Evaluating cyber resilience frameworks for e-government: applicability of NIST CSF, ISO/IEC 27001 and COBIT 2019 in developing country contexts Open Access

The digitalisation of public services has reshaped governance, positioning e-government systems as essential platforms for administrative efficiency, inclusive service delivery and citizen engagement. These systems process sensitive personal information and support core public functions such as identity verification, licensing, taxation and social assistance. As reliance on digital infrastructure increases, exposure to persistent and sophisticated cyber threats also grows, with the potential to disrupt service continuity, compromise data protection and erode public trust. United Nations (2024) notes that developing countries continue to face challenges in bridging the digital divide, securing adequate financing and strengthening cybersecurity capabilities. These challenges are central to sustaining resilience in digital government environments. Empirical studies similarly indicate that while e-government adoption can improve efficiency and transparency, insufficient cybersecurity readiness, particularly in developing contexts, undermines these benefits and heightens operational risk (Afiyah, 2024; Silva et al., 2024).

Against this backdrop, cyber resilience, understood as the capacity of systems to anticipate, withstand, recover from and adapt to cyber disruptions, has become a strategic governance priority (Ross et al., 2021). International frameworks such as the NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001:2022 and COBIT 2019 provide structured approaches for managing cyber risk, aligning security with governance objectives and supporting adaptive capability. However, in many developing-country public-sector environments characterised by legacy infrastructure, skills shortages and institutional fragmentation, the conceptual fit and contextual alignment of these frameworks remain contested (Muller, 2015; Bernardo et al., 2025).

South Africa illustrates these challenges. Public institutions contend with chronic underinvestment in digital transformation, limited technical expertise and fragmented governance and oversight arrangements (Phahlamohlaka et al., 2022). While national policy instruments such as the National Cybersecurity Policy Framework (NCPF), the Protection of Personal Information Act (POPIA) and the Cybercrimes Act provide a formal regulatory foundation, the absence of a fully integrated and operationalised national cybersecurity strategy has contributed to persistent gaps in coordination, capacity and implementation across spheres of government (Phahlamohlaka et al., 2022). As a result, cybersecurity governance remains uneven, with a tendency towards reactive incident management rather than proactive resilience-building. Case-based analyses further highlight weaknesses in compliance monitoring, overlapping institutional mandates and resource constraints, which have been associated with high-profile security breaches and limited deterrence effects (Watney, 2024). These conditions complicate the contextual alignment of international CSFs that typically assume sustained coordination, continuous improvement and formalised governance mechanisms.

This paper responds to this gap by offering a comparative, literature-based and context-sensitive evaluation of three widely adopted frameworks, namely, NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019, within the South African public-sector context. While each framework has been examined independently in prior research (Ibrahim et al., 2018; Culot et al., 2021; De Haes et al., 2020), limited scholarship has comparatively synthesised their respective strengths and limitations for developing-country e-government environments characterised by governance fragmentation and resource constraints. The study advances a conceptual hybrid cyber resilience framework that integrates the modular flexibility of NIST CSF, the procedural discipline of ISO/IEC 27001 and the governance orientation of COBIT 2019. In doing so, it contributes to information security and governance scholarship by illustrating how established international standards may be analytically recombined to inform context-sensitive cyber resilience thinking in under-resourced public-sector settings.

E-government platforms have evolved from administrative utilities into critical components of national digital infrastructure, underpinning public service delivery, data management and civic participation. By enabling process automation, improving data accuracy and expanding service reach, they offer opportunities to reduce socio-economic and geographic disparities when supported by inclusive policy frameworks and resilient digital infrastructure (United Nations, 2024; World Bank, 2023). In this regard, the study engages with broader development debates concerning inclusive digital governance and resilient public infrastructure, which are reflected in Sustainable Development Goals 10 and 11. At the same time, the increasing centrality of e-government platforms has heightened their exposure to cyber threats that exploit institutional capacity constraints, technological gaps and governance weaknesses.

Global assessments consistently highlight these vulnerabilities (United Nations, 2024), while country-specific studies report parallel challenges across developing contexts. In Brazil, for example, digital inequality, elevated cybercrime levels and shortages of ICT professionals have been identified as persistent obstacles to cyber resilience (IISS, 2023). Broader analyses of developing-country environments similarly emphasise outdated infrastructure, limited human capacity and institutional fragility as recurring constraints (Kayode-Ajala, 2024; Uwaoma and Enkhtaivan, 2024; Muller, 2015). In South Africa, comparable dynamics are evident, with studies documenting sustained skills shortages, governance gaps and under-resourced institutions (Veerasamy et al., 2024; Moyana and Chuma, 2023). High-profile cybersecurity incidents reported in the public domain have further underscored deficiencies in incident detection, response and recovery capability (Pieterse, 2021). These challenges persist despite the existence of legislative and policy instruments such as the Cybercrimes Act, POPIA and the NCPF, which have often been unevenly implemented across institutional and subnational contexts (Sutherland, 2017; Phahlamohlaka et al., 2022).

