Literature Review Sample
www.dissertationwritersuk.co.uk
2.0 Literature Review
2.1 Introduction
This chapter is devoted to providing a review of the literature pertaining to ISO27001, specifically in relation to SMEs and business implementation, and also incorporating frameworks which have been developed in regards to ISO27001 development and use. It is fair to suggest that the literature devoted specifically to ISO27001 in an SME context is fairly limited, which can in part be attributed to the relative youth of ISO27001 as a standard, as it was formally launched in October 2005 (ISO, 2011). Moreover, despite the noble and farsighted intentions of ISO27001, bearing in mind the dramatically increased use of technology in recent years, there has still been limited adoption of ISO27001 due to several challenges associated with its use. Thus, this chapter will also consider these issues, as well as the risks associated with information security management.
2.2 ISO27001
The first section of this literature review gives specific consideration to ISO27001 itself, beginning with an overview of its evolution as an international standard, and some of its perceived benefits and challenges. Providing this contextual background will be of particular use when seeking to understand why SMEs have not embraced ISO27001.
The formal name of ISO27001 is "ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements" (ISO, 2011). The standard is a formal specification of an information security management system (ISMS): the policies, risk assessment, controls and management processes by which an organisation governs its information security. In common with other ISO management system standards, ISO27001 mandates certain requirements on every organisation which claims to have adopted it. Moreover, an organisation which claims to conform can be audited against the standard and, if found to conform, certified as such. It should be noted that the audit and certification are carried out by independent, accredited certification bodies rather than by the ISO itself, which publishes the standard but does not certify against it.
ISO27001 sets out a number of specific over-arching requirements as follows:
• “Systematically examine the organisation's information security risks, taking account
of the threats, vulnerabilities and impacts;
• Design and implement a coherent and comprehensive suite of information security
controls and/or other forms of risk treatment (such as risk avoidance or risk transfer)
to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security
controls continue to meet the organisation's information security needs on an ongoing
basis”. (ISO, 2011)
As is immediately apparent, these specific requirements are broad and adopt a holistic
perspective, and they also require that the organisation in question takes an active role in
regularly monitoring and reviewing their information security practices. According to Meyer
and Heymans (2007) it is this on-going and reasonably labour intensive requirement that may
provide a clue as to why adoption of ISO27001 has been lower than anticipated. Bearing this
in mind, the following section will examine the evolution of ISO 27001 to understand how it
came to be developed and why it was felt necessary to introduce such broad and resource-
intensive requirements in order to satisfy the criteria.
2.2.1 The Evolution of ISO27001
ISO 27001 evolved in recognition of the fact that although most organisations have some form of information security or control, their efforts are often disjointed and, in the words of Parkin and van Moorsel (2009:9), "disorganised". To that effect, the ISO determined that it would be prudent to introduce an over-arching standard of information security and compliance.
The principal forerunner to ISO 27001 was BS 7799 (BSI, 2011). BS 7799 was first published in 1995 by the British Standards Institution in recognition of the growing need to establish some control over the increasing use of electronic and 'soft copy' data. It eventually consisted of three parts, a structure that the ISO/IEC 27000 family of standards still echoes. These parts were:
(i) BS 7799-1 (1995): a code of best practice in regards to information security management;
(ii) BS 7799-2 (1998): concerned with the implementation of such an information security management system, and titled "Information Security Management Systems - Specification with guidance for use" (BS 7799);
(iii) BS 7799-3, added later, was concerned with risk assessment and its control and management in relation to information security.
The first part was adopted by the ISO in 2000 and became known as ISO/IEC 17799 "Information Technology - Code of practice for information security management" (ISO, 2011). The second part, which specifies the management system itself, was revised in 2002 to introduce the Deming quality control cycle PDCA (Plan - Do - Check - Act), and it was this part that was adopted as ISO/IEC 27001 in October 2005. The family has continued to undergo revision and expansion: in July 2007 the code of practice, ISO/IEC 17799, was renumbered ISO/IEC 27002 so that it sits alongside ISO 27001 in the 27000 series.
