Jan 05, 2020

Literature Review Sample

www.dissertationwritersuk.co.uk

2.0 Literature Review

2.1 Introduction

This chapter is devoted to providing a review of the literature pertaining to ISO27001, specifically in relation to SMEs and business implementation, and also incorporating frameworks which have been developed in regard to ISO27001 development and use. It is fair to suggest that the literature devoted specifically to ISO27001 in an SME context is fairly limited, which can in part be attributed to the relative youth of ISO27001 as a standard, as it was formally launched in October 2005 (ISO, 2011). Moreover, despite the noble and farsighted intentions of ISO27001, bearing in mind the dramatically increased use of technology in recent years, there has still been limited adoption of ISO27001 due to several challenges associated with its use. Thus, this chapter will also consider these issues, as well as the risks associated with information security management.

2.2 ISO27001

The first section of this literature review gives specific consideration to ISO27001 itself, beginning with an overview of its evolution as an international standard, and some of its perceived benefits and challenges. Providing this contextual background will be of particular use when seeking to understand why SMEs have not embraced ISO27001.

The formal name of ISO27001 is “ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems – Requirements” (ISO, 2011). The standard is a formal specification of a management control system which is directly concerned with information security management. Under the principles of all ISO standards, ISO27001 mandates certain requirements for information control on all organisations which claim to have adopted it. Moreover, the adoption of ISO27001 means that any organisation which claims to adhere to the mandate will be audited by the ISO, and if it is found to be compliant it can be certified as such.


ISO27001 sets out a number of specific over-arching requirements as follows:

• “Systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities and impacts;

• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

• Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis”. (ISO, 2011)

As is immediately apparent, these specific requirements are broad and adopt a holistic perspective, and they also require that the organisation in question takes an active role in regularly monitoring and reviewing its information security practices. According to Meyer and Heymans (2007) it is this on-going and reasonably labour-intensive requirement that may provide a clue as to why adoption of ISO27001 has been lower than anticipated. Bearing this in mind, the following section will examine the evolution of ISO 27001 to understand how it came to be developed and why it was felt necessary to introduce such broad and resource-intensive requirements in order to satisfy the criteria.

2.2.1 The Evolution of ISO27001

ISO 27001 evolved in recognition of the fact that although most organisations have some form of information security or control, their efforts are often disjointed and, in the words of Parkin and van Moorsel (2009:9), “disorganised”. To that effect, the ISO determined that it would be prudent to introduce an over-arching standard of information security and compliance.

Forerunners to ISO 27001 included BS 7799 (BSI, 2011). BS 7799 was formed in 1995 by the British Standards Institute in recognition of the growing need to form some control over the increasing use of electronic and ‘soft copy’ data. It consisted of three main elements, in a not dissimilar manner to the existing ISO 27001. These elements were:

(i) Best practice in regard to information security management;

(ii) The second element was concerned with implementation of such an information security system and was titled “Information Security Management Systems - Specification with guidance for use” (BS 7799);

(iii) The third element was concerned with risk assessment and its control and management in relation to information security.

In 1998 this tri-partite approach was eventually codified by the ISO, and the standard became known as ISO 17799 “Information Technology - Code of practice for information security management” (ISO, 2011). After a number of revisions, which included the introduction of the Deming quality control model PDCA (Plan – Do – Check – Act) in 2002, ISO 27001 as we know it today was finally confirmed in October 2005. Moreover, the standard has continued to undergo revision and expansion, and in July 2007 a code of practice was included in the standard as an addendum.

The heritage of the current ISO 27001 is apparent in the origins of BS 7799, and the basic principles have remained valid as a comprehensive means of ensuring the security and management of information in organisations. Even before ISO 27001 was launched in its current form, academics such as Hanson (2002:1) regarded BS 7799 as being a “must for success in the digital economy”. His view was shared by scholars such as Wolley (2000) and Ferrant (2002). At the time they were primarily focussing on the concept of internet banking, which was in its very early stages as a domestic offering.

This raises a number of interesting questions in respect of why there has not been more widespread take-up of ISO 27001. Clearly it is regarded by scholars and practitioners alike as a critical management tool in the digital era. If this was the case nearly a decade ago, then why have most firms failed to adopt best practice in information security and management? This is especially concerning given that the use of the internet and digital information formats has increased exponentially in that time. The vast majority of the populations of the developed nations use the internet in their daily lives and share huge amounts of personal data on a daily basis (Mace et al, 2009). Moreover, the success of hackers in breaching the security of high-profile Multinational Corporations (MNCs) such as Sony (The Economist, 2011) demonstrates that it is alarmingly easy to acquire personal data and effectively take over someone’s personal identity. The fact that, despite these risks, so few companies, and in particular SMEs, adopt ISO 27001 brings us to the core of this study.