In response to these risks, governments increasingly reference internationally recognised cybersecurity and governance frameworks. NIST CSF 2.0 emphasises risk-based governance and cross-organisational communication (Pascoe et al., 2024; Protiviti, 2024). ISO/IEC 27001:2022 provides a formalised information security management system (ISMS), with a focus on systematic risk assessment and documented controls (Culot et al., 2021; ISO/IEC 27005, 2022b). COBIT 2019 integrates cybersecurity into broader IT governance by linking oversight mechanisms to organisational objectives (Antariksa et al., 2025). However, the conceptual alignment and contextual suitability of these frameworks remain contested in developing-country public sectors characterised by uneven institutional maturity, resource constraints and skills shortages (Sutherland, 2017; Phahlamohlaka et al., 2022; Bernardo et al., 2025).

Against this backdrop, the present study undertakes a comparative, literature-based assessment of the governance alignment and contextual fit of NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019. The analysis informs the development of a conceptual hybrid cyber resilience framework intended to support analytical reasoning and future empirical inquiry into cybersecurity governance in developing-country e-government environments.

The paper addresses the following research questions:

Cyber resilience in e-government extends the general notion of resilience beyond technical safeguards to encompass governance, institutional and societal dimensions. Whereas traditional cybersecurity approaches prioritised perimeter defences and threat prevention, resilience emphasises adaptability and continuity under disruption (Araujo et al., 2024; Tzavara and Vassiliadis, 2024). In this context, resilience is not simply about protecting systems, but about ensuring that critical public services, such as identity verification, licensing and social welfare, remain functional even when digital infrastructures are compromised (Zuo et al., 2021).

Key features of resilience-oriented strategies include proactive risk governance, real-time monitoring, adaptive recovery planning and continuous improvement. These elements are particularly salient in developing-country settings, where systemic vulnerabilities are exacerbated by outdated ICT infrastructure, shortages of skilled personnel and fiscal constraints (Veerasamy et al., 2024; Safitri et al., 2024; SANS Institute, 2021). Achieving resilience, therefore, requires embedding strategic planning, regulatory alignment and sustained capacity development into the design and management of digital public services (Pieterse, 2021).

The NIST CSF 2.0 represents one of the most widely adopted models for organising and managing cybersecurity risks. Its six interrelated functions, namely, Govern, Identify, Protect, Detect, Respond and Recover, offer a high-level structure for aligning security with organisational objectives (NIST, 2024). The framework is designed to be flexible, enabling adaptation to diverse institutional contexts through three components: the Core, which defines desired outcomes; Organisational Profiles, which capture current and target states; and Implementation Tiers, which reflect maturity levels.

A significant enhancement in version 2.0 is the addition of the Govern function, which explicitly links cybersecurity with enterprise risk management, regulatory compliance and supply chain oversight. This shift is particularly relevant for fragmented governance environments, such as South Africa’s multi-tiered system, where provincial and municipal authorities often operate without strong coordination (Phahlamohlaka et al., 2022).

Despite its strengths, CSF 2.0 is intentionally non-prescriptive. While this flexibility allows tailoring to local missions and risk appetites, it can also introduce subjectivity into assessments. In resource-constrained public institutions, where technical expertise and funding are limited, adoption risks becoming partial or symbolic rather than operationally embedded (Parmar and Miles, 2024). Scholars have therefore developed maturity assessment models to strengthen NIST CSF’s contextual fit, ensuring that implementation moves beyond formal compliance towards measurable resilience outcomes (Bernardo et al., 2025).

ISO/IEC 27001:2022 is a certifiable and internationally recognised standard for establishing and maintaining an ISMS. It is built around the continuous improvement cycle of Plan–Do–Check–Act. The 2022 revision streamlined the control set from 114 to 93, placing greater emphasis on risk-based prioritisation and alignment with emerging threats (ISO/IEC, 2022a). This evolution reflects a broader shift in information security practice towards tailoring controls to organisational context and evolving risk landscapes (Culot et al., 2021).

In e-government settings, ISO/IEC 27001’s structured methodology supports comprehensive risk assessment, structured control governance and regulatory compliance. In South Africa, ISO/IEC 27001 provides a structured means of aligning statutory obligations under the POPIA with international best practices, reinforcing legal compliance while enabling interoperability with global security standards (Cane, 2025; Watney, 2024).

Despite these benefits, adoption in smaller or less digitally mature public institutions is often hindered by high resource demands, technical complexity and extensive documentation requirements. A recent review found that 68% of ISO/IEC 27001 implementation studies reported barriers, including the need for sustained senior management commitment, cross-functional collaboration, reliance on external consultants and significant financial investment (Magnusson et al., 2025). For resource-constrained public entities, these barriers frequently delay implementation, reduce the scope of adoption or lead to compliance that is formal on paper but limited in practice.

COBIT 2019, developed by ISACA, is an integrated governance framework that connects IT operations, cybersecurity and enterprise objectives within a single governance model. It supports performance measurement, strengthens stakeholder alignment and embeds cybersecurity into broader organisational governance structures (ISACA, 2019). Its guiding principles – value creation, holistic governance and scalability – make it adaptable to diverse institutional contexts, including the public sector.

In South Africa, COBIT 2019 is particularly relevant to digital transformation programmes, where it provides a structured governance logic for aligning ICT strategy with public service delivery goals (Pieterse, 2021). By integrating decision accountability, risk governance and performance oversight, it has the potential to unify fragmented ICT operations across government tiers and promote coherence in digital policy execution.

