Improving the quality of information security management systems with ISO27000

The ISO27001 standard provides a model for “establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)”. This paper seeks to consider the global adoption of the ISO27000 series of standards, and to compare them with the adoption rates for ISO9000 and ISO14000. The paper aims to compare the barriers to adoption for the different standards.

Previous studies suggest that ISO27001 adoption is slower than for the other standards. The uptake of ISO27001 has been slower than the related management system standards ISO9001 and ISO14001, with approximately half the certifications compared with ISO14001. In response to the issues raised in this analysis, the paper considers how an approach based on a maturity model can be used to help overcome these barriers, especially in smaller companies.

The 2008 survey of ISO27001‐certificated companies found that 50 per cent of the certificated organisations which responded had fewer than 200 employees, and were therefore in the SME category. Perhaps more surprisingly, around half of these had fewer than 50 employees The framework has used the ISO27002 code of practice to define the elements, which should be considered within the ISMS. Each element is then developed through a maturity model lifecycle to develop processes to the point where an ISO27001‐compliant ISMS can be implemented.

The principal contribution of the paper is a step‐by‐step framework designed to simplify the process for organisations working towards ISO27001 and offer significant benefits at milestones before systems are mature enough to achieve certification.