The heritage of the current ISO 27001 is apparent in the origins of BS7799, and the basic
principles have remained valid as a comprehensive means of ensuring the security and
management of information in organisations. Even before ISO 27001 was launched in its
current form, academics such as Hanson (2002:1) regarded BS 7799 as being a “must for
success in the digital economy”. His view was shared by scholars such as Wolley (2000) and
Ferrant (2002). At the time they were primarily focussing on the concept of internet banking
which was in its very early stages as a domestic offering.
This raises a number of interesting questions in respect of why there has not been more
widespread take-up of ISO 27001. Clearly it is regarded by scholars and practitioners alike
as a critical management tool in the digital era. If this was the case nearly a decade ago, then
why have most firms failed to adopt best practice in information security and management?
This is especially concerning given that the use of the internet and digital information formats
has increased exponentially in that time. The vast majority of the populations of the
developed nations use the internet for their daily lives and share huge amounts of personal
data on a daily basis (Mace et al, 2009). Moreover, the success of hackers in breaching the security of high-profile Multinational Corporations (MNCs) such as Sony (The Economist) demonstrates that it is alarmingly easy to acquire personal data and effectively take over someone's personal identity. The fact that, despite these risks, so few companies, and in particular SMEs, adopt ISO 27001 brings us to the core of this study.
2.2.2 Benefits of ISO27001
Having provided a contextual picture of the evolution of ISO 27001 and the environment in
which firms now operate, it is useful at this stage to critically consider the perceived benefits
of ISO 27001, and the ontological discussions which have developed around its existence.
Although much of the ontological discussion relates to human behaviour and the perceptions
of risk relative to experience and knowledge, (Parkin and van Moorsel, 2009), there are a
number of obvious and immediate benefits to implementing an information security
management system of some nature.
A review of the literature pertaining to ISO 27001 has identified four main benefits to its
implementation. These are (i) compliance; (ii) a marketable advantage; (iii) reduced long
term costs; and (iv) business control. The core principle of ISO 27001 is that it helps to
reduce the risks associated with data and information management, and in a knowledge
economy then it would seem logical that ISO 27001 is perhaps the most important control
standard of all. However, it is useful to critically address each of these benefits in turn in
relation to the existing literature.
Compliance: Although ISO 27001 is certainly not a legal requirement it does help to provide
an organisation with a framework for information security management and a means of
legitimising their internal control procedures (Muhaya, 2010). For smaller businesses
especially this is a useful means of demonstrating to suppliers and potential customers that
the business is entirely serious about the protection and management of data. Muhaya (2010)
also notes that in the light of increasing social awareness of digital security issues,
compliance with ISO 27001 can give smaller companies an edge when they are tendering for
large-scale Government or national contracts because it demonstrates a level of
professionalism and the existence of a robust methodology that will differentiate them from
their competitors in a tender situation.
Marketable Advantage: Mataracioglu and Ozkan (2011) build on the notion of compliance and argue that organisations who implement ISO 27001 have a marketable edge or advantage. They argue that this is largely implied from the existence of demonstrable
business control, but still exists. They further expand that in the digital age it is more
important than ever before for organisations to demonstrate that they take information
security very seriously, regardless of whether they are a public or private body, and therefore
an ability to demonstrate compliance with ISO 27001 should provide a ‘marketable
advantage’. This is especially true if there is a need to handle personal data.
Reduced Long Term Costs: There is little argument over the fact that the implementation
and continued application of ISO 27001 in a compliant form is cost and resource intensive,
especially at the implementation stage (Meyer and Heymans, 2007; Mataracioglu and Ozkan, 2011). Academics and practitioners alike identify this cost as the main reason that firms do not adopt ISO 27001: the requirements are comprehensive rather than complex, so it is the sustained effort rather than the technical difficulty that deters. However, Kosutic (2010) argues that in the long term it is better to
implement ISO 27001 than run the risk of having to deal with a security breach. Bearing in
mind that the estimated cost to Sony is in the region of $3 million in lost consumer
confidence and insurance claims, this argument makes perfect economic sense. Kosutic
(2010) further observes that although the cost to Sony was considerable, they were able to
withstand this because of the overall size and existing reputation of their business. For
smaller firms the costs of dealing with an information security breach could be enough to
destroy the business entirely in terms of payouts and lost business reputation.
