
Far East Journal of Psychology and Business Vol. 9 No. 3 Dec 2012

EFFECTIVENESS OF ISO 27001 AS AN INFORMATION SECURITY MANAGEMENT SYSTEM: AN ANALYTICAL STUDY OF FINANCIAL ASPECTS
Dr N K Sharma
Faculty, Department of EAFM
University of Rajasthan, Jaipur, India

Prabir Kumar Dash
Research Scholar, Department of EAFM
University of Rajasthan, Jaipur, India
Email: member@aima.in

ABSTRACT

Effectiveness of ISO 27001 as an information security system is a measure of the expectation
satisfaction level: the organizational expectations prior to implementation of ISO 27001 set
against the actual results obtained after certification. Thus, effectiveness focuses on how
well objectives have been achieved rather than how well processes have been followed. The
effectiveness of ISO 27001 lies in preventing or minimizing the exposure to information
security incidents in the real world. In a scenario where there has been so much investment in
adopting the framework and in subsequent certification, resulting in high levels of stakeholder
assurance, the focus is on identifying the areas where it is effective. More importantly, it
also focuses on the areas where there are gaps, leading to information security risks and/or an
incident even where the framework is adhered to and certification against it
exists. Companies that have ISO 27001 certification and audits gain an improved risk-based
approach to information security management through an ongoing process of risk assessment
and risk mitigation, which helps them to adequately prioritize the implementation of
countermeasures and strengthen their security posture through the standard's rigorous testing.
Organizations are then able to demonstrate that they have good internal controls over financial
processes and, more importantly, they can help mitigate information security risks by
operating under one system rather than two. This approach can complement the Plan, Do,
Check, Act (PDCA) process, which is a widely accepted system to drive continual
improvement. The analysis results support organizations and security managers in identifying
systems they can use to achieve greater efficiency in the information security management
process.

Keywords: Information Security, Information Security Management, Information Security Management System (ISMS), ISO 27001 Standards.
Paper Type: Research Paper

INTRODUCTION

Information Security

The primary concern in today's e-world is the protection of information and critical data. Given
the immense value of information to the organization, securing information assets through a
system of information security is of the utmost importance. The nature of information assets,
which contributes to their strengths, also leads to some of their weaknesses. The necessity for
information security can be studied according to the different categories of impact level of an
information security incident: individual, organizational and national. At the individual level,
the most common incident is that of identity theft, wherein the perpetrator gains access to
unique identity characteristics of a person in order to assume that identity.

Far East Research Centre www.fareastjournals.com

After this first step, the individual whose identity has been compromised would be primarily
liable for all activities carried out by the perpetrator under the assumed identity, until the true
facts of the case are discovered. The second case at the individual level could be one of
divulging confidential personal data to interested parties, who could use the data for
illegal or unethical purposes.

For organizations, there can be three categories of consequences of information security
incidents: operational, legal and reputation.

• Operational consequences have an immediate impact. They could be in the nature of loss
of crucial information assets, impacting the business in terms of decreased profitability
and / or revenue. For instance, the loss of a design document for a new product can set an
organization back by a considerable period of time. If sensitive information such as
industrial and trade secrets, intellectual property rights and findings of research activity
finds its way to a competitor, the competitive position of the organization can be
compromised, which can take substantial resources to recover.

• Legal consequences have an impact over a period of time. They could result from
contraventions of regulatory and statutory requirements and / or from the breach of
contractual agreements. In case of a breach of contract, the impact would be loss of
business and revenue and a threat to future business. An example could be sub-contracting
a part of the contracted work (involving sharing of information) without taking due
clearance from all stakeholders concerned. The impact can be much more serious if the
law of the land (i.e. statutory and regulatory requirements) is contravened. For example, in
most developed countries, divulging sensitive personal information about an
individual without the individual's prior consent can attract severe punitive measures,
which could come close to threatening the very existence of the organization responsible
for the safekeeping of the information.

• Reputation consequences can stick with an organization for a lifetime. They would get in
the way of the future growth of the organization. This category of consequences has a
high negative impact on employee morale and motivation, and hence on productivity.

ISO 27001

ISO/IEC 27001 "Information technology - Security techniques - Information security
management system - Requirements" is a standard issued in November 2005 as ISO/IEC
27001:2005. The ISO 27001 standard was preceded by the British standard BS 7799, issued in
1995 by the British Standard Institute (BSI). The Department of Trade and Industry (DTI) in
the UK wrote the British standard BS 7799. BS 7799 was written as a document that focuses
on the development and implementation of an information security management system
(ISMS). It was developed as a "Code of practice" for guidance to organizations and did not
have a scheme that could allow third-party certification. Eventually a second part of BS
7799 emerged in 1999, BS 7799 part 2. This standard had the form of a specification and was
titled "Specification of Information Security Management Systems". The original standard
became a single-part standard, BS 7799 part 1, titled "Information Technology - Code of
Practice for Information Security Management".

Purpose of the ISO 27001 Standard

The ISO 27001 standard aims to provide an approach for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving an Information Security
Management System (ISMS). Earlier versions of the standard focused foremost on
the protection of the confidentiality, integrity and availability of information, but the
newer versions and the current standard also view information from a business
perspective: "Information security is the protection of information from a wide range of
threats in order to ensure business continuity, minimize risk, maximize return on investments
and business opportunities". The information itself can be written, spoken, electronic or
visual.

Content of the ISO 27001 Standard

The standard encompasses 11 control objectives and a total of 39 controls within the
standard. The ISO 27001 standard is in fact more or less intended to be used together with the
ISO 27002 standard.

A key issue is that ISO 27001 is a management standard, not a security standard. It provides
a framework for the management of security within an organization, but does not provide a
'Gold Standard' for security which, if implemented, ensures the security of an organization.
ISO 27001 takes a risk-assessment-based approach. An information security risk assessment
is used to identify the security requirements of the organization, and then to identify the security
controls needed to bring that risk within a level acceptable to the organization. Once the
security controls have been identified, ISO 27001 defines processes to ensure that these
controls are implemented and effective, and that they continue to meet the
organization's security needs.

ISO 27001 gives a best-practice management framework for implementing and maintaining
security. It also gives a baseline against which to work - either to show compliance or for
external certification against the standard. The organization needs to decide on a risk
assessment method, carry out the risk assessment, select security controls and ensure that
these are adequate to meet its security needs. This requires information risk management and
security expertise to implement. ISO 27001 does not say how to do this, but rather provides a
framework within which to do it. In conjunction with ISO 27002 (ISO 17799) it provides
guidance on the controls that an organization should consider. However, it does not provide
detailed guidance specific to a particular organization, the information it handles, and the
systems it runs. Again, security expertise is required both to implement an information
security risk assessment and to define the required security controls.

Objectives of the Research

• To identify challenges in implementing and post implementation of the ISO 27001 standard.
• To study the financial and material impacts before and after implementation of the ISO 27001
standard.
• To identify the threats in certifying against the ISO 27001 standard in preventing the
occurrence of information security incidents having a material and financial impact on the
operation of an organization.

Hypothesis

H1: ISO 27001 is an effective protective system against information security incidents having
critical consequences.

H2: Implementing ISO 27001 in an organization delivers substantial financial growth and
benefits to the business operations of the organization.

RESEARCH METHODOLOGY

Research methodology is the attempt to validate the rationale behind the selected research
design and to justify why it is appropriate for solving the selected research
problem. It is the process of the research that produces knowledge. This section gives information
about method critique, choice of topic, research process, data collection
and sources, sampling strategy, data analysis and the framework of the methodology. The population
is the total number of ISO 27001 certified organizations.

Currently, there are 7840 ISO 27001 certified organizations worldwide. Of these, 545 are
based in India. The sampling frame is the number of ISO 27001 certified
organizations in the NCR in India. Out of these 545 organizations, 38 are selected for
quantitative data collection, and out of these 38, the top 15 organizations are selected on the
basis of their response to the first questionnaire.

The sampling unit and the element are the head of the security function, the head of IT and the
head of Finance in each of the ISO 27001 certified organizations in the NCR. The confidence
interval approach is used to determine the sample size. A probability sampling technique
(simple random sampling) is used to determine the elements to whom the survey
questionnaire is administered.

A pilot study of the questionnaire was carried out to adapt it to the local context. The
sources of information used in this study comprise both primary and secondary data. It is
not only the research strategy that determines the quantitative or qualitative nature of research, but
the combination of research strategy, research objectives and data collection techniques.

Data collection

Primary data is data that is “originated by researcher for the specific purpose of addressing the
problem at hand”. Interviews were conducted in order to obtain primary data. The interviews
were not structured to a great extent because our main goal was to discuss the questions
with the interviewees, which could result in more discussion of the subject.
Therefore, we conducted semi-structured interviews. The aim of the interviews was to obtain
valuable information related to the topic of the study and the research questions.

Secondary data was our second source of information. Secondary data is defined as
“collection of data that already exists”. In order to develop the conceptual framework and
methodology, various sources of information such as articles, books, journals and online
databases have been utilized.

Data Analysis

The analysis of data is done using the ANOVA technique, and SPSS software is used for the
calculations. The analysis of variance (ANOVA) is a flexible statistical procedure that can be used
when the researcher wishes to compare differences between more than two means. Two
ANOVA models are commonly used: the simple one-way ANOVA and the
two-way factorial ANOVA. The one-way ANOVA is analogous to the t-test except that more
than two means can be tested for differences simultaneously.

The chi-square goodness-of-fit test and test for independence are available in SPSS. Chi-square
is useful for analyzing whether a frequency distribution for a categorical or nominal
variable is consistent with expectations (a goodness-of-fit test), or whether two categorical or
nominal variables are related or associated with each other (a test for independence). In
chi-square, the interest is in the frequency with which individuals fall in a category or
combination of categories.
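To make the two procedures concrete, here is an added worked example (my own code, not the paper's; the paper used SPSS) that computes the one-way ANOVA F statistic and the two chi-square statistics from scratch in Python. The incident counts per organization group and the 2x2 contingency table are constructed for illustration and are not the survey data. The block stops at the test statistics and degrees of freedom, which are then read against F and chi-square tables at the chosen significance level; it does not compute p-values.

```python
# Added example: one-way ANOVA and chi-square statistics computed from
# scratch on constructed data. Not from the paper, which used SPSS.
from typing import Dict, List, Sequence, Tuple


def one_way_anova(groups: Dict[str, Sequence[float]]) -> Tuple[float, int, int]:
    """Return (F, df_between, df_within) for k independent groups.

    F = MS_between / MS_within, where
      SS_between = sum_g n_g * (mean_g - grand_mean)^2
      SS_within  = sum_g sum_i (x_gi - mean_g)^2
    """
    samples = list(groups.values())
    k = len(samples)
    n_total = sum(len(s) for s in samples)
    if k < 2 or n_total <= k:
        raise ValueError("need at least two groups with spare degrees of freedom")
    grand_mean = sum(sum(s) for s in samples) / n_total
    ss_between = 0.0
    ss_within = 0.0
    for s in samples:
        m = sum(s) / len(s)
        ss_between += len(s) * (m - grand_mean) ** 2
        ss_within += sum((x - m) ** 2 for x in s)
    df_between = k - 1
    df_within = n_total - k
    if ss_within == 0:
        raise ValueError("zero within-group variance; F is undefined")
    f_stat = (ss_between / df_between) / (ss_within / df_within)
    return f_stat, df_between, df_within


def chi_square_independence(table: List[List[int]]) -> Tuple[float, int]:
    """Pearson chi-square test of independence on an r x c contingency table.

    Expected count E_ij = row_total_i * col_total_j / N;
    statistic = sum (O_ij - E_ij)^2 / E_ij; df = (r - 1)(c - 1).
    """
    rows = len(table)
    cols = len(table[0])
    if any(len(r) != cols for r in table):
        raise ValueError("ragged table")
    row_totals = [sum(r) for r in table]
    col_totals = [sum(table[i][j] for i in range(rows)) for j in range(cols)]
    n = sum(row_totals)
    stat = 0.0
    for i in range(rows):
        for j in range(cols):
            expected = row_totals[i] * col_totals[j] / n
            if expected == 0:
                raise ValueError("zero expected count; merge categories first")
            stat += (table[i][j] - expected) ** 2 / expected
    return stat, (rows - 1) * (cols - 1)


def chi_square_goodness_of_fit(observed: Sequence[int],
                               expected: Sequence[float]) -> Tuple[float, int]:
    """Goodness of fit: does an observed frequency distribution match expectations?"""
    if len(observed) != len(expected):
        raise ValueError("observed and expected must have the same length")
    stat = sum((o - e) ** 2 / e for o, e in zip(observed, expected))
    return stat, len(observed) - 1


# Constructed sample data (not survey results from the paper): quarterly
# security-incident counts reported by three hypothetical groups of organizations.
INCIDENTS_BY_GROUP = {
    "certified_high_maturity": [2, 4, 6],
    "certified_low_maturity": [4, 6, 8],
    "not_certified": [6, 8, 10],
}

# Constructed 2x2 table: rows = certified / not certified,
# columns = reported a material incident / did not.
INCIDENT_TABLE = [
    [10, 30],
    [20, 20],
]


def summarize() -> Dict[str, float]:
    """Run the three tests on the constructed data and return the statistics."""
    f_stat, df_b, df_w = one_way_anova(INCIDENTS_BY_GROUP)
    chi2, df_ind = chi_square_independence(INCIDENT_TABLE)
    # Goodness of fit: do the 30 "incident" vs 50 "no incident" column totals
    # match an even 40/40 split?
    gof, df_gof = chi_square_goodness_of_fit([30, 50], [40, 40])
    return {
        "F": f_stat, "df_between": df_b, "df_within": df_w,
        "chi2_independence": chi2, "df_independence": df_ind,
        "chi2_gof": gof, "df_gof": df_gof,
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value:.4f}")
```

Computing the statistics by hand rather than through a package makes visible what an SPSS output table summarizes: the between-group and within-group sums of squares behind F, and the expected counts behind chi-square. The zero-expected-count and zero-variance guards matter for small survey samples like the 15 organizations used in this study, where sparse categories make the chi-square approximation unreliable.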

An information security management system (ISMS) is necessary because the threats to the
availability, integrity and confidentiality of the organization's information are great, and
always increasing. Any prudent householder whose house was built on the shores of a tidal
river would, when facing the risk of floods, take urgent steps to improve the defences of the
house against the water. It would clearly be insufficient just to block up the front gate,
because the water would get in everywhere and anywhere it could. In fact, the only prudent
action would be to block every single possible channel through which floodwaters might
enter and then to try to build the walls even higher, in case the floods were even worse than
expected.

So it is with the threats to organizational information. All organizations possess information, or
data, that is either critical or sensitive. Information is widely regarded as the lifeblood of
modern business.

ISO 27001 is in the nature of a non-prescriptive framework, as it is a technology- and vendor-neutral
standard which provides the organization and all its stakeholders a level of
confidence regarding its information security measures. The fact that it offers the option of
certification through an independent audit has the advantage of providing information
regarding an assured level of information security. It is due to these as well as the reasons
stated earlier that ISO 27001 has become the de facto global standard for information
security management. As per recent data, 7940 organizations worldwide are ISO 27001
certified.

The diagram in figure 1 below illustrates the most effective outcomes seen by the
organizations after their implementation of the ISO 27001 standard.


FIGURE - 1: OUTCOMES OF ADOPTING ISO 27001 STANDARD

Just as we asked participants about what challenges and obstacles they faced during the
implementation of ISO 27001, we also asked them about their success factors and the lessons
that they had learned. The eight organizations stated that coherent planning from the
inception to completion of the project, a sufficient budget, and their employees' positive
attitude toward the project were the most helpful factors in achieving their goals of
implementing the standard.

Outstanding project management skills, top management's involvement and contributions,
compatibility with existing policies and procedures, employee awareness of the importance of
security, and the contribution of existing auditing functions came as secondary success
factors, in that order. Figure 2 below illustrates the participants' responses about the success
factors that they observed.

FIGURE - 2: SUCCESS FACTORS IN IMPLEMENTING ISO 27001 STANDARDS


Even though all of the participants indicated their satisfaction with the way they implemented
the ISO 27001 standard, we asked them what they would do differently if they were to
implement the standard over again.

Almost all of the participants agreed on four primary things that they would do differently,
starting with increasing the awareness of the benefits of an Information Security Management
System (ISMS), then ensuring staff involvement from the inception to completion of the
project, changing the risk assessment approach method, and finally reducing the reliance on
external resources. Figure 3 shows all of the options and responses according to reported
votes.

FIGURE - 3: SUGGESTIVE CHANGES TO THE IMPLEMENTATION OF ISO 27001 STANDARDS

Participants in our survey recognize this trend: 73% of respondents see an increasing level of
risk due to increased external threats. At the same time, however, only about a third of
respondents have updated their information security strategy in the past 12 months to respond
to these enhanced threats. In addition, 45% of organizations have also identified increased
threats within their own organizations.

It is perfectly possible to implement an ISO 27001-compliant information security
management system (ISMS) without adequately addressing information security. This can
either be 'designed in' to the ISMS by management accepting high risks (rare), or can arise
from inadequate risk assessment or poor selection or implementation of security controls
(common). Compliance or external certification to ISO 27001 does not mean an organization is
secure - it means that it is managing security in line with the standard, and to the level it thinks
is appropriate to the organization. If the risk assessment is flawed, if the organization does not
have sufficient security and risk assessment expertise, or if it does not have the management
and organizational commitment to implement security, then it is perfectly possible to be fully
compliant with the standard but insecure.

FIGURE - 4: PERCENTAGE OF RISK ENVIRONMENT

In the end, an organization only implements information security effectively if there is a
culture of understanding the value of information and protecting it. This requires visible
management commitment and individual ownership and responsibility, backed up with
effective security education and awareness. Without this, an ISO 27001 ISMS is unlikely to
be effective, and hence information is not appropriately protected.


FINDINGS

It was not easy to find organizations to validate the proposed method. The organizations
allocated too little time to invest in this research, due to other priorities. Complying with
legislation and regulation was considered to be the top driver for information security within
all case study organizations. The business viewed information security as a Cost Center, the
traditional way to manage information security activities within all case study organizations.

The information security maturity level was low within all case study organizations. The
organization implemented information security mainly to comply with legislation.
Information security was delivered based on a supply strategy, and not based on a demand
strategy in all case study organizations. As a consequence, information security was often
used too heavily (costly) within the IT organization.


All organizations made information security investment decisions in an economic-
independent way. Instead of conducting economic evaluations to justify the selected
information mitigation solutions, the case study organizations selected solutions
based on expert judgment and intuition. A lack of relevant content within all case study
organizations meant that not all steps of the method could be carried out. For example,
relevant past experience, statistical data and results of earlier inspections were lacking in
these organizations. It was difficult to assess the cost-effectiveness of the mitigation solutions
due to the unavailability of the relevant content. So, it was hard to evaluate information security
from an economic perspective.

All studies of organizations indicated that the proposed method was clear and complete. The
method's steps were clear and logical. In addition, the method resulted in a better focus,
analysis and argumentation. The method could be implemented and it could increase the
organization's understanding of the economic evaluation of information security. However,
organizations should meet some conditions to use the method and to evaluate information
security from an economic perspective.

Implementing ISO 27001 is the right way forward to ensure the security of an
organization. Implementing ISO 27001 requires careful thought, planning, and coordination
to ensure a smooth control adoption. The decision of when and how to implement the
standard may be influenced by a number of factors, including different business objectives,
existing levels of IT maturity and compliance efforts, user acceptability and awareness,
customer requirements or contractual obligations, and the ability of the organization to adapt
to change and adhere to internal processes.

FIGURE - 5: COMPARISON WITH OTHER STANDARDS

After analyzing and concluding the research, some recommendations are presented in this
section for different organizations, which can be used to avoid operational risks and improve
the current system of information security. In order to decrease the probability of operational
risks and to enhance information security, it is recommended that any information that users
consider sensitive or vulnerable should be encrypted. Passwords should be kept secure
and user accounts should not be shared. Authorized users should be responsible for the
security of their passwords and accounts. User and system level passwords should be changed
frequently.

For the sake of maintaining privacy and confidentiality, installing desktop sharing tools and
software on any of the company resources should not be allowed. Only necessary and
licensed software and applications should be installed on the machines. Unwanted and
unauthorized software should be removed from the machine. The user should follow a formal
procedure if there is a requirement for new software which is not on the approved list of
software maintained by the company.

Every workstation should be equipped with the best available antivirus software and the virus
definition files should be kept updated at all times. Every workstation should be kept updated
with the latest operating system patches and updates. Employees must be careful when e-mail
attachments are received from unknown senders, which may contain viruses, e-mail bombs,
or Trojan horse code.

The P-D-C-A (Plan-Do-Check-Act) cycle in the context of an ISMS, wherein the different
stages are identified as:

• Plan - Establish the ISMS
• Do - Implement and operate the ISMS
• Check - Monitor and review the ISMS
• Act - Maintain and improve the ISMS

The question is whether the mere presence of information security standards is good enough to
ensure information security, or whether a wider perspective is needed. Key factors for the success of
information security are senior management commitment and the spread of awareness across
the organization. Information security also has a cultural dimension. Depending on the
cultural context, a particular information security requirement may or may not be carried out
in the right spirit.

Information security management system - the 'guts' of the standard, based on the Plan-Do-
Check-Act cycle, where Plan = define requirements, assess risks, decide which controls are
applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS;
Act = maintain and continuously improve the ISMS. It also specifies certain documents
that are required and must be controlled, and states that records must be generated
and controlled to prove the operation of the ISMS (e.g. for certification audit purposes).
Management responsibility - management must demonstrate their commitment to the ISMS,
principally by allocating adequate resources to implement and operate it. Internal ISMS
audits - the organization must conduct periodic internal audits to ensure the ISMS incorporates
adequate controls, which operate effectively.

Management review of the ISMS - management must review the suitability, adequacy and
effectiveness of the ISMS at least once a year, assessing opportunities for improvement and
the need for changes. ISMS improvements - the organization must continually improve the
ISMS by assessing and where necessary making changes to ensure its suitability and
effectiveness, addressing nonconformance (noncompliance) and where possible preventing
recurrent issues.

Complying with legislation and regulation was considered to be the top driver for information
security within all the organizations that participated in this study. The business viewed
information security as a Cost Center, the traditional way to manage information security
activities within all organizations that participated in this survey. The information security
maturity level was low within all the organizations that participated in this study. The
organizations implemented information security mainly to comply with legislation.
Information security was delivered based on a supply strategy, and not based on a demand
strategy, in all case study organizations.

As a consequence, information security was often used too heavily (costly) within the IT
organization. All the participating organizations made information security investment
decisions in an economic-independent way. Instead of conducting economic evaluations to
justify the selected information mitigation solutions, the participating organizations selected
solutions based on expert judgment and intuition. A lack of relevant content
within all organizations meant that not all steps of the method could be carried out. For
example, relevant past experience, statistical data and results of earlier inspections were
lacking in these organizations. It was difficult to assess the cost-effectiveness of the
mitigation solutions due to the unavailability of the relevant content. So, it was hard to evaluate
information security from an economic perspective.

All the studies indicated that the proposed method was clear and complete. The method's
steps were clear and logical. In addition, the method resulted in a better focus, analysis and
argumentation. The method could be implemented and it could increase the organization's
understanding of the economic evaluation of information security. However, organizations
should meet some conditions to use the method and to evaluate information security from an
economic perspective.

The results support organizations and security managers in identifying systems they can use
to achieve greater efficiency in the information security management process.

RECOMMENDATIONS

Summarized, the research findings lead to the following recommendations to organizations
wishing to proceed with the economic evaluation of information security:

1. Determine at which information security maturity level the organization wants to arrive,
and how that level can be reached. Metrics for information security should be defined,
measured, collected and communicated. Information security requires security
measurement in order to generate the feedback necessary.
2. Review the methods used within the organization to obtain the relevant content, and
investigate how tooling can be used to record it. Organizations should
collect information security incidents data prior to and post implementation of the
security control, as well as the related business loss and cost data.
3. Involve business management in information security. Information security should not be
viewed as an IT issue only, but as an integral part of the organization. Business
management support may take the form of guidance during planning, participation during
design or involvement during deployment.
4. Reserve sufficient time to do economic judgments of information security and conduct
training sessions. Initiate an effort to establish training sessions for
employees/management on how to apply economics to information security investment
decisions.

Implementing ISO 27001 can take time and consume unforeseen resources, especially if
companies don't have an implementation plan early in the compliance process. To enhance
compliance efforts, internal auditors can help companies identify their primary business
objectives and implementation scope. Auditors should work with IT departments to
determine current compliance maturity levels and analyze the compliance process's return on
investment. A team of staff members or external consultants who have prior experience
implementing the standard can conduct these steps. External consultants should work in
collaboration with an internal team of representatives from the company's major business
units. Below is a description of each recommendation.

Identify Business Objectives

Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves
listing the primary business objectives and ensuring a consensus is reached with key
stakeholders. Business objectives can be derived from the company's mission, strategic plan,
and existing IT goals and may include:

• Ensuring effective risk management, such as identifying information assets and
conducting accurate risk assessments.
• Maintaining the company's competitive advantage, if the industry as a whole deals with
sensitive information.
• Preserving the organization's reputation and standing among industry leaders.
• Providing assurance to customers and partners about the organization's commitment to
protecting data.
• Increasing the company's revenue, profitability, and savings in areas where protective
controls operate well.

The standard also emphasizes compliance with contractual obligations, which might be
considered another key business objective. For instance, for an online banking division,
implementing the standard would provide customers and partners greater assurance that risks
stemming from the use of information systems are managed properly.

CONCLUSIONS AND FUTURE WORK

Information security, and in particular the handling of personal information, has regularly
been in the headlines over the last few months. There have been notable incidents at HM
Revenue and Customs, the Ministry of Defence, Nationwide Building Society and Marks and
Spencer among others. These are all large organizations implementing information security
management systems at least compliant with, if not certified against, the international
standard for information security management, ISO 27001.

It is found that companies that have ISO 27001 audits and certification gain an improved risk
based approach to information security management through an ongoing process of risk
assessment and risk mitigation, which helps them to adequately prioritize the implementation
of countermeasures and strengthen their security posture through the standard's rigorous testing.
Organizations are then able to demonstrate that they have good internal controls over
financial processes and, more importantly, that they can help mitigate information security
risks by operating under one system rather than two. This approach can complement the Plan,
Do, Check, Act (PDCA) process, which is a widely accepted system to drive continual
improvement.

This is a big chance to get involved and influence the future direction of this well-respected
information security standard. Since ISO/IEC 27001 is an active certification standard,
major or structural changes are very difficult, and even minor changes have to be justified in order
to retain "backwards compatibility" with the existing standard wherever possible.

In any business or organization in every industry, protecting sensitive, confidential data is a
top priority when it comes to information security. There are a number of laws, regulations,
and standards that address concerns of this matter. But does complying with one law,
regulation, or standard mean that an organization is fully secure against all security attacks
against the organization? The logical answer would be: not necessarily. Many of the
regulations pertain to particular industries or types of data security, so there is almost always a
chance that other parts of an information system are left vulnerable. The Payment Card
Industry is a good example of this: although it mandates its own strict standards for those
establishments that deal with cardholder information, being compliant with only this standard
may not be enough to keep an entire system secure.

In today's technological society, organizations are becoming more and more dependent on
their information systems. Information is by and large the lifeline of the modern enterprise,
and organizations need to prove they are secure. If the proper steps are taken and
security can be proven, the extra reporting and inspections can facilitate the combination of
security and compliance programs to help control costs, keep systems and networks secure,
and sustain compliance. Security has become a crucial initiative of all businesses. With new
challenges and threats emerging almost daily, any breach of security can have a severe effect
on the function, reputation, or survival of the organization. Appropriate steps should be taken
to secure and protect information assets; it is no longer acceptable to just be compliant.

Based on the experiences presented, a number of recommendations for future research are
formulated. Above all, the fact that this research is a first study in this field
implies that further research has to be done to validate the conclusions and recommendations.
To extend the understanding obtained, further research is necessary in which a number of
aspects in this research area are studied more closely. During the research, several areas of
attention were identified that require additional research to increase understanding of the
economic evaluation of information security.

• It is necessary to study in practice how to assess the true effectiveness of the proposed
mitigation solutions. It was difficult to assess the cost-effectiveness of the security
controls due to unavailability of the relevant content. Coming up with meaningful content
to estimate the cost-effectiveness of mitigation solutions was not a simple task. At the
time of performing the case studies, there were also no standardized methods for
determining the risk mitigation effectiveness of mitigation solutions expressed in a
value. The question here is: how can organizations be brought to recognize such content,
record it and analyze it in order to obtain realistic figures to evaluate information security
from an economic standpoint?
• A lack of relevant content within the case study organizations meant that not
all steps could be carried out. One of these steps is the economic evaluation of the proposed
mitigation options. Further research would involve identifying whether the method leads
to more economically grounded investment decisions.
• Alignment is important to information security. It could be investigated how
developments and models in the area of Business-IT Alignment can be used for alignment
between the business and information security.
• The case study organizations did not have a maturity level higher than 1 or 2. It could be
investigated why organizations remained at these low levels of maturity and how they can
reach higher maturity levels. According to several researchers, software development in
India, for instance, is at a higher maturity level. It can be expected that information security
there is also at a higher level. The information security survey showed that the
integration of information security into the overall risk management function is
increasing amongst Indian organizations. The survey findings indicated that Indian
companies were increasingly using information security and risk management in a more
strategic role of addressing business objectives. Additional research could verify
whether this is the case, and how Dutch organizations can reach a higher maturity level.
• The term 'On-going Effectiveness Evaluation (OEE)' in this section refers to the ex-post
consideration of the information security investment level. Thus the activities carried out
to evaluate the effectiveness of the planned (ex-ante) information security level are
performed after the information security implementation has taken place. In general, the
researchers agreed that an important function of evaluation is to provide information for
decision-making. Further research would involve identifying what the content of the
On-going Effectiveness Evaluation should consist of.
