Enhancing Information Security in Technology Small and Medium-Sized Enterprises: A Metrics-Driven Model Based on ISO/IEC 27001:2022
Received: 30 December 2025 | Revised: 9 February 2026 | Accepted: 14 February 2026 | Online: 4 April 2026
Corresponding author: Juan Mansilla-Lopez
Abstract
This paper designs and evaluates an Information Security Management System (ISMS) model tailored for technology-sector Small and Medium-sized Enterprises (SMEs) in Metropolitan Lima. The model integrates the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2022 standard with operational guidance from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and incorporates decision-support frameworks such as Factor Analysis of Information Risk (FAIR) (for economic impact assessment) and Common Vulnerability Scoring System (CVSS) v3.1 (for vulnerability severity). Structured around the Plan–Do–Check–Act (PDCA) cycle, the model introduces three custom metrics—the Global Model Compliance Metric (GMCM), the Improvement Index per Evaluation Cycle (IIEC), and the Associated Residual Risk Index (ARRI)—to monitor maturity progression and residual risk levels. A six-month pre- and post-implementation evaluation in a single SME showed a 9-percentage-point increase in GMCM and a 22-percentage-point reduction in ARRI, reflecting an improved security control posture while acknowledging the constraints of short-term assessment. The paper presents the theoretical foundation for the proposed hybridization, details the ISO–NIST control mapping, formalizes the new metrics, and explains how FAIR and CVSS jointly inform prioritization. Finally, it discusses threats to validity and outlines a practical adoption roadmap for SMEs. The generalization of results remains tentative and calls for longitudinal replication across multiple organizations.
Keywords:
cybersecurity, ISO 27001, SMEs, information security management, risk assessment, NIST, FAIR, PDCA, CVSS
License
Copyright (c) 2026 Gabriel Quispe-Kobashikawa, Cesar Zuloaga-Estrada, Pedro Castaneda, Juan Mansilla-Lopez, Alberto Daniel Garcia-Nunez

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain the copyright and grant the journal the right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) after its publication in ETASR with an acknowledgement of its initial publication in this journal.