However, the framework’s governance-oriented approach depends on mature leadership structures, skilled personnel and sustained strategic alignment. These conditions are unevenly distributed across South Africa’s national, provincial and municipal spheres of government (Phahlamohlaka et al., 2022; Antariksa et al., 2025). Where such prerequisites are absent, adoption risks becoming procedural rather than transformative, especially in departments where digital leadership is siloed or under-resourced.

Although NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019 each address important dimensions of cyber resilience, their contextual alignment in developing-country e-government environments is shaped by institutional capacity, governance maturity and resource availability.

NIST CSF 2.0 offers modularity and adaptability, which make it accessible to organisations operating at different levels of maturity. While this flexibility is advantageous, the framework’s intentionally non-prescriptive design can also introduce challenges. In the absence of supplementary guidance or localisation mechanisms, engagement may remain uneven or limited to symbolic compliance (Parmar and Miles, 2024; Pascoe et al., 2024).

ISO/IEC 27001 provides strong procedural discipline and formalised governance, and it is widely recognised for establishing rigorous ISMSs. However, its technical complexity, extensive documentation requirements and financial cost present substantial barriers for resource-constrained public institutions. Consequently, adoption is often concentrated in larger, better-resourced organisations, while smaller entities encounter difficulties in meeting certification and maintenance requirements (Magnusson et al., 2025; Culot et al., 2021).

COBIT 2019 integrates IT governance with cybersecurity strategy, supporting long-term alignment between digital policy and organisational objectives. Its strengths lie in embedding accountability, performance oversight and enterprise-level risk governance. However, these benefits are contingent on mature leadership structures and sustained cross-departmental coordination, conditions that are frequently absent in fragmented or under-resourced public-sector environments (Antariksa et al., 2025; Phahlamohlaka et al., 2022).

Taken together, these comparative insights indicate that no single framework provides a comprehensive response to the governance and capacity challenges characteristic of resource-constrained e-government settings. Rather than advocating direct adoption, the analysis supports the conceptual synthesis of complementary elements from NIST CSF, ISO/IEC 27001 and COBIT 2019 into a hybrid cyber resilience framework. Such a synthesis offers an analytical bridge between global standards and the institutional constraints documented in developing-country public sectors, while remaining open to future empirical validation.

The three frameworks, NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019, offer complementary pathways for conceptualising and supporting cyber resilience in e-government. NIST CSF 2.0 is valued for its modularity and risk-based design, which makes it scalable across institutions at different maturity levels (Parmar and Miles, 2024; Pascoe et al., 2024). ISO/IEC 27001 provides a certifiable model of structured security governance, offering rigorous risk assessment and compliance mechanisms (Culot et al., 2021; Magnusson et al., 2025). COBIT 2019 extends beyond technical controls to integrate cybersecurity with enterprise IT governance, ensuring accountability, performance oversight and strategic alignment (Antariksa et al., 2025).

These strengths, however, reflect assumptions about institutional maturity, financial capacity and governance cohesion that are not consistently present in developing-country contexts. NIST CSF’s non-prescriptive nature requires complementary tools or in-house expertise, which may be lacking in resource-constrained departments. ISO/IEC 27001 demands substantial financial investment, technical knowledge and senior management commitment, making adoption uneven across government tiers (Magnusson et al., 2025). COBIT 2019 relies on stable leadership structures and cross-departmental collaboration, conditions that remain fragmented in South Africa’s decentralised governance system (Phahlamohlaka et al., 2022).

Table 1 provides a comparative summary of the three frameworks, outlining their core orientations, major strengths and key limitations.

Global cyber resilience frameworks often presuppose institutional conditions that are unevenly distributed in developing-country environments. Limited budgets, outdated infrastructure and persistent skills shortages constrain effective institutional uptake of global standards (Raza, 2024; Veerasamy et al., 2024; Magnusson et al., 2025). For instance, NIST CSF 2.0 presumes the availability of reliable digital asset inventories and real-time monitoring capabilities, which many South African departments lack (Parmar and Miles, 2024). ISO/IEC 27001’s certification process requires extensive documentation and sustained leadership commitment, barriers that smaller agencies frequently struggle to overcome. COBIT 2019 assumes cross-sectoral coordination and mature governance capacity, yet fragmented oversight arrangements and overlapping mandates inhibit such alignment in decentralised public-sector systems (Phahlamohlaka et al., 2022).

These constraints frequently give rise to compliance-oriented engagement rather than resilience-oriented governance, in which institutions pursue surface-level alignment with global standards without embedding them within routine organisational practices. While legislative instruments such as POPIA and the Cybercrimes Act provide a formal regulatory foundation, uneven enforcement and coordination continue to undermine coherent institutional alignment across government spheres (Watney, 2024).

Comparative experiences from Estonia, Singapore and the UK are frequently cited in the cybersecurity governance literature to illustrate how different institutional arrangements are associated with approaches to cyber resilience in high-capacity public-sector environments:

• Estonia is commonly referenced for its emphasis on resilience-by-design. Initiatives such as the X-Road interoperability platform and blockchain-backed data embassies are discussed in the literature as examples of how architectural integration and system redundancy can support service continuity under systemic disruption (Peets, 2017; Munabari, 2023).

