The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda

Purpose – After 15 years of research, this paper aims to present a review of the academic literature on the ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field.
Design/methodology/approach – The study is structured as a systematic literature review.
Findings – Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors.
Originality/value – The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim to inspire future interdisciplinary studies at the crossroad between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities.


Introduction
Economy and society are becoming increasingly data-driven, yet most of the debate across managerial disciplines has been focusing on how to extract value from data, e.g. through business model innovation (Spiekermann and Korunovska, 2017; Hagiu and Wright, 2020; Iansiti and Lakhani, 2020), rather than on protecting what seems to be a crucial asset today: information. Emerging technologies, platform-based business models and the spread of smart working practices are multiplying the number of entry points in computer networks and thus their vulnerability (Hooper and McKissack, 2016; Lowry et al., 2017; Corallo et al., 2020). Holistic approaches are required to face the increasingly complex challenge of information system security (ISS): substantial managerial focus is needed to balance trade-off decisions between protection and legal compliance, on the one hand, and cost and operational agility, on the other (e.g. Vance et al., 2020; D'Arcy and Teh, 2019; Burt, 2019; Antonucci, 2017). In spite of an increasing practitioners' interest in the topic (e.g. Gartner, 2018; McKinsey, 2019), ISS is still perceived in academia as an essentially technical topic (Alguliyev et al., 2018; Lezzi et al., 2018; Sallos et al., 2019).
Over the years, ISS standards and frameworks have been playing a pivotal role in the dissemination of now much-needed holistic (technical, organizational and managerial) approaches (Von Solms, 1999; Ernst and Young, 2008). Among them, ISO/IEC 27001 is probably the most renowned one, being the third most widespread ISO certification worldwide, following ISO 9001 and ISO 14001 (ISO, 2019). The standard was designed and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 as an evolution of BS 7799. It "[...] specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization"; the requirements "[...] are generic and are intended to be applicable to all organizations, regardless of type, size or nature" (ISO/IEC 27001:2013). Several leading organizations ask their business partners to be ISO/IEC 27001 certified (e.g. Netflix for postproduction partners), and widespread publicity has been given over the years to the attainment of ISO/IEC 27001 certification by prominent technological providers, including Apple Internet Services, Amazon Web Services, GE Digital, several Microsoft business units and, more recently, Facebook's Workplace (e.g. Venters and Whitley, 2012).
Overall, the literature on ISS standards is marked by ongoing concerns about their efficacy and validation (e.g. Siponen and Willison, 2009; Silva et al., 2016; Niemimaa and Niemimaa, 2017). After 15 years of scientific research on ISO/IEC 27001 and in light of its growing popularity, we believe that it is time for academia to assess how these fundamental concerns have been addressed so far with respect to this specific standard and to question related research prospects against a context characterized by ever-increasing connectivity and digitalization. We believe that more interdisciplinarity in the study of ISS standards is necessary considering how, according to many observers (e.g. Blackburn et al., 2020; The Economist, 2020), the COVID-19 health crisis is expected to accelerate the role of digital technologies in the business environment as well as in daily life.
This study moves in this direction by developing a systematic literature review on ISO/IEC 27001. As Webster and Watson (2002) point out, a systematic approach is the starting point for advancing research in a given field, laying strong foundations for future studies. Differently from previous reviews, our work does not focus on a specific topic in the ISO/IEC 27001 research (i.e. diffusion in Barlette and Fomin (2010) and technical approaches in Ganji et al. (2019)) but aims at providing a comprehensive synthesis of the debate in the field. The results are read through the lenses of social systems thinking to formulate a theory-based research agenda to inspire future studies at the intersection between information systems (IS) and managerial disciplines, including quality management. In line with renewed calls for theory-grounded research (e.g. Breslin et al., 2020; Post et al., 2020) and following Seuring et al.'s (2020) considerations, we extend the reach of three specific system theoretical approaches to the study of ISO/IEC 27001. As we leverage theoretical perspectives never applied to ISO/IEC 27001 and not common in research on other voluntary standards (Sartor et al., 2016, 2019; Orzes et al., 2018), we trust that our effort can stimulate the academic debate by integrating new streams of theory and allowing scientific exchange beyond what is already present.
Under this premise, this study delivers two main contributions to the literature. First, we present and organize the body of knowledge on ISO/IEC 27001 across several research streams and topics, providing a comprehensive overview targeted at scholars from different backgrounds. Second, we add a novel analytical perspective to the research on ISO/IEC 27001 through the lenses of social systems thinking, which may apply to the study of other voluntary standards as well.

Our paper also has substantial practical implications. The results of the literature review provide managers with an overall picture of the knowledge created over the years by academic research on the ISO/IEC 27001 standard, including relevant elements to consider in pursuing, implementing and managing the certification. Moreover, policymakers may find pertinent perspectives that inform their decisions regarding public support to the diffusion process of the certification. The paper actually shifts the focus of the debate from firm-level implementation of ISO/IEC 27001 to a system-level perspective, urging decision-makers to consider ISS needs and practices in the broader business environment in which organizations exchange data and information.
The remainder of the paper is structured as follows. The next section illustrates the methodology adopted for the literature review. Thereafter, we present the descriptive characteristics of the contributions included in our analysis. The results of the thematic coding are presented in two main sections. Next, the discussion revolves around the main issues and current knowledge gaps, followed by the formulation of a theory-based research agenda. We conclude by outlining the contributions of our research.

