Tehnički vjesnik, Vol. 29 No. 6, 2022.
Preliminary communication
https://doi.org/10.17559/TV-20220307162849
Compliance with Saudi NCA-ECC based on ISO/IEC 27001
Tahani Alsahafi; Department of Administration and Educational, Arab East College for Graduate Studies, Al Qirawan, Riyadh 13544, Saudi Arabia
Waleed Halboob; Center of Excellence in Information Assurance, King Saud University, P.O. Box 92144, Riyadh 11653, Saudi Arabia
Jalal Almuhtadi; Center of Excellence in Information Assurance, King Saud University, and College of Computer and Information Sciences, King Saud University, PJF9+5XV, Riyadh 12372, Saudi Arabia
Abstract
Organizations are required to implement an information security management system (ISMS) to establish a central cybersecurity framework, reduce costs, treat risks, and so on. Several ISMS standards have been issued and implemented locally and internationally. In Saudi Arabia, the most widely implemented international ISMS standard is ISO/IEC 27001. Recently, the Saudi National Cybersecurity Authority (NCA) issued a local framework called the Essential Cybersecurity Controls (NCA-ECC). As a result, many ISO/IEC 27001-certified organizations in Saudi Arabia are trying either to convert from ISO/IEC 27001 to NCA-ECC or to comply with both frameworks. To do so, cybersecurity experts need to know which NCA-ECC controls are already implemented through ISO/IEC 27001 and which are not. This paper first measures the extent to which ISO/IEC 27001-certified Saudi organizations comply with the NCA-ECC. Second, it presents a framework for complying with the NCA-ECC controls that are unimplemented or only partially implemented. The framework can also help an organization comply with both frameworks, if required. Three ISO/IEC 27001-certified Saudi public universities were selected as samples, and the data were collected by interviewing the cybersecurity officers of the selected universities. The research shows that ISO/IEC 27001-certified organizations are approximately 64% compliant with the NCA-ECC. The presented framework can help any ISO/IEC 27001-certified Saudi organization convert from ISO/IEC 27001 to NCA-ECC quickly and cost-effectively by addressing only the NCA-ECC nonconformities.
Keywords
compliance; digital forensics; essential cybersecurity controls (ECC); governance; incident response; information security management system (ISMS); ISO/IEC 27001; risk management
Hrčak ID: 284928
Publication date: 29.10.2022.