Abstract
The ISO 27001 standard is a crucial framework for establishing Information Security Management Systems (ISMS) in organizations, irrespective of their size or sector. Its core objective is safeguarding information confidentiality, integrity, and availability through security controls and regular audits. ISO 27001 certification assures stakeholders of effective security control implementation and sensitive data management. Implementing ISO 27001 is ideal for ensuring information security but can be cost-prohibitive due to the need for process improvements, role adaptations, and a lengthy implementation process. Smaller organizations, such as SMEs, often struggle to afford the associated expenses. Consequently, many organizations opt for practical yet incomplete information security solutions. However, adopting ISO 27001 can be a valuable tool for managing information security without incurring substantial costs. This research explores how organizations can utilize ISO 27001 as a strategic tool to enhance information security management without immediate full-scale implementation. This approach provides a stepping stone towards eventual ISO 27001 certification, allowing organizations to gradually improve their information security capabilities while managing costs effectively.
Acknowledgment
We wish to express our sincere gratitude to the Pontificia Universidad Católica del Ecuador for their support of our research, which was conducted as part of the activities of the Applied Information Systems and Technologies research group (SITECIA), registered under GI-Quito-071-2022. Furthermore, we extend our heartfelt appreciation to the Anonymous Reviewers whose thoughtful and constructive recommendations greatly enhanced the quality of this paper. Their expertise and feedback played a pivotal role in refining our research and ensuring its rigor and credibility.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Mera-Amores, F., Roa, H.N. (2024). Enhancing Information Security Management in Small and Medium Enterprises (SMEs) Through ISO 27001 Compliance. In: Arai, K. (eds) Advances in Information and Communication. FICC 2024. Lecture Notes in Networks and Systems, vol 920. Springer, Cham. https://doi.org/10.1007/978-3-031-53963-3_14
DOI: https://doi.org/10.1007/978-3-031-53963-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-53962-6
Online ISBN: 978-3-031-53963-3
eBook Packages: Intelligent Technologies and Robotics (R0)