Forecasting the diffusion of ISO/IEC 27001: a Grey model approach

Purpose – The aim of this paper is to present the first diffusion analysis of ISO/IEC 27001, the fourth most popular ISO certification at global level and the most important standard for information security.
Design/methodology/approach – To achieve the purposes, the authors applied Grey Models (GM) – Even GM (1,1), Even GM (1,1,α,θ), Discrete GM (1,1), Discrete GM (1,1,α) – complemented by the relative growth rate and the doubling time indexes on the six most important countries in terms of issued certificates.
Findings – Results show that a growing trend is likely to be expected in the years to come and that China will lead at country level.
Originality/value – The study contributes to the scientific debate by presenting the first diffusive analysis of ISO/IEC 27001 and by proposing a forecasting approach that to date has found little application in the field of international standards.


Introduction
Over the last years, information security (IS) has become one of the main managerial priorities. The implementation of digital technologies and the switch to smart working practices are increasing the vulnerability of firms' networks (e.g. Contieri et al., 2022; Koohang et al., 2020). This is also testified by the growing interest in the ISO/IEC 27001 information security management standard: prominent technology providers (e.g. Apple and Microsoft) but also companies belonging to the old economy (e.g. Stellantis and General Electric) have already decided for its adoption (Culot et al., 2021).
Consistently with other management system standards (e.g. ISO 9001, ISO 14001), ISO/IEC 27001 builds on a process-oriented approach based on formalization and systematization: it introduces a structured framework aimed at ensuring integrity, availability and confidentiality of the information that is maintained and processed by an organisation (Zimon et al., 2022; Rebelo et al., 2014; Gillies, 2011). In doing this, the norm does not impose any specific technological approach or requirement. Rather, it calls for a continuous exploration of available solutions related to logical, physical and organisational aspects of information security, this way integrating both operational practices and technologies. Despite the relevance of the topic, extant research has highlighted several aspects that may hinder the diffusion of the norm (e.g. lack of clarity on the outcomes of ISO/IEC 27001 adoption, potential competition with other standards, implementation failure). As a result, 15 years after ISO/IEC 27001 enactment, the number of issued certificates (85,000 as of 2020) is still lagging when compared with other management systems (e.g. over the same period ISO 9001 and ISO 14001 were recording, respectively, 560,000 and 245,000 valid certificates; ISO, 2021).
Against this background, the main aim of this paper is to open the debate on the future diffusion patterns of ISO/IEC 27001. Studies exploring standards dissemination can shed light on a complex phenomenon affected by factors such as regulatory background, economic structure, stakeholder pressures and governmental incentives (Podrecca et al., 2022a). Moreover, according to Castka and Corbett (2015), research focused on long-term adoption patterns is usually neglected in the early stages of management system standards, as available data are usually limited. Nearly two decades after ISO/IEC 27001 enactment, we therefore believe that investigating future trajectories could also disclose any similarities between dissemination patterns of ISO/IEC 27001 and those of other more mature norms, thus highlighting potential critical issues of the standard under examination.
To achieve our purpose, we shed light on the diffusion process of ISO/IEC 27001 certifications up to 2030 for the six countries with the highest number of adherents (i.e. Japan, UK, India, China, Germany and Italy).
The remainder of the manuscript is structured as follows. Section 2 provides an overview of the relevant literature. Section 3 introduces the adopted methodology. Section 4 presents and discusses the findings. Finally, conclusions, contributions and limitations of the paper are highlighted in section 5.

Literature review
Our study builds on three main research streams: literature on ISO/IEC 27001, studies investigating the diffusion of international management standards and methodological papers on Grey models.

ISO/IEC 27001
Enacted in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as an evolution of the British norm BS 7799, ISO/IEC 27001 has currently become the most prominent standard in the field of information security (Culot et al., 2021). It "[...] specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organization" (ISO/IEC 27001:2013, p. 1). Consistently with other ISO norms (e.g. ISO 9001, ISO 14001), the standard is applicable to all companies without any precondition in terms of size, nature, or industry; ISO/IEC 27001 is not only intended for firms having a high digital maturity level since it does not require any specific security technology. The norm shares the same principles as other ISO standards such as risk-based thinking, process orientation and a continuous improvement logic based on a plan-do-check-act (PDCA) approach. In terms of structure, ISO/IEC 27001 consists of ten chapters (the first three introduce the standard, the other seven define the requirements for setting up and running an ISMS) complemented by a list of controls (Annex A).
Given the pivotal role played by data in both today's economy and society, the norm has attracted the interest of several scholars. Culot et al. (2021) provide a systematic literature review on ISO/IEC 27001 highlighting that research on the topic has moved around three main areas: motivations, implementation process and outcomes.
As for the motivations, scholars have highlighted both institutionalist (i.e. firms embrace ISO/IEC 27001 to achieve a formal certification to qualify in the eyes of external stakeholders) and functionalist (i.e. firms resort to the standard to improve their activities/processes) drivers. In terms of institutionalist motivations, extant research (e.g. Stewart, 2018) reports that ISO/IEC 27001 is adopted to improve the corporate image and attract more customers. Other studies argue that ISO/IEC 27001 is also implemented due to isomorphic phenomena or as a response to specific client requests (e.g. Raabi et al., 2020). In this latter case, however, scholars (e.g. Cowan, 2011) have also warned that firms may decide to adhere only to some requirements of the standard (i.e. those explicitly requested by their customers) without achieving formal certification. Moving to the functionalist aspects, the main drivers are related to expectations around improved information security capabilities and skills and increased efficiency of information security-related processes (e.g. Annarelli et al., 2020).
For what concerns the implementation process, several studies stress that ISO/IEC 27001 adoption requires a significant amount of resources. In particular, companies need to invest considerable staff time in activities and meetings related to the set-up/configuration of the information management system (e.g. Pardo et al., 2016), and relevant costs are reported in case organizations decide to resort to the help of external consultants (e.g. Rezaei et al., 2014). When it comes to the specific controls that firms should implement, extant research has also highlighted that the norm provides only limited advice on their mutual interdependence and a lack of guidance on cost/benefit assessments in their selection (e.g. Ho et al., 2015). Similarly, relevant difficulties have been highlighted as regards potential relationships between the organization and the external environment; many implementations fail because of an unstructured approach to shared assets and difficult identification of the organizations' dependencies on outsourced services (e.g. Stewart, 2018).
Moving to the outcomes of ISO/IEC 27001 adoption, the literature highlights lower IS risk levels (e.g. Al-Karaki et al., 2022) and improved business continuity (e.g. Rezaei et al., 2014) with consequent reduction of expenditures stemming from legal costs and bad news (e.g. due to data leaks; Bakar et al., 2015). Scholars have also argued that the structured approach to information-related activities/processes demanded by ISO/IEC 27001 could result in clearer roles and accountabilities and fewer redundancies (e.g. Annarelli et al., 2020). Moreover, ISO/IEC 27001 can be considered a "ticket to the market" for exporting firms, in particular when they conduct their activities in contexts characterized by high diffusion degrees (e.g. Dionysiou, 2011) and for vendors located in offshored countries (e.g. India, Taiwan, Singapore), as it allows companies to show their international customers the care paid in ensuring data protection (e.g. Hlača et al., 2008). Despite these positive implications, the formalization required by some of the ISO/IEC 27001 dictates has also been connected to flexibility losses with negative implications for both labour productivity and the ability to fulfil customers' requests (Crowder, 2013; van Wessel et al., 2011). As a result, concerns related to potential side effects on firms' profitability have been raised too (Tejay and Shoraka, 2011). Furthermore, some studies (e.g. Culot et al., 2019) have questioned the potential differentiating role of the standard, arguing that it only provides limited reputational benefits.
To conclude, it is worth acknowledging the specific context in which the empirical studies on ISO/IEC 27001 have been conducted [1]. Most of the authors (4 contributions) investigate issues related to US companies (Tarn et al., 2009; Tejay and Shoraka, 2011; Deane et al., 2019; Podrecca et al., 2022b). German organizations have been considered in three papers (Beckers et al., 2013; Mirtsch et al., 2020, 2021). Spain (Pardo et al., 2013; Mesquida et al., 2014), Iran (Rezaei et al., 2014; Khajouei et al., 2017), Taiwan (Ku et al., 2009; Liao and Chueh, 2012) and Turkey (Başaran, 2016; Ozkan and Karabacak, 2010) follow with two contributions each. Surprisingly, except for the German case, the focus of the studies is not consistent with the diffusion of the standard; many of the countries with the highest number of issued ISO/IEC 27001 certificates (ISO, 2021) have never been considered (e.g. Japan, India) or have been included only in studies resorting to a multi-country perspective (e.g. UK, China, Netherlands: van Wessel et al., 2011; UK, Italy: Annarelli et al., 2020). Against this background, characterized by the emergence of some controversial aspects that may hinder ISO/IEC 27001 adoption (e.g. avoidance of formal certification by firms, implementation failures due to lack of guidance on control selection and shared assets, lack of clarity around the outcomes of the adoption) and by discrepancies between the countries investigated in empirical studies and those recording the highest number of issued ISO/IEC 27001 certificates, a prominent need exists to investigate ISO/IEC 27001 future trajectories and to compare them with those of more mature and widespread management standards (i.e. ISO 9001, ISO 14001). As we will see in the next section, the diffusion patterns of these standards have been widely investigated, while a specific study on ISO/IEC 27001 is still missing.

Diffusion studies
The first studies analysing the (long-term) diffusion patterns of international standards appeared in the early 2000s when Franceschini et al. (2004) noticed that their adoption follows an S-shaped (sigmoid) curve divided into three different phases: an initial exponential growth (expansion) due to the firms' desire to give formal evidence of their commitment towards a specific topic (e.g. quality assurance, sustainability, social responsibility), a subsequent phase (maturation) characterised by a linear growth, and a last phase (retrocession) in which the interest reaches its peak and becomes stable, gradually moving towards saturation.
The abovementioned patterns are close to those of population growth in environments with scarce resources (Pearl, 1978) and innovation adoption (Gurbaxani, 1990), i.e. two topics extensively studied by applying diffusion models like Verhulst (logistic) and Gompertz curves. Franceschini et al. (2004) used these models to study diffusive patterns of some international management standards. Firstly, they resorted to Verhulst's equation to shed light on ISO 9001 dissemination across Europe. Subsequently, other scholars showed that the estimates of diffusive models can describe adoption trends of other standards (e.g. ISO 14001, SA8000, Global Reporting Initiative (GRI), United Nations Global Compact) both at country and industry level (i.e. shedding light on the dissemination of international standards in specific countries and industries) (see Table 1).
A slightly different technique has, instead, been adopted by the most recent contributions (Ikram et al., 2019, 2021). In particular, scholars have started to investigate the future diffusion of international standards using more sophisticated approaches, namely Grey models. When compared with Verhulst and Gompertz curves, the Grey method can provide several benefits such as high accuracy of the forecasts (e.g. several contributions based on logistic approaches underestimated the number of issued certificates) against a reduced computational effort (Liu et al., 2017; Javed and Liu, 2018). The next section provides a review of extant research on Grey models highlighting their characteristics, previous usage for research purposes and main limitations.

Grey models
First introduced in the '80s by the Chinese scholar Julong Deng, Grey models are a data-driven intelligent time-series forecasting technique that is particularly useful in the study of samples characterized by reduced size, poor information and uncertainty (Liu et al., 2016); three limitations that usually affect studies dealing with the diffusion of management system standards (Ikram et al., 2019, 2021). The main characteristic of this forecasting approach is the capability of "extracting useful information from what is available" (Liu et al., 2015, p. 141); this way the law describing the system can be effectively explained and quantitative predictions can be made.
Starting from the original first-order, one-variable Grey Model (1,1), GM (1,1), over the last 40 years the research on the grey forecasting technique has been particularly active due to both practical needs and its applicability to a wide range of situations. This has led to the development of four basic forms of GM (1,1), namely Even Grey Model (1,1), EGM (1,1); Original Difference Grey Model (1,1), ODGM (1,1); Even Difference Grey Model (1,1), EDGM (1,1); and Discrete Grey Model (1,1), DGM (1,1). Without entering into the specifics, we rely on the classification of Liu et al. (2015), which argues that ODGM, EDGM and DGM are more useful in the case of homogeneous exponential sequences of data, while EGM describes well non-exponential increasing and vibration (i.e. data moving around a reference value) sequences of data. Building on these basic forms, many contributions have focused on the characteristics of the models (e.g. Ji et al., 2001); on optimizing the parameters of the models (e.g. Jie and Bo, 2012); on strategies aimed at improving the initial values included in the models (e.g. Dang et al., 2005); and on identifying the application boundaries of the different models (e.g. Xie and Liu, 2006). As a result, the different (1,1) models have been used in a wide range of fields including agriculture (e.g. Li et al., 2022), tourism (Dang et al., 2020), energy (Javed and Cudjoe, 2022) and management (Ikram et al., 2021). Additional improvements in the discipline have led to the development of Grey (1,N) models. In (1,N) models the forecasted values depend not only on the sequence of original data of the dimension being estimated (e.g. the number of issued certificates), but scholars can also include some (independent) variables to investigate the sensitivity of the results to some contextual factors of interest (e.g. they can introduce the GDP growth to take into account the effect of the general economic situation) (Liu et al., 2017). Despite the accuracy improvements achievable thanks to (1,N) models, two main drawbacks hinder their large-scale applicability for prediction purposes (Ofosu-Adarkwa et al., 2020). First, these models can be used for predicting future values only when the original data vary slightly. Second, their estimates are based on the original data sequence of the relevant factors (i.e. suppose we want to estimate ISO/IEC 27001 diffusion up to 2030: we would need the values of the independent variables up to 2030, which is not feasible). For such reasons, scholars resorting to Grey models to estimate the future trends of international management standards have always adopted (1,1) models (Ikram et al., 2019, 2021).

Dataset and modelling approach
The dataset used in this paper comes from the list of ISO/IEC 27001 issued certifications available on the ISO website (ISO, 2021). Analysed data refer to the period from 2010 to 2020 and, consistently with extant research (e.g. Ikram et al., 2019, 2021), consider the six countries with the highest number of certified organizations (i.e. Japan, China, UK, India, Germany, Italy).
As previously argued, when compared with traditional Verhulst and Gompertz equations, Grey models provide several benefits including the higher reliability of the forecasts and the possibility to present the results in a simple mathematical form (Liu et al., 2017). Hence, we resorted to (1,1) Grey models to investigate the diffusion patterns of ISO/IEC 27001. Based on the classification of Liu et al. (2015) described in the previous section and considering the characteristics of the data, we decided to use both a model suitable for exponential sequences and a model useful for non-exponential increasing sequences. While EGM (1,1) was the only available model for non-exponential increasing sequences (Liu et al., 2015), in terms of exponential sequences we preferred DGM (1,1) rather than ODGM (1,1) or EDGM (1,1). This is because over the last years many scholars have proposed variations to the DGM (1,1) estimation algorithm aimed at improving its forecasting performance. As such, in line with the most recent contributions (e.g. Javed et al., 2020; Javed and Cudjoe, 2022), the Even Grey model, EGM (1,1), the Discrete Grey model, DGM (1,1), and their generalized versions, EGM (1,1,α,θ) and DGM (1,1,α), were selected [2].

3.2 Grey models

3.2.1 DGM (1,1) and EGM (1,1)
Consider a sequence of raw data

$$X^{(0)} = \left(x^{(0)}(1),\; x^{(0)}(2),\; \ldots,\; x^{(0)}(n)\right), \qquad x^{(0)}(k) \ge 0 \qquad (1)$$

Its direct use is not appropriate in grey models, as raw data are usually characterized by significant noise, and this decreases the forecast accuracy (Liu et al., 2017). To solve the issue, Deng (2004) introduced the concept of "accumulation of raw data". In the classical DGM (1,1) and EGM (1,1) the data accumulation is usually performed with the "once accumulating generation operator", usually called 1-AGO (i.e. a cumulative sum operator) (Liu et al., 2017). Therefore, the 1-AGO of the sequence of raw data (1) results in

$$x^{(1)}(k) = \sum_{i=1}^{k} x^{(0)}(i), \qquad k = 1, 2, \ldots, n \qquad (2)$$

The 1-AGO sequence of data is then introduced in the DGM (1,1) and EGM (1,1) to forecast the desired values.

3.2.1.1 DGM (1,1)
The time-response function of $X^{(0)}$ (i.e. the formula that provides the forecasts) for the DGM (1,1), the discrete form of a first-order single-variable Grey model, is (Zhao et al., 2018)

$$\hat{x}^{(0)}(k) = (\beta_1 - 1)\left(x^{(0)}(1) - \frac{\beta_2}{1 - \beta_1}\right)\beta_1^{\,k-2}, \qquad k = 2, 3, \ldots, n \qquad (3)$$

in which $\hat{x}^{(0)}(1) = x^{(1)}(1) = x^{(0)}(1)$. To estimate the parameters $\beta_1$ and $\beta_2$, an ordinary least squares (OLS) approach can be adopted (Zhao et al., 2018).

3.2.1.2 EGM (1,1)
The time-response function of $X^{(0)}$ (i.e. the formula that provides the forecasts) for the EGM (1,1), the even form of a first-order single-variable Grey model, is (Liu et al., 2017)

$$\hat{x}^{(0)}(k) = (1 - e^{a})\left(x^{(0)}(1) - \frac{b}{a}\right)e^{-a(k-1)}, \qquad k = 2, 3, \ldots, n \qquad (5)$$

in which $\hat{x}^{(0)}(1) = x^{(1)}(1) = x^{(0)}(1)$. To estimate the parameters $a$ and $b$, an ordinary least squares (OLS) approach can be adopted (Liu et al., 2017).

Although the concept of 1-AGO is widely adopted, it presents some limitations that might worsen the prediction performance of GM (1,1) models. In particular, the models resulting from Deng's (2004) definition of 1-AGO are linear models and thus they are oversimplified for many real applications in which diffusion patterns may accelerate or slow down over time. This issue prompted researchers to propose alternative operators for data accumulation. One of the most successful attempts was made by Ma et al. (2020), who proposed the conformable fractional accumulation of raw data and the inverse conformable accumulation of simulated data. The fractional-order accumulation allows considering nonlinearity in data (i.e. it accounts for any potential increase or decrease in the diffusion rate of the phenomenon being investigated) and thus improves the reliability of the model and its adherence to reality (Javed and Cudjoe, 2022).

Forecasting performance evaluation
To evaluate the forecasting performance of the four models we resorted to the Mean Absolute Percentage Error (MAPE), defined as follows:

$$\mathrm{MAPE} = \frac{1}{n}\sum_{k=1}^{n}\frac{\left|x(k) - \hat{x}(k)\right|}{x(k)} \times 100\%$$

where $x(k)$ and $\hat{x}(k)$ represent, respectively, the actual observation and the predicted (forecasted) value. MAPE is one of the most widely adopted measures of goodness-of-fit and has already been used in different contexts (see for example Ikram et al., 2019, 2021; Javed et al., 2020). According to the Lewis scale (Lewis, 1982), MAPE values can be interpreted as follows (Table 2).

Growth analysis and doubling time
To complement our analyses, two additional indicators were used: the Relative Growth Rate (RGR) and the Doubling time (Dt). The first was employed to shed light on the country-wise relative growth of ISO/IEC 27001 certificates; the second to understand the time needed to double the number of ISO/IEC 27001 certificates. Previous adoption of these indexes can be found, among others, in Javed and Liu (2018).
RGR is defined as (Javed and Liu, 2018):

$$\mathrm{RGR} = \frac{\ln N_2 - \ln N_1}{t_2 - t_1}$$

where $N_2$ and $N_1$ are the cumulative numbers of ISO/IEC 27001 certifications in years $t_2$ and $t_1$. By considering $(t_2 - t_1)$ equal to 1 year, the above equation can be written as:

$$\mathrm{RGR} = \ln N_2 - \ln N_1 = \ln\frac{N_2}{N_1}$$

Moving to the Doubling time (Dt), the underlying equation is given as (Javed and Liu, 2018):

$$D_t = \frac{(t_2 - t_1)\,\ln 2}{\ln N_2 - \ln N_1}$$

Similarly to the RGR, $(t_2 - t_1)$ is equal to one year. Therefore, the Dt equation becomes:

$$D_t = \frac{\ln 2}{\ln N_2 - \ln N_1} = \frac{0.693}{\mathrm{RGR}}$$
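The following is an added worked example, not code from the paper or its authors: it implements the 1-AGO, the DGM (1,1) and EGM (1,1) time-response functions of section 3.2.1, the MAPE of section 3.3 and the RGR and Dt indexes above on a constructed yearly certificate series (not the ISO data). The least-squares set-up for the parameters is the standard one for these models and is assumed here, since the paper's estimation matrices are not reproduced on this page: $x^{(1)}(k+1) = \beta_1 x^{(1)}(k) + \beta_2$ for DGM (1,1), and $x^{(0)}(k) + a\,z^{(1)}(k) = b$ with $z^{(1)}(k)$ the mean of two consecutive 1-AGO values for EGM (1,1).

```python
"""Grey (1,1) forecasts with MAPE, RGR and doubling time (added example, not the paper's code)."""
import math


def ago(x0):
    """1-AGO (once accumulating generation operator): running cumulative sum of the raw series."""
    acc, total = [], 0.0
    for v in x0:
        total += v
        acc.append(total)
    return acc


def _ols2(u, y):
    """Least-squares fit of y ~ p1*u + p2 using the 2x2 normal equations (no numpy needed)."""
    n = len(u)
    s_u, s_y = sum(u), sum(y)
    s_uu = sum(a * a for a in u)
    s_uy = sum(a * b for a, b in zip(u, y))
    det = n * s_uu - s_u * s_u
    p1 = (n * s_uy - s_u * s_y) / det
    p2 = (s_uu * s_y - s_u * s_uy) / det
    return p1, p2


def dgm11(x0, horizon=0):
    """DGM (1,1): assumed OLS fit of x1(k+1) = b1*x1(k) + b2 on the 1-AGO series, then the
    time-response function x^(0)(k) = (b1-1)(x0(1) - b2/(1-b1)) b1^(k-2), k >= 2.
    Returns (values for k = 1..n+horizon, b1, b2); x^(0)(1) is reproduced exactly by convention."""
    x1 = ago(x0)
    b1, b2 = _ols2(x1[:-1], x1[1:])
    out = [x0[0]]
    for k in range(2, len(x0) + horizon + 1):
        out.append((b1 - 1) * (x0[0] - b2 / (1 - b1)) * b1 ** (k - 2))
    return out, b1, b2


def egm11(x0, horizon=0):
    """EGM (1,1): assumed OLS fit of x0(k) = -a*z1(k) + b, z1 the mean of consecutive 1-AGO
    values (background value), then x^(0)(k) = (1-e^a)(x0(1) - b/a) e^(-a(k-1)), k >= 2."""
    x1 = ago(x0)
    z1 = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, len(x1))]
    p1, b = _ols2(z1, x0[1:])
    a = -p1
    out = [x0[0]]
    for k in range(2, len(x0) + horizon + 1):
        out.append((1 - math.exp(a)) * (x0[0] - b / a) * math.exp(-a * (k - 1)))
    return out, a, b


def mape(actual, predicted):
    """Mean absolute percentage error over the observed period (forecast tail is ignored)."""
    pairs = list(zip(actual, predicted))
    return 100.0 * sum(abs(x - xh) / x for x, xh in pairs) / len(pairs)


def rgr(n1, n2, years=1.0):
    """Relative growth rate: (ln N2 - ln N1) / (t2 - t1)."""
    return (math.log(n2) - math.log(n1)) / years


def doubling_time(n1, n2, years=1.0):
    """Doubling time: (t2 - t1) ln 2 / (ln N2 - ln N1), i.e. 0.693 / RGR for a one-year step."""
    return years * math.log(2) / (math.log(n2) - math.log(n1))


if __name__ == "__main__":
    # Constructed sample: cumulative certificate counts 2010-2020 (illustrative, not ISO data).
    counts = [310, 360, 430, 500, 600, 700, 830, 990, 1150, 1400, 1650]
    fit_d, b1, b2 = dgm11(counts, horizon=10)
    fit_e, a, b = egm11(counts, horizon=10)
    print(f"DGM(1,1): b1={b1:.4f} b2={b2:.2f} MAPE={mape(counts, fit_d):.2f}%")
    print(f"EGM(1,1): a={a:.4f} b={b:.2f} MAPE={mape(counts, fit_e):.2f}%")
    for year, d, e in zip(range(2021, 2031), fit_d[len(counts):], fit_e[len(counts):]):
        print(year, round(d), round(e))
    print("RGR 2019->2020:", round(rgr(counts[-2], counts[-1]), 3),
          "Dt (years):", round(doubling_time(counts[-2], counts[-1]), 3))
```

On a homogeneous exponential series DGM (1,1) reproduces the data exactly, which is the case for which Liu et al. (2015) recommend it; EGM (1,1) shows a small residual error there.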

Results and discussion
This chapter is structured into two sections. The first evaluates the effectiveness of the models in describing current and future trends of ISO/IEC 27001 adoption. The second presents and discusses the findings.

4.1 Performance evaluation of the models
Tables 3-8 report the findings for the six countries under investigation: Japan, China, UK, India, Germany, Italy. For each of them, we first simulated data from 2010 to 2020 and then predicted the number of issued certificates from 2021 to 2030.

Presentation of the findings
As regards data up to 2020 (Tables 3-8; see Figures 1-6 for a graphical representation of the results), Japan (18,103 certifications) has recorded the highest number of ISO/IEC 27001 issued certificates followed by China (12,489), UK (5,897), India (5,449), Germany (3,367) and Italy (3,324). Moving to the EGM (1,1,α,θ) predicted values (2021-2030), the estimates exhibit exponential growth (Figures 1-6) in the years to come, with China (412,338 certificates) likely to become the leading country in terms of ISO/IEC 27001 certifications, followed by Japan (59,704), Germany (40,752), Italy (35,708), UK (29,465) and India (26,509). Based on these results, two interesting findings emerge. On the one hand, with 24,292 certificates in 2022 China will overtake Japan (20,763) at the top of the chart. On the other, the UK is predicted to lose some positions in favour of Germany and Italy.
After shedding light on the (current and future) diffusion trends, we can notice that the countries characterized by the highest amount of ISO/IEC 27001 certificates are also leading as regards the adoption of more mature standards (i.e. ISO 9001, ISO 14001; ISO, 2021; Ikram et al., 2019, 2021). These results can be explained considering the findings of Mirtsch et al. (2020), Cots and Casadesús (2015) and Dahlin and Isaksson (2017): firms usually start to implement general standards (i.e. ISO 9001) and then resort to more specific ones. Accordingly, in areas with an established tradition of certifications, many organizations have already validated the quality of their operational processes and therefore they are starting to approach other (more specific) standards like ISO/IEC 27001. In such contexts, ISO/IEC 27001 exhibits two main strengths. On the one hand, the learning process followed for ISO 9001 and ISO 14001 could help firms to adhere more quickly to ISO/IEC 27001 (Podrecca et al., 2022a); companies can therefore take advantage of the positive externalities of ISO/IEC 27001 (e.g. streamlined buyer-supplier relationships, Hannigan et al., 2019; differentiation effect, Stewart, 2018) without all the burdens faced by firms approaching ISO standards for the first time. On the other hand, by implementing ISO/IEC 27001 together with other management standards (and by integrating them into a single management system) firms can benefit from the peculiarities of each of them while reducing the costs, complexity and time required to manage common mandatory requirements like documentation, audits and procedures (Hoy and Foley, 2015; Sampaio et al., 2012).
Based on the data up to 2020, the RGR estimates show the following sequence:

The outcomes of these analyses highlight two main findings. First, up to 2020, China has recorded the highest RGR (0.441). Second, after an initial euphoria, the growth rate of Japan has slowed down and the country is currently characterized by the highest Dt (2.072). This evidence is consistent with the dictates of Mastrogiacomo et al. (2021): diffusion patterns are not "synchronous" across different contexts. Some countries exhibit an immediate adoption followed by a reduction of interest (or at least a decrease in the diffusion rate), while in other regions the diffusion processes start more slowly and the sustained growth occurs only at a later stage. These dynamics are generally linked to some peculiar economic and socio-political conditions of each country (Ikram et al., 2019). Accordingly, in parallel with their expansion in worldwide markets, Chinese firms may have been asked to achieve ISO/IEC 27001 as a mandatory prerequisite for establishing some business partnerships (Dionysiou, 2011). On the contrary, the slowdown recorded in Japan might be linked to the issues faced by Japanese firms: both their market shares and their productivity exhibit stagnating trends (e.g. Akram, 2019).
The relevance of both scope and scale of these interactions poses several new challenges to information system security (Wong et al., 2019): supply chains are increasing their digitalization level, online solutions are connecting a relevant number of customers and suppliers, and cloud-based platforms are leading to massive outsourcing of computing capabilities and data storage. In this new landscape, holistic approaches such as ISO/IEC 27001 are a given for worldwide companies and organizations (Rauniyar et al., 2023; Vance et al., 2020). Moreover, as more and more firms are demanding the external validation of the IS-related processes of their business partners, ISO/IEC 27001 is becoming a common ground to overcome transaction barriers (Villarreal, 2019). Summing up, while some scholars (e.g. Mirtsch et al., 2021) have raised potential concerns regarding ISO/IEC 27001 long-term diffusion, our study shows that such controversial issues will not overshadow the adoption of the standard. As long as information security remains a hot business topic, ISO/IEC 27001 adoption will continue growing, giving certified organizations the required capabilities to ensure data availability, integrity and confidentiality together with the chance to present formal evidence of their commitment.
At this point, it is worth acknowledging some factors that may alter the estimates in the years to come. Building on extant research (e.g. Sampaio et al., 2009; Franceschini et al., 2006; Corbett and Kirsch, 2001) two macroeconomic aspects appear particularly relevant: the economic development and the export propensity of the different countries. First, as for economic development, previous studies have posited that the greater the development of the country, the higher the number of companies and the larger the number of issued certificates (e.g. Corbett and Kirsch, 2001). A potential economic slowdown in the years to come (e.g. due to the rising energy prices; We Forum, 2022) could reduce the number of companies interested in adopting ISO/IEC 27001 and thus cause the estimates of this study to be revised downward. Second, as for the export propensity of the companies' home country, firms usually implement international management standards as a response to the coercive pressures of some foreign commercial partners that require formal evidence of their commitment towards a specific topic (e.g. quality assurance, sustainability, social responsibility; Guler et al., 2002). Some recent events (e.g. Brexit, US-China trade war, Russia-Ukraine war) might, however, decrease the economic openness and the export propensity of the countries (e.g. Goulard, 2020), potentially leading to a reduction in the number of issued certificates in the years to come. To conclude, in addition to the macroeconomic factors emerging from the literature, other relevant aspects such as the enactment of incentives aimed at fostering the adoption of ISO/IEC 27001 and modifications in the dictates underpinning this certification scheme might further modify the dissemination patterns. In particular, in case governments decide to resort to promotional and regulatory activities aimed at sustaining the adoption of ISO/IEC 27001, the estimates might need to be revised upward. As regards potential modifications to the ISO/IEC 27001 dictates, a specific prediction cannot be made: less stringent requirements could lead to faster diffusion, thanks to the possibility for firms to invest a lower amount of resources in the implementation of this international management standard; too loose requirements could reduce the trustworthiness of ISO/IEC 27001 and lead to a slow-moving diffusion or even a reduction of interest in the standard (e.g. Seppala, 2009; Soederberg, 2007).

Conclusions
The growing digitalization of business processes is increasing the risks associated with security breaches. Organizations are now asked to take holistic approaches to ensure the continuity of their activities and preserve data availability, integrity and confidentiality; in such a context, information security standards play a pivotal role. Against this background, the aim of this paper was to provide the first systematic analysis of the diffusion of ISO/IEC 27001, the fourth most popular ISO certification at the global level, and the most important standard for information security. Based on the number of ISO/IEC 27001 issued certificates from 2010 to 2020, the study shed light on the issue by combining Grey models with the relative growth rate and the doubling time indexes. The findings show that a generalized growing trend is likely to be expected in the years to come and that China will lead as regards the number of issued certificates. Moreover, the results highlight the usefulness and high reliability of Grey Models to investigate the diffusion of international management standards. According to the outcomes and the considerations reported in the previous sections, this paper contributes to both academia and practice. From an academic point of view, four main contributions can be identified. First, we answer previous calls for more research on the diffusion trends of ISO/IEC 27001 (Culot et al., 2021) by proposing the first analysis of its past, present and future adoption patterns. This way, we increase the understanding of ISO/IEC 27001 spread and, in particular, we point out a difference between the countries investigated in empirical studies and those recording the highest number of issued ISO/IEC 27001 certificates. This calls for further investigations aimed at shedding light on issues related to the adoption (e.g. motivations) and effectiveness (e.g. performance implications) of ISO/IEC 27001 for organizations operating in these contexts. Second, looking at the growing interest in IS, we highlight the relevance that ISO/IEC 27001 is likely to have in the years to come. Based on the data of issued certificates from 2010 to 2020 in the six leading countries, we show that a rising trend is likely to be expected in the near future. This finding is particularly relevant considering the concerns posed by extant research as regards the usefulness of this international management standard and the competition it might suffer from other general and context-specific standards. Third, by shedding light on the diffusion trends of ISO/IEC 27001, we contribute to the literature on management systems and voluntary standards, also enabling comparisons among them; the number of ISO/IEC 27001 issued certificates will approach that of more mature standards such as ISO 9001 and ISO 14001. Finally, scholars investigating the diffusion of international management standards may find our findings particularly relevant: the use of Grey models shows an analytical methodology that, with the exception of Ikram et al. (2019, 2021), has been rarely employed and which may apply to other voluntary standards as well.
From a practical point of view, the analysis of the current diffusion of ISO/IEC 27001 and the accurate forecasts regarding its future dissemination patterns presented in this study might support companies in improving their awareness of the importance of ISO/IEC 27001 and in taking more informed decisions as regards the choice to certify. In particular, by highlighting the relevant role that ISO/IEC 27001 is likely to assume in the near future, our findings can help firms to align their strategy with global requirements, which are progressively moving towards internationally recognized management standards (Granja et al., 2021), and to strengthen their business by planning, developing and communicating practices related to information security. Organizations' capability to demonstrate care in ensuring data protection is increasingly acknowledged as a relevant lever for value creation (e.g. Deane et al., 2019); hence, the decision to embrace a rapidly growing standard like ISO/IEC 27001 could allow firms to prove their reliability and signal it to current and prospective customers. The study is also useful for the certification body itself (ISO), which can use our predictions to understand how the ISO/IEC 27001 market will develop in the future, anticipate demand, refine medium-term strategic planning, guide promotional strategies and identify potential areas of improvement. Policymakers may find our results relevant as well, in particular for developing promotional and regulatory activities aimed at sustaining the diffusion of the standard. To conclude, by highlighting the relevance that ISO/IEC 27001 is likely to have in the years to come, our study might also encourage the adoption of the standard. This may contribute to a society more attentive to the issues related to information security and data protection.
The study is not exempt from limitations, which represent potential avenues for further development of the research. First, we only evaluated a small number of countries exhibiting a high number of issued certificates. Future studies could extend our findings to different settings (e.g. regions, countries, industries); specific diffusion patterns might appear depending on cultural and legal factors, the relevance of IT/IS for the considered context and the existence of alternative standards/approaches (e.g. Culot et al., 2021). Second, although Grey models (1,1) provide robust and reliable results both in terms of explaining past trends and predicting the future diffusion of ISO/IEC 27001, this forecasting technique can only take into account endogenous factors of growth and does not consider the effects of exogenous factors such as those related to the global economic situation, the enactment of incentives aimed at fostering the adoption of ISO/IEC 27001 and modifications in the requirements underpinning this certification scheme. Should these variations occur, it would be advisable to repeat the analyses. This would allow, on the one hand, updated forecasts to be obtained and, on the other, the specific effect of the discontinuity on the diffusion trends of ISO/IEC 27001 to be understood. Further research could also resort to Grey models to shed light on the joint adoption of multiple management standards (e.g. ISO 9001 and ISO 14001; ISO 9001 and ISO/IEC 27001; ISO 9001, ISO 14001 and ISO/IEC 27001). Moreover, in light of the managerial challenges posed by information security, further studies could investigate the diffusion patterns of other management standards aimed at helping firms to cope with the risks posed by new technologies (e.g. ISO 27701). To conclude, we hope that by showing the relevance of ISO/IEC 27001 our study will lead more scholars to consider this certification scheme; for instance, by investigating how the motivations for the adoption, the implementation challenges and the effectiveness differ when considering different contexts.

Notes
1. Data are based on the literature review of Culot et al. (2021) complemented with the most recent papers on the topic (see Table OA1 in the Online Appendix 1 for the full list of contributions).
2. The adopted Grey Models present two main limitations (Javed and Cudjoe, 2022; Javed et al., 2020). First, the sequence of input data must consist of at least four values. Second, they can only deal with input numbers greater than or equal to zero. These constraints do not represent an issue in our study because our input sequences include values from 2010 to 2020 (i.e. they are longer than four) and they refer to the yearly number of ISO/IEC 27001 issued certificates (i.e. positive numbers).

[Figure 1. Graphical representation of Japan data]
[Figure 3. Graphical representation of UK data]
[Figure 5. Graphical representation of Germany data]
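As an added worked example (not the paper's own code), the following Python implements the Even GM(1,1) fit used in the study, enforces the two input constraints stated in Note 2 (at least four values, all non-negative), and computes the relative growth rate and doubling time indexes under their usual continuous-growth definitions; the yearly counts are constructed for illustration, not the paper's certificate data.

```python
import math

# Constructed yearly counts for illustration only (not ISO certificate data).
SAMPLE_COUNTS = [2.0, 4.0, 8.0, 16.0]


def check_grey_input(x0: list[float]) -> None:
    """Note 2 constraints: at least four values, and every value >= 0."""
    if len(x0) < 4:
        raise ValueError("GM(1,1) needs a sequence of at least four values")
    if any(v < 0 for v in x0):
        raise ValueError("GM(1,1) input values must be >= 0")


def fit_even_gm11(x0: list[float]) -> tuple[float, float]:
    """Least-squares estimate of (a, b) in x0(k) + a*z1(k) = b, where x1 is the
    1-AGO (cumulative) series and z1(k) = 0.5*(x1(k) + x1(k-1)) is the 'even'
    background value (alpha = 0.5)."""
    check_grey_input(x0)
    x1, acc = [], 0.0
    for v in x0:
        acc += v
        x1.append(acc)
    z1 = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, len(x1))]
    u = [-z for z in z1]  # first column of the data matrix B; second column is 1
    y = x0[1:]            # right-hand side Y
    m = len(u)
    su, suu = sum(u), sum(t * t for t in u)
    sy, suy = sum(y), sum(t * w for t, w in zip(u, y))
    det = m * suu - su * su  # normal equations of the 2x2 least-squares problem
    a = (m * suy - su * sy) / det
    b = (suu * sy - su * suy) / det
    return a, b


def gm11_series(x0: list[float], horizon: int) -> list[float]:
    """Fitted values for the observed years plus `horizon` forecast steps, from
    the time response x1_hat(k+1) = (x0(1) - b/a) * exp(-a*k) + b/a."""
    a, b = fit_even_gm11(x0)
    n = len(x0) + horizon
    if abs(a) < 1e-12:  # a == 0 means dx1/dt = b, so x1 grows linearly
        x1_hat = [x0[0] + b * k for k in range(n)]
    else:
        x1_hat = [(x0[0] - b / a) * math.exp(-a * k) + b / a for k in range(n)]
    return [x1_hat[0]] + [x1_hat[k] - x1_hat[k - 1] for k in range(1, n)]


def relative_growth_rate(x_start: float, x_end: float, years: float) -> float:
    """RGR = (ln x_end - ln x_start) / years, i.e. continuous growth per year."""
    return (math.log(x_end) - math.log(x_start)) / years


def doubling_time(rgr: float) -> float:
    """Years needed for the count to double at a constant relative growth rate."""
    return math.log(2) / rgr
```

On the constructed series the fit gives a = -2/3 and b = 4/3, a yearly RGR of ln 2 and a doubling time of one year; a short or negative sequence is rejected before any fitting takes place.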