Assessing Data Cybersecurity Using ISO/IEC 25012

2019 
The importance of data is ever-growing, and it is widely considered to be the most valuable asset of a company. Since data is becoming the main driver of business value, data security is a paramount concern for companies. In recent years, several standards related to security have emerged, most notably those of the ISO/IEC 27000 series. However, they are focused on management systems and security infrastructure, neglecting the security of the data itself. Other standards related to data quality, such as ISO 8000, also fail to address data security in depth. To this end, we propose in this paper a framework for the evaluation of data cybersecurity, consisting of a quality model (based on ISO/IEC 25012), an evaluation process (based on ISO/IEC 25040), and a tool for the visualization of the assessment results. This evaluation framework has been taken as the basis for a data cybersecurity certification scheme, which complements other certifiable standards related to data and security such as ISO/IEC 27001 and ISO 8000.