An organization wants to demonstrate its commitment to protecting sensitive customer information and comply with legal and regulatory requirements. Which standard provides a framework for establishing, implementing, maintaining, and continually improving an ISMS?

To demonstrate its commitment to protecting sensitive customer information and complying with legal and regulatory requirements, the organization should consider ISO 27001.

**ISO 27001** provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It includes risk management processes, security controls, and guidelines for ongoing improvement in information security.

Here's a brief overview of the other mentioned standards for context:

- **NIST Cybersecurity Framework**: This framework helps organizations manage and reduce cybersecurity risk. It is widely used in the United States and provides a policy framework of computer security guidance, but it is not specifically focused on the establishment and maintenance of an ISMS.

- **CIS Controls**: The Center for Internet Security (CIS) Controls are a set of best practices for securing IT systems and data against cyber attacks. They are highly actionable and can be used to enhance security, but they don’t provide a complete framework for an ISMS.

- **COBIT**: Control Objectives for Information and related Technology (COBIT) is a framework for developing, implementing, monitoring, and improving IT governance and management practices. It’s more focused on IT governance than on the specifics of an ISMS.

Therefore, for a comprehensive and globally recognized framework specifically focused on an Information Security Management System, **ISO 27001** is the most appropriate choice.