Search results

The aim of this paper is to present the first diffusion analysis of ISO/IEC 27001, the fourth most popular ISO certification at global level and the most important standard for information security.

To achieve the purposes, the authors applied Grey Models (GM) – Even GM (1,1), Even GM (1,1,α,θ), Discrete GM (1,1), Discrete GM (1,1,α) – complemented by the relative growth rate and the doubling time indexes on the six most important countries in terms of issued certificates.

Results show that a growing trend is likely to be expected in the years to come and that China will lead at country level.

The study contributes to the scientific debate by presenting the first diffusive analysis of ISO/IEC 27001 and by proposing a forecasting approach that to date has found little application in the field of international standards.

After 15 years of research, this paper aims to present a review of the academic literature on the ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field.

The study is structured as a systematic literature review.

Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors.

The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim to inspire future interdisciplinary studies at the crossroad between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities.

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet, data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations, can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.

This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.

This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

In the context of the globalization of markets and free trade, the importance of the Internet in the systems of negotiation, communication, and data exchange grows, which puts the problem of information security at the forefront. Actions and improvement activities on the management of confidential information are becoming increasingly important in organizations.

However, information is not just stored in computers; information can be on paper, on a disc, and in the minds of those who work for the organization. Information becomes part of the heritage, and it must be preserved throughout its entire life cycle.

Nowadays, the mere use of some information defence technology is no longer enough; therefore, it becomes essential to implement an efficient Information Security Management System (ISMS) to guarantee a competitive advantage compared to competitors. ISO/IEC 27001 standard outlines the structure for implementing an ISMS and helps organizations manage and protect information assets.

This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.

Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.

The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.

This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.

This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.

The purpose of this paper is to identify various information security management parameters and develop a conceptual framework for it.

Interpretive Structural Modeling (ISM) and MICMAC approaches have been used to identify and classify the key factors of information security management based on the direct and indirect relationship of these factors.

The research presents a classification of key parameters according to their driving power and dependence which enable information security management in an organization. It also suggests parameters on which management should pay more attention.

In the paper, 12 parameters were identified based on a literature study and expert help. It is possible to identify some more parameters for ISM development. The help of experts was also used to identify the contextual relationship among the variables for the ISM model. This may introduce some element of bias. Although a relationship model using ISM has been developed, it has not been validated statistically. For future research, it is suggested that the structural equation modelling (SEM) technique may be used to corroborate the findings of ISM. Some of the variables have been grouped together, being a part of a subset due to their similar nature; but it is possible to treat them as independent variables. Future researches may establish their interrelationships also.

The paper has tremendous practical utility for organizations which want to reap the benefits of information and communication technology for their growth but are struggling to find a right approach to deal with information security breach incidents.

Development of a framework for information security management in an organization is the major contribution of this paper. This would be of help to strategic managers in managing information security with emphasis on key parameters identified here.

The purpose of this paper is to propose a framework for security controls automation, in order to achieve greater efficiency and reduce the complexity of information security management.

This research reviewed the controls recommended by well known standards such as ISO/IEC 27001 and NIST SP 800‐53; and identified security controls that can be automated by existing hard‐and software tools. The research also analyzed the Security Information and Event Management (SIEM) technology and proposed a SIEM‐based framework for security controls automation, taking into account the automation potential of SIEM systems and their integration possibilities with several security tools.

About 30 per cent of information security controls can be automated and they were grouped in a list of ten automatable security controls. A SIEM‐based framework can be used for centralized and integrated management of the ten automatable security controls.

By implementing the proposed framework and therefore automating as many security controls as possible, organizations will achieve more efficiency in information security management, reducing also the complexity of this process. This research may also be useful for SIEM vendors, in order to include more functionality to their products and provide a maximum of security controls automation within SIEM platforms.

This paper delimits the boundaries of information security automation and defines what automation means for each security control. A novel framework for security controls automation is proposed. This research provides an automation concept that goes beyond what it is normally described in previous works and SIEM solutions.

This study aims to determine the extent to which information security management (ISM) practices impact the organisational agility by examining the relationship between both concepts.

A quantitative method research design has been used in this study. This study was conducted throughout Malaysia with a total of 250 valid questionnaires obtained from managers and executives from the Multimedia Super Corridor (MSC)-status companies. Structural equation modelling (SEM) using partial least square was used to analyse the data and to test all nine hypotheses developed in this study.

Findings from this study indicate that operational agility (OA) is significantly related to ISM practices in MSC-status companies. The validation of the structural model of nine hypotheses developed for this study has demonstrated satisfactory results, exhibited six significant direct relationships and three insignificant relationships.

This study has addressed the needs for a comprehensive, coherent and empirically tested ISM practices and organisational agility framework. The current theoretical framework used in this study emphasised on the ISM–organisational agility dimensions that are predominantly important to ascertain high level of ISM practices and perceived agility level among the information technology (IT) business companies in Malaysia. With the application of SEM for powerful analysis, the empirical-based framework established in this study was validated by the empirical findings, thus contributing significantly to the field of information security (InfoSec).

This study has filled the research gap between different constructs of ISM practices and OA. The model put forth in this study contributes in several ways to the InfoSec research community. The recognition of InfoSec practices that could facilitate organisational agility in the IT industry in Malaysia is vital and contributes to more value creation for the organisations.

Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators.

Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.

A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations but its existence was not thoroughly proven and institutional inconsistency still exists.

This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of Ethiopian financial sector.

Augmentation of an ISO 10001 code system for healthcare worker (HW) satisfaction with ISO/IEC 27701 and ISO/IEC 29184 privacy-related subsystems is shown. Four specific codes regarding the privacy of HWs using electronic devices for hand hygiene (HH) monitoring and the related activities are presented.

HWs’ concerns involving automated hand hygiene monitoring technologies were identified through a literature review and classified. Privacy codes (PCs) that deal with such concerns were developed. ISO/IEC 27701 requirements for privacy information were mapped to the elements of these codes, labelled as “Healthcare Workers’ Hand Hygiene Privacy Codes (HW-HH-PCs)”. Both ISO/IEC 27701 and ISO/IEC 29184 guidelines for Privacy Notices and consent were linked with the activities for preparing the code resources.

Components of an ISO/IEC 27701 system, the guidance of ISO/IEC 29184 and the definitions provided in ISO/IEC 29100 can assist the preparation of HW-HH-PCs and the required resources. An ISO/IEC 29184 Privacy Notice can be used as input for developing an Informed Consent Form, which can be implemented to suit two of the four developed HW-HH-PCs.

HW-HH-PCs and the supporting resources, which healthcare organizations could implement to potentially increase quality assurance of an automated HH monitoring service, are illustrated.

Integrative augmentation of ISO 10001:2018, ISO/IEC 27701:2019 and ISO/IEC 29184:2020 within an underlying framework from ISO/IEC 20000–1:2018 for information technology service, together with the related examples of privacy-related customer satisfaction codes and the corresponding resources, is introduced.