• Singapore is often highlighted for its whole-of-government coordination model. Through the Cyber Security Agency, regulatory authority is combined with capacity development, public–private collaboration and targeted investment in cybersecurity skills. Programmes such as the Cybersecurity Development Programme and the Co-Innovation and Development Fund are cited as illustrations of sustained institutional coordination and capability development (CSA, 2024; CSA, 2025a; CSA, 2025b).

• The UK is frequently discussed in relation to regulatory embedding. Collaboration between the National Cyber Security Centre and the Information Commissioner’s Office is presented in the literature as an example of how legal requirements under General Data Protection Regulation (GDPR) Article 32 can be translated into outcome-oriented security expectations within public-sector organisations (NCSC and ICO, 2018; Montasari, 2023).

Taken together, these international cases serve as illustrative reference points rather than transferable models for developing-country contexts. They underscore how governance design, institutional coordination and sustained investment are recurrent themes in cyber resilience scholarship, while also highlighting the gap between high-capacity environments and the structural constraints faced by resource-limited public sectors. As such, these cases inform comparative reflection and conceptual synthesis, rather than prescriptive guidance, in the development of context-sensitive cyber resilience frameworks.

South Africa’s decentralised governance arrangements and documented resource disparities highlight the limitations of applying global cyber resilience frameworks in isolation within developing-country public-sector environments (Phahlamohlaka et al., 2022; Veerasamy et al., 2024). While internationally recognised frameworks offer valuable conceptual structures, they also embody assumptions regarding institutional maturity, coordination capacity and resource availability that may not hold uniformly across fragmented governance systems (Sutherland, 2017; Bernardo et al., 2025).

From a conceptual perspective, the comparative evaluation indicates that NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019 contribute complementary design logics to cyber resilience thinking. NIST CSF 2.0 provides modularity and risk-based structuring that supports engagement across varying levels of institutional maturity (Pascoe et al., 2024). ISO/IEC 27001 contributes procedural discipline and formalised governance mechanisms that align cybersecurity practices with statutory obligations under POPIA and the Cybercrimes Act (Cane, 2025; Magnusson et al., 2025). COBIT 2019 emphasises governance integration, accountability and performance oversight within enterprise-level ICT decision-making (Antariksa et al., 2025).

Rather than advancing implementation prescriptions, these insights inform the conceptual development of a hybrid cyber resilience framework that integrates governance alignment, operational flexibility and procedural coherence. Such a framework functions as an analytical reference model for examining cyber resilience in resource-constrained e-government contexts, while recognising that questions of institutional feasibility, coordination mechanisms and capacity development require empirical investigation beyond the scope of this study (Linkov and Kott, 2018).

This study adopts a qualitative, literature-based comparative evaluation design to examine the conceptual alignment and contextual suitability of NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019 within South Africa’s e-government systems, drawing on principles of qualitative comparative reasoning (Ragin, 1999). The analysis does not seek to benchmark national cybersecurity performance or assess implementation outcomes. Rather, it evaluates the conceptual alignment and contextual suitability of the selected frameworks relative to the institutional, operational and capacity constraints characteristic of resource-constrained public-sector environments. Consistent with critiques of the policy and practice gap in cybersecurity governance, the analysis recognises that documented capabilities in policy and framework literature may overstate operational realities and therefore treats formal compliance claims cautiously.

The evaluation framework is informed by three interrelated strands of scholarship: cyber resilience theory (Linkov and Kott, 2018), research on ICT governance in organisational and public-sector contexts (von Solms and von Solms, 2018) and studies examining cybersecurity maturity and capability constraints in developing countries (Phahlamohlaka et al., 2022). The evaluative constructs applied in this study were inductively derived through thematic synthesis of recurring analytical dimensions emphasised across these bodies of literature, rather than proposed as a new maturity or assessment model. Synthesising insights from these strands provides an analytically grounded basis for identifying structural complementarities, contextual limitations and implications for contextual configuration across the selected frameworks.

This approach moves beyond descriptive comparison by applying theoretically informed evaluative constructs to examine global CSFs in developing-country settings. The resulting analysis establishes a conceptual foundation for future empirical validation and informs the development of a hybrid cyber resilience framework that reflects South Africa’s governance arrangements, institutional diversity and documented capacity constraints.

A structured desktop analytical review was conducted, drawing on peer-reviewed academic literature, official framework documentation, policy instruments and publicly available reports. A comparative matrix was used to examine each framework against a common set of evaluation dimensions, enabling systematic and transparent cross-framework analysis at a conceptual level.

The purpose of the evaluation was not to generate a ranked hierarchy or prescriptive recommendations, but to identify relative strengths, limitations and areas of contextual misalignment. This framing ensures that the analysis remains theoretically robust while avoiding claims regarding practical feasibility or implementation effectiveness, which would require empirical investigation.

To guide the comparative analysis, six interrelated evaluation dimensions were derived through thematic synthesis of recurring evaluative concerns in the cyber resilience, ICT governance and developing-country cybersecurity literature, as illustrated in Figure 1. These dimensions were not arbitrarily constructed but reflect consistently emphasised analytical themes across established scholarly and policy-oriented studies.

