Abstract
This study aims to propose a framework for assessing the cybersecurity management level of organizations, based on ISO 27701. To illustrate the proposed framework, and considering the relevance of cybersecurity for Higher Education Institutions (HEIs), an analysis of the reality of Federal HEIs in Brazil is conducted. To develop the proposed framework, the standard ISO 27701 was used to structure a questionnaire. The proposed data analysis combines Hierarchical Cluster Analysis (HCA), frequency analysis, and Fuzzy TOPSIS. The case application considered experts in information security of Federal HEIs in Brazil. The proposed framework presents eight steps: definition of the application focus, analysis of the variables and scale proposed, questionnaire structuring, ethics committee submission, data gathering, HCA, frequency analysis, and Fuzzy TOPSIS. Regarding the case application, aspects related to internal auditing, asset management, and human resources training and analysis were the most critical. This study presents a comprehensive framework for guiding information security assessment in organizations. The proposed framework presents the necessary flexibility to be adjusted according to the requirements of practitioners and researchers. It can be used by companies and the government to assess their current reality and evaluate the impact of changes performed. Researchers can integrate the proposed framework into an Artificial Intelligence mechanism for risk prediction in organizations. The findings from the case application evidence the contributions of this framework to assess the reality of any kind of institution and highlight the insights that can be obtained from its analysis.
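The final step of the framework, Fuzzy TOPSIS, turns experts' linguistic ratings into a criticality ranking of control areas. The following Python block is an added illustration of that step and is not code or data from the paper: it implements the usual triangular-fuzzy-number variant (min/mean/max aggregation of expert ratings, benefit-type normalization, vertex distance to the fuzzy positive and negative ideal solutions, closeness coefficient). The linguistic scales, the three criteria, the five ISO 27701 control areas and all expert ratings below are constructed assumptions chosen only to show the mechanics; they do not reproduce the study's questionnaire or results.

```python
"""Fuzzy TOPSIS with triangular fuzzy numbers (TFNs) for ranking ISO 27701
control areas by criticality from expert linguistic ratings.
Added illustration; all data below are constructed, not the study's."""
from __future__ import annotations

import math
from typing import Dict, List, Sequence, Tuple

TFN = Tuple[float, float, float]  # triangular fuzzy number (low, mid, high)

# Assumed linguistic scale for rating how critical an alternative is under a criterion.
RATING_SCALE: Dict[str, TFN] = {
    "VP": (0, 0, 1), "P": (0, 1, 3), "MP": (1, 3, 5), "F": (3, 5, 7),
    "MG": (5, 7, 9), "G": (7, 9, 10), "VG": (9, 10, 10),
}
# Assumed linguistic scale for the importance weight of each criterion.
WEIGHT_SCALE: Dict[str, TFN] = {
    "VL": (0, 0, 0.1), "L": (0, 0.1, 0.3), "ML": (0.1, 0.3, 0.5), "M": (0.3, 0.5, 0.7),
    "MH": (0.5, 0.7, 0.9), "H": (0.7, 0.9, 1.0), "VH": (0.9, 1.0, 1.0),
}


def aggregate(tfns: Sequence[TFN]) -> TFN:
    """Combine several experts' TFNs: min of lows, mean of mids, max of highs."""
    return (min(t[0] for t in tfns),
            sum(t[1] for t in tfns) / len(tfns),
            max(t[2] for t in tfns))


def distance(a: TFN, b: TFN) -> float:
    """Vertex distance between two TFNs."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / 3)


def fuzzy_topsis(ratings: Dict[str, List[List[str]]],
                 weights: List[List[str]]) -> Dict[str, float]:
    """ratings[alt][j] = linguistic labels given by each expert for criterion j;
    weights[j]       = linguistic importance labels given by each expert for criterion j.
    Every criterion is treated as a benefit criterion (higher rating = more critical).
    Returns the closeness coefficient per alternative (1.0 = at the fuzzy ideal)."""
    alts = list(ratings)
    n_crit = len(weights)
    w = [aggregate([WEIGHT_SCALE[x] for x in col]) for col in weights]
    agg = {a: [aggregate([RATING_SCALE[x] for x in ratings[a][j]])
               for j in range(n_crit)] for a in alts}
    # Normalize each criterion by the largest upper bound among the alternatives.
    u_star = [max(agg[a][j][2] for a in alts) for j in range(n_crit)]
    cc: Dict[str, float] = {}
    for a in alts:
        d_pos = d_neg = 0.0
        for j in range(n_crit):
            low, mid, high = agg[a][j]
            r = (low / u_star[j], mid / u_star[j], high / u_star[j])
            v = (r[0] * w[j][0], r[1] * w[j][1], r[2] * w[j][2])  # weighted
            d_pos += distance(v, (1.0, 1.0, 1.0))  # fuzzy positive ideal solution
            d_neg += distance(v, (0.0, 0.0, 0.0))  # fuzzy negative ideal solution
        cc[a] = d_neg / (d_pos + d_neg)
    return cc


def rank(cc: Dict[str, float]) -> List[str]:
    """Alternatives ordered from most to least critical."""
    return sorted(cc, key=cc.__getitem__, reverse=True)


# Constructed input: three assumed criteria, three hypothetical experts,
# five ISO 27701 control areas. Not the study's questionnaire or answers.
CRITERIA = ["Non-compliance gap", "Impact on personal data", "Remediation urgency"]
EXPERT_WEIGHTS = [["H", "VH", "H"], ["M", "MH", "MH"], ["VH", "VH", "H"]]
EXPERT_RATINGS: Dict[str, List[List[str]]] = {
    "Internal auditing":        [["VG", "G", "VG"], ["G", "VG", "VG"], ["VG", "VG", "G"]],
    "Asset management":         [["G", "MG", "G"], ["MG", "G", "G"], ["G", "G", "MG"]],
    "Human resources training": [["MG", "F", "MG"], ["F", "MG", "MG"], ["MG", "MG", "F"]],
    "Access control":           [["F", "MP", "F"], ["MP", "F", "F"], ["F", "F", "MP"]],
    "Cryptography":             [["MP", "P", "MP"], ["P", "MP", "MP"], ["MP", "MP", "P"]],
}


def criticality_ranking() -> List[str]:
    """Run the constructed case end to end and return the ranked control areas."""
    return rank(fuzzy_topsis(EXPERT_RATINGS, EXPERT_WEIGHTS))


if __name__ == "__main__":
    scores = fuzzy_topsis(EXPERT_RATINGS, EXPERT_WEIGHTS)
    for area in rank(scores):
        print(f"{area:28s} CC = {scores[area]:.3f}")
```

Because every criterion is a benefit criterion and the aggregation is monotone, an alternative whose ratings dominate another's on every expert and criterion always receives the higher closeness coefficient; cost-type criteria (where a lower rating is better) would need the mirrored normalization and are deliberately not covered here.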
| Original language | English |
|---|---|
| Article number | 104645 |
| Journal | Computers and Security |
| Volume | 158 |
| DOIs | |
| State | Published - Nov 2025 |
| Externally published | Yes |
Bibliographical note
Publisher Copyright: © 2025 Elsevier Ltd
Keywords
- Cybersecurity
- Fuzzy TOPSIS
- Higher Education Institutions
- Information security
- ISO 27701
Title
A flexible ISO 27701-based framework for assessing cybersecurity maturity: a proposition and a case application