Review approach
Management system standards are inherently multi-dimensional phenomena that can be analyzed according to several research perspectives (Uzumeri, 1997; Heras-Saizarbitoria and Boiral, 2013); we opted, thus, for a systematic approach to the literature review to minimize the implicit biases of the researchers involved in the identification, selection and coding of papers. The approach, following the guidelines of Tranfield et al. (2003), Rousseau et al. (2008) and Seuring and Gold (2012), is in line with previous studies on other voluntary standards (e.g. Sartor et al., 2016; Boiral et al., 2018).
The review protocol was structured to meet the following research objectives: (1) provide a comprehensive overview of the literature on ISO/IEC 27001; (2) classify themes, sub-themes and type of evidence; (3) underscore recurring patterns, conflicting results and unexplored research areas.
The first step was the identification of the literature. We performed a formal search on multiple online scientific databases: Elsevier's Scopus and Science Direct, Clarivate's Web of Science, EBSCO Business Source Complete and EconLit, ProQuest's Social Sciences, JSTOR, Wiley Online Library and Emerald Insight. The keywords were selected to include different spellings of the standard, i.e. "ISO270**," "ISO 270**," "IEC 270**," "IEC270**," "ISO/IEC 270**," "ISO / IEC 270**," "ISO / IEC270**" and "ISO/IEC270**", using the operator OR between the terms. The search on title, abstract and keywords covered the period until November 2020. We included only peer-reviewed journal articles, books and book chapters written in English, for a total of 537 unique records.
As a second step, abstracts and full texts were screened for their fit with the objectives of the study. Two researchers were involved independently. We excluded contributions that: (1) referred to other standards and (2) merely mentioned the ISO/IEC 27001 without a structured analysis or discussion. We included both theoretical and empirical contributions that: (1) focused specifically on ISO/IEC 27001, (2) analyzed ISO/IEC 27001 together with other standards, (3) discussed ISS/cybersecurity issues at large with explicit reference to ISO/IEC 27001. This way, 116 contributions were pre-selected, their content was further analyzed and their references enabled the identification of other works through a forward/backward citation analysis (Webster and Watson, 2002). This process led to a final list of 96 contributions.
The third step in the process was to analyze the material to capture thematic trends, meanings, arguments and interpretations (Mayring, 2000; Duriau et al., 2007). Books and book chapters were classified based on year and authors' affiliation/geography. Journal articles were classified based on year, publication outlet, disciplinary area, authors' affiliation/geography, methodology and underpinning theory (if any).
Thereafter, we performed a content analysis on journal articles following Seuring and Gold's (2012) methodological recommendations. The coding categories and main themes included in Figure 1 were defined deductively, drawing from previous literature reviews on other standards and frameworks (e.g. Stevenson and Barnes, 2002; Heras-Saizarbitoria and Boiral, 2013; Manders et al., 2016; Boiral et al., 2018) and refined inductively through iterative cycles during the coding process. The specific sub-themes were identified inductively, aggregating the arguments emerging from the content analysis by similarity.
The coding activity was conducted independently by two researchers (Duriau et al., 2007). Each researcher mapped on an Excel spreadsheet the recurrence of the sub-themes in the papers, coding whether the evidence was of a conceptual (C) or rather empirical (E) nature. In addition, the researchers noted some relevant passages for each paper/sub-theme to facilitate the interpretation of the results. The few instances of disagreement were resolved through formal discussion.
Finally, the results of the coding activity were examined. We calculated the descriptive characteristics of the papers included in the review and the proportion of studies addressing each sub-theme. A synthesis of the relevant passages reported in the literature for each sub-theme was also prepared and discussed within the research team. The following sections illustrate the outcomes of our analysis.
As books and book chapters are practitioner-oriented and rarely peer-reviewed, we did not include them in the scientific coding and present them in a standalone subsection. The coding process followed the same methodological approach as for journal articles.

Characteristics of the literature
The classification of the 96 contributions brings to light how the debate on ISO/IEC 27001 developed within the scientific and practitioner community. The main findings are summarized in Figure 2 and clarified in the following paragraphs.
The first contribution on the topic was published in 2005, the same year as the release of ISO/IEC 27001. Since then, the average number of contributions is six per year, with an Heartland). The analysis of the publication outlets shows that most of the papers belong to the IS literature, either in journals specifically related to ISS or in outlets more broadly related to IS and technology, including computer sciences. The strong technical connotation is confirmed by the analysis of the authors' affiliation.
In terms of geography, the authors belong mainly to institutions located in European countries. The distribution partially reflects the geographical focus of the empirical studies included in the review and is consistent with the international diffusion of ISO/IEC 27001 certifications (ISO, 2019).
From a methodological standpoint, the vast majority of the papers have a conceptual nature. It should be noted that research on ISO/IEC 27001 is characterized by a relatively low theoretical underpinning: six papers built on established theories, i.e. the circuit of power framework in Smith et al. (2010), the resource-based view (RBV) and the crisis management theory in Bakar et al. (2015), the technology acceptance model (TAM) in Ku et al. (2009), Van Wessel et al. (2011) and Dos Santos Ferreira et al. (2018), the theory of cultural differences in Asai and Hakizabera (2010) and the technology-organization-environment (TOE) framework in Mirtsch et al. (2021).

