Business Impacts of International Standards for Information Security Management. Lessons from Case Companies

This paper describes the business impact of two international standards for information security management: ISO/IEC 27001 (the certifiable requirements for an information security management system) and ISO/IEC 27002 (the accompanying code of practice for security controls). Six company cases show that the companies had different reasons for implementing these standards but achieved most of their objectives. Benefits included improved service quality, higher customer satisfaction and, in some cases, new business opportunities. A number of common success factors determine whether these objectives, and the financial and non-financial benefits that follow from them, are actually realised. The lessons learnt from these cases can help other companies reap similar benefits.
