
Enhancing Information Security Management in Small and Medium Enterprises (SMEs) Through ISO 27001 Compliance

Conference paper. Advances in Information and Communication (FICC 2024).

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 920)

Abstract

The ISO 27001 standard is a crucial framework for establishing Information Security Management Systems (ISMS) in organizations, irrespective of their size or sector. Its core objective is safeguarding information confidentiality, integrity, and availability through security controls and regular audits. ISO 27001 certification assures stakeholders of effective security control implementation and sensitive data management. Implementing ISO 27001 is ideal for ensuring information security but can be cost-prohibitive due to the need for process improvements, role adaptations, and a lengthy implementation process. Smaller organizations, such as SMEs, often struggle to afford the associated expenses. Consequently, many organizations opt for practical yet incomplete information security solutions. However, adopting ISO 27001 can be a valuable tool for managing information security without incurring substantial costs. This research explores how organizations can utilize ISO 27001 as a strategic tool to enhance information security management without immediate full-scale implementation. This approach provides a stepping stone towards eventual ISO 27001 certification, allowing organizations to gradually improve their information security capabilities while managing costs effectively.



Acknowledgment

We wish to express our sincere gratitude to the Pontificia Universidad Católica del Ecuador for their support of our research, which was conducted as part of the activities of the Applied Information Systems and Technologies research group (SITECIA), registered under GI-Quito-071-2022. Furthermore, we extend our heartfelt appreciation to the Anonymous Reviewers whose thoughtful and constructive recommendations greatly enhanced the quality of this paper. Their expertise and feedback played a pivotal role in refining our research and ensuring its rigor and credibility.

Author information

Corresponding author: Henry N. Roa.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Mera-Amores, F., Roa, H.N. (2024). Enhancing Information Security Management in Small and Medium Enterprises (SMEs) Through ISO 27001 Compliance. In: Arai, K. (eds) Advances in Information and Communication. FICC 2024. Lecture Notes in Networks and Systems, vol 920. Springer, Cham. https://doi.org/10.1007/978-3-031-53963-3_14
