Date post: 09-Apr-2018

ISO/IEC 27001 INFORMATION SYSTEMS SECURITY MANAGEMENT STANDARD: EXPLORING THE REASONS FOR LOW ADOPTION

Vladislav V. Fomin <[email protected]>

Vytautas Magnus University Kaunas, LITHUANIA

and Rotterdam School of Management, Erasmus University

Rotterdam, THE NETHERLANDS

Henk J. de Vries <[email protected]>

Rotterdam School of Management, Erasmus University Rotterdam, THE NETHERLANDS

Yves Barlette <[email protected]>

GSCM-Montpellier Business School Montpellier, FRANCE

Abstract

In this paper we attempt to find the reasons for the low adoption of the international standard ISO/IEC 27001 on information security management. We benchmark ISO/IEC 27001 against the two other widely applied management system standards – ISO 9001 for quality management and ISO 14001 for environmental management. We show that, besides low adoption rates, the ISO/IEC 27001 standard has received significantly less interest from academia, as measured by the number of scholarly publications on the topic. We compare the reasons for the ISO/IEC 27001 standard’s application with those for ISO 9001 and conclude by listing possible drivers and barriers for the standard’s diffusion and suggesting a roadmap for future research on the topic.

1 Introduction

The role of computerized information in a contemporary company is often vital for the company’s daily operations and survival (CLUSIF, 2006). Information is becoming ever more synonymous with the patrimony, currency, and future of the company: historical data, research and development, intellectual property rights, and patents, to name just some of an organization’s assets which are critically dependent on the daily operation of information systems (IS) and the information and communication technology (ICT) infrastructure of the firm. At the same time, the average annual increase of IS/ICT vulnerabilities reported by companies in leading post-industrial countries exceeds 45 percent per annum (CERT, 2007). The high ratio of vulnerabilities highlights the fact that ICT security issues are far from being solved. Management of a contemporary company faces the problem of a high dependence on digitized information and, at the same time, a high risk of vulnerabilities in this information. The specifics of ICT-dependent business and global competition drive firms to optimize and standardize their business processes (Wüllenweber & Weitzel, 2007). A need for transparency and common reference points within and across firm boundaries (Davenport, 2005) in the global competitive environment gave rise to IS security methods and standards as a crucial component of good corporate governance (von Solms & von Solms, 2005). In the tradition of professional and scholarly publications, large numbers of works dedicated to the topic of information security management systems are published every year. In the last three years alone, a total of over 6.000 publications on the topic reached the audience. Over 1.5 percent of these were scholarly publications [1].

[1] See Table 1 below.

Inspired by the success of the global diffusion of two series of management system standards (MSS) for quality management (Bergenhenegouwen et al., 2002) and environmental management (Whitelaw, 2004), respectively, the International Organization for Standardization (ISO) has published a series of information security management systems (ISMS) standards including the standard ISO/IEC 27001 “Information Technology - Security Techniques - Information Security Management Systems - Requirements” (ISO, 2005a). Publication of this standard is intended to offer the global markets a possibility for harmonizing diverse IS security methods and methodologies by adopting the newly published one. In the context of the observed high interest in the topic of ISMS among practitioners and academia, the global business informatization processes, and the success of ISO management system standards, one would expect to see growing attention to the standard, as expressed in the number of related publications and in the diffusion of the ISO/IEC 27001 information security management system (ISMS) standard worldwide. In this paper we bring to the reader’s attention the oddly low number of publications dedicated to the ISO/IEC 27001 standard. The discovery of the discrepancy between the overall high interest in the ISMS topic and the low number of publications dedicated to the international ISMS standard triggered our scholarly interest in investigating this phenomenon (Weick, 1989). We also found that the diffusion of the ISO/IEC 27001 standard is not taking place at the expected rate. Our work, thus, is motivated by the scholarly tradition of reconciling official rhetoric with reality. The research question we ask is: what are the possible reasons for the limited number of implementations and certifications of ISO/IEC 27001? The paper is organized as follows.
In the next section, we introduce the series of ISO management system standards, and report findings from the literature that explain the success of the ISO 9001 and 14001 MSS. We demonstrate that the global acceptance of these two standards can be explained both by commonsensical logic and by the popular diffusion of innovation (DOI) theory (Rogers, 1995). We also demonstrate that there is a consistent level of scholarly interest in the two standards, as reflected in the number of publications. Then, we demonstrate that with the introduction of the ISO/IEC 27001 standard both the certification rate and the scholarly publication rate were disrupted, which is at odds with both DOI and commonsensical logic. We conclude the article by analyzing possible factors that contributed to this observed phenomenon.

2 ISO management system standards

The International Organization for Standardization (ISO) is a worldwide organization whose membership comprises the national bodies that establish and monitor standards for commerce, trade, and communication in more than 150 countries. ISO has developed thousands of internationally accepted voluntary standards. Among these standards, the ISO 9000 series of process-oriented standards for quality management has gained more rapid acceptance than any other international standard in history (Miles et al., 1997, p.365).

