Assessing data cybersecurity using ISO/IEC 25012

Abstract

Data is of ever-growing importance and is widely considered to be a company’s most valuable asset. Since data is becoming the main driver of business value, data quality and, specifically, data security are of paramount importance to companies. Various regulations related to data cybersecurity have been drawn up, such as the GDPR and the Cybersecurity Act, thus proving the importance placed on data cybersecurity by influential legislative institutions. Several standards related to security have emerged in recent years, most notably those of the ISO/IEC 27000 series. They are, however, focused on management systems and security infrastructure and ignore the security of the data itself. Other standards related to data quality, such as ISO 8000, also fail to address data security in depth. This paper, therefore, proposes a framework for the evaluation of data cybersecurity, consisting of a quality model, an evaluation process, and a tool for the visualization of the assessment results. This evaluation framework has been employed as the basis for a data cybersecurity certification scheme, which complements other certifiable standards related to data and security, such as ISO/IEC 27001 and ISO 8000. This work additionally presents the results of a pilot project in which the data cybersecurity of a commercial product was evaluated. The results of this pilot application allowed us to validate the feasibility of the evaluation framework defined.