BLOCKCHAIN-ORIENTED APPROACH TO ENSURING TRACEABILITY AND VERIFIABILITY OF ISMS POLICY ENFORCEMENT
DOI: https://doi.org/10.28925/2663-4023.2026.32.1136
Keywords: Integrated information security system (IISS), information security policies, audit, traceability, verifiability, blockchain, permissioned blockchain, smart contract, hash anchor, event logging, SIEM, ISO/IEC 27001
Abstract
This paper proposes a blockchain-oriented approach to ensuring the traceability and verifiability of information security policy enforcement within integrated information security management systems (ISMS). The relevance of the study is driven by the fact that, in practical ISMS deployments, compliance with security policies is commonly confirmed through event logs and reports that may be altered or deleted, thereby reducing the evidentiary value of audits and complicating independent verification. The proposed approach is based on recording only cryptographic “anchors” (hash values) of policy enforcement events in a permissioned blockchain, rather than storing complete logs in a distributed ledger. This design minimizes system overhead and mitigates the risk of sensitive data disclosure. An architecture is introduced that comprises an event collection and normalization module, a hash aggregator with batch packaging, a smart contract for anchor registration, and an audit verification module. A practical prototype was implemented as an application-level service integrated with an existing logging system and interacting with the smart contract via an API. Experimental evaluation was conducted using modeled scenarios, including access control enforcement, role changes, unauthorized action attempts, and incident handling, followed by simulated log tampering through deletion, substitution, and reordering of events in local logs. The evaluation considered anchor registration latency, batching throughput, successful transaction ratio, and auditor verification time for varying log volumes. The results demonstrate that the proposed mechanism reliably detects log manipulation through inconsistencies between locally computed hashes and on-chain records, supports a reproducible chain of evidence for critical ISMS policies, and enhances audit transparency without relying on a trusted third party. 
The paper also discusses limitations of the approach, including the selection of critical events, key management, and data retention policies, and provides recommendations for integration with SIEM platforms and alignment with ISO/IEC 27001 requirements. The obtained results can be applied in the design and modernization of ISMS for government information systems and critical infrastructure facilities. The proposed approach may serve as a foundation for automated generation of audit reports and immutable evidence of compliance with organizational ISMS regulations.
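The abstract describes the core mechanism at a high level: enforcement events are normalized, packed into batches, reduced to a single cryptographic anchor that is registered on a permissioned ledger, and later re-derived by an auditor from the local log so that deletion, substitution or reordering shows up as a hash mismatch. The following Python is an added illustration of that flow and is not the prototype from the paper: the anchor store is an in-memory stand-in for the smart contract, the event fields and batch identifier are constructed sample values, and the canonical JSON encoding, the SHA-256 Merkle construction and the anchor chaining are this example's own design choices, not the authors' implementation.

```python
"""Hash-anchor batching and audit verification for policy-enforcement events.

Added example (not the paper's prototype). The ledger is simulated by an
in-memory, append-only registry so the whole flow runs offline.
"""
import hashlib
import json


def canonical_bytes(event: dict) -> bytes:
    """Normalize an event so semantically equal records hash identically
    regardless of key order or whitespace in the originating log line."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def leaf_hash(event: dict) -> bytes:
    # 0x00 prefix domain-separates leaves from inner nodes (0x01 below).
    return hashlib.sha256(b"\x00" + canonical_bytes(event)).digest()


def merkle_root(leaves: list) -> bytes:
    """Merkle root over the ORDERED leaves. An odd trailing node is carried up
    unchanged rather than duplicated, so no two different leaf lists share a root
    through padding. Order is part of the commitment: swapping two events changes
    the root, which is what lets the auditor detect reordering."""
    if not leaves:
        raise ValueError("refusing to anchor an empty batch")
    level = list(leaves)
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


class AnchorRegistry:
    """Stand-in for the smart contract: append-only; each anchor commits to the
    previous anchor, the batch root and the event count, so a silently dropped
    or re-registered batch is also detectable."""

    def __init__(self) -> None:
        self._anchors = []

    def register(self, batch_id: str, root: bytes, count: int) -> bytes:
        prev = self._anchors[-1]["anchor"] if self._anchors else b"\x00" * 32
        anchor = hashlib.sha256(prev + root + count.to_bytes(4, "big")).digest()
        self._anchors.append({"batch_id": batch_id, "root": root, "count": count,
                              "prev": prev, "anchor": anchor})
        return anchor

    def get(self, batch_id: str) -> dict:
        for rec in self._anchors:
            if rec["batch_id"] == batch_id:
                return rec
        raise KeyError(batch_id)


def verify_batch(registry: AnchorRegistry, batch_id: str, local_events: list) -> dict:
    """Auditor side: recompute the root from the local log and compare with the
    on-chain record. Returns which checks passed so the report can say whether
    the count or the content/order diverged."""
    rec = registry.get(batch_id)
    count_ok = rec["count"] == len(local_events)
    root_ok = bool(local_events) and merkle_root([leaf_hash(e) for e in local_events]) == rec["root"]
    return {"batch_id": batch_id, "count_matches": count_ok,
            "root_matches": root_ok, "verified": count_ok and root_ok}


def demo() -> dict:
    """Anchor one constructed batch, then verify four local-log variants:
    intact, one event deleted, one field substituted, two events reordered."""
    events = [  # constructed sample events, not from any real system
        {"ts": "2026-01-10T09:00:01Z", "policy": "ACC-01", "subject": "u1001",
         "action": "read", "object": "/hr/payroll", "decision": "deny"},
        {"ts": "2026-01-10T09:00:05Z", "policy": "ROLE-02", "subject": "admin7",
         "action": "role_change", "object": "u1001", "decision": "allow"},
        {"ts": "2026-01-10T09:00:09Z", "policy": "ACC-01", "subject": "u1001",
         "action": "read", "object": "/hr/payroll", "decision": "allow"},
        {"ts": "2026-01-10T09:01:00Z", "policy": "INC-05", "subject": "soc",
         "action": "ticket_open", "object": "INC-2026-0001", "decision": "allow"},
    ]
    registry = AnchorRegistry()
    registry.register("batch-0001", merkle_root([leaf_hash(e) for e in events]), len(events))

    deleted = events[:1] + events[2:]                 # role change removed
    substituted = [dict(e) for e in events]
    substituted[0]["decision"] = "allow"              # deny rewritten to allow
    reordered = [events[1], events[0]] + events[2:]   # same events, different order

    return {name: verify_batch(registry, "batch-0001", log)
            for name, log in [("intact", events), ("deleted", deleted),
                              ("substituted", substituted), ("reordered", reordered)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} verified={result['verified']} "
              f"count_ok={result['count_matches']} root_ok={result['root_matches']}")
```

Only the 32-byte root and the event count leave the organization; the events themselves stay in the local log, which is the point of anchoring hashes rather than full records. The per-check output matters for the audit report: a deleted event fails the count check first, while substitution and reordering keep the count intact and fail only on the root.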
License
Copyright (c) 2026 Валерія Балацька

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.