Abstract
ISO/IEC 17799 is a standard governing Information Security Management. Formalised in the 1990s, it has not seen the take-up of accreditations that might be expected by comparison with accreditation figures for other standards such as the ISO 9000 series. This paper examines why this may be the case by investigating what has driven accreditation under the standard in 18 UK companies, representing a fifth of the companies accredited at the time of the research. An initial literature review suggests that adoption could be driven by external pressures, or simply by an objective of improving operational and competitive performance. It points to the need to investigate the influence of Regulators and Legislators, Competitors, Trading Partners and Internal Stakeholders on the decision to seek accreditation.
An inductive analysis of the reasons behind adoption of accreditation and its subsequent benefits suggests that competitive advantage is the primary driver of adoption for many of the companies we interviewed. We also find that an important driver of adoption is that the standard enabled organisations to access best practice in Information Security Management, thereby facilitating external relationships and communication with internal stakeholders. Contrary to the accepted orthodoxy and to what could be expected from the literature, increased regulation and the need to comply with codes of practice are not seen as significant drivers by the companies in our sample.
© 2005 International Federation for Information Processing
Ezingeard, JN., Birchall, D. (2005). Information Security Standards: Adoption Drivers (Invited Paper). In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_1
DOI: https://doi.org/10.1007/0-387-31167-X_1
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8