Developing an Information Security Management System for Libraries Based on an Improved Risk Analysis Methodology Compatible with ISO/IEC 27001

This paper describes a new risk analysis methodology for libraries based on steps filtered from existing methodologies that are compatible with the ISO/IEC 27000: 2013 standard. After analyzing MAGERIT, OCTAVE and NIST 800-30 risk analysis methodologies, the most important steps were identified and those that do not fit in library type of organization were discarded. Once the methodology was created, it was tested through a real implementation in the Library system of a university to verify its benefits.