Abstract

The digitalization of companies and the implementation of Industry 4.0 concepts are emerging and challenging for micro and Small and Medium Enterprises (SME). The benefits are evident for the companies, as their business processes become simplified and their internationalization and global market penetration improve. However, information security and cybersecurity concerns have been raised for SME, as best practices and regulatory compliance should be applied. The wide set of these regulations and their broad scope have constrained their direct mapping to, and adoption by, SME. This paper describes an original methodology to map the Roadmap for Minimum Cybersecurity Capabilities (RMCSC), delivered by the Portuguese Cybersecurity Centre, onto the well-adopted international information security standard ISO 27001:2013. The proposed mapping is oriented toward the characteristics of SME and allows these companies to assess their cybersecurity risk and then mitigate the flaws identified. The main deliverable of this paper is the developed methodology, which correlates the actions of the cybersecurity capabilities roadmap with the security controls enclosed in the ISO 27001:2013 standard. A questionnaire was developed to support the cybersecurity risk self-diagnosis, and the actions are justified and detailed in this paper. Further developments include the submission of the questionnaire to a case study of SME in the centre region of Portugal.