Thematic findings
ISO/IEC 27001 and other standards/frameworks
Only 33% of the journal articles included in the review focus exclusively on ISO/IEC 27001. The vast majority of contributions examine it together with other ISS standards and management certifications. Themes and issues are essentially related to standard comparison and integration, as illustrated in the following paragraphs and in Table 1.
Regarding the relation of ISO/IEC 27001 and other standards with similar scope, it should be noted that the list of options available to organizations approaching ISS and cybersecurity

Table 1. ISO/IEC 27001 and other standards/frameworks

approach to ISS and cybersecurity (e.g. Lomas, 2010; Rezakhani et al., 2011; Fuentes et al., 2011). Substantial issues, however, are reported in the literature with respect to their integration, including a different scope, the number of requirements and the only partial overlap among them and the different terminology used (Broderick, 2006; Pardo et al., 2012; Beckers et al., 2013; Bettaieb et al., 2019). Against these challenges, several papers (17 contributions, 23%) suggest harmonization methods, also supported by empirical testing (e.g. Pardo et al., 2012, 2013; Mesquida et al., 2014; Bettaieb et al., 2019). The issues addressed in these studies are diverse. (2013, 2016) approach ISO standards related to software quality, IT service management and ISS. Seven papers (Susanto et al., 2011; Montesino et al., 2012; Sheikhpour and Modiri, 2012a, b; Mukhtar and Ahmad, 2014; Bettaieb et al., 2019; Faruq et al., 2020)

Similar integration issues are analyzed in the literature with respect to other management system standards, especially other ISO management systems. Overall, the potential benefits of management system integration have been described in terms of implementation synergies (e.g. Crowder, 2013) and better outcomes (e.g. Bakar et al., 2015; Hannigan et al., 2019), despite a possibly increasing level of complexity (Heston and Phifer, 2011). However, researchers also highlight partial misalignments in the terminology, structure and scope of management system standards (Barafort et al., 2019). Methods and harmonization strategies are described in six papers in our review (8%). Heston and Phifer (2011) illustrate a framework for the selection of standards depending on organizational archetypes. Majerník et al. (2017) describe a conceptual model for the integration of ISO/IEC 27001, ISO 9001 for quality management, ISO 14001 for environmental management and OHSAS 18001 for occupational health and safety (now replaced by ISO 45001). The work of Barafort et al. (2017, 2018, 2019) focuses on risk management activities foreseen by ISO/IEC 27001, ISO 9001, ISO 21500 (guidance on project management) and ISO/IEC 20000 (IT service management). Hoy and Foley (2015) delve into the integration of ISO 9001 and ISO/IEC 27001 audits.
Along the same lines, a further area of inquiry concerning ISO/IEC 27001 and other ISO management standards examines diffusion patterns, the order of implementation and possible effects on country-level economic indicators (Gillies, 2011; Cots and Casadesús, 2015; Başaran, 2016; Armeanu et al., 2017). The results show that ISO/IEC 27001 is often implemented after ISO 9001 (Mirtsch et al., 2021), and its diffusion is correlated with ISO/IEC 20000, following the logic that more specific standards are adopted after more general ones (Cots and Casadesús, 2015).

Motivations
In the literature on voluntary standards, significant attention has been paid to the motivations driving organizations in the pursuit of certifications (e.g. Heras-Saizarbitoria and Boiral, 2013; Sartor et al., 2016). This is also a common topic in the ISO/IEC 27001 literature, observed in 48% of the studies, although mostly through conceptual arguments.
Following Nair and Prajogo (2009), we classified the motivations as functionalist (i.e. organizations expect the standard to improve processes and documentation) and institutionalist (i.e. organizations view the certification as a means to better qualify against external stakeholders, including competitors, customers and regulatory agencies). Results are shown in Table 2.

TQM 33,7
Most of the studies reporting functionalist motivations refer to expectations around higher levels of ISS. This is obviously related to the scope of the standard as well as to the continuous improvement logic underpinning the ISMS (Lomas, 2010; Smith et al., 2010; Pardo et al., 2016) and the acquisition of new skills and competences (Ku et al., 2009; Bakar et al., 2015). Several papers also indicate expectations around more efficiency in the processes related to information management (e.g. Kossyva et al., 2014; Hlača et al., 2008; Annarelli et al., 2020). This seems particularly relevant for organizations with previous experience in the implementation of other management systems, as they are aware of the benefits of a structured approach on processes and accountabilities (Crowder, 2013).
Several institutionalist motivations also emerge from our analysis. Many authors report expectations for a better corporate image: through the attainment of the certification, it is possible to demonstrate that the organization can be considered a trustworthy partner by its stakeholders, including employees, suppliers, financial institutions and customers (Freeman, 2007; Liao and Chueh, 2012a). This, in turn, appears to be an indirect goal to attract more customers and consolidate client relationships (Beckers et al., 2013). In this respect, Lomas (2010) underlines that in the UK, information security scandals have raised public awareness; Ku et al. (2009) stress that organizations embrace the ISO/IEC 27001 certification to show that they are willing to take a more proactive stance.
Along the same lines, it has been suggested that ISO/IEC 27001 may be adopted following market demands, i.e. large private-sector corporations demand that their suppliers be certified (Țigănoaia, 2015; Barafort et al., 2019). The reason for this might be independent of large corporations being certified themselves, but rather, as reported by Everett (2011), be related to a standardization in the bidding and procurement process. In this respect, however, it should be noted that several companies pursue an informal implementation, i.e. they shape the ISMS in compliance with the standard but do not seek the certification, as ISMS requirements can be self-certified through suppliers' questionnaires (Cowan, 2011; Dionysiou, 2011).
A further motivation mentioned in the studies refers to the presence of governmental regulatory and promotion activities fostering ISO/IEC 27001 diffusion. The past decade has seen a progressive intensification of national (e.g. in the USA, the "National Strategy to Cyberspace Security") and international initiatives (e.g. the Organization for Economic Cooperation and Development (OECD) guidelines, European-level initiatives such as the recent EU Cybersecurity Act). Overall, these initiatives have been contributing to the dissemination of ISS awareness (Ku et al., 2009); some of them have fostered explicitly the ISO/IEC 27001 certification, as in the case of Japan (Everett, 2011; Gillies, 2011). Smith et al. (2010) note that the Australian Government preferred ISO/IEC 27001 over other ISS standards because of its flexibility in accommodating local legal requirements. The reach of European-level policies is well described in Dionysiou (2011), together with the peculiar example of Cyprus adopting certification as a "ticket to the European market" (p. 198).
Finally, some studies point to the presence of isomorphic dynamics. In the case illustrated by Hlača et al. (2008), the ISO/IEC 27001 was adopted in light of the growing number of certified companies worldwide. The rationale behind this is illustrated in Stewart (2018) through the concept of network effects. This dynamic seems further reinforced by the global reputation of the ISO umbrella of standards (Deane et al., 2019).

