Volume 17, Issue 2, PP: 458-487, 2025 | Full Length Article
Saleh Alharbi 1 *
Doi: https://doi.org/10.54216/JISIoT.170230
The proliferation of Internet of Things (IoT) technologies has transformed digital ecosystems, creating highly interconnected environments that demand robust and adaptive cybersecurity governance. Despite their widespread adoption, existing Information Technology Governance (ITG) frameworks, such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, Center for Internet Security (CIS) Controls, and ISA/IEC 62443, vary considerably in scope, applicability, and alignment with the unique characteristics of IoT infrastructures. The absence of a unified approach to address IoT-specific challenges such as device heterogeneity, data provenance, and real-time monitoring underscores the need for a comprehensive comparative analysis. This study conducts a qualitative synthesis and thematic comparison of leading cybersecurity governance frameworks to evaluate their effectiveness in ensuring compliance and resilience within IoT-enabled environments. Each framework was examined across recurring governance domains, including risk management orientation, scalability, control comprehensiveness, interoperability, and contextual adaptability. The analysis integrated findings from scholarly literature, international standards documentation, and expert reports, allowing the identification of emergent patterns, convergences, and gaps in the frameworks’ conceptual foundations and implementation practices. The findings indicate that NIST CSF provides a highly flexible, sector-neutral architecture fostering adaptive governance, whereas ISO/IEC 27001 offers formalized, audit-oriented structures suitable for organizations emphasizing certification and policy compliance. The CIS Controls framework emerges as practical and accessible, favoring rapid implementation and community-driven updates, while ISA/IEC 62443 demonstrates unparalleled domain specificity and defense-in-depth design for industrial and cyber-physical systems.
Nevertheless, all frameworks exhibit limitations when addressing IoT-centric issues such as dynamic risk contexts, interoperability among heterogeneous devices, and integration of operational and information technology governance layers. The study concludes that a composite, layered governance approach—anchored in the structural rigor of ISO/IEC 27001, the adaptability of NIST CSF, the practicality of CIS Controls, and the industrial depth of ISA/IEC 62443—can offer a more holistic foundation for IoT cybersecurity compliance.
Internet of Things (IoT), Governance structures, Cyber threats, Security incidents, IoT deployments, Security controls, Attack surface