Information security risk management framework for a governmental educational institute / Fajer Al-Mudaires ... [et al.]

As the high increase usage of technology, the higher the risks that are associated with it. Therefore, it has become a necessity for organizations to rely on an information security risk management framework as a defense mechanism against these risks. This paper discusses information security risk management approaches available with an emphasis on the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27005 method to propose an information security risk management framework that suits a governmental educational institute in Saudi Arabia. This framework will be designed and implemented for a governmental educational institute that lacks adequate information security risk management while being out of compliance with Saudi Arabia’s Essential Cybersecurity Controls (ECC). In this framework, 34 application assets have been analyzed and 37 controls have been recommended in order to meet the minimum requirements of ECC.