ISO/IEC 27001 is the correct framework for Meridian Trust because it defines the requirements for an information security management system and it is explicitly designed to be audited and certified.

ISO/IEC 27001 specifies clauses for leadership, planning, support, operation, performance evaluation, and improvement and it requires internal audits and management reviews. The standard also provides Annex A controls that map to technical and organizational measures and it gives a clear basis for external certification audits and evaluators to assess an organization against defined management system requirements.

COBIT is focused on IT governance and management controls and it provides governance objectives and maturity guidance. It is useful for governance assessments but it does not itself define the auditable ISMS requirements or the certification process that ISO/IEC 27001 provides.

NIST SP 800-53 offers a comprehensive catalog of security controls and assessment guidance and it is widely used for U.S. federal systems. It is strong for selecting and assessing controls but it is not an international management system standard that defines ISMS requirements and a global certification scheme like ISO/IEC 27001.

ITIL is a best practices framework for IT service management and it focuses on delivering and operating services. It does not define an information security management system with auditable certification criteria for ISMS evaluation.

Full AWS Practitioner Certification Question