
    An information security risk management gap analysis tool based on ISO/IEC 27005:2011 compliance for SMEs in Kenya

    View/Open
    Full Text. pdf (2.082Mb)
    Date
    2018
    Author
    Obwanda, Andrew E O
    Type
    Thesis
    Language
    en

    Abstract
    While it is being adopted by large institutions, information security risk management is still out of reach for smaller ones like SMEs, hence the need for a free and easy-to-use information security risk assessment and management tool. The main objective of this study was to come up with a software tool for information security risk management, based on the ISO/IEC 27005:2011 standard, to be used by SMEs in Kenya to do a compliance gap analysis. A detailed literature review of current work in information security risk management was done, together with a descriptive survey using questionnaires targeted at SMEs, with a focus on their understanding of information security risk management, the tools they use, and their personnel capacity to conduct an information security risk assessment as per the standard of the study. The non-functional requirements came from the survey responses, while the functional requirements came from a detailed review and analysis of the ISO/IEC 27005:2011 standard. Development of the software tool followed the Rapid Application Development (RAD) methodology. We found that even though SMEs were aware of what information security risk management was, they lacked proper in-house skills and tools to do an information security risk assessment and gauge their respective institutions' compliance with global risk standards. The software tool was welcomed as having the potential to be an effective tool for information security risk assessment and management.
    URI
    http://hdl.handle.net/11295/104246
    Citation
    Degree of Masters of Science in Distributed Computing Technology
    Publisher
    University of Nairobi
    Collections
    • Faculty of Science & Technology (FST) [4206]

    Copyright © 2022 
    University of Nairobi Library