Implementation
A considerable number of studies (68%) report issues and opportunities related to the implementation of the standard. We classified them according to three main questions: (1) how effectively do ISO/IEC 27001 tools and methods support the implementing organization? (2) how do organizations structure the project governance? (3) what differences in the actual adoption of practices have been documented?
The themes and sub-themes identified in the studies are illustrated in Table 3.
As for the efficacy of the (1) tools and methods indicated by ISO/IEC 27001, the literature is ambivalent. Whereas several authors (e.g. Smith et al., 2010) praise ISO/IEC 27001 flexibility, a number of studies see this as a potential drawback in the implementation process (e.g. Lomas, 2010; Rezaei et al., 2014). The requirements are often perceived as too formal and wide-ranging; they provide guidance on what should be done, but organizations are responsible for choosing "how" to achieve those goals (Bounagui et al., 2019). The lack of precise methodological indications may translate into low accuracy in the risk analysis and asset assessment. Much is left to the expertise of the individuals in charge (e.g. Ku et al., 2009; Liao and Chueh, 2012a), with often too much emphasis placed on the technical side (Ozkan and Karabacak, 2010; Itradat et al., 2014). Some specific issues in this respect emerge from the literature. The most relevant one is related to the security controls, in particular considering the set of 133 controls described in Annex A of the 2005 version of the standard. Although no longer mandatory in the (Liao and Chueh, 2012b), entailed too rigid procedures (Crowder, 2013) and were costly to implement due to the possibility of only partial automation through hardware and software tools (Montesino et al., 2012). As for the new version of the ISO/IEC 27001, Ho et al. (2015) note that the standard still does not provide guidance on the mutual interdependence among the different control items; similarly, Stewart (2018) and Topa and Karyda (2019) refer to the lack of indications regarding a cost/benefit assessment in the selection of controls. On this, Bettaieb et al. (2019) propose an approach based on machine learning for the identification of the most relevant controls, given the characteristics and the context of the implementing organization.
The literature has also highlighted a lack of guidance regarding possible interdependencies between the organization and the external environment. As reported by Smith et al. (2010) and Stewart (2018), many implementations fail because of an unstructured approach toward shared assets (e.g. services and IT infrastructure shared among local units of the same corporation) and poor identification of the organization's dependencies on third parties and outsourced services.
The support provided by ISO/IEC 27001 in aligning the organization's ISMS to local legislation has also been discussed. The standard states that the implementing organization should identify autonomously the applicable local regulation and contractual obligations (Diamantopoulou et al., 2020; Simić-Draws et al., 2013); however, in the absence of precise instructions, organizations face complex reconciliations and the challenge of complying with multiple local legislations in the case of multinational enterprises (Broderick, 2006). In connection to this, recent studies have investigated how the norm supports organizations in complying with the General Data Protection Regulation (GDPR), issued in 2016 to regulate data protection and privacy in the European Union and the European Economic Area. The ISO/IEC 27001 was last updated in 2013, i.e. before the GDPR publication, while the new regulatory requirements were included in the new ISO/IEC 27552 (Privacy Information Management). Nevertheless, previous research has highlighted similar requirements between the GDPR and ISO/IEC 27001 (Annarelli et al., 2020) as well as the fact that a structured ISMS is a prerequisite to meet the European directives (Serrado et al., 2020).
Another issue underscored in the studies concerns the fact that ISO/IEC 27001 does not provide adequate guidance on cultural and psychological dimensions relevant for ensuring employees' compliance (Van Wessel et al., 2011). As highlighted by Topa and Karyda (2019), there are only limited indications regarding the appraisal of individual habits and values, e.g. privacy concerns and compliance attitude. Similarly, Asai and Hakizabera (2010) underline the presence of cultural differences in the attitude toward ISS.
With regard to the second overarching theme, (2) project governance, the studies show that IT, organizational and legal competencies are necessary, and therefore, companies need to formulate well-defined coordination mechanisms (e.g. Crowder, 2013). In terms of the structure of the project team and implementation phases, the literature reports various approaches, normally starting with local pilots and then moving on to large-scale rollouts (Ku et al., 2009; Van Wessel et al., 2011). Along the same lines, although it is a well-documented fact that a successful management system requires leadership endorsement (e.g. Crowder, 2013), several articles indicate that ISO/IEC 27001 is mostly developed by IT departments alone (Van Wessel et al., 2011; Akowuah et al., 2013). Stewart (2018) notes that information security leaders are unlikely to be included in the management committee. Everett (2011) reports that limited directors' awareness often results in low budget allocation. An unsolved implementation issue seems to be the potential involvement of consultants. Whereas specialist ISS competencies lead many organizations to seek external support (e.g. Dionysiou, 2011; Hoy and Foley, 2015; Annarelli et al., 2020), several studies underline how this may hamper organizational learning and lead to unsuccessful implementation (Ku et al., 2009; Gillies, 2011). In any case, there is agreement on the fact that the process to obtain the ISO/IEC 27001 certification usually absorbs significant company resources in terms of working hours and financial resources (e.g. Gillies, 2011; Van Wessel et al., 2011).
Finally, the last theme emerging from our review concerns the possibility of differences in the (3) actual adoption of practices, namely, to what extent the written documentation is internalized by the organization (Nair and Prajogo, 2009). This has emerged as a key research area in relation to other standards and voluntary initiatives (e.g. Heras-Saizarbitoria and Boiral, 2013; Orzes et al., 2018), but few studies have addressed specifically the question with regard to ISO/IEC 27001. Some papers stress that a "cosmetic and not substantial" application of the standard might take place (Culot et al., 2019, p. 83) and that some companies "put in as little effort as possible" (Everett, 2011, p. 7). Moreover, the reasons why several companies conform to ISO/IEC 27001 requirements but do not seek formal certification are overall under-investigated (Mirtsch et al., 2021).
Comparatively more attention has been paid to employee compliance. The studies refer to organizational inertia, i.e. employees are skeptical about the required reconfiguration of processes and reluctant to change (e.g. Heston and Phifer, 2011; Topa and Karyda, 2019), and to opposition whenever the implementation of the standard is externally mandated (Smith et al., 2010).