2.1 The ISO 9000 series

The ISO 9000 series of standards was first published in 1987 and then revised in 1994 and 2000 (ISO, 2000). Next, ISO developed other management system standards (MSS), for example, the ISO 14001 Environmental Management System (EMS) and the ISO/IEC 27001 Information Security Management System (ISMS) standards. All three management system standards have much in common (Brewer & Nash, 2005, p.1). First, they are built on the Plan-Do-Check-Act (PDCA) process cycle model, which specifies the requirements and processes to enable a business to establish, implement, review and monitor, manage and maintain an effective management system, whether it be for quality, environmental, or information security management (Humphreys, 2005, p.15). Second, they are made to complement one another in a way that enables organizations to create an integrated management system, i.e., a single management system that complies with more than one management system standard (Brewer & Nash, 2005, p.1). Third, due to the correspondence between ISO 9001, ISO 14001 and ISO/IEC 27001, it is easier for firms that have experience with one standard to implement another one. Fourth, all MSS can be certified against the applicable standard. Certification is not mandatory, but most organizations that implement the standard also go for a certificate. Empirical studies report a positive impact of certification on the firm’s business (Nicolau & Sellers, 2002), though some authors dispute this (Seddon, 2000). The underlying premise of ISO 9001/14001/27001 certification is that the process of creating products and services can be managed using a system. The inputs to and outputs from the system can be measured at various points as the system adds value (Stevenson & Barnes, 2002, p.696). Fifth, MSS are made to be applicable to the whole range of organizations: from small, to medium sized, to large (Humphreys, 2005, p.16), and in any branch of business.

Empirical research reports on a number of benefits associated with the adoption of MSS. Besides the already mentioned ‘external’ benefit of company’s stock price increase, which may be a short-lived effect, the implementation of a quality management system based on ISO 9001 may result in ‘internal’ benefits related to production (Corbett et al., 2005; Tzelepis et al., 2006). Overall, the positive effects stemming from certification should outweigh the high cost (Delmas, 2002) of MSS standard implementation and certification (which holds also for SMEs) (Vlachos et al., 2002).

2.2 The ISO 14000 series

The ISO 14000 series of EMS standards (ISO, 1996, 2004a) was introduced on the coattails of the success of ISO 9000 (Delmas, 2002, p.93). The UN conference on environment and development (the ‘Earth summit’) in Rio de Janeiro, 1992, can be seen as the starting point for the development of the ISO 14000 series of standards, in combination with the Uruguay Round of the General Agreement on Tariffs and Trade (GATT) (Gunawardena, 2006). The Rio Summit focused on the protection of the global environment, GATT on reducing non-tariff barriers to trade. Since the existence of different standards in different countries may cause such barriers, it may be argued that an important rationale for the creation of ISO 14001 was an attempt to harmonize otherwise diverse environmental management standards and thus foster international trade by providing an internationally accepted single point of reference for such current environmental issues as pollution prevention and compliance assurance (Delmas, 2002, pp.91-92; Miles et al., 1997, p.364). When introduced in 1996, ISO 14001 was seen as likely to “enjoy widespread adoption similar to that of ISO 9000 as organizations worldwide are encouraged by their stakeholders… to become more environmentally sensitive” (Miles et al., 1997, p.365). It was expected that dominant multinational corporations would initially be affected by ISO 14000, eventually trickling the standard down to those firms that supply larger firms, the small and medium-sized enterprises (SMEs) (Miles et al., 1997, p.365). In 1995, Rothery wrote: “Both ISO 9000, the quality management standard, and ISO 14000, the environmental management standard soon to be released, represent what biologists would call a dominant tendency. The spread of a standard is facilitated by its own growth, a cascade effect. The mechanism causing this biological-like growth is the customer-buyer interface. As sophisticated buyers demand standard certification from their immediate suppliers, they in turn pass on the demand to their suppliers, and the standards movement cascades through the supply chain” (Rothery, 1995). Indeed, the predicted cascade effect did take place in the diffusion of both the ISO 9000 and 14000 series of standards.

2.3 ISO/IEC 27001

ISO/IEC 27001 has been developed for protecting organizations’ information assets, “the ‘life-blood’ of all businesses” (Humphreys, 2005, p.15). To what extent information assets are the “life-blood” of business can be measured in different ways. One indicator of the criticality of IS to businesses is reflected in empirical findings that 50 percent of the companies that lose business critical systems for more than 10 days never recover and go out of business (Louderback, 1995). Adoption of an ISMS helps the company develop countermeasures to IS-related vulnerabilities. Another indicator is reflected in the percentage of GDP in post-industrial service societies generated by information-intensive service industries. Yet another indicator is the weight of information(al) assets and the role of patents and intellectual property rights (IPRs) in the contemporary global business environment. As more and more information is digitally created, processed and stored, and a greater share of companies’ revenue is generated by information-critical processes, the more valuable an asset the ISO/IEC 27001 standard becomes. ISO/IEC 27001 can be viewed as an overall program that combines risk management, security management, governance and compliance. It helps the firm ensure that the right people, processes and technologies are in place, and facilitates a proactive approach to managing security and risk (Benner, 2007). Given the centrality of IS/ICT to business, the publication of ISO/IEC 27001 was met as a big event in the world of information security (Humphreys, 2005). Recently introduced (in 2005), the ISO/IEC 27001 ISMS standard is a revised version of the hugely successful British Standard BS 7799-2, the first version of which became available already in 1998. Already prior to the publication of ISO/IEC 27001, the feedback coming in from around the world was that businesses had been eagerly awaiting the arrival of the standard – an indicator of expected growth in the certification business following on the success of ISO 9001 and ISO 14001 (Humphreys, 2006, p.11). As already mentioned above, ISO/IEC 27001 uses the process-based approach of ISO 9001 and ISO 14001 (Humphreys, 2005, p.15), thus building on the adopting companies’ established knowledge base in MSS implementation. Indeed, it is designed to be practical and flexible enough to integrate with existing management systems and adaptable to any risk approach the organization might adopt (Humphreys, 2005, p.16).

