Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security

Gabriel O. Quispe; Cesar K. Zuloaga; Pedro S. Castañeda

doi:10.1007/978-3-031-99353-4_24

Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security

Gabriel O. Quispe
, Cesar K. Zuloaga
, Pedro S. Castañeda

Research output: Chapter in Book/Report › Conference contribution › peer-review

Abstract

This paper presents a model for implementing an Information Security Management System (ISMS) based on ISO 27001:2022 tailored to the needs of small and medium-sized enterprises (SMEs) in the technology sector in Lima Metropolitana. The model focuses on mitigating data leakage, a critical issue exacerbated by the increasing digitization of business operations. The proposed framework integrates controls from ISO 27001 aligned with NIST SP 800-53 to enhance information security practices. Results from applying the model to two technology SMEs indicate that one company (Company A) achieved a 94.44% Critical Control Implementation Index (IICC), a 70% Critical Vulnerability Resolution Rate (TRVC), and an 85% Policy Compliance Rate (TCPS), while the second company (Company B) achieved significantly lower rates of 50%, 40%, and 60%, respectively. These findings highlight both strengths in technological controls and weaknesses in organizational security management. This research contributes to the field by providing a practical, scalable approach for SMEs to enhance their information security posture, addressing both human and technological factors.

Original language	American English
Title of host publication	Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers
Editors	Shuliang Li
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	273-285
Number of pages	13
ISBN (Print)	9783031993527
DOIs	https://doi.org/10.1007/978-3-031-99353-4_24
State	Indexed - 2026
Externally published	Yes
Event	11th International Conference on Information Management, ICIM 2025 - London, United Kingdom Duration: 28 Mar 2025 → 30 Mar 2025

Publication series

Name	Communications in Computer and Information Science
Volume	2540 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	11th International Conference on Information Management, ICIM 2025
Country/Territory	United Kingdom
City	London
Period	28/03/25 → 30/03/25

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

Keywords

Data Leakage
ISO 27001:2022
Information Security
Information Security Management System (ISMS)
NIST SP 800-53
SMEs

Access to Document

10.1007/978-3-031-99353-4_24

Cite this

Quispe, G. O., Zuloaga, C. K., & Castañeda, P. S. (2026). Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security. In S. Li (Ed.), Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers (pp. 273-285). (Communications in Computer and Information Science; Vol. 2540 CCIS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-99353-4_24

Quispe, Gabriel O. ; Zuloaga, Cesar K. ; Castañeda, Pedro S. / Mitigating Information Leakage in Tech-Sector SMEs : Implementing ISO 27001:2022 for Comprehensive Security. Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers. editor / Shuliang Li. Springer Science and Business Media Deutschland GmbH, 2026. pp. 273-285 (Communications in Computer and Information Science).

@inproceedings{cd14f4e91ae44e1dbbad56644da75c1e,

title = "Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security",

abstract = "This paper presents a model for implementing an Information Security Management System (ISMS) based on ISO 27001:2022 tailored to the needs of small and medium-sized enterprises (SMEs) in the technology sector in Lima Metropolitana. The model focuses on mitigating data leakage, a critical issue exacerbated by the increasing digitization of business operations. The proposed framework integrates controls from ISO 27001 aligned with NIST SP 800-53 to enhance information security practices. Results from applying the model to two technology SMEs indicate that one company (Company A) achieved a 94.44\% Critical Control Implementation Index (IICC), a 70\% Critical Vulnerability Resolution Rate (TRVC), and an 85\% Policy Compliance Rate (TCPS), while the second company (Company B) achieved significantly lower rates of 50\%, 40\%, and 60\%, respectively. These findings highlight both strengths in technological controls and weaknesses in organizational security management. This research contributes to the field by providing a practical, scalable approach for SMEs to enhance their information security posture, addressing both human and technological factors.",

keywords = "Data Leakage, ISO 27001:2022, Information Security, Information Security Management System (ISMS), NIST SP 800-53, SMEs",

author = "Quispe, \{Gabriel O.\} and Zuloaga, \{Cesar K.\} and Casta{\~n}eda, \{Pedro S.\}",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.; 11th International Conference on Information Management, ICIM 2025 ; Conference date: 28-03-2025 Through 30-03-2025",

