Development of an Application-Based Framework for Information Security Management in SMEs

In an increasingly interconnected and sustainability-driven digital landscape, effective risk management and robust information security practices are essential not only for protecting organizational assets but also for ensuring long-term operational resilience and regulatory compliance, especially for small and medium-sized enterprises (SMEs), which aim to grow but have limited resources. This paper presents the development of a practical framework and a supporting application—GestionAVR—for implementing an Information Security Management System (ISMS) that integrates structured risk management processes. The research presents some theoretical insights and practitioners’ input, with a focus on the needs of SMEs. The framework includes a predefined set of categorized risks across four key areas: organizational, personnel, physical, and technological. Designed for usability and adaptability, the GestionAVR application facilitates risk identification, prioritization, monitoring, and continuous improvement. Validated through a case study in the engineering sector, the solution proved to be effective in enhancing decision-making, reducing time spent on planning, and minimizing overlooked vulnerabilities. Future developments include integration of sustainability indicators aligning with recent updates to ISO 27001 standards, AI-based data analysis and automated reporting. This research offers a customizable and cost-effective tool that supports information security and sustainable organizational development.