3 Diffusion of ISO 9001, ISO 14001, and ISO/IEC 27001

The three MSS we review in this paper are developed to be suitable for adoption by the whole range of companies, from small to large ones. However, the observed “cascade effect” of adoption starts from large companies. One of the principal reasons why large companies, not SMEs, embrace MSS certification first is the cost of the standard’s adoption. The cost of certification for ISO 14001, for example, may vary from less than $50.000 for small firms to greater than $200.000 for bigger firms (Delmas, 2002, p.95). Factors that have an influence on final total costs are company size, number and type of products, and the existing state of the quality and environmental control systems. Four major contributors to the cost of achieving MSS certification are time, consultants, training, and the registration itself (Stevenson & Barnes, 2002, p.698). Although the certification process is daunting, lengthy, and costly (Stevenson & Barnes, 2002, p.697), since the inception of ISO 9000 many sources have been developed that provide step-by-step procedures to facilitate the process (ISO, 2001; Stevenson & Barnes, 2002, p.697). The fact that ISO 14001 adoption is partly driven by compliance with environmental regulations also contributes to the success of the standard – by managing compulsory environmental, health and safety, and public and product safety legislation, this standard provides comfortable assurance of legal compliance (Rothery, 1995). So, the early adopting business sectors for ISO 14001 were those that may impact the environment considerably: Basic chemicals / Chemical manufacturing, Electro-/Electronic & Optical, and Base metals / Metal manufacturing (Mizuno, 2002). In the forerunning economies in Asia (Korea, Japan and Taiwan), government stimulated the standard’s adoption (Mizuno, 2002). Other global factors driving the adoption of the EMS standard in an increasingly regulated world are industrial and social needs, energy and environmental concerns, but also the third-party verifiable concepts of truth and honesty, which are incorporated into the standard (Rothery, 1995). Finally, the great success of the ISO 9000 series standards and the familiarity of firms with this predecessor in MSS also drive the certification process for ISO 14001.

There are several internal and global drivers for the adoption of ISO/IEC 27001. Internal to the company, adoption of the standard creates awareness of possible IS vulnerabilities and critical processes (Barlette, 2006). While the awareness effect resulting from adoption of the standard may be self-evident, it is important to note here that certification is not mandatory, and therefore firms may choose to adopt the standard without subsequent certification. Among the global drivers is the view of certification based on ISO/IEC 27001 as establishing a common reference point for the certified company in the global market. In the context of the EU, the “global” driver for certification is reflected in, e.g., the promotion and realization of the e-Europe initiative, which promotes different governmental “e-” strategies, such as “e-government”, “e-health”, etc. (Council of the European Union, 2000, 2001, 2004), and therefore stimulates national governments to apply ISMS standards as part of their e-government strategies and implementation roll-outs (Humphreys, 2005, p.16). The organizations that are already implementing ISO/IEC 27001 cut across a wide range of market sectors, including: telecommunications, financial and insurance services, manufacturing sectors, utilities (electricity, gas, oil, water), retail industry, service industry, healthcare, police and emergency services, universities, and government departments (Humphreys, 2006). The cascade effect that was expected and observed in the earlier MSS, ISO 9001 and ISO 14001, is also present in ISO/IEC 27001, where a request from a partner firm (to keep a client-supplier partnership) or an insurance company (offering to lower an insurance indemnity) may become the leitmotif in creating incentives for adopting security methods or certifications (Barlette & Fomin, 2008).

The diffusion curves for both the ISO 9001 and ISO 14001 standards followed the typical S-curves, which can be explained by the widely popular diffusion of innovation (DOI) theory (Rogers, 1995). DOI theory postulates that each adopter’s willingness and ability to adopt an innovation depends on their awareness of the novelty, their interest in it, the trial-ability of the new product or service, and the local or global adoption rate of this innovation (the more others have already adopted, the more likely the new potential adopter will adopt) (Rogers, 1995). Looking at the diffusion of ISO 9001 and ISO 14001 (Figure 1 and Figure 2), the cascade effect of the standards’ diffusion applies not only to the buyer-supplier relationship in the case of a single standard’s adoption (Rothery, 1995), but also to the facilitation of adoption of subsequent management standards once one similar standard has been adopted. This thesis is coherent with DOI: a positive experience stemming from earlier adoptions positively affects such critical diffusion factors as trial-ability, awareness, and global adoption rate, and reduces the negative novelty factor. Indeed, we can observe that the expectations for the success of ISO 14001 were met, as reflected by the rate of worldwide certification. The development of scholarly interest in ISO 9001 and ISO 14001 was correlated with the rate of certification (see Figure 1 and Figure 2).

Figure 1. ISO 9001: certification and publication rates

Figure 2. ISO 14001: certification and publication rates

Figure 3. ISO/IEC 27001: certification and publication rates

Sources: Certificates - (ISO, 2004b, 2005b, 2006), http://www.iso27001certificates.com. Publications - ABI/Inform Global (ProQuest) database [2].

Following the thesis of DOI and commonsensical logic, we can assume that 1) scholars who have previously published on one of the ISO management standards would continue with the topic as new ISO standards emerge, and 2) given the criticality of IS to contemporary business (as compared to, e.g., environmental issues), both the rate of standard adoption and the rate of increase in the number of scholarly publications might even be higher for the information security management standard ISO/IEC 27001 than it was for the earlier MSS ISO 9001 and ISO 14001. What we see, however, is that reality disproves this logical argument (see Figure 3).

[2] The search was conducted using the ABI/Inform Global (ProQuest) online database, searching abstracts for the keywords “9001”, “14001” and “27001”. The ProQuest search engine distinguishes between scholarly and non-scholarly publications.