2.2.2 Benefits of ISO27001

Having provided a contextual picture of the evolution of ISO 27001 and the environment in which firms now operate, it is useful at this stage to critically consider the perceived benefits of ISO 27001, and the ontological discussions which have developed around its existence. Although much of the ontological discussion relates to human behaviour and the perceptions of risk relative to experience and knowledge (Parkin and van Moorsel, 2009), there are a number of obvious and immediate benefits to implementing an information security management system of some nature.

A review of the literature pertaining to ISO 27001 has identified four main benefits to its implementation. These are (i) compliance; (ii) a marketable advantage; (iii) reduced long-term costs; and (iv) business control. The core principle of ISO 27001 is that it helps to reduce the risks associated with data and information management, and in a knowledge economy it would seem logical that ISO 27001 is perhaps the most important control standard of all. However, it is useful to critically address each of these benefits in turn in relation to the existing literature.

Compliance: Although ISO 27001 is certainly not a legal requirement, it does help to provide an organisation with a framework for information security management and a means of legitimising its internal control procedures (Muhaya, 2010). For smaller businesses especially, this is a useful means of demonstrating to suppliers and potential customers that the business is entirely serious about the protection and management of data. Muhaya (2010) also notes that in the light of increasing social awareness of digital security issues, compliance with ISO 27001 can give smaller companies an edge when they are tendering for large-scale Government or national contracts, because it demonstrates a level of professionalism and the existence of a robust methodology that will differentiate them from their competitors in a tender situation.

Marketable Advantage: Mataracioglu and Ozkan (2011) build on the notion of compliance and argue that organisations which implement ISO 27001 have a marketable edge or advantage. They argue that this is largely implied from the existence of demonstrable business control, but still exists. They further expand that in the digital age it is more important than ever before for organisations to demonstrate that they take information security very seriously, regardless of whether they are a public or private body, and therefore an ability to demonstrate compliance with ISO 27001 should provide a ‘marketable advantage’. This is especially true if there is a need to handle personal data.

Reduced Long-Term Costs: There is little argument over the fact that the implementation and continued application of ISO 27001 in a compliant form is cost- and resource-intensive, especially at the implementation stage (Meyer and Heymans, 2007; Mataracioglu and Ozkan, 2011). This factor has been identified by both academics and practitioners as the main reason that firms do not adopt ISO 27001, as the compliance factor is comprehensive but not particularly complex. However, Kosutic (2010) argues that in the long term it is better to implement ISO 27001 than run the risk of having to deal with a security breach. Bearing in mind that the estimated cost to Sony is in the region of $3 million in lost consumer confidence and insurance claims, this argument makes perfect economic sense. Kosutic (2010) further observes that although the cost to Sony was considerable, they were able to withstand this because of the overall size and existing reputation of their business. For smaller firms the costs of dealing with an information security breach could be enough to destroy the business entirely in terms of payouts and lost business reputation.

Business Control: Finally, Henson and Hallas (nd) suggest that business control is a little-recognised but extremely useful benefit of ISO 27001. The reason for this is entirely pragmatic: many successful SMEs grow exponentially and organically, meaning that the finer detail of control processes and organisational frameworks is often left behind in the drive to attract new clients and build the business. Moreover, many entrepreneurs lack the necessary mindset for routine but detailed work such as the creation of process documents and regular audits. Thus Henson and Hallas (nd) indicate that ISO 27001 can actually serve the dual function of bringing some control to a rapidly expanding SME, as well as helping it to focus its attention on detail and information security in a digital age.

2.2.3 Challenges of ISO27001

As can be seen from the foregoing discussion, it is clear that there are a number of advantages and benefits which accompany the implementation of ISO 27001. However, the fact remains that many organisations have failed to adopt it, and therefore it is necessary to critically consider the challenges and disadvantages of its introduction and use. A review of the literature in this regard has revealed that there are six main challenges in the successful implementation of ISO 27001, which might immediately help us to understand why there is limited adoption of ISO 27001 if the perceived challenges outweigh the benefits. These challenges are perceived as (i) obtaining information and support; (ii) translating the technical jargon of ISO 27001 into pragmatic instruction; (iii) integrating ISO 27001 with existing standards and control procedures; (iv) making ISO 27001 ‘workable’ in a small business; (v) understanding the ISO audit process; and (vi) selling the perceived benefits to clients.

Obtaining Information and Support: According to Fraser (2010), despite the proliferation of technical information in respect of ISO 27001, there is in fact very limited information and support for non-technical experts. Bearing in mind that many small businesses lack the resource to employ a full-time IT specialist, and some cannot even afford the consultant costs, this immediately sheds light on why so many small businesses fail to even consider the implementation of ISO 27001. Quite simply, the ISO provides insufficient practical support.

