COMPARATIVE ANALYSIS OF AUDIT METHODS FOR INFORMATION SECURITY MANAGEMENT SYSTEMS IN KAZAKHSTAN AND OTHER COUNTRIES
https://doi.org/10.53360/2788-7995-2025-4(20)-9
Abstract
This article presents a comparative analysis of approaches to auditing Information Security Management Systems (ISMS) used in the Republic of Kazakhstan and other countries. The study examines key audit methodologies, including international regulatory frameworks such as ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission), NIST (National Institute of Standards and Technology), and the GDPR (General Data Protection Regulation), with a particular focus on their adaptation across different legal jurisdictions. Special attention is given to the strengths and limitations of various auditing practices, as well as the maturity levels of ISMS implementations across different nations. The paper analyzes the current state of information security in Kazakhstan, taking into account the national regulatory landscape and the practical application of audit mechanisms in both the public and private sectors. It also identifies critical challenges faced by organizations, such as the shortage of qualified personnel, difficulties in implementing contemporary standards and technologies, and weak interdepartmental coordination. Drawing on an evaluation of global best practices, the paper outlines prospective directions for enhancing ISMS audit methods and offers practical recommendations for improving audit effectiveness and strengthening national cybersecurity frameworks.
The findings of this study are of practical relevance to information security professionals, auditors, researchers, and organizations involved in risk management and data protection within the context of ongoing digital transformation.
About the Authors
Z. B. Mukhtarova
Kazakhstan
Zamira Bekenovna Mukhtarova – 2nd-year doctoral student of the educational program «Information security systems»
010000, Republic of Kazakhstan, Astana, 2 Kanysh Satpayev Street
A. T. Zharkimbekova
Kazakhstan
Aizhan Temirzhanovna Zharkimbekova – PhD, Senior Lecturer, Department of Information Security
010000, Republic of Kazakhstan, Astana, 2 Kanysh Satpayev Street
B. T. Smailova
Kazakhstan
Balzhan Temirbolatkyzy Smailova – MS, Head of Mathematics Department
071412, Republic of Kazakhstan, Semey, 20 A Glinka Street
For citations:
Mukhtarova Z.B., Zharkimbekova A.T., Smailova B.T. COMPARATIVE ANALYSIS OF AUDIT METHODS FOR INFORMATION SECURITY MANAGEMENT SYSTEMS IN KAZAKHSTAN AND OTHER COUNTRIES. Bulletin of Shakarim University. Technical Sciences. 2025;1(4(20)):73-80. https://doi.org/10.53360/2788-7995-2025-4(20)-9