The first dimension, governance alignment, examines the compatibility of each framework with public-sector governance structures and statutory instruments such as POPIA and the NCPF (Sutherland, 2017; Phahlamohlaka et al., 2022). Operational usability assesses the clarity, modularity and conceptual accessibility of frameworks, particularly in institutional contexts characterised by limited specialist cybersecurity capacity (Veerasamy et al., 2024). Resource and capacity sensitivity considers the financial, human and technical resource assumptions embedded within each framework, acknowledging constraints commonly observed in under-resourced government entities (Veerasamy et al., 2024; Dawood et al., 2024).

The fourth dimension, adaptability and flexibility, evaluates the extent to which frameworks can accommodate variation in institutional maturity, infrastructure quality and risk exposure across different tiers of government (Phahlamohlaka et al., 2022; Antariksa et al., 2025). Resilience orientation examines whether frameworks extend beyond preventive controls to encompass threat awareness, incident preparedness, recovery capability and continuity planning (Araujo et al., 2024; Linkov and Kott, 2018). Finally, performance monitoring and improvement considers whether frameworks incorporate maturity assessment mechanisms and feedback processes that conceptually support iterative strengthening over time.

Collectively, these dimensions provide an analytically coherent basis for evaluating both the technical scope of global CSFs and their institutional and governance compatibility in resource-constrained e-government environments.

The evaluation drew on a range of authoritative and triangulated documentary sources to support analytical credibility and contextual relevance within a qualitative, literature-based design. Primary materials included official framework documentation for NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019, which articulate intended governance structures, control domains and maturity concepts. Peer-reviewed literature on cyber resilience and ICT governance was reviewed, with emphasis on public-sector and developing-country contexts. In addition, national policy documents and reports produced by the South African government and the Council for Scientific and Industrial Research were examined to identify documented cybersecurity challenges and capacity constraints (Veerasamy et al., 2024; Dawood et al., 2024; Ngejane, 2024).

It is acknowledged that policy documents and official reports may reflect aspirational capability statements rather than operational realities, a limitation commonly noted in public-sector cybersecurity research. Accordingly, findings derived from documentary analysis are interpreted as indicative of intended governance and capability positioning, rather than as evidence of effective operational implementation.

Framework selection was guided by three criteria. Firstly, frameworks were required to demonstrate international recognition and maturity. Secondly, they needed to exhibit relevance to public-sector governance, including multi-tier institutional environments and statutory compliance considerations. Thirdly, the frameworks had to feature in South African policy or academic discourse, indicating contextual salience. These criteria ensured that the selected frameworks were appropriate for addressing the study’s research questions through a literature-based comparative evaluation.

Complementary instruments, including the CIS Critical Security Controls and the GDPR, were consulted for contextual reference but excluded from the core comparative analysis due to their narrower scope and limited applicability to holistic e-government cyber resilience.

The comparative evaluation of NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019 across six dimensions highlights differentiated strengths and constraints in the South African e-government context. While each framework contributes to advancing cyber resilience, their contextual alignment is shaped by fragmented governance, uneven institutional maturity and persistent resource constraints (Phahlamohlaka et al., 2022; Veerasamy et al., 2024). This overview establishes the basis for a more detailed, framework-specific evaluation.

NIST CSF 2.0 demonstrates strong adaptability and resilience orientation. Its modular core functions – Govern, Identify, Protect, Detect, Respond and Recover – support modular engagement across differing levels of institutional maturity, making the framework accessible to departments with moderate technical capacity. Compared with certification-based models, its resource requirements are less onerous. However, the framework presumes a baseline level of maturity, including digital asset inventories and monitoring capabilities, which are often lacking in South African agencies. The addition of the Govern function in Version 2.0 enhances alignment with statutory instruments such as POPIA and the NCPF, yet the non-prescriptive design means that meaningful operationalisation would require supplementary tools, interpretive guidance and technical expertise (Parmar and Miles, 2024; Pascoe et al., 2024).

ISO/IEC 27001 offers strong governance alignment by linking South Africa’s statutory obligations under POPIA with internationally recognised best practices. Its structured methodology, grounded in the Plan–Do–Check–Act cycle, enhances compliance assurance and operational discipline. Nevertheless, the extensive documentation, reliance on external consultants and high certification costs present significant challenges for smaller or less digitally mature entities. Although theoretically scalable, its linear control structure reduces flexibility in resource-constrained contexts. The framework embeds robust mechanisms for internal audits and continuous improvement, but its resilience orientation is more static, emphasising continuity planning over dynamic threat response (Magnusson et al., 2025; Cane, 2025).

COBIT 2019 provides a governance-centric model that integrates IT strategy with public service delivery objectives, making it particularly relevant for national-level transformation initiatives. Its emphasis on accountability, performance oversight and risk governance positions it as a valuable tool for aligning cybersecurity with broader policy goals. However, the framework is conceptually dense, requires significant training and assumes the existence of skilled personnel and cohesive leadership structures. These requirements are difficult to sustain in South Africa’s unevenly resourced provincial and municipal governments. While adaptable in principle, COBIT’s governance-heavy design often needs simplification for lower-tier agencies. Its maturity models and performance-tracking tools are strengths, but its limited operational specificity in incident detection and response remains a weakness (Antariksa et al., 2025).