Business Control: Finally, Henson and Hallas (nd) suggest that business control is a little recognised but extremely useful benefit of ISO 27001. The reason for this is entirely pragmatic: many successful SMEs grow rapidly and organically, meaning that the finer detail of control processes and organisational frameworks is often left behind in the drive to attract new clients and build the business. Moreover, many entrepreneurs lack the mindset for routine but detailed work such as the creation of process documents and regular audits. Thus Henson and Hallas (nd) indicate that ISO 27001 can actually serve the dual function of bringing some control to a rapidly expanding SME, as well as helping them to focus their attention on detail and on information security in a digital age.
2.2.3 Challenges of ISO27001
As can be seen from the foregoing discussion, it is clear that there are a number of advantages
and benefits which accompany the implementation of ISO 27001. However the fact remains
that many organisations have failed to adopt it, and therefore it is necessary to critically consider the challenges and disadvantages of its introduction and use. A review of the literature in this regard has revealed six main challenges in the successful implementation of ISO 27001, which might immediately help us to understand why adoption of ISO 27001 is limited if the perceived challenges outweigh the benefits. These challenges are perceived as (i) obtaining information and support; (ii) translating the technical jargon of ISO 27001 into pragmatic instruction; (iii) integrating ISO 27001 with existing standards and control procedures; (iv) making ISO 27001 'workable' in a small business; (v) understanding the ISO audit process; and (vi) selling the perceived benefits to clients.
Obtaining Information and Support: according to Fraser (2010), despite the proliferation of
technical information in respect of ISO 27001, there is in fact very limited information and
support for non-technical experts. Bearing in mind that many small businesses lack the
resource to employ a full time IT specialist, and some cannot even afford the consultant costs,
this immediately sheds light on why so many small businesses fail to even consider the
implementation of ISO 27001. Quite simply, the ISO provides insufficient practical support.
Translating the Technical Jargon: Lee and Jang (2009) found that the cost of hiring a
technical expert to decode the jargon of ISO 27001 was simply too much for many small
businesses. They determined that although the over-arching principles of ISO 27001 were
straightforward, the detail of ISO 27001 is complex for a non-specialist. Many SMEs perceived the risk of misinterpreting the requirements as being too high, and therefore, as ISO 27001 is not a legal requirement, they did not consider it to be of sufficient benefit.
Integrating ISO 27001 with other Standards: Fraser (2010) also found that those SMEs who had attempted to introduce ISO 27001 had in fact found it very difficult to integrate with existing ISO standards, in particular the ISO 14000 family (environmental management), and with the management of third-party data. Although ISO 27001 and ISO 14000 are designed to be compatible, in reality it seems that the combined burden of compliance is often too much for a small business to manage, and a diluted version would be far preferable.
Making ISO 27001 'workable': This was a complaint picked up by several researchers such as Liberman (2011). Quite simply, many SMEs found that ISO 27001 is unworkable for a
small firm because of the rigorous level of compliance and ongoing audit required. It seems that SMEs lack the resource necessary for ongoing review. Whilst this requirement for review is entirely understandable from a theoretical perspective, as information security threats are constantly evolving, the level of resource required in a practical context is simply too much for an SME which is focussed on generating new business in order to grow and survive.
Understanding the Audit Process: Both Fraser (2010) and Liberman (2011) concurred that
the ISO could do more to clarify the audit process for non-specialists. Although an auditor
must obviously be highly trained, there is in fact a dearth of practical advice in respect of
preparing for an ISO 27001 audit.
Selling the Perceived Benefits: This is a further practical consideration raised by Fraser (2010) and also acknowledged by Kosutic (2010). ISO 27001 has a number of benefits as discussed above, but these benefits mean nothing if the recipient (client or customer) does not actually know what ISO 27001 is. It seems from anecdotal evidence that although specialists are acutely aware of ISO 27001, the greater proportion of the business community is not. This further demonstrates why SMEs do not implement ISO 27001: they do not know what it is, or even that it exists.
2.3 The Ontology of Information Security
Having discussed the perceived benefits and challenges of ISO 27001 it is also useful to
briefly address the ontology of information security and some of the theories and frameworks
which have been developed. In its most straightforward form ontology discusses the
underlying philosophy of information security, or in other words the perceived risk from the
viewpoint of various stakeholders. Parkin and van Moorsel (2009) proposed the following
framework in respect of information security in general, which is shown in figure 1 below.