Over several decades there has been considerable research and development put into IS security methods, both in academia and by practitioners. As a result, many IS security policies, standards, and guidelines have been proposed, developed, and adopted by companies (Barlette, 2006). During the first three years since the publication of ISO/IEC 27001, which was touted to become a single point of reference for information security management and compliance assurance, we see a lack of scholarly interest in the standard (Table 1). This contrasts sharply with the overall number of publications on the topic of “information security management system”, with a ratio of 1:32 for scholarly publications and 1:79 for all publications (see Table 1). During the first years of the ISO 14001 standard, for example, these ratios were 1:6 and 1:5 when comparing the number of publications on “14001” vs. “environmental management system”. The latter ratios appear to represent the “saturated” level of publications, as they are consistent with the same numbers for ISO 9001 for the years 1996-8 (almost a decade since the standard’s publication) and 2005-7 (almost two decades since the publication date), as well as with the numbers for ISO 14001 for the years 2005-7 (a decade since the standard’s publication) (see Table 1).

Table 1. Number of publications during the first three years since the publication of the ISO/IEC 27001 standard*

Search key    27001              ISMS**
Year          All / scholarly    All / scholarly
2005          1 / 0              2774 / 26
2006          51 / 2             2541 / 31
2007          27 / 1             934 / 38
Ratio#        1:79 / 1:32

* Source: ABI/Inform Global (ProQuest) database. Search of abstracts using key words.
** ISMS – “Information Security Management System”
# The average number of publications on the ISO/IEC 27001 standard vs. the average number of publications on the topic of ISMS. For example, for ISO/IEC 27001, the ratios are calculated as follows: (1+51+27):(2774+2541+934) / (0+2+1):(26+31+38).

We have obtained standards’ sales data from one of the European standardization organizations – the Netherlands Standardization Institute (NEN, see Table 2, Table 3, Table 4). The choice of country is justified not only by the practical reason of the researchers’ access to the case organization, but also because NEN is known to be a pro-active National Standards Organization (NSO) with, measured against the gross national product, a huge influence in international and European standards setting (de Vries, 1999, p.45) [3]. We get several important insights from analyzing the data.

Table 2. Sales of ISO 9001, ISO 9002 and ISO 9003 by NEN - Netherlands Standardization Institute (standards sold each year)

Standard                    Language   1999   2000   2001   2002   2003   2004   2005   2006   2007   Total
ISO 9001:1994, 2000         EN           55    398    133     11     20      4      7      1      -     629
NEN-ISO 9001:1994, 2000     NL        1,158    382  7,730  2,970  1,625    792    817    815    985  17,274
NEN-ISO 9001:2000           EN            -      -  1,000    241    122    225    225    363    215   2,391
ISO 9002:1994               EN           42     12      3      2      5      2      -      -      -      66
NEN-ISO 9002:1994           NL          720    344     36     13      2      1      -      1      -   1,117
ISO 9003:1994               EN            4      1      1      -      3      -      -      1      -      10
NEN-ISO 9003:1994           NL           47      9      -      -      5      -      -      2      -      63
Total                                 2,026  1,146  8,903  3,237  1,782  1,024  1,049  1,183  1,200  21,550
Number of certificates                    -    374  8,842  3,195      -      -      -      -      -

Source: NEN

First, in The Netherlands, the number of standards sold is almost equal to the number of certificates (see Table 2 and Table 3, the bottom rows, numbers for the first three years since the revision of the standard).

[3] Since 1999, NEN’s position has further improved.

Table 3. Sales of ISO 14001 by NEN - Netherlands Standardization Institute (standards sold each year)

Standard                    Language   1999   2000   2001   2002   2003   2004   2005   2006   2007   Total
ISO 14001:1996, 2004        EN           38     46     47     37     40     99    253     73     74     718
NEN-ISO 14001:1996, 2004    NL          594    380    415    321    393    125  1,334    398    309   4,269
Total                                   632    426    462    358    433    224  1,587    471    383   4,987
Number of certificates                    -      -      -      -      -     80  1,585    471      -

Source: NEN

Second, we can see that the language issue is critical for the sales of standards. In the case of ISO/IEC 27001, for example, the sales of the Dutch version of the older British BS 7799:2 standard were strong in 2005, the year when the new ISO/IEC 27001 was introduced, and continued into 2006. In 2007, when the Dutch version of the new standard was introduced, the Dutch version outsold the English one by a ratio of six to one (Table 4). For ISO 9001 and ISO 14001 the difference was significantly bigger (Table 2 and Table 3).

Table 4. Sales of the ISO/IEC 27001 and BS 7799:2 standards by NEN - Netherlands Standardization Institute (standards sold each year)

Standard                              Language   1999   2000   2001   2002   2003   2004   2005   2006   2007   Total
ISO/IEC 27001:2005                    EN            -      -      -      -      -      -     20    125     31     176
NEN-ISO/IEC 27001:2005                NL            -      -      -      -      -      -      -    117    187     304
BS 7799-1/2:1998, 1999, 2002, 2005    EN           32     47     43     13      8      9      2      -      -     154
NEN 7799-2:2004                       NL            -      -      -      -      -    304    325     17      -     646
Total                                              32     47     43     13      8    313    347    259    218   1,280

Source: NEN

The number of certificates issued worldwide for ISO/IEC 27001 in the three years since the standard was published represented only 50 percent of the corresponding number for ISO 14001 – 4.000 vs. 8.000 certificates (ISO, 2006). In the Netherlands, in the case of ISO/IEC 27001, the total number of standards sold in the first three years was 480 (see Table 4). During the same period, only 41 companies were certified (ISO, 2006). This large difference in numbers may be explained by the fact that there may be a period of 1-2 years between a company’s purchase of a standard and its certification. Thus, the number of certificates is expected to grow to several hundreds, a number which will in any case remain lower than in the case of ISO 14001 (see Table 3). Given the success of ISO 9001 and ISO 14001, and the importance of information security management in the contemporary business environment, we are puzzled to observe the inadequately low adoption of the ISO/IEC 27001 standard and the low scholarly interest in it. In trying to reconcile the overly positive official rhetoric on the importance of ISO/IEC 27001 with reality, in the following sections we examine the possible reasons for the observed discrepancy.

