Business Impacts of International Standards for Information Security Management. Lessons from Case Companies
DOI: https://doi.org/10.13052/jicts2245-800X.122
Keywords: Information security, ISO/IEC 27001, case study, standardization, business impact
Abstract
This paper describes the business impact of two international standards for information security management: ISO/IEC 27001, the certifiable requirements standard for an information security management system, and ISO/IEC 27002, its accompanying code of practice for security controls (the 2005 editions, which the study examined). Six company cases show that the companies had different reasons for implementing these standards, but that they achieved most of their objectives. Benefits include improved service quality, higher customer satisfaction and, in some cases, new business opportunities. A number of common success factors determine whether the objectives are achieved and whether financial and non-financial benefits are actually obtained. The lessons learnt from these cases can help other companies reap such benefits as well.