Outcomes
As illustrated in Table 4, few studies (26%) have cited the outcomes of the ISO/IEC 27001 certification, with just half of them providing empirical evidence in support. Only three studies focus explicitly on the impact of the standard. Tejay and Shoraka (2011) The other papers either report impacts in the description of case studies and through expert opinions (Van Wessel et al., 2011; Crowder, 2013; Rezaei et al., 2014; Hannigan et al., 2019; Annarelli et al., 2020) or derive outcomes from conceptual reasoning (Freeman, 2007; Dionysiou, 2011; Fuentes et al., 2011; Gillies, 2011; Bakar et al., 2015).
The performance dimensions emerging from our analysis are diverse, some more in line with the scope of the standard, i.e. lower risk levels (Freeman, 2007; Rezaei et al., 2014) and improved business continuity (Van Wessel et al., 2011; Bakar et al., 2015), others related to organizational and financial improvements. The studies refer to streamlined and efficient processes because of ISMS redesign (Fuentes et al., 2011; Crowder, 2013). Process improvements may translate into increasing employees' and customers' satisfaction, even though Van Wessel et al. (2011) report that, for one of the companies they analyzed, the certification also meant losing some operational flexibility. Kossyva et al. (2014) suggest a reduction in miscommunication and opportunism in information exchange.
Some authors looked at the impact of the certification from a financial perspective. The cases analyzed in Van Wessel et al. (2011) report a payback period in line with expectations. Bakar et al. (2015) claim that ISO/IEC 27001 may prevent the leaking of private information to unauthorized parties, and the subsequent legal actions, bad publicity and profit losses. Moreover, the insurance premium of certified companies is lower (Gillies, 2011; Susanto et al., 2012).
Besides organizational-level benefits, it should be noted that two papers correlate ISO/IEC 27001 diffusion with country-level indicators. The study of Armeanu et al. (2017) shows that the presence of ISO standards has a positive influence on the economic sentiment indicator, a cross-industry composite confidence indicator published monthly by the European Commission. Başaran (2016) illustrates the strength of the association between the number of ISO certificates and industrial property rights granted in Turkey.

Context
Several studies (50%) indicate that the adoption of ISS standards as well as ISO/IEC 27001 motivations, implementation and outcomes should be read against the context in which the organization operates, as shown in Table 5.
Most of the papers stressing differences among countries refer to international (e.g. Europe, OECD) and governmental (e.g. Japan, Australia) initiatives fostering the diffusion of ISO/IEC 27001 (e.g. Lomas, 2010; Dionysiou, 2011; Serrado et al., 2020). Other studies highlight higher adoption in offshoring destination countries, e.g. Taiwan, Singapore and India, because of the need to ensure a secure environment for intellectual property in order to maintain attractiveness (Ku et al., 2009). Less export-oriented countries might, on the contrary, be less likely to see high adoption rates (Dionysiou, 2011). Interestingly, Heston and Phifer (2011) point out that multinational enterprises (MNEs), although structuring their processes homogeneously at the global level, might formally pursue the certification only in some countries, depending on local opportunities and constraints.
Country-specific elements are underscored also in relation to cultural differences in terms of employees' attitudes toward ISMS compliance (Asai and Hakizabera, 2010; Topa and Karyda, 2019). Moreover, the approach to ISO/IEC 27001 implementation seems to differ between European and Chinese companies (Van Wessel et al., 2011).
Differences based on organizations' size are mentioned in the literature to a lesser extent. Even though smaller public companies might expect greater returns from certification than larger firms (Deane et al., 2019), only large companies seem to assign sufficient priority to ISS, owing to resource availability (Dionysiou, 2011; Gillies, 2011). With regard to the implementation process, as stressed by Stewart (2018), ISO/IEC 27001 is designed for an "average organization," and it might not be suitable for the companies deviating most from this average profile, e.g. owing to their size or level of centralization (Smith et al., 2010; Stewart, 2018).
In terms of industry-specific dynamics, the literature points to differences in the diffusion patterns. Although the standard is generic by design, it is adopted more in regulated industries, such as financial services and health care (Dionysiou, 2011; Heston and Phifer, 2011; Mukhtar and Ahmad, 2014), and where information security attacks have been … (Deane et al., 2019). In other industries, there seems to be less interest (Everett, 2011; Liao and Chueh, 2012a, b), although the certification might represent a differentiation factor (Ku et al., 2009; Crowder, 2013). Finally, although the standard does not require the implementing organization to have any form of IT in place, it is often perceived as applicable only to highly digitalized contexts (Crowder, 2013). On the contrary, the most recent literature shines the spotlight on the limited effectiveness of ISO/IEC 27001 against emerging technologies. Overall, the studies underline the fact that the emergence of cloud computing, the internet of things and platform-based business models makes it increasingly difficult to define the scope and boundaries of the ISMS (Culot et al., 2019). Being process-driven, ISO/IEC 27001 seems better suited to meet these challenges than more document-oriented standards (Beckers et al., 2013). However, ISO/IEC 27001 alone seems not sufficient to guarantee both IS security and safety (Park and Lee, 2014), but it may represent the backbone on which more specific standards are integrated (Leszczyna, 2019).
Lastly, the literature highlights the presence of contingencies related to the organizational culture. Depending on this, ISS can be understood as a purely technical issue rather than a far-reaching business goal (e.g. Everett, 2011). In a survey, cultural change is identified as the main challenge to overcome (Gillies, 2011); organizations more prone to innovation and change are expected to be more successful in the standard implementation (e.g. Ku et al., 2009; Liao and Chueh, 2012a).

