Gap Analysis of Information Security Management Systems in Sri Lankan Higher Education Institutes

University essay from Luleå tekniska universitet/Institutionen för system- och rymdteknik

Abstract: This work presents an overview of the preliminary stages taken towards the proper establishment of an Information Security Management System (ISMS) for Sri Lankan Higher Education Institutes (HEIs) based on the ISO/IEC 27001:2013 standard. The study consists of a gap analysis conducted on selected HEIs within Sri Lanka to evaluate their compliance with the ISO/IEC 27001:2013 standard. This analysis aimed at identifying gaps in existing information security practices and assessing the associated risks to Sri Lankan HEIs. To provide a more tailored approach, a Management, Technical, and Operational (MTO) model was introduced, aligning with the institute’s structure and responsibilities. This research also emphasizes the criticality of protecting information assets and the need for comprehensive controls to ensure confidentiality, integrity, and availability. Additionally, the study investigates the level of information security compliance with ISO/IEC 27001:2013 among the selected HEIs. The results reveal a maturity level of 2, indicating numerous control weaknesses and highlighting the need for developing security policies and procedures, and implementing a security management system and security culture. The research concludes with detailed benchmarking results, maturity level measurements for each security control domain, and recommendations for improvement.