4 Analysis

“Without information security, the business is faced with various negative impacts including financial consequences, weakened protection of the organization’s intellectual capital and IPR, loss of market share, poor productivity and performance ratings, ineffective operations, inability to comply with laws and regulations, or loss of image and reputation”

(Humphreys, 2006, p.10).

In this section we attempt to reveal the factors behind the low adoption of IS security standards in general, and ISO/IEC 27001 in particular. The general criticism found in the literature reviewed suggests that companies in general, and SMEs in particular, are not well positioned to adopt ISMS standards (Barlette & Fomin, 2008). However, in the tradition of the system sciences (Axelrod & Cohen, 1999), we believe important insights on the drivers of and barriers to standards adoption can be obtained from similar past developments. A systemic approach to complex organizational problems is to develop expectations of how the future will unfold and to define actions that would lead to more desirable predicted futures (Axelrod & Cohen, 1999). This approach requires expert knowledge from similar past developments. In this respect, we find that benchmarking the ISO/IEC 27001 standard against its well-known predecessor, ISO 9001, can inform us on the future adoption of the former.

4.1 Common critical factors for ISO 9001 and 27001 standards adoption

By the end of 2005, more than 775.000 certificates for ISO 9001 had been issued in 161 countries, with an annual growth rate close to 10-15 percent (ISO, 2006). However, we may infer that the certification market for ISO 9001 is approaching saturation, and even the end of its life cycle, in most of the developed countries. Also, the saturation level represents only a fraction of the total number of corporate companies. The empirical saturation values for the U.K., Germany and France, respectively, were 9, 8 and 2 percent of corporate companies during the upslope of the cumulative adoption curve (Franceschini et al., 2006). Today, in some countries which were among the early adopters, the number of certificates is decreasing, resulting in the downslope of the cumulative curve (ISO, 2002, 2003, 2004b, 2005b, 2006). The driving push begins to attenuate under the effect of some factors: the reduction of the competitive gap between certified and non-certified companies, and the limited number of enterprises potentially interested in certification (Franceschini et al., 2006). Critical success factors for companies seeking to obtain ISO 9001 certification were identified as the following (Augustyn & Pheby, 2000):

• proper driving force towards obtaining the ISO 9001 certification;
• expert advice;
• uniqueness of the system, reflecting the nature of the company’s operation (McLachlan, 1996);
• internal and external customer focus;
• value-added approach to quality cost;
• use of the standard in an integrated manner (Subba Rao et al., 1997);
• positive attitude towards ISO 9001 on the part of staff;
• dynamic approach to quality improvement;
• presenting ISO 9001 in an easy manner to the employees (Conway, 1994).

The aforementioned critical factors are coherent with, if not identical to, those identified in the literature review on ISMS standards. Another commonality is the special position of SMEs in the adoption of the standard - SMEs face particular difficulties in gaining ISO 9001 certification, where the lack of commitment of employees and managers is the most frequently mentioned problem (Barlette & Fomin, 2008). Further commonalities are found in the complexity of the standards - ISO 9000 series standards cannot be easily understood by a non-professional person, and there are difficulties in understanding exactly what the standard requires and inconsistencies in the interpretation of standards by consultants and assessors (Barlette & Fomin, 2008). The cost of implementing the standard presents another common point of reference - ISO 9000 series qualification is generally an expensive process for SMEs as they are more reliant on outside assistance (Barlette & Fomin, 2008). The issue of generality of guidelines vs. specificity of business processes is also not a problem unique to security management system standards - ISO 9000 standards only give a set of general/generic guidelines, but they do not guarantee that the process is durable, capable and mature in the application of related constructs (Franceschini et al., 2006).

4.2 Differences between the ISO 9001 and 27001 standards

4.2.1 Drivers for adoption

Quality certification contributes to business performance when the quality culture in the organization is well developed and the manager’s motivation to gain the certification is to improve business performance and not just to conform to a standard (Franceschini et al., 2006). We can find the same aspect in ISMS certification in the improvement of the security of the information assets. The stock market reacts positively to a quality certification. Quality certification can be considered a useful tool for reducing the information asymmetry between buyers and sellers, as well as a strategic element for companies to distinguish themselves in business competition (Nicolau & Sellers, 2002), by giving external and formal evidence of their organizational efforts towards quality practice (Franceschini et al., 2006). However, while information security management system certification is considered as leverage for confidence between companies engaged in business transactions (OECD, 2002), the literature review reveals neither a distinguishing effect for adopting companies in business competition nor any positive reaction of the stock market. Apparently, information security has the same peculiar quality as ICT infrastructure in general – it is something “visible only on breakdown” (Star, 1999). A correlation between QMS certification and business performance is not unequivocally demonstrable: is the increase in business due to the management methodology prescribed by QMS standards, or is certification a way of distinguishing oneself in a global market (Franceschini et al., 2006)? Moreover, the low threshold level for certification saturation suggests that when the number of certified organizations reaches a certain limit, certification loses its connotation and becomes less attractive for the remaining companies (Franceschini et al., 2006). ISMS certification has been designed for the protection of IS. Therefore, similarly to the QMS standards, quantification of the benefits of ISMS standard adoption is problematic. The purpose of an information security management system standard is to prevent security failures and to mitigate their consequences. Among the most significant benefits of ISO 9001 certification are raising quality awareness in an organization (Brown et al., 1998), reinforcing business relationships with important customers, and improving process management (de Jong et al., 2001).
This reinforces the view that certification is a good foundation upon which to start the quality improvement process. Surveyed ISO-certified SMEs rank improved awareness of problems and improved customer service as 2nd and 3rd, respectively. By contrast, such factors as improved market share, reduced costs, and help in the international market rank 18th, 21st, and 23rd, respectively (Brown et al., 1998). The expected benefits of ISMS certification are very similar on this point: they raise security awareness and facilitate a gradual improvement of security (Barlette & Fomin, 2008; OECD, 2002). The benefits of ISO 9001 certification have gradually shifted from the state in which certification was used as a signal to markets (Rodríguez-Escobar et al., 2006) to one where firms can take advantage of the good use of the quality management system that was implemented to obtain the certification. While this may already be the case for ISO/IEC 27001 and the good use of the ISMS, in the countries with the largest number of ISO/IEC 27001 certificates the certification process is driven either by government regulation (Japan) or by supplier/buyer demands or the necessity of outsourcing/offshoring (Taiwan, Singapore, India) (Backhouse et al., 2006, p.425-427). Overall, an important driver for ISMS certification is that of demonstrating to the partner network that the company has identified and measured its security risks and implemented a security policy and controls that will mitigate these risks (Saint-Germain, 2005). Also, international invitations to tender are beginning to require that organizations be compliant with certain security standards, and security audit demands from financial institutions and insurance companies are increasing (Saint-Germain, 2005). Lower insurance premiums for ISO 27001 certified companies represent another important driver (von Solms & von Solms, 2005).
4.2.2 Barriers to adoption

