Business Impacts of International Standards for Information Security Management. Lessons from Case Companies

Authors

  • Robert M. van Wessel, Rotterdam School of Management, Erasmus University, Department of Management of Technology and Innovation, P.O. Box 1738, Room T10-42, 3000 DR Rotterdam, The Netherlands
  • Henk J. de Vries, Rotterdam School of Management, Erasmus University, Department of Management of Technology and Innovation, P.O. Box 1738, Room T10-42, 3000 DR Rotterdam, The Netherlands

DOI:

https://doi.org/10.13052/jicts2245-800X.122

Keywords:

Information security, ISO/IEC 27001, case study, standardization, business impact

Abstract

This paper describes the business impact of two international standards for information security management: ISO/IEC 27001 and ISO/IEC 27002. Six company cases show that companies had different reasons for wanting to implement these standards, but that they achieved most of their objectives. Benefits include improved service quality, higher customer satisfaction, and in some cases, new business opportunities. A number of common success factors ensure the objectives can be achieved, and financial and non-financial benefits can indeed be obtained. The lessons learnt from these cases can help other companies to also reap such benefits.

Author Biographies

Robert M. van Wessel, Rotterdam School of Management, Erasmus University, Department of Management of Technology and Innovation, P.O. Box 1738, Room T10-42, 3000 DR Rotterdam, The Netherlands

Robert M. van Wessel holds a Master in Electrical Engineering from Twente University and a PhD in Business Administration from Tilburg University (Department of Information Systems and Management). He works as a Business Architect in the financial services industry and is associated with Rotterdam School of Management, Erasmus University. Robert’s research interests relate to the interaction of Business and Information Technology, in particular Business Performance and the Value of IT, Enterprise Architecture, IT Governance, Portfolio Management, Information Security Management and IT Standardisation and Standards.

Henk J. de Vries, Rotterdam School of Management, Erasmus University, Department of Management of Technology and Innovation, P.O. Box 1738, Room T10-42, 3000 DR Rotterdam, The Netherlands

Henk J. de Vries is Associate Professor of Standardisation at the Rotterdam School of Management, Erasmus University, Department of Management of Technology and Innovation. His research and teaching focus on standardisation from a business point of view. Henk is President of the European Academy for Standardisation EURAS, Chair of the International Cooperation for Education about Standardization ICES, and Special Advisor to the International Federation of Standards Users IFAN. He is (co-)author of more than 300 publications in the field of standardisation. See http://www.rsm.nl/hdevries and http://www.rsm.nl/is.

Published

2013-07-26

How to Cite

van Wessel, R. M., & de Vries, H. J. (2013). Business Impacts of International Standards for Information Security Management. Lessons from Case Companies. Journal of ICT Standardization, 1(1), 25–40. https://doi.org/10.13052/jicts2245-800X.122

Section

Articles