Taken together, the findings indicate that the three frameworks exhibit complementary strengths rather than serving as standalone solutions. NIST CSF contributes adaptability and a resilience focus, but lacks embedded enforcement mechanisms. ISO/IEC 27001 offers procedural discipline and certifiable controls, though its resource demands constrain uptake outside larger institutions. COBIT 2019 strengthens strategic governance and performance monitoring but presumes mature institutional leadership that is not consistently available in South Africa’s decentralised public sector.

From a conceptual perspective, the comparative synthesis highlights how different frameworks emphasise distinct design logics within cyber resilience scholarship. NIST CSF foregrounds modular risk structuring and adaptive capability, ISO/IEC 27001 formalises procedural governance and assurance mechanisms and COBIT 2019 embeds cybersecurity within enterprise-level governance and performance oversight. Prior resilience research similarly argues that hybridisation of governance, technical and adaptive dimensions offers greater analytical coherence than reliance on singular frameworks, particularly in resource-constrained public-sector environments (Linkov and Kott, 2018; Bernardo et al., 2025).

The findings reinforce the argument that cyber resilience in developing-country e-government contexts cannot be adequately addressed through the direct application of single, globally defined frameworks. Instead, resilience must be understood as an emergent property shaped by governance structures, institutional capacity and resource availability. The differentiated strengths observed across NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019 underscore the analytical value of examining cybersecurity through multiple governance and operational lenses rather than through prescriptive implementation models.

By synthesising governance alignment, procedural discipline and adaptive flexibility, the hybrid framework proposed in this study provides a conceptual reference for analysing cyber resilience challenges in fragmented public-sector environments. Importantly, the findings highlight the need to distinguish between analytical framework design and practical implementation, with the latter requiring empirical investigation into institutional readiness, coordination mechanisms and capacity development beyond the scope of this study.

The comparative analysis in Section 5 demonstrated that NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019 each contribute valuable but partial responses to the cyber resilience requirements of South Africa’s e-government sector. NIST CSF 2.0 offers modularity and a resilience-oriented structure, enabling engagement by institutions at different maturity levels, but provides limited prescriptive depth in relation to governance and accountability within fragmented public-sector environments (Parmar and Miles, 2024; Pascoe et al., 2024). ISO/IEC 27001 provides structured compliance mechanisms and control precision; however, its technical, financial and managerial demands can constrain feasibility for under-resourced public institutions (Magnusson et al., 2025). COBIT 2019 emphasises governance integration and strategic alignment, yet its effectiveness is contingent on organisational maturity and cohesive leadership structures that are not uniformly present within South Africa’s decentralised administrative system (Antariksa et al., 2025).

Taken together, these limitations indicate the need for an integrated approach that selectively combines the complementary strengths of the three frameworks while mitigating their individual constraints. A hybrid configuration that integrates governance alignment, operational adaptability and regulatory compliance within a scalable conceptual model offers a context-sensitive basis for analysing cyber resilience in e-government. Such an approach is analytically consistent with South Africa’s statutory and policy environment, including POPIA, the NCPF and the Cybercrimes Act, while also accounting for uneven institutional maturity across different tiers of government.

The proposed hybrid framework is structured around the six evaluation dimensions introduced in Section 4.2. Each dimension is conceptually anchored in one or more international CSFs, with adaptations reflecting South Africa’s governance arrangements and institutional constraints.

Table 2 summarises the alignment between the evaluation dimensions, their primary source frameworks, and the associated conceptual focus

This mapping illustrates how each framework contributes selectively to distinct aspects of cyber resilience. COBIT 2019 provides a governance and accountability foundation, NIST CSF 2.0 contributes modularity and adaptability and ISO/IEC 27001 introduces procedural discipline and auditability. Combined, these elements form a multidimensional conceptual design that balances governance, operational considerations and regulatory assurance. In doing so, the framework advances existing scholarship by demonstrating how established global standards may be recombined into a hybrid configuration tailored to developing-country e-government contexts.

Figure 2 presents a visual representation of the hybrid cyber resilience framework for e-government. The framework is depicted as a layered system of interdependent dimensions. Governance alignment is positioned at the upper level, reflecting its role in shaping leadership accountability, policy coherence and statutory integration. These governance mechanisms inform operational usability and adaptability, which support scalability across different tiers of government and responsiveness to institutional capacity variations. At the core of the framework, resilience orientation encompasses threat detection, incident response and continuity planning. Performance monitoring completes the structure by linking maturity assessment, review mechanisms and iterative feedback to governance oversight.

This layered interaction reflects the conceptualisation of cyber resilience as an evolving process rather than a static state. By integrating governance, operational and resilience dimensions within a unified structure, the framework contributes a theoretically grounded reference model intended to support future empirical investigation and policy-oriented analysis.

Rather than prescribing a definitive implementation pathway, this study proposes an illustrative and conceptually derived phasing logic through which the hybrid cyber resilience framework may be analytically interpreted in the South African e-government context. The phases outlined below are derived from comparative framework literature, public-sector cybersecurity governance studies and documented structural constraints in developing-country environments, and are presented as analytical considerations rather than implementation directives.

Phase 1 – Exploratory engagement and baseline consideration

Existing literature on public-sector cybersecurity maturity emphasises the importance of baseline assessments as a precursor to structured resilience initiatives, particularly in environments characterised by uneven institutional capacity and legacy systems (NIST, 2024; ENISA, 2025). Conceptually, an exploratory adoption phase allows organisations to assess current governance arrangements, risk exposure and resource constraints before deeper framework integration is considered.