Themes and topics related to books and book chapters
In addition to what has been illustrated in the previous sections, the results of the analysis of the books and chapters on ISO/IEC 27001 are consistent with the themes emerging from the coding of academic articles. As shown in Table 6, besides some contributions providing a general overview of the norm (e.g. Accerboni and Sartor, 2019; Arnason and Willet, 2007), most of the books focus either on the relationship of ISO/IEC 27001 with other standards for ISS (e.g. Calder, 2008, 2018; Calder and Geraint, 2008) or on complementing the norm guidelines with implementation methods, technical tools (e.g. Calder, 2006a; Calder and Watkins, 2008; Beckers, 2015) and risk management approaches (e.g. Calder and Watkins, 2010). Legal issues and the auditing process have received comparatively little attention so far (Pompon, 2016). Managerial topics related to the standard implementation refer to limited leadership awareness (Calder, 2010) as well as to motivations and guidelines' effectiveness (Erkonen, 2008; Dionysiou et al., 2015).

Summary and research challenges
The systematic review on ISO/IEC 27001 helps to clarify the main themes and results elaborated in almost 15 years of academic research on the standard. What emerges clearly from the literature is that: (1) a structured approach to information and cybersecurity requires the integration of multiple standards; (2) the motivations to pursue the ISO/IEC 27001 certification are also related to governmental incentives and market demands; (3) implementation entails several challenges due to guidelines that are generic by design, and different approaches/internalization levels are possible; (4) there is limited evidence demonstrating the outcomes of the certification; (5) the integration of ISS standards, motivations, implementation and outcomes are dependent on a series of contextual factors, including the technological environment in which the organization operates. Overall, the paucity of empirical studies on ISO/IEC 27001 is striking, especially in light of the significant public efforts to sustain the diffusion of the certification. The fact that the academic debate has seen limited cross-fertilization between subject areas further exacerbates the knowledge gaps on this subject.
Today, value creation is all about exchanging information within and beyond organizational boundaries (Culot et al., 2020; Hagiu and Wright, 2020). New forms of inter-organizational collaboration allow intellectual property and data to flow between organizations (Bititci et al., 2012; Pagani and Pardo, 2017). The scale and scope of such interactions are posing new challenges to ISS (Hinz et al., 2015; Jeong et al., 2019; Feng et al., 2020). Supply chains are becoming increasingly digitalized, augmenting the risk of losing intellectual property (Kache and Seuring, 2017; Ardito et al., 2019; Büyüközkan and Göçer, 2018). Online platforms and tech giants are connecting vast numbers of suppliers and customers (Jacobides et al., 2018; Benitez et al., 2020); the participants in these ecosystems place their trust in the platform orchestrators' ability to ensure ISS at large, including that of relevant third parties (Burns et al., 2017). The spread of cloud-based solutions implies massive outsourcing of data storage and computing capabilities (Beckers et al., 2013; Markus, 2015).
Overall, this scenario demands that ISS be seen no longer as an issue affecting single organizations in isolation but rather as a question of flows and relations involving multiple partners; an inherently "wicked problem" calling for a broad rethinking of assumptions (Lowry et al., 2017). This rings all the more relevant with regard to the challenges that the COVID-19 pandemic is generating. Social distancing resulted for many organizations in a surge of work-from-home arrangements, higher activity on customer-facing networks and greater use of online services and platforms, all of which are placing immense stress on ISS controls and operations (Boehm et al., 2020; Deloitte, 2020). In parallel, several concerns have been raised about contact-tracing applications deployed in the attempt to contain the contagion; the potential damages from the misuse of personal and biometric data are unprecedented (Harari, 2020). As we write, the storm continues to rage in many areas of the world, yet many observers believe that a structural shift is taking place, making digitalization a key feature of the "new normal" (Smith, 2020; The Economist, 2020).
These considerations should also inform research on ISO/IEC 27001 going forward. In a world where organizational boundaries are increasingly meaningless, the very concept of an IS perimeter becomes obsolete (Dhillon et al., 2017; Cavusoglu et al., 2015). Overall, there is an apparent contradiction between the low technological specificity and organizational-level focus of the standard, on the one hand, and ISS requirements that are increasingly advanced and systemic, on the other.
Two aspects emerging from the review seem particularly relevant in this respect. First, other standards, frameworks and non-standardized practices may be integrated on the structure of ISO/IEC 27001 to build more comprehensive approaches. Second, the ISO/IEC 27001 certification is often pursued in accordance with inter-organizational requirements, e.g. large companies demanding that their suppliers be certified, governmental actions sustaining the certification, and expectations of image improvements and better relations with key stakeholders. Both these aspects, however, have been only superficially addressed so far. The integration of multiple standards and practices has been mostly tackled by technical studies defining methods, whereas the inter-organizational implications of ISO/IEC 27001 have emerged in the literature only with regard to the institutional motivations driving adoption.
Against this backdrop, we believe that a shift in attention is needed from "the part" to "the whole" in the study of ISO/IEC 27001. In light of the growing number of certifications, coupled with the endorsement of major digital players, it is important to intensify scientific efforts; the next section is thus devoted to the formulation of a set of research directions addressing these issues.

