Mitigating Information Leakage in Tech-Sector SMEs: Implementing ISO 27001:2022 for Comprehensive Security

Abstract

This paper presents a model for implementing an Information Security Management System (ISMS) based on ISO 27001:2022 tailored to the needs of small and medium-sized enterprises (SMEs) in the technology sector in Lima Metropolitana. The model focuses on mitigating data leakage, a critical issue exacerbated by the increasing digitization of business operations. The proposed framework integrates controls from ISO 27001 aligned with NIST SP 800-53 to enhance information security practices. Results from applying the model to two technology SMEs indicate that one company (Company A) achieved a 94.44% Critical Control Implementation Index (IICC), a 70% Critical Vulnerability Resolution Rate (TRVC), and an 85% Policy Compliance Rate (TCPS), while the second company (Company B) achieved significantly lower rates of 50%, 40%, and 60%, respectively. These findings highlight both strengths in technological controls and weaknesses in organizational security management. This research contributes to the field by providing a practical, scalable approach for SMEs to enhance their information security posture, addressing both human and technological factors.