard has its own
unique strengths and weaknesses, and choosing any of them can enhance an organization’s
information security. However, it is crucial to carefully consider which standard is most
suitable for an organization’s security needs and requirements. One recommendation
for future work is studying the maturity of the cybersecurity frameworks of Mexican
companies, which could be done through a data mining analysis of major organizations.
This study would involve collecting and analyzing data related to cybersecurity practices,
policies, and procedures from a sample of organizations in different sectors, such as finance,
healthcare, and government. The analysis could focus on various aspects of cybersecurity,
including risk management, threat detection and response, incident management, and
employee training and awareness.

Author Contributions: Conceptualization, J.V.B.d.l.P. and L.A.R.-P.; methodology, J.V.B.d.l.P. and
L.A.R.-P.; validation, L.A.R.-P., V.M.-R. and S.V.T.-A.; formal analysis, J.V.B.d.l.P. and L.A.R.-P.;
investigation, J.V.B.d.l.P.; resources, V.M.-R. and S.V.T.-A.; data curation, J.V.B.d.l.P.; writing—original
draft preparation, J.V.B.d.l.P. and L.A.R.-P.; writing—review and editing, J.V.B.d.l.P., L.A.R.-P., S.V.T.-A.
and V.M.-R.; visualization, S.V.T.-A. and V.M.-R.; funding acquisition, S.V.T.-A. All authors have read
and agreed to the published version of the manuscript.
Funding: The APC was funded by the Autonomous University of Ciudad Juárez.
Data Availability Statement: No data available.
Conflicts of Interest: The authors declare no conflict of interest.
Systems 2023, 11, 218 17 of 19


Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.