Theory-based research agenda
In line with renewed calls for more theory-grounded research (e.g. Breslin et al., 2020; Post et al., 2020), we conclude our study by outlining a series of research opportunities that read the emerging challenges and the current knowledge gaps through theoretical lenses. Several theories have been used over the years in the study of voluntary standards and can be successfully applied in future research on ISO/IEC 27001. The most prominent ones, following the review of Tuczek et al. (2018), include:
(1) Transaction cost theory (Coase, 1937; Williamson, 1985): As the focus is placed on the costs arising from an economic exchange between a buyer and a seller, the theory has been used to analyze voluntary standards adoption patterns and the performance implications related to lower information asymmetries (e.g. Prajogo et al., 2012).
(2) Resource-based view (Penrose, 1959; Barney, 1991): Under the assumption that firms should identify and make use of resources that are valuable, rare and difficult to imitate in order to gain competitive advantage, researchers have investigated the motivations to adopt voluntary standards, the implementation process and the impact on performance (e.g. Darnall, 2006; Schoenherr and Talluri, 2013; Jabbour, 2015).
(3) Institutional theory (Meyer and Rowan, 1977; DiMaggio and Powell, 1983): The perspective has been leveraged mainly for investigating voluntary standards diffusion, since societal influence might explain why organizations converge and become similar (e.g. Nair and Prajogo, 2009; Boiral and Henri, 2012).
(4) Signaling theory (Spence, 1973): Studies have addressed the role of voluntary standards in supplier selection under conditions of imperfect information, mostly focusing on performance implications, absorption levels and time-dependent dynamics (e.g. Terlaak and King, 2006; Narasimhan et al., 2015).
(5) Stakeholder theory (Freeman, 1984): Due to the integration of business and social issues under this view, prior research has explored how the pressure from (non-business) stakeholders might influence the motivations driving standard implementation and absorption, as well as the impact on operational and reputational performance (e.g. Castka and Prajogo, 2013).
Although these theories can also be applied effectively to the study of ISO/IEC 27001, we believe that future research should not be limited to the standard implementation within single organizations, but should (1) address its role within the suite of ISS practices and standards and (2) take into consideration that the scope of ISS reaches beyond organizational boundaries. Figure 3 clarifies how these two perspectives can be investigated, including a possible theoretical underpinning and a summary of the main research opportunities, which are outlined in the following paragraphs. In the figure, the perspectives form a matrix that identifies four overarching research areas with different scopes. With respect to these four quadrants, the rationale behind the research agenda is based on the tenets of social systems thinking (e.g. Checkland, 1997; Weinberg, 2001). We drew from various approaches within this school of thought to provide a comprehensive, yet parsimonious analytical framework targeted at academics from different backgrounds. Reframing and reorganizing research topics through a system-based approach has proved to offer a good basis for providing new stimulus to scientific research and novel outlooks to the business community (e.g. Bititci et al., 2012; Schleicher et al., 2018).
In simple terms, a system is a set of interrelated elements, such that a change in one element affects others in the system (Von Bertalanffy, 1956); the system is characterized by a common purpose, functions as a whole and adapts to changes in the environmental conditions (Boulding, 1956; Katz and Kahn, 1978). Different theories co-exist under this umbrella, this plurality yielding a rich research stream with a strong interdisciplinary connotation (Mele et al., 2010; Post et al., 2020).
Based on the findings of our review and the challenges outlined in the previous section, it is possible to consider as social systems both: (1) the suite of standards and formal and informal practices, including ISO/IEC 27001, that are implemented by organizations to manage ISS and cybersecurity; and (2) the network of relations in which organizations are embedded, be it supply chains, platform-based ecosystems or industries.
Different frameworks can be applied to these two systems. The first finds analytical support particularly in the congruence systems model, as originally formulated by Nadler and Tushman (1980, 1984) and recently re-elaborated by Schleicher et al. (2018). The model sees organizational practices as systems, identifying their inputs and outputs as well as their underlying components, i.e. tasks, individuals, formal and informal processes. These components are assumed to exist in a state of relative balance, their congruence determining the overall … (Katz and Kahn, 1978; Schleicher et al., 2018), suggesting that different configurations of various system components can lead to the same output or outcome. Several research opportunities stem from this view to investigate both the implementation of ISO/IEC 27001, e.g. the congruence between requirements and actual practices, the opportunity to pursue a certification as opposed to informal implementation and non-standardized practices, and the managerial implications of multiple standard integration, including the analysis of congruence as a predictor of ISS performance. Overall, future research can develop typologies and taxonomies on the basis of the elements identified by the model to clarify the role of ISO/IEC 27001 within the suite of ISS standards and practices.

