A meta-analytical evaluation of ISO 27001’s control domains and their measurable impact on reducing breach incidents
Pandey, Aayush (2025)
Bachelor's thesis
School of Engineering Science, Information Technology
All rights reserved.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi-fe2025093098844
Abstract
This thesis provides a meta-analytical review of ISO/IEC 27001 and its ability to decrease the frequency of security breaches in cyberspace, with direct consideration of the results of implementing the controls at the domain level. It compares certified and non-certified organizations via statistical analysis of 40 major data breaches in two important time intervals (2014-2015 and 2019-2024), and reveals three ISO control areas, Access Control, Operations Security, and Supplier Relations, as the main areas pertinent to the prevention of data breaches. It then analyses the applicability of the 2022 revision of ISO/IEC 27001 and looks into the implementation maturity of the Finnish branches of the Big Four professional services firms. The paper suggests the concept of a domain-weighted implementation model to transform ISO 27001 into a multi-layered defense process against cyber threats.
