DEVELOPMENT OF A METHODOLOGY FOR ASSESSING COMPLIANCE WITH ISO 27001 STANDARD
Keywords: information security, cybersecurity, ISO 27001, information security framework, information security management system, gap assessment, gap analysis
This article proposes a methodology for assessing an organization's compliance with ISO/IEC 27001:2022, the revision of the standard published at the end of 2022. The growing importance of information security requires companies to adapt their practices and policies to the revised requirements. The authors review recent research on ISO 27001 implementation and identify the shortcomings of the existing materials for compliance assessment. The methodology consists of analysing the requirements of the new edition, comparing them with the organization's current practices, identifying the gaps between the two, developing a plan to implement the required changes, and monitoring compliance afterwards. The resulting recommendations are intended to help organizations make an effective transition to the new edition, minimize risk, and maintain a high level of information security; they take into account the needs of individual organizations and support the adoption of new information security practices and requirements. The purpose of the article is to show the complexity and importance of conducting an initial gap assessment before implementing the standard, and to demonstrate the effectiveness of a detailed checklist when performing the gap analysis. The study is supported by a detailed review of the literature and articles on implementing ISO 27001 in organizations.
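As an added illustration of the checklist-based gap assessment described above (example code written for this page, not the authors' own tooling), the following Python scorer records each requirement's implementation status and the audit evidence behind it, computes overall coverage, ranks the open gaps by risk, and derives the action list for the implementation plan. The checklist rows are constructed samples: the clause numbers (4.1, 6.1.2, 9.2) and Annex A references (A.5.7 Threat intelligence, A.8.8 Management of technical vulnerabilities) are ISO/IEC 27001:2022 references, while the requirement wording, statuses, evidence strings and risk ratings are assumptions made for the example.

```python
"""Checklist-based ISO/IEC 27001:2022 gap assessment scorer (illustrative)."""
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    """Degree to which current practice meets a checklist requirement."""
    NOT_IMPLEMENTED = 0
    PARTIAL = 1
    IMPLEMENTED = 2


@dataclass(frozen=True)
class Item:
    ref: str          # ISO/IEC 27001:2022 clause or Annex A control reference
    requirement: str  # short paraphrase of what the standard asks for (assumed wording)
    status: Status    # assessor's judgement of current practice
    evidence: str     # record an auditor could be shown; "" if none exists
    risk: int         # 1 (low) .. 5 (high) impact of leaving this gap open


def effective_status(item: Item) -> Status:
    """A requirement claimed as implemented but with no evidence cannot be
    demonstrated at audit, so it is scored as partial rather than implemented."""
    if item.status is Status.IMPLEMENTED and not item.evidence.strip():
        return Status.PARTIAL
    return item.status


def coverage(items) -> float:
    """Percentage of the maximum achievable score across the checklist."""
    if not items:
        return 0.0
    score = sum(int(effective_status(i)) for i in items)
    return round(100.0 * score / (len(items) * int(Status.IMPLEMENTED)), 1)


def priority(item: Item) -> int:
    """Higher for riskier, less-implemented requirements (0 when fully met)."""
    return item.risk * (int(Status.IMPLEMENTED) - int(effective_status(item)))


def gaps(items) -> list:
    """Items that are not fully demonstrable, most urgent first (ties by ref)."""
    open_items = [i for i in items if effective_status(i) is not Status.IMPLEMENTED]
    return sorted(open_items, key=lambda i: (-priority(i), i.ref))


def plan(items) -> list:
    """Action list for the implementation plan as (ref, action, priority)."""
    actions = []
    for i in gaps(items):
        if i.status is Status.IMPLEMENTED:      # claimed done, but nothing to show
            action = "produce and retain evidence"
        elif i.status is Status.PARTIAL:
            action = "complete implementation"
        else:
            action = "design and implement"
        actions.append((i.ref, action, priority(i)))
    return actions


# Constructed sample checklist; statuses, evidence and risk values are assumed.
SAMPLE = [
    Item("4.1", "Internal and external issues relevant to the ISMS are determined",
         Status.IMPLEMENTED, "ISMS context register v3", 2),
    Item("6.1.2", "A risk assessment process is defined and applied",
         Status.PARTIAL, "Risk methodology draft", 5),
    Item("9.2", "Internal audits are performed at planned intervals",
         Status.IMPLEMENTED, "", 4),           # claimed, but no audit reports exist
    Item("A.5.7", "Threat intelligence is collected and analysed",
         Status.NOT_IMPLEMENTED, "", 3),
    Item("A.8.8", "Technical vulnerabilities are identified and remediated",
         Status.PARTIAL, "Monthly scan reports", 5),
]

if __name__ == "__main__":
    print(f"coverage: {coverage(SAMPLE)}%")
    for ref, action, prio in plan(SAMPLE):
        print(f"  [{prio}] {ref}: {action}")
```

The evidence check is the point a practitioner should not skip: an auditor assesses records, so "implemented but undocumented" is still a finding, and the scorer treats it as such instead of letting self-assessment inflate the coverage figure.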