The high costs in money and time of ISMS standards implementation are definitely barriers to the standard’s adoption by smaller companies (Brewer & Nash, 2005). In ISO 9001 certification prior to the 2000 revision (ISO, 2000), disappointment came from the increase in paperwork (Brown et al., 1998), which is not an issue in the recent MSSs. The higher expectations of companies with respect to ISO 9001 certification refer to commercial aspects: access to new markets, increase of market share and business portfolio, image improvement, and so on. However, many of these objectives depend on the differentiating power of certification. Such power was significant when ISO 9001 certification was not widespread and the certified companies stood out from the others. In many cases, this differentiating power has fallen, and empirical data have shown that this effect results in lower commercial advantages and higher dissatisfaction of small business managers with respect to ISO 9001 certification (Rodríguez-Escobar et al., 2006).

Any competitive advantage to a single enterprise may be short lived, as it is usually only a matter of time before many companies in the same industry achieve certification. It is then seen by many as just another cost of doing business without any corresponding improvements in market share (Brown et al., 1998). If, however, the manager of the business sees certification as an opportunity to improve internal processes and systems from the outset rather than a mechanism to get a certificate on the wall, it is likely to yield positive results (Brown et al., 1998). Furthermore, in this situation, employees are more likely to be involved in developing the system with the assistance from external consultants. It becomes a workable system which has the commitment of employees (Brown et al., 1998).

5 Conclusions

In this paper we attempted to find the reasons for the little attention paid to ISO/IEC 27001. In doing so, we examined the adequacy of information security management system standards to the needs of organizations and attempted to reveal critical barriers to certification. Our work was motivated by the discovery that the number of publications dedicated to the ISO/IEC 27001 standard is oddly low as compared to the overall number of publications dedicated to the topic of “information security management system.” To make sense of the situation (Weick, 1989), we first benchmarked the ISO/IEC 27001 certification dynamics against those of two other management system standards from ISO with a 20 and 10 years history – the ISO 14001 environmental management and ISO 9001 quality management system standards, respectively. Juxtaposition of the standards’ diffusion rates only confirmed the initial observation, but did not elucidate the issue. Our next step was to use the AbiInform (Proquest) database to analyze the publication frequencies for the three ISO management system standards. This analysis showed that the ISO/IEC 27001 standard, as compared to the other two ISO standards, has received significantly less interest from academia, as measured by the number of scholarly publications on the topic. In an attempt to reconcile the official rhetoric on the criticality of ISMS methods in general, and of the ISO/IEC 27001 standard in particular, to contemporary business operations with the observed real situation, we identified general criticism of ISMS standards. Further, in the tradition of a systemic approach to complex organizational problems (Axelrod & Cohen, 1999), we compared the pros and cons of ISO/IEC 27001 to those of similar standards. Through this benchmarking, we attempted to explain the low adoption of ISO/IEC 27001. Given the exploratory nature of this research, the contribution of this work is fairly moderate.

6 Contribution and future research

Building on our recent literature review (Barlette & Fomin, 2008), we contribute to management practice by identifying a number of important drivers for ISMS standards adoption, some of which are already in place, and some of which can be triggered by appropriate action. Our conclusion is that the general negative issues pertaining to ISMS should not become inhibitors to the ISO/IEC 27001 standard’s adoption. It appears that the ISO 9001 standard has seen a steady increase in adoption over the years despite receiving virtually the same criticism as that we find for the ISO/IEC 27001 standard. Given the very low number of scholarly publications dedicated to ISO/IEC 27001, we call for more research on this standard. Our second contribution to the management and scholarly domain is in suggesting directions for future research:

1. The role of competing ISMS standards (Barlette & Fomin, 2008) in the diffusion of ISO/IEC 27001 should be examined – does the availability of at least a dozen of ISMS standards and methods represent a stumbling block to the diffusion of ISO/IEC 27001 that did not exist for ISO 14001 and ISO 9001 standards?

2. What is the role of ISO 9001 in the diffusion of ISO/IEC 27001 – does the QMS standard with its comprehensive process quality guidelines render the ISO/IEC 27001 standard redundant?

