This paper presents the findings of an empirical study of certification auditors' and information security consultants' experiences and insights concerning the implementation and certification of information security management systems. Using an action research strategy and a grounded theory research method, the study describes these experiences and insights primarily in terms of critical success factors vital to the implementation and certification processes. Two tentative theoretical frameworks, providing synthesized views of these factors, are put forth.

1. INTRODUCTION

Implementation and certification of ISMS (information security management systems) currently interests many researchers and practitioners. In particular 7799, the British and now also international standard for ISMS (ISO 2000, BSI 1999), has received a lot of attention in the information security research community lately. Siponen (2001) criticises 7799, and other information security (management) standards, from the viewpoint of philosophy of science and argues that these standards were developed on the basis of personal observations that were not scientifically justified. In addition, Siponen argues, the standards in question claim to be universally valid, although they are not. Eloff and S. Von Solms (1998, 2000a, 2000b) suggest that both IT product security (measured by, for example, the Common Criteria) and procedural information security (measured against, for example, 7799) have to be taken into account when measuring the level of information security in an organisation.
Björck, F. (2001). Implementing Information Security Management Systems. In Advances in Information Security Management & Small Systems Security (pp. 197–211). Springer US. https://doi.org/10.1007/0-306-47007-1_15