Design of an Information Security System Applied to the ICT Area of the Municipal GAD of Santa Rosa

  • Jorge Luis González Crespin Universidad Católica de Cuenca | Cuenca | Ecuador
  • Daniel Jacobo Andrade Pesántez Universidad Católica de Cuenca | Cuenca | Ecuador
Keywords: Information security; Risk management; Cybersecurity; Information technology; Public administration

Abstract

The protection of information has become a critical challenge for public institutions due to the increasing complexity of cyber threats and the need to safeguard essential technological assets. This research aims to design an Information Security Management System for the Information and Communication Technologies area of the municipal institution of Santa Rosa, located in the province of El Oro, Ecuador. The proposal is based on the guidelines of the ISO/IEC 27001:2022 standard and integrates the MAGERIT methodology together with the Plan–Do–Check–Act (PDCA) cycle to diagnose the current security conditions, identify risks and vulnerabilities, and determine opportunities for improvement in institutional information management. The analysis made it possible to establish controls and policies that reinforce data confidentiality, integrity, and availability while improving the efficiency of technological processes. The findings conclude that the proposed system contributes to the development of an organizational culture oriented toward cybersecurity and continuous improvement, ensuring stronger information protection and supporting the operational continuity of municipal services.

Author Biographies

Jorge Luis González Crespin, Universidad Católica de Cuenca | Cuenca | Ecuador

Systems engineer with experience in developing and implementing technology solutions. Lecturer and ICT Coordinator at the Instituto Ismael Pérez Pazmiño since 2019. He has participated in digital transformation projects such as the ATENEA System and the Administrative Web Page.

Daniel Jacobo Andrade Pesántez, Universidad Católica de Cuenca | Cuenca | Ecuador

Universidad Católica de Cuenca


Published
2025-11-27
How to Cite
González Crespin, J. L., & Andrade Pesántez, D. J. (2025). Design of an Information Security System Applied to the ICT Area of the Municipal GAD of Santa Rosa. Religación, 11(49), e2601597. https://doi.org/10.46652/rgn.v11i49.1597