3. What is the role of the legislative environment in the diffusion of ISO/IEC 27001 – under European laws (with which EU nation-states must comply), for example, companies not having sufficient data protection can be penalized with prison sentences and fines measured in hundreds of thousands of Euro. But are companies’ managers aware of these laws and their implications?

4. We suggest that future research must be directed towards developing constructive methods for the dissemination of knowledge on IS security legislation to businesses, and SMEs in particular (a step as simple as creating a standard adoption guide can contribute to standards dissemination efforts [4]) – experience from the standards’ sales data of the Dutch standardization office NEN, for example, clearly indicates that the number of standards sold was always high following a publicity campaign by NEN.

5. What is the role of national language in standards adoption? Standards sales data from the Dutch standardization office clearly indicate that translation of international standards into the national language is an important driver for standards adoption, even for such a multilingual country as the Netherlands. However, the language issue alone is not the main barrier to standards diffusion, as the example of France would tell – while ISO standards are published in French, too, France is among the laggards in ISO/IEC 27001 adoption.

6. What is the role of scholarly publications dedicated to a standard in the standards diffusion process? Is the oddly low number of scholarly publications on ISO/IEC 27001 the result of the low diffusion rates of the standard, or the other way around?

Finally, the anonymous reviewers for this paper identified several important issues for future research. One suggested reason for the low adoption of ISO/IEC 27001 in Europe and the U.S. may be related to the bias of the current generation of IT specialists (CIOs, consultants, and the like, who can exert influence on the standard’s adoption in organizations) towards IETF standards, and not those from ISO. Another reason for the low adoption rates of ISO/IEC 27001 in post-industrial countries may be related to the outsourcing of information-related business to the emerging software powers in the Far East. This thesis, however, is not supported by statistics, as India, for example, by July 2008 had an almost equal number of certificates to the U.K. – 381 and 347, respectively – while Japan had 2,668 and the U.S. had only 73 [5]. A third issue worth investigating is the influence of business principles and norms in different countries on how company managers perceive the need for adoption vs. certification of the standard, as the statistics on the standard’s adoption actually show the numbers of certificates sold, and not the actual number of companies implementing the management system standard.

[4] As a peculiar note, in the “A-Z index” on the ISO website (http://www.ISO.org/ISO/publications_and_e-products/a-z_subject_index.htm, accessed on April 8, 2008), the occurrences of “ISO 9001”, “ISO 14001”, and “ISO/IEC 27001” are twelve, seven, and zero, respectively. Among the publications available on the website, there are handbooks for ISO 9001 and ISO 14001 standards implementation. No handbook is available for the ISO 27001 standard (http://www.ISO.org/ISO/publications_and_e-products/management_standards_publications.htm#090514, accessed on April 8, 2008).

[5] Data from the ISMS user group found at http://www.iso27001certificates.com/.

References

Augustyn, M. M., & Pheby, J. D. (2000). ISO 9000 and performance of small tourism enterprises: A focus on Westons cider company. Managing Service Quality, 10(6), 374-388.

Axelrod, R. M., & Cohen, M. D. (1999). Harnessing complexity: Organizational implications of a scientific frontier. New York: Free Press.

Backhouse, J., Hsu, C. W., & Silva, L. (2006). Circuits of power in creating de jure standards: Shaping an international information systems security standard. MIS Quarterly, 30(Special Issue: Standard Making: A Critical Research Frontier for Information Systems Research), 413-438.

Barlette, Y. (2006). Les comportements sécuritaires des acteurs dans les systèmes d'information des PME. Université de Montpellier I, Montpellier.

Barlette, Y., & Fomin, V. V. (2008). Exploring the suitability of IS security management standards for SMEs. Paper presented at the 41st Hawaii International Conference on System Sciences, Hawaii.

Benner, J. (2007). ISO 27001: Risk management and compliance. Risk Management Magazine, 55, 24-29.

Bergenhenegouwen, L., de Jong, A., & de Vries, H. J. (2002). 100 frequently asked questions on the ISO 9000:2000 series. Milwaukee, WI: ASQ Quality Press.

Brewer, D., & Nash, M. (2005). The similarity between ISO 9001 and BS 7799-2. Gamma Secure Systems Ltd.

Brown, A., Van der Wiele, T., & Loughton, K. (1998). Smaller enterprises’ experiences with ISO 9000. International Journal of Quality & Reliability Management, 15(3), 273-285.

CERT. (2007). CERT/CC: Statistics 1988-2007. USA: Computer Emergency Response Team (CERT).

CLUSIF. (2006). Politiques de sécurité des systèmes d'information et sinistralité en France. Paris: Club de la sécurité des informations français (CLUSIF).

Conway, T. (1994). BS 5750 - a logical step. The TQM Magazine, 6(5), 38-40.

Corbett, C. J., Montes-Sancho, M. J., & Kirsch, D. A. (2005). The financial impact of ISO 9000 certification in the United States: An empirical analysis. Management Science, 51(7), 1046-1059.

Council of the European Union. (2000, June 14). eEurope 2002. An information society for all. Action plan. Retrieved May 15, 2003, from http://europa.eu.int/information_society/eeurope/action_plan/index_en.htm

Council of the European Union. (2001, June). eEurope+ 2003. A co-operative effort to implement the information society in Europe. Retrieved February 23, 2004, from http://europa.eu.int/information_society/topics/international/regulatory/eeuropeplus/doc/eEurope_june2001.pdf

Council of the European Union. (2004, November 22). 2010 challenges. Interoperability. The New IS Strategy Communication. Retrieved February 28, 2005, from http://europa.eu.int/information_society/eeurope/2005/all_about/2010_challenges/interoperability/text_en.htm

Davenport, T. H. (2005). The coming commoditization of processes. Harvard Business Review, June, 100-108.

de Jong, A., de Vries, H. J., & Wentink, T. (2001). Onderzoek naar toepassing van de ISO 9000:1994-normen in Nederland (ISO 9000 in practice. Investigation of application of the ISO 9000:1994-series standards in the Netherlands). Delft: NEN - Nederlands Normalisatie-instituut.

de Vries, H. (1999). Standards for the nation. Analysis of national standardization organizations. Doctoral Diss., Erasmus University Rotterdam, Rotterdam.

