Compliance with Saudi NCA-ECC based on ISO/IEC 27001

doi:10.17559/tv-20220307162849

Cited by 2 publications

(1 citation statement)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nevertheless, the adoption of these models can help SMEs in Saudi Arabia improve their cybersecurity implementation processes. Alsahafi et al [40] stated that there is a need for institutions to implement ISMS such as ISO/IEC 27001 to minimize the risks of cyberattacks on their information assets. The ISO/IEC 27001 acts as a baseline cybersecurity framework.…”

Section: Saudi Arabia Security Framework Maturity and Standardsmentioning

confidence: 99%

Risk-Based Cybersecurity Compliance Assessment System (RC2AS)

2023

View full text Add to dashboard Cite

Cybersecurity attacks are still causing significant threats to individuals and organizations, affecting almost all aspects of life. Therefore, many countries worldwide try to overcome this by introducing and applying cybersecurity regularity frameworks to maintain organizations’ information and digital resources. Saudi Arabia has taken practical steps in this direction by developing the essential cybersecurity control (ECC) as a national cybersecurity regulation reference. Generally, the compliance assessment processes of different international cybersecurity standards and controls (ISO2700x, PCI, and NIST) are generic for all organizations with different scopes, business functionality, and criticality level, where the overall compliance score is absent with no consideration of the security control risk. Therefore, to address all of these shortcomings, this research takes the ECC as a baseline to build a comprehensive and customized risk-based cybersecurity compliance assessment system (RC2AS). ECC has been chosen because it is well-defined and inspired by many international standards. Another motive for this choice is the limited related works that have deeply studied ECC. RC2AS is developed to be compatible with the current ECC tool. It offers an offline self-assessment tool that helps the organization expedite the assessment process, identify current weaknesses, and provide better planning to enhance its level based on its priorities. Additionally, RC2AS proposes four methods to calculate the overall compliance score with ECC. Several scenarios are conducted to assess these methods and compare their performance. The goal is to reflect the accurate compliance score of an organization while considering its domain, needs, resources, and risk level of its security controls. Finally, the outputs of the assessment process are displayed through rich dashboards that comprehensively present the organization’s cybersecurity maturity and suggest an improvement plan for its level of compliance.

show abstract

Section: Saudi Arabia Security Framework Maturity and Standardsmentioning

confidence: 99%

Risk-Based Cybersecurity Compliance Assessment System (RC2AS)

2023

View full text Add to dashboard Cite

show abstract

Exploring the critical success factors of information security management: a mixed-method approach

Chen,

Hai

2024

ICS

View full text Add to dashboard Cite

Purpose Effective information security management (ISM) contributes to building a healthy organizational digital ecology. However, few studies have built an analysis framework for critical influencing factors to discuss the combined influence mechanism of multiple factors on ISM performance (ISMP). This study aims to explore the critical success factors and understand how these factors contribute to ISMP. Design/methodology/approach This study used a mixed-method approach to achieve this study’s research goals. In Study 1, the authors conducted a qualitative analysis to take a series of International Organization for Standardization/International Electrotechnical Commission standard documents as the basis to refine the critical factors that may influence organizations’ ISMP. In Study 2, the authors built a research model based on the organizational control perspective and used the survey-based partial least squares-based structural equation modeling (PLS-SEM) approach to understand the relationships between these factors in promoting ISMP. In Study 3, the authors used the fuzzy set qualitative comparative analysis (fsQCA) method to empirically analyze the complex mechanisms of how the combinations of the factors affect ISMP. Findings The following three research findings are obtained. First, based on the text-based qualitative analysis, the authors refined the critical success factors that may increase ISMP, including information security policies (ISP), top management support (TMS), alignment (ALI), information security risk assessment (IRA), information security awareness (ISA) and information security culture (ISC). Second, the PLS-SEM testing results confirmed TMS is the antecedent variable motivating organization’s formation (ISP) and information control (ISC) approaches; these two types of organization control approaches increase IRA, ISA and ALI and then promote ISMP directly and indirectly. Third, the fsQCA testing results found two configurations that can achieve high ISMP and one driving path that leads to non-high ISMP. Originality/value This study extends knowledge by exploring configuration factors to improve or impede the performances of organizations’ ISM. To the best of the authors’ knowledge, this study is one of the first to explore the use of the fsQCA approach in information security studies, and the results not only revealed causal associations between single factors but also highlighted the critical role of configuration factors in developing organizational ISMP. This study calls attention to information security managers of an organization should highlight the combined effect between the factors and reasonably allocate organizational resources to achieve high ISMP.

show abstract

Compliance with Saudi NCA-ECC based on ISO/IEC 27001

Cited by 2 publications

References 5 publications

Risk-Based Cybersecurity Compliance Assessment System (RC2AS)

Risk-Based Cybersecurity Compliance Assessment System (RC2AS)

Exploring the critical success factors of information security management: a mixed-method approach

Contact Info

Product

Resources

About