Diseño de una estrategia de ciberseguridad basada en las normas ISO/IEC 27001:2022 y 27032:2023. Caso: microfinanciera Prisma de Honduras, 2025
Loading...
Date
2025-04-01
Journal Title
Journal ISSN
Volume Title
Publisher
Universidad Tecnológica Centroamericana UNITEC
Abstract
La presente investigación diseñó una estrategia de ciberseguridad para la Microfinanciera
PRISMA, alineada con las normas ISO/IEC 27001:2022, ISO/IEC 27032:2023 y el marco NIST
CSF. Se utilizó una metodología de enfoque mixto, con un diseño no experimental y alcance
descriptivo. La recolección de datos se realizó mediante entrevistas semiestructuradas y la
aplicación de dos herramientas: la Matriz de Diagnóstico de Seguridad Global basada en ISO/IEC
27002:2022 y la herramienta MASS, dirigidas a una muestra de 8 colaboradores clave. Se
evaluaron 93 controles distribuidos en los dominios organizativo, de personas, físicos y
tecnológicos. Los resultados reflejaron que 31 controles (33.3%) presentaban niveles bajos de
madurez: 8 en estado Existente, 19 en Inicial y 4 no aplicaban. El dominio organizativo fue el más
crítico, con el 54% de sus controles en estados bajos, seguido del tecnológico con el 35.2%. En
contraste, los dominios tecnológico y físico alcanzaron mayores niveles de madurez, con 15
controles tecnológicos en nivel Definido y 9 entre Cuantitativo y Optimizado. Se concluyó que
PRISMA mantiene una madurez general entre los niveles Inicial y Gestionado, lo que evidencia
la necesidad de una estrategia integral. Con base en estos hallazgos, se diseñó una propuesta
estructurada en cinco fases, con definición de controles, indicadores, cronograma, presupuesto y
mecanismos de mejora continua, orientada a fortalecer las capacidades de identificación,
protección, detección, respuesta y recuperación frente a amenazas cibernéticas
This research designed a cybersecurity strategy for Microfinanciera PRISMA, aligned with ISO/IEC 27001:2022, ISO/IEC 27032:2023 standards and the NIST CSF framework. A mixed- method approach was employed, with a non-experimental design and descriptive scope. Data was collected through semi-structured interviews and the application of two tools: the Global Security Diagnostic Matrix based on ISO/IEC 27002:2022 and the MASS tool, applied to a sample of 8 key collaborators. A total of 93 controls were evaluated across four domains: organizational, people, physical, and technological. Results revealed that 31 controls (33.3%) presented low maturity levels, with 8 classified as “Existing”, 19 as “Initial,” and 4 were deemed not applicable. The organizational domain was the most critical, with 54% of its controls in low maturity states, followed by the technological domain with 35.2%. The technological and physical domains showed higher maturity, with 15 technological controls at the “Defined” level and 9 at “Quantitative” or “Optimized” levels. It was concluded that PRISMA maintains a general maturity between “Initial” and “Managed” levels, highlighting the need for a comprehensive cybersecurity strategy. Based on these findings, a five-phase proposal was developed, detailing control definitions, indicators, implementation schedule, budget, and continuous improvement mechanisms, aimed to strengthen the organization's capabilities for identification, protection, detection, response, and recovery against cyber threats.
This research designed a cybersecurity strategy for Microfinanciera PRISMA, aligned with ISO/IEC 27001:2022, ISO/IEC 27032:2023 standards and the NIST CSF framework. A mixed- method approach was employed, with a non-experimental design and descriptive scope. Data was collected through semi-structured interviews and the application of two tools: the Global Security Diagnostic Matrix based on ISO/IEC 27002:2022 and the MASS tool, applied to a sample of 8 key collaborators. A total of 93 controls were evaluated across four domains: organizational, people, physical, and technological. Results revealed that 31 controls (33.3%) presented low maturity levels, with 8 classified as “Existing”, 19 as “Initial,” and 4 were deemed not applicable. The organizational domain was the most critical, with 54% of its controls in low maturity states, followed by the technological domain with 35.2%. The technological and physical domains showed higher maturity, with 15 technological controls at the “Defined” level and 9 at “Quantitative” or “Optimized” levels. It was concluded that PRISMA maintains a general maturity between “Initial” and “Managed” levels, highlighting the need for a comprehensive cybersecurity strategy. Based on these findings, a five-phase proposal was developed, detailing control definitions, indicators, implementation schedule, budget, and continuous improvement mechanisms, aimed to strengthen the organization's capabilities for identification, protection, detection, response, and recovery against cyber threats.
Keywords
Ciberataques, Ciberseguridad, Estrategia, Normativas, Riesgos