
Information Security Management System

International Journal of Computer Applications (0975 8887)
Volume 158 No 7, January 2017
Sahar Al-Dhahri, Manar Al-Sarti and Azrilah Abdul Aziz, PhD
King Abdulaziz University, College of Computing and Information Technology, Saudi Arabia
ISO 27001 is an information security management system (ISMS) standard. It helps organizations to manage the security of their assets, and it is the best-known standard providing requirements for an information security management system (ISMS). In 2015, according to the ISO survey, ISO/IEC 27001 saw a 20% increase to 27,536 certificates worldwide [13].
Information Security, Information Security Management,
Total quality management, Information security, Incremental
Information security is defined as the process of protecting information and information assets to preserve the confidentiality, integrity, and availability of information (ISO17799, 2004). It is a major issue for businesses, their clients and the public. From 1997 to 2001, U.S. organizations spent over $2.5 trillion on information technology, nearly double the amount of the previous five years. According to Sinha and Gillies (2011), personal information has four dimensions:
1. Operational value: personal information is a sensitive asset for the organization and needs to be preserved to ensure it is safe.
2. Individual value: using people's personal data carries important risks, so the information needs to be handled with care, respecting people's privacy.
3. Value to others: when an organization undermines a legitimate purpose for using the personal information of its users, that information should be handled according to the data protection principles. Otherwise, it could harm the people and embarrass the
4. Societal value: society gives the right to privacy a legislative basis, such as the EU directive 95/46/EC (European Parliament, 1995), enshrined in UK law as the Data Protection Act (1998), and alternative legislation outside the EU.
The current management systems are derived from the work of W. Edwards Deming and the related world of Total Quality Management (TQM). Although initially considered relevant only to a production environment, the concepts have been successfully applied to many other environments, including an organization's security (Carlson et al., 2008). The integration between TQM ("Deming's 14 points") and organizational security directly affects the success, or lack thereof, of the organization's security.
2.1 Risk Management
Risk management is defined as "the process of identifying vulnerabilities and threats within the framework of an organization, as well as producing some measurements to minimize their impact over the informational resources". According to Pavlov and Karakaneva (2011), it is the combination of activities which aim to protect the organization's assets cost-effectively, based on the organization's missions or objectives. Risk management contains two parts:
1. Risk Analysis: the process of identifying the factors that influence information security.
2. Risk Assessment, which has four main outcomes:
a) Determine the threats;
b) Prioritization of these threats according to the risk
c) Define controls and protection measures;
d) Develop a plan for these measures.
2.2 Information Security Components
According to Hong et al. (2003), the components of any information security architecture are:
1. Organization and infrastructure security
2. Policy, standards and procedures security
3. Baselines and risk assessments security
4. Awareness and training program security
5. Compliance security
Fomin et al. (2008) addressed the low adoption of the international standard ISO/IEC 27001 on information security management, especially in the academic field. The basic barriers to the standard's adoption are high cost in money and
2.3 Information Security Incidents
1. Vulnerability: a weakness of one or more assets which may be attacked by a threat.
2. Threat: a potential unwanted incident that may cause harm to a system or organization.
An Information Security Management System includes (Carlson et al., 2008):
a. Risk management: based upon metrics of confidentiality, integrity, and availability.
b. TQM applied: based upon metrics of efficiency and
c. A monitoring and reporting model: based upon
abstraction layers.
d. A structured approach: contains people, process,
and technology.
e. An extensible framework from which to manage
information security compliance.
An Information Security Management System standard provides requirements for establishing, implementing, maintaining and improving an information security management system. Its adoption is a strategic decision for an organization, influenced by the organization's needs and objectives and its security requirements, and scaled to the organization's needs. The information security management system applies a risk management process to protect the confidentiality, integrity, and availability of information. An ISMS can be used by internal and external parties and is described by ISO/IEC 27000, which provides a catalog of controls that can be implemented for an ISMS.
3.1 Information Security Management System Components
ISMS involves the following essential components (see Figure 1):
a. Management principles
b. Resources
c. Personnel
d. Information security process
Fig 1: Information Security Management System Components (Source: http://www.
3.2 Information Security Management System Domains
The Information Security Management System standard comprises 11 security areas, 39 control objectives, and 133 controls. The following table lists the domains and their control objectives [15]:
Table 1: Information Security Management System
Security policy: Provide management direction and support for information security.
Organizational Security: Manage information security within the organization.
Asset Management: Achieve and maintain appropriate protection of organizational assets.
Human Resources: Details any personnel issues like training, responsibilities, and how employees responded to security
Physical and Environmental Security: Prevent unauthorized physical
Communications and: Ensure the correct and secure operation of information processing facilities.
Access Control: To control access to information.
Information System Development &: Ensure that security is an integral part of information systems.
Information Security Incident Management: Ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
Business Continuity: Maintenance of essential business activities during adverse conditions, from coping with major disasters to minor, local issues.
Avoid breaches of any security
3.3 ISO/IEC 27001
In 1987, the ISO 9000 standards were first published, then revised in 1994 and 2000 (ISO, 2000). Subsequently, ISO introduced management system standards (MSS), for example the ISO 14001 Environmental Management System (EMS) and the ISO/IEC 27001 Information Security Management System (ISMS) standards. The three management system standards are similar to each other (Fomin et al., 2008). ISO/IEC 27001 was developed to protect the organizations' information assets, "the 'life-blood' of all businesses" (Humphreys, 2005). ISO/IEC 27001 introduces the "Plan-Do-Check-Act" (PDCA) model, which aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA has four phases, as shown in Fig 2:
1. Plan: establish the security policy, objectives, processes and procedures for managing risk and improving information security.
2. Do: implement and operate the security policy, controls, processes and procedures.
3. Check: monitor and measure process performance against security policy, objectives and practical
4. Act: maintain and improve the ISMS based on the results of the management review, to achieve continual improvement of the ISMS.
Fig 2: The ISMS Plan-Do-Check-Act cycle (Al-Ahmad Mohammad, 2013)
3.4 The ISO27001 STANDARD
The International Organization for Standardization (ISO) has published standards for information security management systems (ISMS), including the standard ISO/IEC 27001 "Information Technology - Security Techniques - Information Security Management Systems - Requirements" (ISO, 2005a). There is no single way to guarantee 100% information security, but the ISO 27000 family provides many standards against which an information security management system (ISMS) can be certified (Sinha and Gillies, 2011). These standards are listed in Table 2:
Table 2: The ISO27001 STANDARD
UK DTI publishes a users' code of practice for information security.
BS PD 003: A code of practice for information security management.
BS7799-1: A code of practice evolved from BS
BS7799-2: A certification standard for an information security management system.
BS7799-1 and BS7799-2 aligned: the subsequent ISO17799 and ISO27002 standards are based on this version of BS7799-1.
BS7799-2 is modified to incorporate the Plan-Do-Check-Act cycle, in order to align it with ISO9001. This version formed the basis for the subsequent ISO27001 release in 2005.
ISO code of practice published for information security management as ISO17799 (June).
ISO certification standard for an information security management system published as ISO27001 (October).
ISO17799 renumbered to ISO27002: note that the 1 and 2 numbering is now reversed when compared with BS7799.
The total number of certified organizations worldwide for ISO/IEC 27001 is now 27,536, an increase of 20% over 2014 (Fig 3). The information technology sector dominates the certification list, with 40% of certified organizations being in that business (Fig 4).
Fig 3: ISO/IEC 27001 Certification Worldwide (Source: http://www.
Fig 4: ISO/IEC 27001 Certification Sectors (Source: http:
ISO 27001 helps organizations to manage the security of their assets, and it is the best-known standard providing requirements for an information security management system (ISMS). Its benefits include (Figure 5):
1. Increased business efficiency
2. Reduced operational risk
3. Ensure that information security is rationally
4. Assurance to business partners & clients via certification, which can be used as a marketing initiative
5. Security awareness amongst employees and
Figure 5: BENEFITS OF ISO27001 (Source: http://www.
The information security management system (ISO 27001, 2005) is an integral part of the organization's management system and business culture. This system contains the organization's structures, planning, policies, processes, and resources. ISMS development includes six steps (see Fig 6):
1. Define the Security Policy
2. Define the ISMS Scope
3. Risk Assessment
4. Risk Management
5. Select the Appropriate Controls
6. Statement of Applicability
Steps 3 and 4, the risk assessment and risk management processes, form the core of the ISMS. These two processes transform the guidelines of the security policy and the objectives of the ISMS into concrete plans to reduce threats and vulnerabilities. Steps 5 and 6 relate to the operative actions for technical implementation, maintenance, and control of security measures. Appropriate controls are derived from existing sets of controls or mechanisms in information security standards.
5.1 Risk Management Processes
Risk management includes five processes:
1. Risk Assessment: covers three steps, risk identification, risk analysis, and risk evaluation, to understand the impact of each risk and decide the best measures to face it.
2. Risk Treatment: the selection and implementation of measures to modify risk. Risk treatment measures include avoiding, optimizing, transferring or retaining risk.
3. Monitor and Review: measuring the efficiency and effectiveness of the organization's risk management processes.
4. Risk Communication: a process to exchange information about risk between the decision-maker and other stakeholders inside and outside an
5. Risk Acceptance: the decision to accept a risk by the responsible management of the organization. The options are:
a. reduce: lower the risk
b. transfer: offload the risk by placing it on another entity
c. accept: the risk is acceptable based on the
d. ignore: choose not to reduce, transfer or accept the risk; this is equivalent to accepting the risk
Fig 6: Information Security Management System Developing Process (Source:
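As an added illustration of the risk assessment, risk treatment and Statement of Applicability steps described above (the six ISMS development steps and the processes in 5.1), the following Python module scores each threat on likelihood, vulnerability and worst-case impact on the asset's confidentiality, integrity and availability ratings, prioritizes the threats, chooses accept/transfer/reduce against a risk appetite, and derives which Table 1 domains need a control. This is example code written for this page, not the paper's or any standard's own method; the 1..5 scales, the multiplicative risk formula, the decision thresholds and the sample risk register are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed ordinal 1..5 scales (constructed for this example, not from the paper).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Asset:
    """An information asset rated on the three metrics the paper names:
    confidentiality, integrity and availability (1 = negligible, 5 = critical)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for rating in (self.confidentiality, self.integrity, self.availability):
            if rating not in SCALE:
                raise ValueError(f"{self.name}: CIA ratings must be in 1..5")


@dataclass(frozen=True)
class Threat:
    """A threat paired with the vulnerability it exploits (see the 2.3 definitions)."""
    name: str
    asset: Asset
    likelihood: int       # 1..5: how often the threat is expected to occur
    vulnerability: int    # 1..5: how weak the asset is against this threat
    affects: tuple        # subset of ("confidentiality", "integrity", "availability")
    control_domain: str   # Table 1 domain in which the mitigating control would live


def impact(threat: Threat) -> int:
    """Worst-case loss: the highest CIA rating among the dimensions the threat hits."""
    return max(getattr(threat.asset, dim) for dim in threat.affects)


def risk_score(threat: Threat) -> int:
    """Assumed formula: risk = likelihood x vulnerability x impact, range 1..125."""
    return threat.likelihood * threat.vulnerability * impact(threat)


def prioritize(threats):
    """Risk assessment outcome (b): order threats by descending risk (stable on ties)."""
    return sorted(threats, key=risk_score, reverse=True)


def choose_treatment(threat: Threat, appetite: int) -> str:
    """Assumed decision policy (not from the paper): accept when within appetite,
    transfer rare but severe risks (insurance, outsourcing), otherwise reduce by
    selecting a control. 'ignore' is deliberately absent because the paper notes
    it is equivalent to accepting the risk."""
    score = risk_score(threat)
    if score <= appetite:
        return "accept"
    if impact(threat) >= 4 and threat.likelihood <= 2:
        return "transfer"
    return "reduce"


def build_treatment_plan(threats, appetite: int):
    """Steps 3 to 5 of the ISMS development process: assess, prioritize, treat."""
    return [
        {"threat": t.name, "score": risk_score(t),
         "treatment": choose_treatment(t, appetite), "domain": t.control_domain}
        for t in prioritize(threats)
    ]


def statement_of_applicability(plan):
    """Step 6: the Table 1 domains in which a control was selected ('reduce')."""
    return sorted({row["domain"] for row in plan if row["treatment"] == "reduce"})


# Constructed sample register for a university (illustrative values only).
RECORDS = Asset("student records database", confidentiality=5, integrity=4, availability=3)
GATEWAY = Asset("tuition payment gateway", confidentiality=4, integrity=5, availability=5)

SAMPLE_THREATS = [
    Threat("phishing of help-desk staff", RECORDS, 4, 4,
           ("confidentiality", "integrity"), "Human Resources"),
    Threat("prolonged power outage", GATEWAY, 2, 3,
           ("availability",), "Business Continuity"),
    Threat("departing employee keeps access", RECORDS, 3, 2,
           ("confidentiality",), "Access Control"),
    Threat("visitor tailgating into office", RECORDS, 1, 2,
           ("availability",), "Physical and Environmental Security"),
]
RISK_APPETITE = 10  # assumed: management accepts scores of 10 or below


if __name__ == "__main__":
    plan = build_treatment_plan(SAMPLE_THREATS, RISK_APPETITE)
    for row in plan:
        print(f"{row['score']:>3}  {row['treatment']:<8}  {row['threat']}  [{row['domain']}]")
    print("Domains requiring controls:", statement_of_applicability(plan))
```

Running the module prints the prioritized register (scores 80, 30, 30, 6) and the two domains, Access Control and Human Resources, in which controls must be selected.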
5.2 Risk Assessment Challenges
According to Al-Ahmad and Mohammad (2013), the challenges to information security risk assessments are:
1. Absence of senior management commitment &
2. Absence of appropriate policies for information security risk management
3. Disintegrated GRC efforts
4. Improper assessments management
5. Asset ownership is either undefined or unpracticed
6. Limitations of existing automated solutions
7. Existence of several IT risk assessment frameworks
Fig 7: Risk Management Process (Source:
We have already examined the primary risk assessment challenges in an organization. Here we explore the challenges related to the nature of information security management (Ashenden, 2008):
1. Structural, process and boundary challenges
The 21st century forces information security management to face a fluid business environment. The hard boundaries of information security (geographical, physical and logical) are breaking down.
2. The human challenge
Hackers spend more time discovering vulnerabilities than information security practitioners do, and humans are difficult to manage in the context of Information
3. Changing organizational culture
We need a better understanding of the social aspects of the organization's security, especially the human element. Unluckily, humans are not machines: we cannot assume that if the same information is input and processed in the same way, the output will be the same time after time.
We would like to express our sincere thanks and gratitude to
our supervisor Dr. Azrilah AbdulAziz who has helped us on
this work.
[1] ENISA (European Network and Information Security Agency), "Risk Management / Risk Assessment" (available on-line at
[2] Walid Al-Ahmad and Bassil Mohammad. Addressing information security risks by adopting standards. International Journal of Information Security Science, 2(2):28-43, 2013.
[3] Tom Carlson, H. F. Tipton, and M. Krause. Understanding Information Security Management Systems. Auerbach Publications, Boca Raton, FL, 2008.
[4] Vladislav V. Fomin, H. Vries, and Y. Barlette. ISO/IEC 27001 information systems security management standard: exploring the reasons for low adoption. In Proceedings of the Third European Conference on Management of Technology (EUROMOT), 2008.
[5] Kwo-Shing Hong, Yen-Ping Chi, Louis R. Chao, and Jih-Hsing Tang. An integrated system theory of information security management. Information Management & Computer Security, 11(5):243-248, 2003.
[6] Ted Humphreys. State-of-the-art information security management systems with ISO/IEC 27001:2005. ISO Management Systems, 6(1), 2006.
[7] G. Pavlov and J. Karakaneva. Information security management system in organization. Trakia Journal of Sciences, 9(4):20-25, 2011.
[8] Madhav Sinha and Alan Gillies. Improving the quality of information security management systems with ISO27000. The TQM Journal, 23(4):367-376, 2011.
[9] The ISO Survey of Management System Standard Certifications 2015, system_standard_certifications_2015.pdf (Accessed: 11 December 2016).
[10] ISO/IEC 17799 (2005) "Information technology - Security techniques - Code of practice for information security management".
[11] ISO/IEC 27001 (2005) "Information technology - Security techniques - Information security management systems - Requirements".
[12] Debi Ashenden. Information security management: A human challenge? Information Security Technical Report, 13(4):195-201, 2008.
[13] I. (n.d.). The ISO Survey of Management System Standard Certifications 2015. Retrieved December 2, 2016, from
[14] S. (n.d.). Security Incident Management. Retrieved December 10, 2016,
[15] Information Security Management System ISO 27001:2005. (2015). Retrieved December 2, 2016, from http://www.tuv-
... The ISO27001 is a widely used standard for information security [18]. In terms of usability of standards in global, indicated that ISO (27001) is leading than other standards, especially on ISMS, therefore it indicated that the standard is more easily implemented and well recognized by stakeholders (top management, staff, suppliers, customers/clients, regulators), the standard introduces a cyclic model known as the "Plan-Do-Check-Act" (PDCA) model, aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS [19], thus compliance with information security standard, ISO 27001, is highly recommended with a variety of reason. ...
... Table 1 presents the results of an assessment on the information security management system of the higher education institution included in the study. Based on the data presented, seven (7) out of nineteen (19) 60 ISO27001 were all address in the higher education institutions included in the study. On the other hand, there were five (5) out of nineteen (19) indicators of ISO27001 standards were not clearly address by the higher education institutions. ...
... Based on the data presented, seven (7) out of nineteen (19) 60 ISO27001 were all address in the higher education institutions included in the study. On the other hand, there were five (5) out of nineteen (19) indicators of ISO27001 standards were not clearly address by the higher education institutions. It is evident that that the higher education institutions must consider the following indicators of ISO27001 standards in crafting policies and guidelines such as information security policy, information security risk assessment, information security risk treatment, ISMS resources and competence, awareness and communication, documented information, operational planning and control, monitoring, measurement and evaluation, internal audit, management review, corrective action and continual improvement, and Security controls since it showed non-compliance based on the survey conducted. ...
... Telecom operators have established many network infrastructures on land to provide Internet access for mobile user equipment (UE). Due to different deployment schemes of different telecom operators, multiple Radio Access Networks (RAN) around users have significantly different network states [7]. From the perspective of service performance, when RANs with different network states provide network access for services, significant performance differences will occur. ...
Full-text available
With the development of communication technology, train control operation system develops gradually, which significantly improves the reliability and efficiency of train operation. The current mobile Internet has gradually highlighted the many limitations of the mobile Internet in the high-speed mobile environment, which seriously deteriorate the service quality and user experience, and cause a waste of resources. In order to meet the real-time requirements of network communication resource scheduling in the mobile environment, aiming at the multidimensional dynamic adaptation framework constructed in a mobile environment, a service and network adaptation mechanism based on link failure state prediction is proposed in the paper. First, cross-layer theoretical analysis and actual data analysis are combined to construct a wireless link failure probability model. Then, reliable transmission requirements and transmission overhead are applied to optimize goals. Finally, simulation experiments are carried out according to the railway network data to evaluate the E-GCF adaptation algorithm. The experiment results show that compared with the current mainstream algorithms, the prediction accuracy of this adaptation algorithm is improved by 25%. The execution time of the algorithm is reduced by 9.6 seconds and the successful submission rate is as high as 99.99%. The advantages of the algorithm are significantly superior other algorithms. It proves that the research method of this paper can effectively improve the satisfaction rate and utility value of reliable transmission, as well as enhance the throughput performance. It solves the adaptation problems of frequent switching and low utilization of heterogeneous networks in a mobile environment, which contributes to the high-quality communication service of mobile network.
... They adopted the differences between attacks and the work procedure of them. The authors of [14] proposed information system security that tackled numerous types of threats that can attack these systems. While in [15], an information security system was proposed for a bank. ...
Full-text available
Nowadays, the E-payment systems have been considered to be the safe way of money transfer in most of modern institutes and companies. Moreover, the security is important side of these systems to ensure that the money transfer is done safely. Software engineering techniques are used for guaranteeing the applying of security and privacy of such systems. In this paper, a secure E-payment system is proposed based on software engineering model and neural network technology. This system uses different proposed algorithms for applying authentication to the devices of users as mobile application. They are used to control the key management in the system. It uses the neural network back-propagation method for ensuring the security of generated keys that have sufficient random levels. The proposed system is tested over numerous cases and the obtained results show an efficient performance in terms of security and money transfer. Moreover, the generated keys are tested according to NIST standards.
... According to Al-Dhahri et al (2017), information security is the science that researches the theories and strategies to provide protection for information from the risks that threaten it, and from a technical point of view it is the means, tools and procedures that must be provided to ensure the protection of information from internal and external dangers; from a legal perspective, information security is the subject of studies and measures to protect the confidentiality and integrity of the content and availability of information and combating the activities of threatening them and the exploitation of their systems in the commission of crime (computer and internet crimes). Weishäupl et al (2018) defined information security as maintaining the availability, integrity, confidentiality, ownership and utilization of information, while AlGhamdi et al (2020) defined it as the set of approved methods and means to control all types and sources of information and protect them from theft, compromise, extortion, damage, loss, forgery, and illegal, unauthorized use. ...
Current study aimed at examining the role of TQM pillars (Product, Process, Organization, Leadership and Commitment) in increasing information security within Jordanian e-libraries. Quantitative approach was adopted through distributing an online questionnaire on (113) individuals working within libraries in Jordan that has an uploaded website online and present some of it services online for clients. Results of study indicated that all TQM pillars have an influence on information security in libraries, the most influential variables appeared to be commitment and process which could be highlighted in the libraries efforts to commit to security standards and secure log ins of members, in addition to the processes adopted by IT department in the library to follow any gaps in the website and secure it from hackers and misuse, among the influential variables there appeared that leadership is very impactful especially in the level of empowerment that is granted to leaders and their awareness of the important of connecting between TQM and information security in libraries. Study recommended that university libraries in particular derive its security from the university itself because it is an integral part of the university. Therefore, the study recommends the necessity of following up the total quality standards in the university itself because it reflects the total quality in all its facilities, the most important of which is the libraries.
... Risk management is defined as the process of identifying vulnerability and threats in a framework of an organization. In addition, it will produce several measurements to minimize the impact on information resources [5]. ...
Full-text available
IT security management is essential for organizations to notice the occurring risks and opportunities because they will profoundly affect the ongoing business processes within the organization. The Satya Wacana Academic Information System, more often called SIASAT, is an IT component playing an essential role in running core business processes at Satya Wacana Christian University under the control of the Information Systems and Technology Bureau. At this time, the implementation of SIASAT has been going well, but there are still some obstacles. Lack of human resources is one of the findings and one it becomes of the most significant risks as it affects the use of infrastructure and information security. This research was conducted using the international standard ISO/IEC 27001:2013, prioritizing information security by taking a planning clause focusing on risk assessment. From the results of this study, there were nine recommendations given. Some of which were the most important, i.e., creating separated standard operating procedure documents for SIASAT, which previously were still affiliated with the Academic Administration Bureau; distributing job descriptions; and providing clear and documented access rights for everyone. It is expected that this research can reduce the occurring risks and can be considered for establishing improvements to enhance academic services in the future.
... Management information systems (MIS) are sometimes called management alert systems (management alerting systems) because these systems provide warnings to users (general management) of problems or opportunities. Another term for a MIS is a management reporting system [12]. ...
Full-text available
The development of android smartphones also plays a role in the world of education, such as the presence of android-based learning media, android-based educational information systems, and much more. If a few years ago, the academic information system was limited in the form of a website, now the academic information system has also begun to be developed on Android-based mobile devices. This is quite reasonable considering there is a myriad of advantages possessed by Android-based applications. By using an Android-based academic information system, application users can dig up information anywhere and anytime such as: Independent Lecture Schedule, Online SPP Payment (no need to queue) to fill KRS (Study Plan Card), see KHS (Study Result Card), Trusteeship, Discussions, value announcements and much more, all that can be done via a smartphone. It’s effortless, like “University Information and Communication Center in the Grip. The main advantage of developing the University Mobile Application is in terms of mobility. The application on an Android smartphone can be used anywhere and anytime. Thanks to these characteristics, Mobile Application University is the right answer to overcome obstacles in web-based or desktop-based academic information systems. With the Android-based educational information system application, information system users can access information directly from an Android smartphone. Aside from the mobility side, the development of an Android-based academic information system is also becoming increasingly optimal thanks to the smartphone’s distinctive features such as the notification feature. With the notification feature, the information will be more quickly distributed to application users. Of course, the use of an Android-based academic information system application is more effective when compared to using a web-based educational information system that must wait for users to access the web.
... Protecting the security is very important and becoming a top priority for many organizations. 74 Understanding that the vulnerabilities and security failings of the platforms are beyond the control of the mobile device application developers, there are other aspects, such as the security of the very apps which they are developing, where the responsibility must lie with them. ...
... Although organizations establish and operate regulations for preventing data leakages, current security policies have limitations in implementing effective security activities. Previous studies [4,5] that analyzed the limitations of existing security policies showed a strong impetus to protect the boundaries of organizations but an inability to prevent security attacks that occur and are fused. Further, given the rise of security incidents caused by humans, the shortcomings of human management illustrate the ineffectiveness of existing security policies. ...
Full-text available
With the continuously increasing number of data leakage security incidents caused by organization insiders, current security activities cannot predict a data leakage. Because such security incidents are extremely harmful and difficult to detect, predicting security incidents would be the most effective preventative method. However, current insider security controls and systems detect and identify unusual behaviors to prevent security incidents but produce many false-positives. To solve these problems, the present study collects and analyzes data leaks by insiders in advance, analyzes information leaks that can predict security incidents, and evaluates risk based on behavior. To this end, data leakage behaviors by insiders are analyzed through an analysis of previous studies and the implementation of an in-depth interview method. Statistical verification of the analyzed data leakage behavior is performed to determine the validity and derive the levels of leakage risk for each behavior. In addition, by applying the N-gram analysis method to derive a data leakage scenario, the levels of risk are clarified to reduce false-positives and over detection (i.e., the limitations of existing data leakage prevention systems) and make preemptive security activities possible.
Effective information asset management is the basis of information security as well as many other issues. IT risk assessments work well with the proper handling of asset values, and also it is for effectively securing information assets. There is also a wide variety of risk assessment methodologies. This chapter presents information about the overall IT risk management process and methodologies. Best practices are mentioned and occasionally compared based on the requirements of the information technology (IT) sector in practice. This chapter will provide deep knowledge about the IT risk management approach and construction to implementers, risk owners, IT auditors, executive managers, and other IT staff.
Full-text available
The paper presents a review of the policies and procedures concerning the development of an Information Security Management System in an organization. Attention is focused on the main aspects of the security process: at the conceptual level, the standards for system development; at the application level, asset identification, classification, and control. Directions are given for examining organizational assets and alternative controls, together with recommendations on the main criteria in security management. Information is one of the most valuable assets of an organization; the corresponding system, the Information Security Management System (ISMS), is therefore a very important part of the business management system of every organization. The main objectives of an ISMS are to ensure the confidentiality, integrity, and availability of the organization's information. Access to information assets is managed through specific rules, according to roles and privileges. The importance of a unified information security management process drives the creation of standard mechanisms and procedures, and of dedicated organizational structures, for its implementation. The basic activities also include the means and tools for the deployment, monitoring, analysis, maintenance, and modification of the ISMS.
In this paper we attempt to find the reasons for the low adoption of the international standard ISO/IEC 27001 on information security management. We benchmark ISO/IEC 27001 against the two other widely applied management system standards, ISO 9001 for quality management and ISO 14001 for environmental management. We show that, besides low adoption rates, the ISO/IEC 27001 standard has received significantly less interest from academia, as measured by the number of scholarly publications on the topic. We compare the reasons for applying ISO/IEC 27001 with those for ISO 9001, and conclude by listing possible drivers of and barriers to the standard's diffusion and by suggesting a roadmap for future research on the topic.
With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have attracted a great deal of attention from both academia and practitioners. However, a theoretical framework for information security management is lacking. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory, and contingency theory in order to build a comprehensive theory of information security management (ISM). The paper suggests that such an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.
The recently published ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, provides a foundation for designing and deploying a management system for information security to prevent a variety of business-threatening risks such as the following:
• financial losses and damages;
• loss of the organization's intellectual capital and intellectual property rights;
• loss of market share;
• poor productivity and performance ratings;
• ineffective operations;
• inability to comply with laws and regulations; and even
• loss of image and reputation.
ISO/IEC 27001:2005 specifies the requirements and processes for enabling a business to establish, implement, review and monitor, manage and maintain effective information security. Like ISO 9001:2000, it is built on the Plan-Do-Check-Act (PDCA) process cycle model (see Figure 1 for the ISMS version of
Here is advice on implementing ISO/IEC 27001 gleaned from a question-and-answer session with John Snare (Fujitsu, Australia), one of the co-editors of the standard.
This paper considers to what extent the management of Information Security is a human challenge. It suggests that the human challenge lies in accepting that individuals in the organisation have not only an identity conferred by their role but also a personal and social identity that they bring with them to work. The challenge that faces organisations is to manage this while trying to achieve the optimum configuration of resources in order to meet business objectives. The paper considers the challenges for Information Security from an organisational perspective and develops an argument that builds on research from the fields of management and organisational behaviour. It concludes that the human challenge of Information Security management has largely been neglected and suggests that to address the issue we need to look at the skills needed to change organisational culture, the identity of the Information Security Manager and effective communication between Information Security Managers, end users and Senior Managers.
Purpose – The ISO27001 standard provides a model for "establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)". This paper considers the global adoption of the ISO27000 series of standards and compares it with the adoption rates for ISO9000 and ISO14000. The paper also compares the barriers to adoption for the different standards. Design/methodology/approach – Previous studies suggest that ISO27001 adoption is slower than for the other standards: the uptake of ISO27001 has lagged behind the related management system standards ISO9001 and ISO14001, with approximately half the number of certifications of ISO14001. In response to the issues raised in this analysis, the paper considers how an approach based on a maturity model can help overcome these barriers, especially in smaller companies. Findings – The 2008 survey of ISO27001-certificated companies found that 50 per cent of the certificated organisations that responded had fewer than 200 employees and were therefore in the SME category. Perhaps more surprisingly, around half of these had fewer than 50 employees. The framework uses the ISO27002 code of practice to define the elements that should be considered within the ISMS. Each element is then developed through a maturity model lifecycle until its processes reach the point where an ISO27001-compliant ISMS can be implemented. Originality/value – The principal contribution of the paper is a step-by-step framework designed to simplify the process for organisations working towards ISO27001 and to offer significant benefits at milestones before systems are mature enough to achieve certification.