LibraryDocumentsResearch Design
DOCUMENT 00 · MODULE

Research Design

Exploratory qualitative gap analysis. Isolates control maturity from governance maturity by adapting C2M2 v2.1 to evaluate individual ISO 27002:2022 controls under four LLM deployment archetypes.

The research design moduleMethodologyC2M2ISO 37004

1. Research question and stance

This study adopts an exploratory qualitative research design centred on a comparative maturity gap analysis. The motivating question is highly specific and structural: assuming an organization possesses mature corporate governance — aligned with ISO 37004 — are its existing organizational and technical information security controls (aligned with ISO 27002:2022) objectively mature enough to govern the introduction of LLM-enabled systems?

Recent literature characterizes LLM risk as multidimensional, spanning privacy leakage, adversarial manipulation, training- and inference-phase vulnerabilities, and malicious misuse. Because generative AI has entered organizations faster than even matured internal governance arrangements have adapted, inherited controls must be compared against a fast-moving and structurally different exposure interface rather than a static technical specification.

2. Isolating control maturity from governance maturity

To measure control maturity, the study adapts the Cybersecurity Capability Maturity Model (C2M2, Version 2.1). However, because the study assumes a baseline of mature corporate governance, it methodologically isolates control maturity from governance maturity.

The C2M2 framework is herein adapted to evaluate the operational, architectural, and technical resilience of specific ISO 27002 controls against LLM risks, deliberately disregarding high-level corporate governance attributes (such as executive sponsorship or enterprise policy formulation, which are assumed to be present and matured).

Why this matters

By isolating the unit of analysis to the control's maturity rather than the organization's governance, the study bypasses the trap of assuming that a well-governed organization automatically possesses well-functioning AI controls. The two are routinely conflated in industry maturity assessments.

3. Analytical scope and unit of analysis

The unit of analysis is the adapted C2M2 Maturity Indicator Level (MIL) of individual ISO 27002 controls when tested against four LLM deployment archetypes. Each control is evaluated independently for each archetype, because the same control behaves differently under direct external use than it does under fine-tuned internal deployment.

4. The 1009 LTD baseline

To provide a concrete, operational baseline for evaluating control sufficiency across these archetypes, the study utilizes a simulated corporate environment: 1009 LTD. Modelled as a mature small and medium-sized enterprise specializing in IT services and digital infrastructure management, 1009 LTD operates with 40 employees structured across Technology, Operations, Security, and Marketing divisions.

Crucially for the premise of this study, 1009 LTD possesses a fully documented corporate governance foundation encompassing twelve comprehensive internal policies (spanning Information Security, Risk Management, Business Continuity, Identity Management, and Physical Security). Utilizing this specific hypothetical profile allows the gap analysis to test ISO 27002 control maturity against LLM risk scenarios in a realistic, governed setting without violating confidentiality constraints or relying on abstract generalizations.

The 1009 LTD profile is published as a public document library at 1009.lt, enabling independent replication of the framework by other researchers or organizations.

5. Methodological transparency

In alignment with emerging academic standards for computational transparency (such as the European Commission's Living Guidelines on the Responsible Use of Generative AI in Research), the study explicitly acknowledges the methodological use of generative AI as an analytical co-pilot — for structuring the gap analysis matrix, cross-referencing ISO 27002 and C2M2 criteria, and drafting illustrative risk scenarios. The AI was instructed to adopt the persona of an independent IT security auditor, mandated to observe the “punctilio of an independency” as required by the IIA Three Lines Model.

All AI-generated outputs, structural connections, and scored metrics are subjected to rigorous human validation. The full prompt library is published as an open-source research artifact to support replication.

PreviousLibrary