An Empirical Study of Knowledge Graph-Enhanced RAG for Information Security Compliance
Dimitar Jovanovski, Dejan Gjorgjevikj, Petre Lameski, Mila Dodevska, Marija Stojcheva, Igor Mishkovski
Problems Identified (4)
Regulatory standard interpretation challenges: ISO/IEC 27000 standards are difficult to interpret because of formal language, abstract structure, and extensive cross-referencing.
Chunk-based RAG loses regulatory context: Traditional chunk-based RAG is inadequate for highly interconnected regulatory materials because it fragments contextual relationships and reduces accuracy.
Proposed Solutions (5)
Privacy-preserving KG-enhanced RAG: The study proposes a privacy-preserving RAG framework integrating LightRAG knowledge graph retrieval with locally hosted open-source language models.
Semantic regulatory knowledge graph: The system constructs a semantic knowledge graph representing clause relationships using typed edges for cross-references, semantic similarity, and hierarchical dependencies.
ISO compliance QA benchmark: The study develops a curated benchmark of 222 multiple-choice questions with authoritative ground-truth answers for evaluating ISO compliance question answering.
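As an added illustration (not the paper's code or the LightRAG implementation), the toy below builds a clause graph with the three edge types listed above and compares clause-by-clause chunk retrieval with a one-hop graph-expanded retrieval. Clause IDs, wording, edge weights and the bag-of-words similarity are constructed placeholders standing in for real ISO text and real embeddings.

```python
# Added illustration, not the paper's code: a toy clause graph with typed edges and a
# hybrid retrieval that combines per-clause similarity with one hop of graph expansion.
import math
from collections import Counter, defaultdict

# Constructed placeholder clauses (IDs and wording are invented, not ISO/IEC 27000 text).
CLAUSES = {
    "A.1": "access control policy shall be established and reviewed",
    "A.1.1": "user access rights shall be reviewed at regular intervals",
    "A.2": "information security risk assessment process shall be defined",
    "A.3": "records of processing shall be retained per retention policy",
    "R.1": "the schedule in annex defines quarterly intervals for this activity",
}

# Typed edges (source, relation, target): hierarchy, explicit cross-reference,
# and embedding similarity, the three relation kinds the paper's graph distinguishes.
EDGES = [
    ("A.1", "hierarchy", "A.1.1"),        # A.1.1 is a sub-clause of A.1
    ("A.1.1", "cross_reference", "R.1"),  # A.1.1 points to R.1 for the review interval
    ("A.2", "similar", "A.3"),            # semantically related, no direct reference
]
# Assumed weights: how much of a clause's relevance flows to a neighbour per edge type.
EDGE_WEIGHT = {"cross_reference": 0.8, "hierarchy": 0.6, "similar": 0.5}

ADJ = defaultdict(list)
for src, rel, dst in EDGES:          # retrieval walks edges in both directions
    ADJ[src].append((rel, dst))
    ADJ[dst].append((rel, src))

def cosine(a: Counter, b: Counter) -> float:
    """Bag-of-words cosine; stands in for the embedding similarity the paper uses."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def lexical_scores(query: str) -> dict:
    q = Counter(query.lower().split())
    return {cid: cosine(q, Counter(text.lower().split())) for cid, text in CLAUSES.items()}

def chunk_retrieve(query: str, k: int) -> list:
    """Plain chunk-style retrieval: each clause is scored in isolation."""
    scores = lexical_scores(query)
    return [cid for cid, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]

def hybrid_retrieve(query: str, k: int) -> list:
    """Graph-enhanced retrieval: one hop of typed-edge expansion from every scored clause."""
    base = lexical_scores(query)
    scores = dict(base)
    for cid, s in base.items():
        for rel, nb in ADJ[cid]:
            scores[nb] = max(scores[nb], s * EDGE_WEIGHT[rel])
    return [cid for cid, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]

if __name__ == "__main__":
    q = "how often should user access rights be reviewed"
    print("chunk :", chunk_retrieve(q, 2))   # ['A.1.1', 'A.1']
    print("hybrid:", hybrid_retrieve(q, 2))  # ['A.1.1', 'R.1']: the cross-referenced interval clause
```

The chunk-only result misses R.1, which lexically shares nothing with the question but holds the interval the cross-reference points to; the typed edge is what carries that context into the retrieved set.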
Results (3)
KG retrieval outperforms baselines:
Embedding quality affects performance:
Hybrid graph retrieval improves accuracy:
Research Domain
Information security compliance / knowledge graph-enhanced retrieval-augmented generation