Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

From COBIT to ISO 42001: Evaluating Cybersecurity Frameworks for Opportunities, Risks, and Regulatory Compliance in Commercializing Large Language Models

Timothy R. McIntosh, Teo Susnjak, Tong Liu, Paul Watters, Raza Nowrozy, Malka N. Halgamuge

TL;DR

This paper evaluates four leading cybersecurity GRC frameworks (NIST CSF 2.0, COBIT 2019, ISO 27001:2022, ISO 42001:2023) for integrating and governing Large Language Models (LLMs). It employs a tri-focal analysis with LLMs and human experts, plus a mapping rubric to assess opportunities, risks, and EU AI Act readiness, revealing substantial variance in LLM readiness and notable gaps in risk oversight, especially for hallucinations. ISO 27001 and ISO 42001 emerge as the strongest candidates for enabling LLM integration, while COBIT aligns well with EU AI Act expectations; however, all frameworks benefit from enhancements and human-expert-in-the-loop validation. The study advocates continuous, versioned evolution of cybersecurity frameworks to securely harness LLM opportunities and comply with AI legislation, emphasizing transparency, validation, and bias testing.

Abstract

This study investigated the integration readiness of four predominant cybersecurity Governance, Risk and Compliance (GRC) frameworks - NIST CSF 2.0, COBIT 2019, ISO 27001:2022, and the latest ISO 42001:2023 - for the opportunities, risks, and regulatory compliance when adopting Large Language Models (LLMs), using qualitative content analysis and expert validation. Our analysis, with both LLMs and human experts in the loop, uncovered potential for LLM integration together with inadequacies in LLM risk oversight of those frameworks. Comparative gap analysis has highlighted that the new ISO 42001:2023, specifically designed for Artificial Intelligence (AI) management systems, provided most comprehensive facilitation for LLM opportunities, whereas COBIT 2019 aligned most closely with the impending European Union AI Act. Nonetheless, our findings suggested that all evaluated frameworks would benefit from enhancements to more effectively and more comprehensively address the multifaceted risks associated with LLMs, indicating a critical and time-sensitive need for their continuous evolution. We propose integrating human-expert-in-the-loop validation processes as crucial for enhancing cybersecurity frameworks to support secure and compliant LLM integration, and discuss implications for the continuous evolution of cybersecurity GRC frameworks to support the secure integration of LLMs.

From COBIT to ISO 42001: Evaluating Cybersecurity Frameworks for Opportunities, Risks, and Regulatory Compliance in Commercializing Large Language Models

TL;DR

This paper evaluates four leading cybersecurity GRC frameworks (NIST CSF 2.0, COBIT 2019, ISO 27001:2022, ISO 42001:2023) for integrating and governing Large Language Models (LLMs). It employs a tri-focal analysis with LLMs and human experts, plus a mapping rubric to assess opportunities, risks, and EU AI Act readiness, revealing substantial variance in LLM readiness and notable gaps in risk oversight, especially for hallucinations. ISO 27001 and ISO 42001 emerge as the strongest candidates for enabling LLM integration, while COBIT aligns well with EU AI Act expectations; however, all frameworks benefit from enhancements and human-expert-in-the-loop validation. The study advocates continuous, versioned evolution of cybersecurity frameworks to securely harness LLM opportunities and comply with AI legislation, emphasizing transparency, validation, and bias testing.

Abstract

This study investigated the integration readiness of four predominant cybersecurity Governance, Risk and Compliance (GRC) frameworks - NIST CSF 2.0, COBIT 2019, ISO 27001:2022, and the latest ISO 42001:2023 - for the opportunities, risks, and regulatory compliance when adopting Large Language Models (LLMs), using qualitative content analysis and expert validation. Our analysis, with both LLMs and human experts in the loop, uncovered potential for LLM integration together with inadequacies in LLM risk oversight of those frameworks. Comparative gap analysis has highlighted that the new ISO 42001:2023, specifically designed for Artificial Intelligence (AI) management systems, provided most comprehensive facilitation for LLM opportunities, whereas COBIT 2019 aligned most closely with the impending European Union AI Act. Nonetheless, our findings suggested that all evaluated frameworks would benefit from enhancements to more effectively and more comprehensively address the multifaceted risks associated with LLMs, indicating a critical and time-sensitive need for their continuous evolution. We propose integrating human-expert-in-the-loop validation processes as crucial for enhancing cybersecurity frameworks to support secure and compliant LLM integration, and discuss implications for the continuous evolution of cybersecurity GRC frameworks to support the secure integration of LLMs.
Paper Structure (34 sections, 3 figures, 4 tables)

This paper contains 34 sections, 3 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Related work
  3. Cybersecurity Framework Evaluation and Improvements
  4. LLM Threats in Cybersecurity
  5. Methodology
  6. Theoretical foundation
  7. Study design and validation
  8. Framework selection
  9. Procedure for LLM-related analysis
  10. Results
  11. LLM opportunities
  12. NIST CSF 2.0 (rating 5/7)
  13. COBIT 2019 (rating 6/7)
  14. ISO 27001:2022 (rating 7/7)
  15. ISO 42001:2023 (rating 7/7)
  16. ...and 19 more sections

Figures (3)

  • Figure 1: Flowchart of the analysis process with LLM and GRC experts in the loop
  • Figure 2: Comparison of cybersecurity GRC frameworks in LLM readiness
  • Figure 3: 1-Year plan Gantt chart to revise cybersecurity GRC frameworks