Phase 2 – Capacity and capability considerations

Cybersecurity skills shortages and limited institutional capability are consistently identified as structural barriers to effective cyber resilience within South Africa’s public sector (Veerasamy et al., 2024; SANS Institute, 2021). Within the proposed framework, capacity development is therefore conceptualised not as an outcome of implementation, but as an enabling condition for any subsequent governance or operational integration. This aligns with broader scholarship that positions human and organisational capacity as foundational to sustainable cybersecurity practice in developing contexts.

Phase 3 – Contextual and regulatory alignment considerations

The localisation of international CSFs to national regulatory and institutional contexts is widely recognised as necessary to avoid superficial compliance and misalignment with domestic governance structures (Phahlamohlaka et al., 2022; Government of the Republic of South Africa, 2020). In the South African context, this phase conceptually foregrounds alignment with statutory instruments such as POPIA and the Cybercrimes Act, as well as adaptation to diverse organisational maturity levels across national, provincial and municipal government spheres.

Phase 4 – Governance integration considerations

Cyber resilience literature increasingly emphasises that sustainable resilience depends on integration into existing governance, accountability and oversight mechanisms rather than stand-alone technical initiatives (ISACA, 2019; Magnusson et al., 2025). From a conceptual perspective, embedding cyber resilience principles within institutional governance structures enhances coherence, accountability and long-term viability, particularly in decentralised public-sector environments.

Phase 5 – Iterative learning and conceptual refinement

Resilience is widely conceptualised as a dynamic and adaptive process requiring continuous learning, feedback and adjustment in response to evolving threats and institutional change (NIST, 2024; Pascoe et al., 2024). Accordingly, the final phase highlights iterative refinement as a conceptual requirement for framework maturation. Empirical investigation would be required to determine how such learning mechanisms operate in practice within South Africa’s intergovernmental cybersecurity landscape.

Collectively, these phases illustrate how the proposed hybrid framework may be incrementally examined as an analytical construct under conditions of resource constraint, governance fragmentation and uneven institutional maturity. Importantly, they are presented as theoretically grounded propositions intended to inform future empirical research, such as expert consultation, Delphi studies or practitioner-based validation, rather than as prescriptive guidance for immediate implementation.

The proposed hybrid cyber resilience framework integrates the modular flexibility of NIST CSF 2.0, the procedural discipline of ISO/IEC 27001 and the governance orientation of COBIT 2019 into a unified conceptual configuration. Rather than advancing an implementation blueprint, this section interprets the analytical implications of the framework for understanding cyber resilience governance in South Africa’s e-government context, focusing on contextual relevance, governance alignment, capacity conditions and sustainability in resource-constrained public-sector environments.

The hybrid framework is analytically positioned to account for uneven digital maturity across South Africa’s national, provincial and municipal e-government institutions. By foregrounding scalability, modularity and flexibility as design principles, it reflects structural conditions widely identified in developing-country public-sector literature, including fragmented governance, differentiated institutional capacity and resource asymmetries across government tiers.

In contrast to certification-oriented models that implicitly assume stable resources and organisational maturity, the framework emphasises conceptual adaptability rather than uniform adoption. This orientation aligns with scholarly critiques cautioning against the direct transplantation of global cybersecurity standards into heterogeneous public-sector environments without due consideration of contextual constraints (Sutherland, 2017). Within this framing, the tiered and modular characteristics associated with NIST CSF 2.0 are interpreted as mechanisms for accommodating institutional diversity, rather than guarantees of practical feasibility.

Importantly, the framework does not presume specialised cybersecurity expertise as a baseline condition. Instead, it highlights outcome-oriented structuring as a conceptual means through which resilience thinking may be articulated in settings characterised by uneven technical capacity. This supports the broader argument that cyber resilience in e-government is best understood as a context-sensitive governance construct shaped by institutional realities rather than idealised implementation assumptions.

Institutional fragmentation is consistently identified as a structural constraint on effective cybersecurity governance in South Africa’s public sector, with overlapping mandates and weak coordination undermining coherence across government tiers (Jansen van Vuuren and Leenen, 2018; Phahlamohlaka et al., 2022). Within this context, cyber resilience challenges are closely tied to deficiencies in governance alignment, accountability and strategic oversight rather than purely technical shortcomings.

The hybrid framework foregrounds governance integration as a core dimension of resilience by drawing on principles embedded in COBIT 2019. From an analytical perspective, this emphasis highlights the importance of role clarity, performance oversight and alignment between cybersecurity objectives and broader organisational goals. Rather than treating cybersecurity as an isolated technical function, the framework positions it as an integral component of institutional governance structures.

Comparative international experience further reinforces the significance of coordinated governance arrangements in shaping resilience outcomes. Studies of countries such as Singapore illustrate how regulatory coherence and sustained institutional oversight support more consistent cybersecurity practices across the public sector. In this study, such cases are interpreted as illustrative of governance conditions associated with resilience coherence, rather than as models for direct replication.

Accordingly, the contribution of the hybrid framework lies in its conceptual articulation of governance coordination as a prerequisite for resilience, underscoring the need for empirical investigation before specific institutional or policy reforms can be advanced.