year = "2026",

doi = "10.1007/978-3-031-99353-4\_24",

language = "American English",

isbn = "9783031993527",

series = "Communications in Computer and Information Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "273--285",

editor = "Shuliang Li",

booktitle = "Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers",

address = "Germany",

}

Quispe, GO, Zuloaga, CK & Castañeda, PS 2026, Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security. in S Li (ed.), Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers. Communications in Computer and Information Science, vol. 2540 CCIS, Springer Science and Business Media Deutschland GmbH, pp. 273-285, 11th International Conference on Information Management, ICIM 2025, London, United Kingdom, 28/03/25. https://doi.org/10.1007/978-3-031-99353-4_24

Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security. / Quispe, Gabriel O.; Zuloaga, Cesar K.; Castañeda, Pedro S.
Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers. ed. / Shuliang Li. Springer Science and Business Media Deutschland GmbH, 2026. p. 273-285 (Communications in Computer and Information Science; Vol. 2540 CCIS).

Research output: Chapter in Book/Report › Conference contribution › peer-review

TY - GEN

T1 - Mitigating Information Leakage in Tech-Sector SMEs

T2 - 11th International Conference on Information Management, ICIM 2025

AU - Quispe, Gabriel O.

AU - Zuloaga, Cesar K.

AU - Castañeda, Pedro S.

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

PY - 2026

Y1 - 2026

N2 - This paper presents a model for implementing an Information Security Management System (ISMS) based on ISO 27001:2022 tailored to the needs of small and medium-sized enterprises (SMEs) in the technology sector in Lima Metropolitana. The model focuses on mitigating data leakage, a critical issue exacerbated by the increasing digitization of business operations. The proposed framework integrates controls from ISO 27001 aligned with NIST SP 800-53 to enhance information security practices. Results from applying the model to two technology SMEs indicate that one company (Company A) achieved a 94.44% Critical Control Implementation Index (IICC), a 70% Critical Vulnerability Resolution Rate (TRVC), and an 85% Policy Compliance Rate (TCPS), while the second company (Company B) achieved significantly lower rates of 50%, 40%, and 60%, respectively. These findings highlight both strengths in technological controls and weaknesses in organizational security management. This research contributes to the field by providing a practical, scalable approach for SMEs to enhance their information security posture, addressing both human and technological factors.

AB - This paper presents a model for implementing an Information Security Management System (ISMS) based on ISO 27001:2022 tailored to the needs of small and medium-sized enterprises (SMEs) in the technology sector in Lima Metropolitana. The model focuses on mitigating data leakage, a critical issue exacerbated by the increasing digitization of business operations. The proposed framework integrates controls from ISO 27001 aligned with NIST SP 800-53 to enhance information security practices. Results from applying the model to two technology SMEs indicate that one company (Company A) achieved a 94.44% Critical Control Implementation Index (IICC), a 70% Critical Vulnerability Resolution Rate (TRVC), and an 85% Policy Compliance Rate (TCPS), while the second company (Company B) achieved significantly lower rates of 50%, 40%, and 60%, respectively. These findings highlight both strengths in technological controls and weaknesses in organizational security management. This research contributes to the field by providing a practical, scalable approach for SMEs to enhance their information security posture, addressing both human and technological factors.

KW - Data Leakage

KW - ISO 27001:2022

KW - Information Security

KW - Information Security Management System (ISMS)

KW - NIST SP 800-53

KW - SMEs

UR - https://www.scopus.com/pages/publications/105015804194

U2 - 10.1007/978-3-031-99353-4_24

DO - 10.1007/978-3-031-99353-4_24

M3 - Conference contribution

AN - SCOPUS:105015804194

SN - 9783031993527

T3 - Communications in Computer and Information Science

SP - 273

EP - 285

BT - Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers

A2 - Li, Shuliang

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 28 March 2025 through 30 March 2025

ER -

Quispe GO, Zuloaga CK, Castañeda PS. Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security. In Li S, editor, Information Management - 11th International Conference, ICIM 2025, Revised Selected Papers. Springer Science and Business Media Deutschland GmbH. 2026. p. 273-285. (Communications in Computer and Information Science). doi: 10.1007/978-3-031-99353-4_24

Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this