<p>In today's digitally connected world, safeguarding information is paramount for organizations. With the increasing complexity of digital systems and the rising number of cyber threats, information security and cybersecurity risk management has become a necessary function for today’s business. Auditing is in place to assess and mitigate risks of information security. However, the audit process can be intimidating and complex. It involves a broad spectrum of methods that analyze existing controls in a variety of information security and cybersecurity areas. To reduce risks and enhance compliance with standards, the plan has corrective actions for all controls in the checklist. Although most ISMSs can co-exist, most organizations have a single ISMS with their respective tools and processes. This setup may limit flexibility and diversity, making the overall result of audit assessments less effective. Moreover, using outdated tools and processes makes it difficult to provide answers to questions about cybersecurity management and may cause gaps in fulfilling requirements. This gap makes organizations susceptible to threats and possible non-compliance with regulations. In general, SMEs have different auditing requirements from large-scale businesses, and existing ISMSs do not support them comprehensively at the controlling level. In short, existing ISMSs are not suitable for auditing SMEs. To overcome these issues, we have developed an end-to-end system that encompasses all aspects of cybersecurity auditing within one platform: the ISO27K1 Toolkit, designed to meet user preferences. Its advanced web interface has improved automated information security auditing. The system is flexible and dynamic, supporting multiple auditing methods and the integration of predefined control checklists and corresponding mitigation actions. This paper describes the development of the ISO27K1 Toolkit, designed based on ISO 27001:2022 controls and future-proofed for compatibility with the NIST-CSF and PCI DSS standards. The ISO27K1 Toolkit automates critical security assessment tasks, improving user experience and supporting audit processes while promoting compliance, efficiency, and proactive risk management. Large-scale business organizations and SMEs can take advantage of the relational database of the ISO 27K1 Toolkit, which maintains the latest auditing and intervention data. The project was implemented among 35 SMEs and focused on information security audits and system assessments according to ISO 27001:2022. This document presents the system architecture and design, as well as the results of global testing.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Automating cybersecurity audits: analyzing the impact of the ISO27K1 Toolkit on SME compliance and risk management

  • Shahana Islam,
  • Ali Haider,
  • Fahad Burhan Ahmad,
  • Azaz Ahmed Kiani,
  • Yaser Hafeez,
  • Muhammad Habib,
  • Eid Rehman,
  • Tehseen Mazhar

摘要

In today's digitally connected world, safeguarding information is paramount for organizations. With the increasing complexity of digital systems and the rising number of cyber threats, information security and cybersecurity risk management has become a necessary function for today’s business. Auditing is in place to assess and mitigate risks of information security. However, the audit process can be intimidating and complex. It involves a broad spectrum of methods that analyze existing controls in a variety of information security and cybersecurity areas. To reduce risks and enhance compliance with standards, the plan has corrective actions for all controls in the checklist. Although most ISMSs can co-exist, most organizations have a single ISMS with their respective tools and processes. This setup may limit flexibility and diversity, making the overall result of audit assessments less effective. Moreover, using outdated tools and processes makes it difficult to provide answers to questions about cybersecurity management and may cause gaps in fulfilling requirements. This gap makes organizations susceptible to threats and possible non-compliance with regulations. In general, SMEs have different auditing requirements from large-scale businesses, and existing ISMSs do not support them comprehensively at the controlling level. In short, existing ISMSs are not suitable for auditing SMEs. To overcome these issues, we have developed an end-to-end system that encompasses all aspects of cybersecurity auditing within one platform: the ISO27K1 Toolkit, designed to meet user preferences. Its advanced web interface has improved automated information security auditing. The system is flexible and dynamic, supporting multiple auditing methods and the integration of predefined control checklists and corresponding mitigation actions. This paper describes the development of the ISO27K1 Toolkit, designed based on ISO 27001:2022 controls and future-proofed for compatibility with the NIST-CSF and PCI DSS standards. The ISO27K1 Toolkit automates critical security assessment tasks, improving user experience and supporting audit processes while promoting compliance, efficiency, and proactive risk management. Large-scale business organizations and SMEs can take advantage of the relational database of the ISO 27K1 Toolkit, which maintains the latest auditing and intervention data. The project was implemented among 35 SMEs and focused on information security audits and system assessments according to ISO 27001:2022. This document presents the system architecture and design, as well as the results of global testing.