Comparative analysis of new Ukrainian and international information security standards

O. Potenko, M. Komarov, V. Artemchuk, V. Zubok, S. Honchar

Èlektron. model. 2025, 47(5):56-74

https://doi.org/10.15407/emodel.47.05.056

ABSTRACT

The article provides a comparative analysis of leading international cybersecurity standards (NIST SP 800-53, NIST SP 800-171, ISO/IEC 27001/27002, CMMC 2.0, BSI IT-Grundschutz, ANSSI, ISM) and modern Ukrainian regulatory documents (ND TZI 2.5-004-99, ND TZI 3.6-006-24, ND TZI 2.3-025-24). The structure, terminology, content of control measures and approaches to their implementation and evaluation are considered. Particular attention is paid to the harmonization of Ukrainian standards with international requirements, as well as the identification of current challenges in the field of information security regulation. The results of the study can be used to improve the national cyber security policy, support compliance in IT infrastructure, and develop information security management systems.

KEYWORDS

Cybersecurity, cyber threats, security assessment, information security standards, risk-oriented approach, information security management systems (ISMS).

