“Development of an Integrated Information Security Governance Maturity Assessment Framework for Higher Education Institutions Using COBIT 2019 and ISO/IEC 27001: A Design Science Research Approach”

Article Sidebar

Main Article Content

Francis R. Abraham
Eduardo R. Yu II

The adoption of digital technologies, online learning platforms, and electronic services has significantly changed the functioning of higher education institutions. Universities and colleges now rely extensively on digital platforms for teaching, learning, research, and administrative functions. As a result, these institutions manage large quantities of sensitive data, including student records, financial information, research findings, and other vital assets.


In parallel, the rise in cybersecurity threats has underscored the necessity for enhanced information security governance to protect these resources and ensure secure and efficient technology use across campuses. Although established frameworks such as COBIT 2019 and ISO/IEC 27001 offer valuable guidance on governance and information security management, they are often implemented independently. This separation can cause gaps, overlaps, and inconsistencies in governance practices. To address this issue, this study developed an Integrated Information Security Governance Maturity Assessment Framework specifically for Higher Education Institutions by merging the governance principles of COBIT 2019 with the information security management demands of ISO/IEC 27001.


The research employed a Design Science Research (DSR) methodology to develop a framework that is robust in theory and applicable to the higher education sector. This framework was built through a comprehensive analysis of COBIT 2019, ISO/IEC 27001:2022, relevant academic sources, and existing governance maturity models. The resulting framework encompasses five assessment dimensions: Governance and Leadership, Risk and Compliance Management, Security Operations and Control Management, Monitoring and Performance Evaluation, and Continuous Improvement and Governance Optimization.


Additionally, a five-level maturity model was crafted to enable institutions to evaluate their current governance capability and identify areas needing further development. Findings indicate that integrating COBIT 2019 and ISO/IEC 27001 results in a more systematic and thorough approach to information security governance. The framework provides higher education institutions with a practical tool for assessing governance maturity, planning improvement efforts, and enhancing cybersecurity governance. It also lays the groundwork for further implementation, testing, and empirical validation in real university settings.

“Development of an Integrated Information Security Governance Maturity Assessment Framework for Higher Education Institutions Using COBIT 2019 and ISO/IEC 27001: A Design Science Research Approach”. (2026). International Journal of Latest Technology in Engineering Management & Applied Science, 15(6), 202-224. https://doi.org/10.51583/IJLTEMAS.2026.150600019

Downloads

References

AlGhamdi, S., & Win, K. T. (2020). Information security governance challenges and critical success factors: A systematic review. Computers & Security, 99, 102030.

Aliyu, A., Maglaras, L., He, Y., Yevseyeva, I., Boiten, E., Cook, A., & Janicke, H. (2020). A holistic cybersecurity maturity assessment framework for higher education institutions. Applied Sciences, 10(10), 366.

Alkhaldi, F. M., Hammami, S. M., & Uddin, M. A. (2017). Understanding value characteristics toward a robust IT governance application in private organizations using the COBIT framework. International Journal of Engineering Business Management, 9, 1–12. https://doi.org/10.1177/1847979017703779.

Alsalem, H., Yahya, Y., & Elias, N. F. (2026). Authentic digital interaction with e-government: A systematic review of key determinants. Information (Switzerland), 17(5). https://doi.org/10.339/info17050427.

Bianchi, I. S., Sousa, R. D., & Pereira, R. (2021). Information technology governance for higher education institutions: A multi-country study. In Informatics, Multidisciplinary Digital Publishing Institute, 8(2), 26.

Budimir, S., Fontaine, J. R., Huijts, N. M., Haans, A., Loukas, G., & Roesch, E. B. (2021). Emotional reactions to cybersecurity breach situations: A scenario-based survey study. J Med Internet Res, 23(8), e24879. https://doi.org/10.2196/24879.

Cheng, E. C. K., & Wang, T. (2022). Institutional strategies for cybersecurity in higher education institutions. Information, 13(4), 192.

Cole-Walker, E. (2026). Reevaluating the mission of higher education: Meeting our cybersecurity challenges together. Educause Review.

