Skip to Main Content
Article navigation
Volume 34, Issue 3
28 May 2026
Information and Computer Security Cover Image for Volume 34, Issue 3
Research Article| October 07 2025

Information security management: a fuzzy DEMATEL analysis of the new ISO/IEC 27001:2022 controls Available to Purchase

Reginaldo da Silva Leme;
Reginaldo da Silva Leme
School of Mechanical Engineering,
State University of Campinas
, Campinas,
Brazil
Search for other works by this author on:
This Site
PubMed
Google Scholar
Jefferson de Souza Pinto;
Jefferson de Souza Pinto
Federal Institute of Education Science and Technology of São Paulo
, Bragança Paulista,
Brazil
, and School of Mechanical Engineering, State University of Campinas, Campinas, Brazil
Search for other works by this author on:
This Site
PubMed
Google Scholar
Lucas Gabriel Zanon;
Lucas Gabriel Zanon
School of Engineering of São Carlos,
University of São Paulo
, São Carlos,
Brazil
Search for other works by this author on:
This Site
PubMed
Google Scholar
Tiago F.A.C. Sigahi;
Tiago F.A.C. Sigahi
Department of Production Engineering,
Polytechnic School, University of São Paulo
, São Paulo,
Brazil
Corresponding author Tiago F.A.C. Sigahi tiagosigahi@gmail.com
Search for other works by this author on:
This Site
PubMed
Google Scholar
Gustavo Hermínio Salati Marcondes de Moraes;
Gustavo Hermínio Salati Marcondes de Moraes
School of Applied Sciences,
State University of Campinas
, Campinas,
Brazil
, and School of Management Sciences, North-West University, Vanderbijlpark, South Africa
Search for other works by this author on:
This Site
PubMed
Google Scholar
Suzana Regina Moro;
Suzana Regina Moro
School of Mechanical Engineering,
State University of Campinas
, Campinas,
Brazil
Search for other works by this author on:
This Site
PubMed
Google Scholar
Rosley Anholon
Rosley Anholon
School of Mechanical Engineering,
State University of Campinas
, Campinas,
Brazil
Search for other works by this author on:
This Site
PubMed
Google Scholar
Author & Article Information
Corresponding author Tiago F.A.C. Sigahi tiagosigahi@gmail.com
Publisher: Emerald Publishing
Received: October 23 2024
Revision Received: April 23 2025
Revision Received: July 16 2025
Accepted: August 24 2025
Online ISSN: 2056-497X
Print ISSN: 2056-4961
Funding
Funding Group:
  • Award Group:
    • Funder(s):
       National Council for Scientific
    • Award Id(s):
      303412/2024-0
  • Award Group:
    • Funder(s):
       Technological Development (CNPq/Brazil)
    • Award Id(s):
      303787/2024-4
  • Funding Statement(s):
     The authors are grateful for the support of the National Council for Scientific and Technological Development (CNPq/Brazil) under the grants number 303412/2024-0 and 303787/2024-4.
© 2025 Emerald Publishing Limited
2025
Emerald Publishing Limited
Licensed re-use rights only
Information and Computer Security (2026) 34 (3): 413–434.
https://doi.org/10.1108/ICS-10-2024-0269
Article history
Received:
October 23 2024
Revision Received:
April 23 2025
Revision Received:
July 16 2025
Accepted:
August 24 2025
Purpose

This paper aims to analyze the cause-and-effect relationship and the level of influence between the 11 new information security controls proposed by ISO/IEC 27001:2022.

Design/methodology/approach

A survey with 22 experts, all chief technology officers, was conducted, to assess the influences between each of these controls by means of a pairwise comparison. Then, the fuzzy Decision-making Trial and Evaluation Laboratory (DEMATEL) method was applied to evaluate the relationships and the influence degree between controls.

Findings

The most influential and impacted controls were identified through the Causal Diagram and the Influence Relationship Map. “Threat Intelligence” and “Secure Development” emerged as the main influencing factors, serving as core components in the evaluation system. This finding aligns with the growing emphasis on protecting data stored in cloud services and addressing emerging threats, highlighting their importance in Information Security Management Systems. Furthermore, the central, driving, independent and impactful controls were identified, as well as their priority in allocating resources for their integration and management. This allows for a strategic and efficient distribution of resources, directing them according to the priority and impact of each control on the security system.

Originality/value

This study presents an original approach, applying the fuzzy DEMATEL method to analyze the cause-and-effect relationships between the 11 new controls in ISO/IEC 27001:2022. Unlike previous studies, this research reveals the causal structure and prioritization of these updates. By identifying central and influential controls, such as “Threat Intelligence” and “Secure Development,” this study offers strategic insights for managing these new controls, highlighting those that provide strategic leverage in the practical integration of security measures, as well as which should be targets for resource allocation. This new analytical perspective contributes to a deeper understanding of the evolution of the standard in addressing contemporary cybersecurity challenges, offering practical insights to information security managers, enabling proactive risk management, optimized resource allocation and alignment with regulatory compliance frameworks.

Keywords:
ISO/IEC 27001:2022, Information security, Risk management, Fuzzy DEMATEL
© 2025 Emerald Publishing Limited
2025
Emerald Publishing Limited
Licensed re-use rights only
You do not currently have access to this content.
Don't already have an account? Register

Purchased this content as a guest? Enter your email address to restore access.

Please enter valid email address.
Email address must be 94 characters or fewer.
Pay-Per-View Access
$41.00
Rental
This article is also available for rental through DeepDyve. Read this now at DeepDyve
764 Views
View Metrics
Socio-technical challenges in improving cybersecurity in operational technology organizations
Identifying organizations’ security compliance on data breach announcements: a text mining approach
Methodological rigour in cybersecurity culture research: a systematic review
Measuring dimensions of information security culture across industries with situational judgment tests

Suggested Reading

Current challenges in information security risk management
Information Management & Computer Security (November,2014)
Information Security Risk Management: Handbook for ISO/IEC 27001
Records Management Journal (November,2011)
Using response action with intelligent intrusion detection and prevention system against web application malware
Information Management & Computer Security (November,2014)
The impact of information security management practices on organisational agility
Information and Computer Security (June,2020)
Revisiting information security risk management challenges: a practice perspective
Information and Computer Security (June,2019)

Related Chapters

Digital Behaviors and People Risk: Challenges for Risk Management
Social Media in Strategic Management
A Framework for Dealing With Cybersecurity Risks as Part of Information Security
Digitalization, Sustainable Development, and Industry 5.0: An Organizational Model for Twin Transitions
Impacts of Trade War Upon Social Indicators
Global Tariff War: Economic, Political and Social Implications

Recommended for you

These recommendations are informed by your reading behaviors and indicated interests.

Cited By

Google Scholar
This Feature Is Available To Subscribers Only

or Create an Account

Close Modal
Close Modal