A Systematic Literature Review of Cybersecurity Audit Frameworks and Access Control Mechanisms in Information Systems: Trends and Challenges

by Agus Widarsono, Annisa Nur Hanifah, Chika Almalia Agisti, Luthfiyyah Khaira Zahra

Published: May 30, 2026 • DOI: 10.47772/IJRISS.2026.100500328

Abstract

The rapid advancement of digital transformation has significantly increased cybersecurity risks faced by organizations, making cybersecurity governance and auditing essential components of organizational resilience. This study aims to analyze the development of cybersecurity audit frameworks and access control mechanisms in information systems through a Systematic Literature Review (SLR). The study follows the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines and reviews 30 Scopus-indexed journal articles and conference proceedings published between 2020 and 2025. The review focuses on comparing cybersecurity audit frameworks, identifying recent trends, examining implementation challenges, and analyzing the evolution of access control mechanisms. The findings indicate that widely used frameworks such as ISO/IEC 27001, NIST Cybersecurity Framework (NIST-CSF), COBIT, CIS Controls, SOX, and COSO possess different orientations, strengths, and limitations regarding governance, compliance, flexibility, and technical protection. The study also reveals a shift from traditional compliance-based auditing toward risk-based, continuous, and technology-driven auditing supported by Artificial Intelligence (AI), Machine Learning (ML), blockchain, and continuous monitoring systems. In terms of access control, the findings demonstrate an evolution from traditional models such as DAC, MAC, and RBAC toward more adaptive approaches including ABAC, blockchain-based access control, and Zero Trust Architecture (ZTA). However, the implementation of modern frameworks and technologies still faces challenges related to scalability, interoperability, implementation complexity, operational costs, and the shortage of skilled cybersecurity professionals. This study concludes that no single framework or access control mechanism is universally effective for all organizations, and therefore organizations should adopt adaptive and hybrid approaches based on their risk profiles, governance maturity, and operational requirements. The study contributes theoretically by integrating discussions on cybersecurity audit frameworks and access control mechanisms while providing practical insights for auditors, cybersecurity practitioners, regulators, and organizations in designing more resilient cybersecurity governance strategies.