Improving the quality of information security management systems with ISO27000

Alan Gillies
Hope Street Centre, Liverpool, UK

Abstract

Purpose

The ISO27001 standard provides a model for “establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)”. This paper considers the global adoption of the ISO27000 series of standards, compares it with the adoption rates for ISO9000 and ISO14000, and compares the barriers to adoption for the different standards.

Design/methodology/approach

Previous studies suggest that ISO27001 adoption is slower than for the related management system standards ISO9001 and ISO14001; ISO27001 has attracted approximately half as many certifications as ISO14001. In response to the issues raised in this analysis, the paper considers how an approach based on a maturity model can be used to help overcome these barriers, especially in smaller companies.

Findings

The 2008 survey of ISO27001-certificated companies found that 50 per cent of the certificated organisations which responded had fewer than 200 employees, and were therefore in the SME category. Perhaps more surprisingly, around half of these had fewer than 50 employees. The framework uses the ISO27002 code of practice to define the elements which should be considered within the ISMS. Each element is then developed through a maturity model lifecycle, so that its processes reach the point where an ISO27001-compliant ISMS can be implemented.

Originality/value

The principal contribution of the paper is a step-by-step framework designed to simplify the process for organisations working towards ISO27001 and to offer significant benefits at milestones before systems are mature enough to achieve certification.

References

Backhouse, J., Hsu, C.W. and Silva, L. (2006), “Circuits of power in creating de jure standards: shaping an international information systems security standard”, MIS Quarterly, Vol. 30 (special issue: Standard making: a critical research frontier for information systems research), pp. 413-38.

BS ISO (2005a), “BS ISO 27001 Information technology – security techniques – information security management systems – requirements”, British Standards Institute, London, ISBN 0 580 46781 3.

BS ISO (2005b), “BS ISO 27002 Information technology – security techniques – code of practice for information security management”, British Standards Institute, London, ISBN 978 0 580 59729 9 (identifier of standard renumbered from (BS) ISO/IEC 17799 to (BS) ISO/IEC 27002, July 2007).

Certification Europe (2008), ISO 27001 Global Survey: The Facts and the Figures Underlying the Growth of ISO 27001 World-wide, Certification Europe, Dublin.

Data Protection Act (1998), Chapter 29, The Stationery Office, London.

Davis, C., Gillies, A.C., Smith, P. and Thompson, J.B. (1993), “Current quality assurance practice amongst software developers in the UK”, Software Quality Journal, Vol. 2 No. 3, pp. 145-61.

European Parliament (1995), “On the protection of individuals with regard to the processing of personal data and on the free movement of such data”, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Official Journal L 281, 23 November, pp. 0031-50.

Fomin, V.V., Kaunas, L., de Vries, H.J.Y. and Barlette, Y. (2008), “ISO/IEC 27001 information systems security management standard: exploring the reasons for low adoption”, paper presented at the 3rd European Conference on Management of Technology, Industry-University Collaborations in Techno Parks, Nice, France, September 2008.

Gillies, A.C. (2008), “The legal and ethical changes in the NHS landscape accompanying the policy shift from paper-based health records to electronic health records”, Studies in Ethics, Law and Technology, Vol. 2 No. 1, p. 4.

Howard, J. (2010), “Competent to innovate: an approach to personal development to improve innovation competency in SMEs”, Proceedings of the 5th European Conference on Entrepreneurship & Innovation, Athens, Greece, in press.

Howard, J. and Gillies, A.C. (2009), “Knowledge to innovate: developing a tool to assess and assist the development of the capacity to innovate in small and medium-sized enterprises”, Proceedings of the 4th European Conference on Entrepreneurship & Innovation, Antwerp, Belgium, pp. 206-14.

Humphrey, W.S. (1987), “Characterising the software process: a maturity framework”, Software Engineering Institute, CMU/SEI-87-TR-11, DTIC Number ADA182895.

Humphrey, W.S. (1989), Managing the Software Process, Addison-Wesley, Reading, MA.

Paulk, M.C. (1995), “How ISO 9001 compares with the CMM”, IEEE Software, Vol. 12 No. 1, pp. 74-83.

Rodríguez-Escobar, J.A., Gonzalez-Benito, J. and Martínez-Lorente, A.R. (2006), “An analysis of the degree of small companies' dissatisfaction with ISO 9000 certification”, Total Quality Management & Business Excellence, Vol. 17 No. 4, pp. 507-21.

Saint-Germain, R. (2005), “Information security management best practice based on ISO/IEC 17799”, Information Management Journal, Vol. 39 No. 4, pp. 60-6.

Shewhart, W.A. (1939), Statistical Method from the Viewpoint of Quality Control (out of print; most recent edition: 1987, Dover Publications).

von Solms, B. and von Solms, R. (2005), “From information security to … business security”, Computers & Security, Vol. 24 No. 4, pp. 271-3.