Culot, G., Nassimbeni, G., Orzes, G., & Sartor, M. (2023). The ISO/IEC 27001 information security management standard: Literature review.

De Haes, S., Van Grembergen, W., Joshi, A., & Huygh, T. (2020). COBIT as a framework for enterprise governance of IT. In Management for Professionals: Part F574 (pp. 125–162). Springer Nature. https://doi.org/10.1007/978-3-030-25918-1_5.

Fouad, N. S. (2021). Securing higher education against cyberthreats. Journal of Cyber Policy, 6(2), 137–154.

Hevner, A. R., March, S. T., Park, J., & Ram, S. (2004). Design science in information systems research. MIS Quarterly, 28(1), 75–105.

ISACA. (2019). COBIT 2019 framework: Governance and management objectives. ISACA.

ISO/IEC 27001:2022. Information security, cybersecurity, and privacy protection — Information security management systems — Requirements. International Organization for Standardization. (2022). ISO/IEC 27001:2022 information security, cybersecurity, and privacy protection — Information security management systems — Requirements.

Martin, K. (2016). Understanding privacy online: Development of a social contract approach to privacy. J Bus Ethics, 137(3), 551–69. https://doi.org/10.1007/s10551-015-2565-9.

Merchan-Lima, J., Astudillo, D., Tello Oquendo, L., Sanchez, F., Lopez-Fonseca, G., & Quiroz, D. (2020). Information security management frameworks and strategies in higher education institutions: A systematic review. Annals of Telecommunications, 76. 10.1007/s12243-020-00783-2.

Mora, M., Gómez, J. M., Wang, F., & Díaz, E. O. (2021). A review of the IT service design process in agile ITSM frameworks. In Balancing Agile and Disciplined Engineering and Management Approaches for IT Services and Software Products (pp. 45–68). IGI Global.

Peffers, K., Tuunanen, T., Rothenberger, M. A., & Chatterjee, S. (2007). A design science research methodology for information systems research. Journal of Management Information Systems, 24(3), 45–77.

Sears, C. R., & Cunningham, D. R. (2024). Individual differences in psychological stress associated with data breach experiences. J Cybersecur. Priv, 4(3), 594–614. https://doi.org/10.339/jcp4030031.

Sengik, A. R., Lunardi, G. L., Bianchi, I. S., & Wiedenhöft, G. C. (2022). Using design science research to propose an IT governance model for higher education institutions. Education and Information Technologies, 27(8), 11285–11305. https://doi.org/10.1007/s10639-022-11088-3.

Shipman, A., & Watkins, S. (2020). ISO/IEC 27701:2019: An introduction to privacy information management. IT Governance Publishing.

Shivashankarappa, S., Rajendran, J., & Bhaskaran, V. (2012). Adoption of ITIL framework in higher education institutions: Challenges and benefits. International Journal of Information Systems in the Service Sector, 4(3), 35–52.

Tocto-Cano, E., et al. (2020). Maturity models in universities: A systematic review. Information, 11(10), 466.

Ulven, J. B., & Wangen, G. (2021). Cybersecurity risks in higher education. Future Internet, 13(2), 39.

Vaishnavi, V., & Kuechler, W. (2015). Design science research methods and patterns. CRC Press.

Winniford, M., Conger, S., & Erickson-Harris, L. (2009). Confusion in the ranks: IT service management practice and terminology. Information Systems Management, 26(2), 153–163.

Zúñiga, D. R., Lira, P. L., Navarro, A. C., Peña, M. D., Caselli Benavente, N., Moraga, D. L., Rogget, M. R., & González, J. P. M. (2025). Agile audit proposal for ISO IEC 27001 standard implementation in higher education faculties. Communications in Computer and Information Science, 2347 CCIS, 421–437. https://doi.org/10.1007/978-3-031-84078-4_29.

Article Details

How to Cite

“Development of an Integrated Information Security Governance Maturity Assessment Framework for Higher Education Institutions Using COBIT 2019 and ISO/IEC 27001: A Design Science Research Approach”. (2026). International Journal of Latest Technology in Engineering Management & Applied Science, 15(6), 202-224. https://doi.org/10.51583/IJLTEMAS.2026.150600019