Translating the Technical Jargon: Lee and Jang (2009) found that the cost of hiring a technical expert to decode the jargon of ISO 27001 was simply too much for many small businesses. They determined that although the over-arching principles of ISO 27001 were straightforward, the detail of ISO 27001 is complex for a non-specialist. Many SMEs perceived the risk of misinterpreting the requirements as being too high, and therefore, as ISO 27001 is not a legal requirement, they did not consider it to be of sufficient benefit.

Integrating ISO 27001 with other Standards: Fraser (2010) also found that those SMEs who had attempted to introduce ISO 27001 had in fact found it very difficult to integrate with existing ISO standards, in particular ISO 14000 (environmental management), and with the management of third-party data. Although ISO 27001 and ISO 14000 are designed to work together, in reality it seems that the burden of compliance is often too much for a small business to manage, and a diluted version would be far preferable.

Making ISO 27001 ‘workable’: This was a complaint picked up by several researchers, such as Liberman (2011). Quite simply, many SMEs found that ISO 27001 is unworkable for a small firm because of the rigorous level of compliance and ongoing audit required. It seems that SMEs lack the resource necessary for ongoing review. Whilst this review is entirely understandable from a theoretical perspective, as information security threats are constantly evolving, the level of resource required in a practical context is simply too much for an SME which is focussed on generating new business in order to grow and survive.

Understanding the Audit Process: Both Fraser (2010) and Liberman (2011) concurred that the ISO could do more to clarify the audit process for non-specialists. Although an auditor must obviously be highly trained, there is in fact a dearth of practical advice in respect of preparing for an ISO 27001 audit.

Selling the Perceived Benefits: This is a further practical consideration raised by Fraser (2010) and also acknowledged by Kosutic (2010). ISO 27001 has a number of benefits as discussed above, but these benefits mean nothing if the recipient (client or customer) does not actually know what ISO 27001 is. It seems from anecdotal evidence that although specialists are acutely aware of ISO 27001, the greater proportion of the business community is not. This further demonstrates why SMEs do not implement ISO 27001: they do not know what it is or that it even exists.

2.3 The Ontology of Information Security

Having discussed the perceived benefits and challenges of ISO 27001, it is also useful to briefly address the ontology of information security and some of the theories and frameworks which have been developed. In its most straightforward form, ontology discusses the underlying philosophy of information security, or in other words the perceived risk from the viewpoint of various stakeholders. Parkin and van Moorsel (2009) proposed the following framework in respect of information security in general, which is shown in figure 1 below.


Figure 1: Overview of the Information Security Ontology (Parkin and van Moorsel, 2009)

It is immediately apparent that there are a considerable number of factors which influence perceived information security. According to Bartsch et al (2008) this can partially illuminate why so many SMEs fail to adopt ISO 27001, or any other form of information security control for that matter: they simply do not perceive it as a risk. Moreover, both Parkin and van Moorsel (2009) and Bartsch et al (nd) have demonstrated that information security has as much to do with human behaviour as it does with technological control. When this is viewed through a pragmatic prism, it can be hypothesised that many SMEs do not realise that existing technical controls (for example virus scanners) do not constitute information security. In fact it is human process control which often has a greater effect (Barlette, 2008). It seems from the literature that there are a number of pragmatic steps that many SMEs could take, but they do not realise the necessity of doing so, a point which was raised as a challenge of ISO 27001.


2.4 ISO27001 Implementation and SMEs

It is also useful to provide a concise overview of the existing information relating to ISO 27001 and SMEs from a combined theoretical and pragmatic perspective, as this appears to be the sticking point which inhibits many SMEs from adopting ISO 27001. Valdevit et al (2010) posit that for those SMEs who do decide to implement ISO 27001, there is a dearth of practical advice, a view which is shared by Foster (2010) and Lee and Jang (nd). It seems from the dearth of existing literature in this regard that the most likely explanation is a case of ‘chicken and egg’, insofar as there is limited guidance because so few SMEs have adopted it, and on a secondary basis the costs of doing so are perceived as extortionate or as not delivering a quantifiable Return on Investment. In order to address this issue, Valdevit et al (2010) proposed a simple approach based on the Deming PDCA framework and the requirements of ISO 27001, as shown in figure 2 below.

Figure 2: ISO 27001 Requirements (Valdevit et al, 2010)


Their intent was to produce a means of selecting the pertinent aspects of ISO 27001 in a workable form for SMEs, such that they could adhere to the mandate in an affordable manner. Given the recent publication of this paper there is yet to be any published criticism or challenge to their suggestion. Moreover, there is also a lack of practitioner opinion, which will be addressed in this work using the framework set out above.

