A Customizable Web Platform to Manage Standards Compliance of Information Security and Cybersecurity Auditing

Information security and cybersecurity are key subjects in modern enterprises’ management, being ISO-27001:2013, NIST Cybersecurity Framework and ISO-27009 some of the most implemented international frameworks and standards. Their main goal is to globally reduce the risk, by leveraging enterprises’ competitiveness in global markets and enhancing business processes and collaborators’ cyber awareness. Auditing processes examine and assess a list of predefined controls. For each control, a set of corrective measures could be proposed, to increase its compliance with the standard being used. These processes are time-consuming, involve on-site intervention by specialized consulting teams on the intervened enterprises, and a set of status reports of all the interventions should be elaborated and delivered. The existing auditing information systems are not developed to meet Small and Medium-sized Enterprises (SME) requirements, as they are mostly proprietary and expensive, ground usually on off-the-shelf applications, and are not generic to be used by several standards with different checklists and auditing methodologies. In this paper, a generic and web-integrated cybersecurity auditing information system is described. Its architecture, design, and data model enable it to be used in a wide set of auditing processes, by loading a predefined controls checklist assessment and their corresponding mitigation tasks list. It was designed to meet both SMEs and large enterprises’ requirements, and stores auditing and intervention-related data in a relational database. The information system was tested on an ISO-27001:2013 information security auditing project, which has integrated fifty SMEs. The results obtained during the project are promising and reveal the appropriateness of using this information system in further similar auditing processes.