Figure 1: Overview of the Information Security Ontology (Parkin and van Moorsel, 2009)
It is immediately apparent that there are a considerable number of factors which influence perceived information security. According to Bartsch et al (2008) this can partially illuminate why so many SMEs fail to adopt ISO 27001, or any other form of information security control for that matter: they simply do not perceive a risk. Moreover, both Parkin and van Moorsel (2009) and Bartsch et al (2008) have demonstrated that information security has as much to do with human behaviour as it does with technological control. When this is viewed from a pragmatic perspective it can be hypothesised that many SMEs do not realise that existing technical controls (for example virus scanners) do not in themselves constitute information security: a virus scanner is a single control, whereas an ISMS also requires that risks are assessed and that controls are monitored and reviewed on an ongoing basis. In fact it is human process control which often has a greater effect (Barlette, 2008). It seems from the literature that there are a number of pragmatic steps that many SMEs could take, but they do not realise the necessity of doing so, a point which was raised as a challenge of ISO 27001.
2.4 ISO27001 Implementation and SMEs
It is also useful to provide a concise overview of the existing information relating to ISO 27001 and SMEs from a combined theoretical and pragmatic perspective, as this appears to be the sticking point which inhibits many SMEs from adopting ISO 27001. Valdevit et al (2010) posit that for those SMEs who do decide to implement ISO 27001, there is a dearth of practical advice, a view which is shared by Foster (2010) and Lee and Jang (2009). Given the dearth of existing literature in this regard, the most likely explanation is a case of 'chicken and egg': there is limited guidance because so few SMEs have adopted it, and, on a secondary basis, the costs of doing so are perceived as prohibitive or as not delivering a quantifiable return on investment. In order to address this issue, Valdevit et al (2010) proposed a simple approach based on the Deming PDCA framework and the requirements of ISO 27001, as shown in figure 2 below.
Figure 2: ISO 27001 Requirements (Valdevit et al, 2010)
Their intent was to produce a means of selecting the pertinent aspects of ISO 27001 in a
workable form for SME’s such that they could adhere to the mandate in an affordable
manner. Given the recent publication of this paper there is yet to be any published criticism
or challenge to their suggestion. Moreover there is also a lack of practitioner opinion which
will be addressed in this work using the framework set out above.
2.5 Summary
In summary, this chapter has discussed ISO 27001, its purpose, application, benefits and challenges. There has also been a brief discussion pertaining to the ontology of ISO 27001 and information security management in general, and a possible series of explanations for its limited adoption by SMEs, which in the majority of cases appear to be largely pragmatic. Finally, this chapter has explored the framework which will be used as the basis for primary research in understanding why there is such a limited take-up of ISO 27001 amongst small firms.
Bibliography
Audretsch, D.B., Keilbach, M.C. and Lehmann, E.E. (2006) Entrepreneurship and Economic Growth. Oxford: Oxford University Press.
Barlette (2008) Exploring the suitability of IS security management standards for SMEs. Proceedings of the 41st Hawaii International Conference on System Sciences, 2008.
Barlette and Fomin (2008) Information Systems Security: Scope, State-of-the-art, and Evaluation of Techniques. International Journal of Information Management, Vol. 15 (3), pp. 165-180.
Bartsch, Sohr, K. and Bormann, C. (2008) Supporting Agile Development of Authorization Rules for SME Applications. CollaborateCom 2008, pp. 461-471.
BERR (2008) Information Security Breaches Survey, technical report. PricewaterhouseCoopers, in association with Symantec, HP and The Security Company. Available from: http://www.security-survey.gov.uk
British Standards Institution (BSI) (2011) Main website. Available at: http://www.bsigroup.com/
Bryman, A. and Bell, E. (2007) Business Research Methods, 2nd edition. Oxford: Oxford University Press.
Dojkovski et al (2007) Implementing information security in the 21st century - Do you have the balancing factors? Computers and Security, Vol. 19 (4), pp. 337-347.
Glouch et al (2008) Policies, procedures and standards: an approach for implementation. Information Management & Computer Security, Vol. 3 (3), pp. 7-16.
Hamson (2002) BSI's Information Security Standard - BS 7799 - Becomes Global Standard
Information security - a must for success in the digital economy Business Standards ISO