2.5 Summary

In summary of this chapter, there has been a discussion of ISO 27001, its purpose, application, benefits and challenges. There has also been a brief discussion pertaining to the ontology of ISO 27001 and information security management in general, and a possible series of explanations for its limited adoption by SMEs, which in the majority of cases appear to be largely pragmatic. Finally, this chapter has explored the framework which will be used as the basis for primary research in understanding why there is such a limited take-up of ISO 27001 amongst small firms.


Bibliography

Audretsch, D.B., Keilbach, M.C. and Lehmann, E.E. (2006) Entrepreneurship and Economic Growth. Oxford: Oxford University Press.

Barlette (2008) Exploring the suitability of IS security management standards for SMEs. Proceedings of the 41st Hawaii International Conference on System Sciences, 2008.

Barlette and Fomin (2008) Information Systems Security: Scope, State-of-the-art, and Evaluation of Techniques. International Journal of Information Management, Vol. 15 (3), pp. 165-180.

Bartsch, Karsten Sohr and Carsten Bormann (2008) Supporting Agile Development of Authorization Rules for SME Applications. CollaborateCom 2008, pp. 461-471.

BERR (2008) Information Security Breaches Survey, technical report. PriceWaterhouseCoopers, in association with Symantec, HP and The Security Company. Available from: http://www.security-survey.gov.uk

British Standards Institute (BSI) (2011) Main website, available at http://www.bsigroup.com/

Bryman, A. and Bell, E. (2007) Business Research Methods, 2nd Edition. Oxford: Oxford University Press.

Dojkovski et al (2007) Implementing information security in the 21st century: Do you have the balancing factors? Computers and Security, Vol. 19 (4), pp. 337-347.

Glouch et al (2008) Policies, procedures and standards: an approach for implementation. Information Management & Computer Security, Vol. 3 (3), pp. 7-16.

Hamson (2002) BSI’s Information Security Standard - BS 7799 - Becomes Global Standard: Information security - a must for success in the digital economy. Business Standards (ISO 9000, 14000, QS-9000, Environmental Management System EMS, TL 9000, AS9000), Jan/Feb 2002.

Henson and Hallas (nd) SMEs, Information Risk Management, and ROI. Marmalade Box Consulting.

Horn, R. (2009) Researching and Writing Dissertations: A complete guide for business and management students. Chartered Institute of Personnel and Development.

International Organisation for Standardisation (ISO) (2011) Main website, available at http://www.iso.org/iso/home.html

ISO 27001 (2011) Information security and risk. Available at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103

Johnson and Toth (2007) Corporate information security management. New Library World, Vol. 100, No. 1150, pp. 213-227, MCB University Press.

Kajava, J. et al (2010) Information security standards and global business. Proceedings of the International Conference on Industrial Technology (ICIT 2010), December 15-17, Mumbai, India, pp. 2091-2095.

Lee and Jang (2009) A Study on Information Security Management System Model for Small and Medium Enterprises. Recent Advances in E-Activities, Information Security and Privacy, pp. 84-88.

Lieberman (2011) Practical Advice for SMBs to Use ISO 27001. CIOZone.com - Professional Network for CIOs and IT Professionals.

Mace, Simon Parkin and Aad van Moorsel (2009) Ontology Editing Tool for Information Security and Human Factors Experts. Technical Report Series No. CS-TR-1172, September 2009.


Mataracioglu and Ozkan (2011) Analysis of the User Acceptance for Implementing ISO27001:2005 in Turkish Public Organisations. International Journal of Managing Information Technology (IJMIT), Vol. 3, No. 1, February 2011.

Mayer, Patrick Heymans and Raimundas Matulevičius (2007) Design of a Modelling Language for Information System Security Risk Management. Proceedings of the Workshop on Information Security – System Rating and Ranking, Virginia.

Muhaya (2010) An Approach for the Development of National Information Security Policies. International Journal of Advanced Science and Technology, Vol. 21, August 2010.

Parkin and van Moorsel (2009) An Information Security Ontology Incorporating Human-Behavioural Implications. Technical Report Series No. CS-TR-1139, February 2009.

Saunders, M., Lewis, P. and Thornhill, A. (2009) Research Methods for Business Students, 5th Edition. Financial Times Prentice Hall.

The Economist (2011) Cybersecurity: hacked off. In print, 14th July 2011.

The Times (2011) Hacking of data firm Epsilon exposes customers of 50 firms. In print, 5th April 2011.

Valdevit, Nicolas Mayer and Béatrix Barafort (2008) Tailoring ISO/IEC 27001 for SMEs: A guide to implement an Information Security Management System in small settings. National Information Infrastructure Initiatives: Vision and Policy Design, MIT Press, Cambridge, Mass.