On the Track of ISO/IEC 27001:2013 Implementation Difficulties in Portuguese Organizations
The security standard ISO/IEC 27001 provides guidance to help organizations establish adequate best practices in information security management, specifying requirements that enable the appropriate selection and implementation of security controls. This standard assists organizations in protecting their information assets and achieving adequate levels of security, thus helping them succeed in their business goals. Currently, an increasing number of Portuguese organizations seek to comply with the ISO/IEC 27001:2013 standard and obtain the respective certification. This paper presents the results of research conducted to detail the main difficulties and limitations evidenced by Portuguese organizations while meeting the ISO/IEC 27001:2013 standard. Moreover, this paper discusses the results obtained, to better understand the progress and status quo of the standard's implementation. From the research conducted it can be seen that organizations are becoming heavily concerned with information security issues, mainly due to the recent cybersecurity incidents that have occurred. Additionally, certification is recognized as an important instrument to give confidence and demonstrate to all of an organization's customers, suppliers and stakeholders that information security components are verified and organized within the organization.