A Literature-Based Heat Matrix for Quantifying Inter-Domain Correlations within the ISO/IEC 27002:2013 Framework
DOI: https://doi.org/10.52436/1.jutif.2025.6.4.5203
Keywords: Compliance, Heat Matrix, Information Security, Inter-Domain Correlation, ISO/IEC 27002, Risk Management
Abstract
The problem of managing information security controls is complex because the domains outlined in standards like ISO/IEC 27002 rarely operate in isolation; they have intricate interdependencies that are often overlooked. This oversight can lead to fragmented security controls, inefficient resource allocation, and weaknesses in overall security governance. To address this issue, this paper proposes a literature-based heat matrix methodology, building on ISO/IEC 27002:2013 while referencing the updated 2022 guidance, NIST SP 800-53 Revision 5, and COBIT 2019. The primary goal is to assign numerical correlation values to the fourteen domains of ISO/IEC 27002:2013, providing a structured approach to visualize and understand their interrelationships. The methodology involves a comprehensive literature review and is complemented by expert validation from experienced practitioners to refine the correlation scores. The result is an illustrative 14x14 matrix that demonstrates how numeric inter-domain correlations can reveal critical overlaps and guide strategic decision-making. A new five-tier correlation scale is introduced to aid interpretation, clarifying whether two domains have very low, low, moderate, high, or very high levels of interdependency. This approach has a significant impact on the field of informatics and computer science by enabling organizations to move beyond siloed security management. By recognizing these correlations, organizations can allocate resources more effectively, enhance holistic risk management, and strengthen security governance. The heat matrix serves as a practical tool for practitioners and managers to identify domain pairs that require close coordination, ultimately leading to more coherent policy frameworks and a more robust security posture.
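The following is an added example, not code from the paper: it builds a symmetric 14x14 heat matrix over the ISO/IEC 27002:2013 domains from pairwise scores, maps each score onto a five-tier scale, and lists the domain pairs and hub domains that need coordination. The scores and the equal-width tier cut-offs are constructed assumptions, since the paper's own values are not on this page.

```python
"""Heat-matrix helpers for inter-domain correlation scoring (added example).
Scores and tier cut-offs below are constructed assumptions, not the paper's values."""
from statistics import mean

# The fourteen control domains of ISO/IEC 27002:2013 (clauses 5 to 18), in clause order.
DOMAINS = [
    "Policies", "Organization", "Human resources", "Asset management",
    "Access control", "Cryptography", "Physical", "Operations",
    "Communications", "Acquisition/development", "Supplier relationships",
    "Incident management", "Business continuity", "Compliance",
]
# Assumed five-tier scale: equal-width bins on a 0.0-1.0 score; 0.8 and above is "very high".
TIER_ORDER = ["very low", "low", "moderate", "high", "very high"]
UPPER_BOUNDS = [0.2, 0.4, 0.6, 0.8]

def tier(score):
    """Map a correlation score to its tier label; reject out-of-range input."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score out of range: {score}")
    for label, upper in zip(TIER_ORDER, UPPER_BOUNDS):
        if score < upper:
            return label
    return TIER_ORDER[-1]

def build_matrix(pair_scores, n=len(DOMAINS)):
    """Expand {(i, j): score} into a symmetric n x n matrix with a 1.0 diagonal.
    Unlisted pairs default to 0.0; a pair listed twice with different values is rejected."""
    m = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for (i, j), s in pair_scores.items():
        if i == j:
            raise ValueError("diagonal entries are fixed at 1.0")
        if m[i][j] not in (0.0, s):
            raise ValueError(f"conflicting scores for pair ({i}, {j})")
        tier(s)  # validates the 0.0-1.0 range before storing
        m[i][j] = m[j][i] = s
    return m

def hotspots(m, min_tier="high"):
    """Domain pairs at or above min_tier, strongest first: the pairs needing close coordination."""
    floor = TIER_ORDER.index(min_tier)
    pairs = [(DOMAINS[i], DOMAINS[j], m[i][j]) for i in range(len(m))
             for j in range(i + 1, len(m)) if TIER_ORDER.index(tier(m[i][j])) >= floor]
    return sorted(pairs, key=lambda p: -p[2])

def domain_coupling(m):
    """Mean off-diagonal score per domain, highest first: domains that act as hubs."""
    rows = [(DOMAINS[i], mean(v for j, v in enumerate(r) if j != i)) for i, r in enumerate(m)]
    return sorted(rows, key=lambda c: (-c[1], c[0]))

# Constructed sample scores keyed by DOMAINS indices; illustrative only.
SAMPLE_SCORES = {(11, 12): 0.90, (0, 13): 0.80, (7, 9): 0.75, (4, 5): 0.70,
                 (2, 4): 0.50, (3, 6): 0.30, (8, 10): 0.15}
MATRIX = build_matrix(SAMPLE_SCORES)
```

Running `hotspots(MATRIX)` on the sample lists the four pairs scored high or very high, while `domain_coupling(MATRIX)` ranks Access control first because it is coupled to two other domains.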
License
Copyright (c) 2025 Erick Dazki, Richardus Eko Indrajit, Januponsa Dio F

This work is licensed under a Creative Commons Attribution 4.0 International License.