Delmas, M. A. (2002). The diffusion of environmental management standards in Europe and in the United States: An institutional perspective. Policy Sciences, 35, 91-119.

Franceschini, F., Galetto, M., & Cecconi, P. (2006). A worldwide analysis of ISO 9000 standard diffusion: Considerations and future development. Benchmarking: An International Journal, 13(4), 523-541.

Gunawardena, N. (2006). Case study: Implementation of ISO 14000 environmental management system. In W. Hesser, H. de Vries & A. Feilzer (Eds.), Standardisation in companies and markets (pp. 607-646). Hamburg: Helmut Schmidt University Germany.

Humphreys, T. (2005). State-of-the-art information security management system with ISO/IEC 27001:2005. ISO Management Systems, 15-18.

Humphreys, T. (2006). State-of-the-art information security management system with ISO/IEC 27001:2005. ISO Management Systems, Special report, 9-13.

ISO. (1996). ISO 14001:1996. Environmental management systems - specification with guidance for use. Geneva: International Organization for Standardization.

ISO. (2000). ISO 9001:2000. Quality management systems - requirements. Geneva: International Organization for Standardization.

ISO. (2001). ISO Guide 72 ‘Guidelines for the justification and development of management system standards.’ Geneva: International Organization for Standardization.

ISO. (2002). The ISO survey of ISO 9001:2000 and ISO 14001 certificates. Geneva: ISO Central Secretariat.

ISO. (2003). The ISO survey of ISO 9001:2000 and ISO 14001 certificates. Geneva: ISO Central Secretariat.

ISO. (2004a). ISO 14001:2004. Environmental management systems - specification with guidance for use. Geneva: International Organization for Standardization.

ISO. (2004b). The ISO survey - 2004. Geneva: ISO Central Secretariat.

ISO. (2005a). ISO/IEC 27001:2005. Information technology - security techniques - information security management systems - requirements. Geneva: International Organization for Standardization.

ISO. (2005b). The ISO survey - 2005. Geneva: ISO Central Secretariat.

ISO. (2006). The ISO survey - 2006. Geneva: ISO Central Secretariat.

Louderback, J. (1995). Will you be ready when disaster strikes? PC Week, 12, 130-131.

McLachlan, V. N. (1996). In praise of ISO 9000. The TQM Magazine, 8(3), 21-23.

Miles, M. P., Munilla, L. S., & Russel, G. R. (1997). Marketing and environmental registration/certification. What industrial marketers should understand about ISO 14000. Industrial Marketing Management, 26, 363-370.

Mizuno, K. (2002). Leading by example. ISO Management Systems, 21.

Nicolau, J. L., & Sellers, R. (2002). The stock market's reaction to quality certification: Empirical evidence from Spain. European Journal of Operational Research, 142(3), 632-641.

OECD. (2002). Guidelines for the security of information systems and networks - towards a culture of security. Paris: OECD, July.

Rodríguez-Escobar, J. A., Gonzalez-Benito, J., & Martínez-Lorente, A. R. (2006). An analysis of the degree of small companies' dissatisfaction with ISO 9000 certification. Total Quality Management & Business Excellence, 17(4), 507-521.

Rogers, E. M. (1995). Diffusion of innovations (4th ed.). New York: The Free Press, A Division of Simon & Schuster Inc.

Rothery, B. (1995, Nov.). Why ISO 14000 will catch ISO 9000. Manufacturing Engineering.

Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management Journal, 39(4), 60-66.

Seddon, J. (2000). The case against ISO 9000. Oak Tree Press.

Star, S. L. (1999). The ethnography of infrastructure. American Behavioral Scientist, 43(3), 377-392.

Stevenson, T. H., & Barnes, F. C. (2002). What industrial marketers need to know now about ISO 9000 certification - a review, update, and integration with marketing. Industrial Marketing Management, 31(8), 695-703.

Subba Rao, S., Luis, T., & Solis, E. (1997). Does ISO 9000 have an effect on quality management practices? An international empirical study. Total Quality Management & Business Excellence, 8(6), 335-346.

Tzelepis, D., Tsekouras, K., Skuras, D., & Dimara, E. (2006). The effects of ISO 9001 on firms’ productive efficiency. International Journal of Operations & Production Management, 26(10), 1146-1165.

Vlachos, N. A., Michail, C., & Sotiropoulou, D. (2002). Is ISO/IEC 17025 accreditation a benefit or hindrance to testing laboratories? The Greek experience. Journal of Food Composition and Analysis, 15(6), 749-757.

von Solms, B., & von Solms, R. (2005). From information security to... business security. Computers & Security, 24, 271-273.

Weick, K. E. (1989). Theory construction as disciplined imagination. Academy of Management Review, 14(4), 516-531.

Whitelaw, K. (2004). ISO 14001 environmental systems handbook (2nd ed.). Oxford, UK / Burlington, MA, USA: Butterworth Heinemann.

Wüllenweber, K., & Weitzel, T. (2007). An empirical exploration of how process standardization reduces outsourcing risks. The 40th annual Hawaii International Conference on System Sciences (HICSS), Hawaii.
