Litcius/Paper detail

Organisational Information Security Maturity Assessment Based on ISO 27001 and ISO 27002

Veselin Monev

202017 citationsDOI

Abstract

This article proposes a practical methodology for performing information security maturity assessment for organisations which operate an Information Security Management System (ISMS) based on the ISO 27001:2013 standard. The methodology uses a COBIT 5-comparable method to evaluate the maturity level of the security controls and clauses in ISO 27001:2013 and leverages on the guidelines in ISO 27002:2013. It was successfully used in an undisclosed company. Information security professionals can benefit from applying the same methodology or a similar one in organisations of various size and nature. The final product of the assessment is metrics and recommendations for improvement of the ISMS, which can be used for tactical and strategic decision-making, as well as input for organisational information security risk management.

Topics & Concepts

COBITInformation security management systemStandard of Good PracticeITIL security managementMaturity (psychological)Information securityInformation Technology Infrastructure LibraryInformation security managementCapability Maturity ModelProcess managementCertified Information Systems Security ProfessionalComputer scienceControl (management)Knowledge managementInformation technologyBusinessComputer securitySecurity information and event managementSecurity serviceCloud computing securityCloud computingNetwork security policyOperating systemProgramming languageDevelopmental psychologyArtificial intelligenceSoftwarePsychologyInformation and Cyber Security