Figure 3. Intra-organization quadrant: Congruence Systems Model (Nadler and Tushman, 1980, 1984; Schleicher et al., 2018); typologies and taxonomies
The second system-level view, i.e. the network of relations in which organizations are embedded, is useful for analyzing how ISO/IEC 27001 supports ISS in a context characterized by inter-organizational information flows. The issue can be approached through the complexity-based perspectives germane to social systems thinking: these enable the analysis of emerging structures in the interaction among autonomous agents, e.g. firms, and consider the adaptation of the whole system to the external environment. Among these perspectives, two theoretical lenses seem particularly suited to the issue at hand: (1) collaborative systems, as outlined by Schneider et al. (2017) drawing from Luhmann (1995, 2013), to elucidate how individual organizations shape their approach to ISS depending on the network of relations they are embedded in;
(2) complex adaptive systems (CAS), which shift the unit of analysis from the single organization to the whole network of relations, thus enabling the analysis of ISS practices at the level of the supply chain and the business ecosystem.
On the one hand, collaborative systems are based on the general principle that organizational structures and processes need to adapt to changes in the economic, technological and regulatory environment (Luhmann, 1995). Individual organizations can opt for internal solutions, but can also pursue joint initiatives, such as embracing standards or orchestrating industry-wide responses. These joint initiatives are more likely to happen if there is a history of cross-organizational collaboration connecting the agents and when concerns about the relevance of the issue to be addressed are shared between them (Schneider et al., 2017). These considerations are relevant to future research investigating organizations implementing internal ISS methodologies as opposed to standards, especially in light of new technologies and business models. Similarly, they can be tested with respect to standard diffusion patterns, as well as taking the correlation between standards and implementation methodologies into account.
On the other hand, CAS are conceptualized as dynamic networks of autonomous agents (or firms) that interact with one another and with their environment to produce evolving systems (Choi et al., 2001; Carter et al., 2015). The study of CAS is characterized by three analytical dimensions: the internal mechanisms governing the relations among the agents, the adaptability of the network to changes in the external environment and the presence of co-evolutionary dynamics spreading through specific portions of the network. ISO/IEC 27001, like other norms and standards, is an internal mechanism of control that limits the freedom of individual agents within the network with the goal of achieving higher system efficiency. The key questions for future research, which can be answered through a CAS perspective, are related to the role of ISO/IEC 27001 in guaranteeing ISS at the level of the supply chain/business ecosystem and the presence of possible performance trade-offs, for instance related to lower flexibility in suppliers' selection. Moreover, future studies can investigate the role of ISO/IEC 27001 and other ISS standards in supporting/impeding network reconfiguration in response to changes in the external environment, e.g. the rapid changes triggered by the current pandemic outlined in the previous section. Finally, it is possible to identify how ISS approaches spread through specific portions of the network, e.g. platform operators vs ecosystem participants, downstream vs upstream firms along manufacturing supply chains.
In sum, we believe that our reasoning may provide a fresh perspective on the knowledge gaps on ISO/IEC 27001. ISS requires broad interdisciplinary approaches because of the technical and societal nature of the issue, coupled with the broad range of stakeholders' interests involved (Siedlok and Hibbert, 2014). For managerial and organizational disciplines, however, the study of ISS is still in many respects uncharted territory. Social systems thinking may provide a good entry point for researchers of different backgrounds to engage in issues that are increasingly relevant for managers in the emerging technological and business landscape.

Conclusions
The aim of this study was to map the state of the literature on ISO/IEC 27001 and formulate a theory-based research agenda at the intersection between IS and managerial disciplines, including quality management. The main insights and research challenges, also related to the increasing digitalization brought about by the current COVID-19 pandemic, were discussed, leading to the formulation of a theory-based research agenda grounded in social systems thinking.
This paper contributes to the academic literature in at least two ways. First, it provides an overview of the current knowledge of the standard, highlighting emerging themes and open issues, thereby providing solid foundations for future research on the topic. Second, it explicitly indicates a set of research opportunities, considering ISO/IEC 27001 as part of a system of standards and practices and in the context of networks of business relations. Drawing from the indications of Seuring et al. (2020), we borrowed three theories related to social systems thinking to read the results of our analysis through new lenses. This enabled us to problematize the assumption behind ISO/IEC 27001 research as a firm-level phenomenon. We are confident that our study can serve as a springboard for interdisciplinary research on the matter, including quality, supply chain and operations, and human resource management.
The study delivers some implications for policymakers and corporate managers. Overall, we provide a comprehensive overview of the body of knowledge on the standard, allowing for a better understanding of motivations, the implementation process and possible performance implications. Managers interested in implementing the standard can read these findings to better understand the implications of being certified, as well as to focus on potential issues related to the high flexibility of the guidelines, the lack of leadership support and the involvement of external consultants. Policymakers can leverage our results to inform promotion and regulatory activities aimed at sustaining the diffusion of the standard. In any case, the paper argues for a system-level view of ISS. We urge decision-makers to analyze the context in which information is exchanged and the governance of ISS within such a context. The issue is topical considering the increasing relevance of digital ecosystems.
To conclude, ISS and the ISO/IEC 27001 standard are still treated by academia as a technical topic; comparatively few studies adopt a managerial perspective. Today, a change of course is required in the face of an increasingly interconnected world, emerging technological opportunities and related challenges. If it holds true that data is the "new oil," then a substantial increase in the research effort is needed to understand how organizations may secure information assets and what role major international standards play in providing guidance against an ever-increasing complexity.

Table 3. Implementation
… ISO/IEC 27001:2013), it is still worth mentioning the main problems highlighted by previous research. Controls seemed not to be applicable in organizations with low-technological profiles