South Africa’s cyber legislative landscape, including POPIA, the Cybercrimes Act, ECTA, RICA and the NCPF, establishes a formal legal basis for cybersecurity governance but has been widely characterised as unevenly implemented and predominantly reactive (Jansen van Vuuren and Leenen, 2018). Although POPIA provides for administrative penalties of up to R10 million under Section 109 (Republic of South Africa, 2013), enforcement capacity and institutional consistency remain variable across government entities.

From an analytical perspective, the governance alignment dimension of the hybrid framework highlights persistent tensions between statutory intent and operational coherence. Prior studies attribute these tensions to fragmented mandates, limited interoperability between domestic regulation and international standards and infrequent policy updating in response to rapidly evolving threat environments. Emerging risks, including AI-enabled cyber deception, large-scale data exfiltration and geopolitically motivated cyber activity, further amplify the consequences of regulatory lag.

Rather than proposing specific reforms, this analysis positions regulatory alignment as a conceptual condition for cyber resilience in e-government, providing an interpretive lens for future empirical and policy-oriented research.

The literature consistently identifies human capital, organisational culture and institutional awareness as foundational conditions for cyber resilience in public-sector environments. In developing-country contexts, persistent skills shortages and uneven cybersecurity capability constrain the effectiveness of even well-designed governance and technical frameworks (Veerasamy et al., 2024).

Within this framing, the hybrid framework conceptualises capacity as a structural precondition shaping resilience potential rather than an implementation outcome. It highlights how governance alignment, modular structuring and performance orientation are influenced by underlying human and organisational capability, aligning with national policy discourse that recognises cybersecurity competence and digital literacy as systemic enablers of sustainable digital governance (Government of South Africa 2020).

Cyber resilience is widely conceptualised as a dynamic and adaptive process rather than a one-time compliance outcome. From an analytical perspective, the hybrid framework foregrounds sustainability as a function of continuous learning and institutional adaptation in response to evolving threat environments, with maturity assessment and iterative refinement interpreted as conceptual mechanisms rather than operational prescriptions.

Emerging technological and geopolitical developments, including AI-enabled cyber deception, large-scale data exploitation and prospective quantum-related risks, further underscore the importance of adaptive governance in public-sector cybersecurity. Within this context, the hybrid framework provides a reference point for examining how intelligence awareness, regulatory responsiveness and institutional learning shape long-term resilience trajectories in e-government systems.

At a broader level, the framework aligns cyber resilience with sustainable development considerations by linking secure and reliable digital public services to inclusive governance outcomes. By framing resilience as a governance and institutional capability rather than a purely technical achievement, the model contributes analytically to discussions related to SDG 10 and SDG 11, while reinforcing the need for empirical research to assess how such linkages materialise in practice.

Cybersecurity resilience has emerged as a central governance concern as governments increasingly rely on digital platforms for public service delivery. In South Africa, persistent financial constraints, capacity shortages and fragmented institutional arrangements complicate the direct adoption of international CSFs in their entirety. Under such conditions, public-sector organisations often demonstrate formal alignment with global standards without corresponding improvements in operational resilience.

This study examined the applicability of three internationally recognised frameworks, namely, NIST CSF 2.0, ISO/IEC 27001:2022 and COBIT 2019, within the context of South Africa’s e-government systems. Through a qualitative, literature-based comparative evaluation across six analytically derived dimensions, the analysis demonstrated that each framework contributes distinct strengths while also exhibiting context-specific limitations. NIST CSF offers modularity and adaptability across varying levels of institutional maturity, ISO/IEC 27001 provides procedural structure and continuous improvement mechanisms and COBIT 2019 emphasises governance integration and performance oversight. However, none of the frameworks, when applied in isolation, adequately addresses the combined governance, operational and capacity constraints characteristic of resource-constrained e-government environments.

These insights informed the development of a conceptual hybrid cyber resilience framework that selectively synthesises complementary elements from the three standards. Rather than pursuing paradigmatic unification, the framework operates at the level of governance and design logic, illustrating how global cybersecurity standards may be analytically recombined to account for institutional fragmentation, uneven maturity and constrained resources. The primary contribution of this study therefore lies in advancing scholarship on cyber resilience by providing a theoretically grounded reference model for analysing and comparing framework configurations in developing-country public-sector settings.

The proposed hybrid framework is not advanced as an implementation blueprint. Instead, it functions as an analytical construct intended to support structured reasoning and inform future empirical inquiry. Practitioner engagement, expert consultation and case-based investigation remain necessary to examine how conceptual alignment translates into operational practice and to assess feasibility under real-world political, organisational and resource conditions.

More broadly, this study reinforces the need to move beyond compliance-oriented approaches towards governance-informed and adaptive conceptions of cybersecurity resilience. In doing so, it contributes to policy and academic debates on secure digital government by highlighting how cybersecurity governance may support inclusive, resilient and trustworthy public services, with relevance to broader development objectives such as reducing digital inequality and strengthening sustainable digital infrastructures.

This research was supported by the CSIR–DSTI Inter-Programme Bursary Scheme (IBS), awarded for doctoral studies at the University of Venda. The Article Processing Charges (APC) for this article were covered by the University of Venda. The funders had no role in the design, analysis, or writing of this study.