The effects of ISO 27001 certification : An interview study investigating what changes have small to medium-sized organizations in Sweden experienced after an ISO 27001 certification

Todström, Sebastian

January 2024

With the increasing digitalization of society, where threats of data breaches and information leaks are growing exponentially, the importance of a structured and effective management of information security has become increasingly apparent. This realization has contributed to organizations prioritizing efforts to ensure the secure management of information, making information security management systems (ISMS) a prominent component among organizations. With the increased demand for this, ISO 27001 certification has emerged as a key strategy for organizations to increase information security. Given the lack of research on this certificate, especially inthe Swedish context, this study aims to investigate what effects small to medium-sized organizations experience after an ISO 27001 certification. Using a qualitative research method, eleven semi-structured interviews were conducted where the results were discussed and compared with previous research in the field. The results indicate that organization experiences a lot of improvements after the ISO 27001 certification, which are both internal and external improvements. The findings show that organizations experience efficiency improvements, improved security and risk management, business benefits, and better customer relations. In addition, the findings also indicate that the certificate is fulfilling its purpose and that organizations are satisfied with the end result and choose to recertify.

Information security

ISMS

ISO 27001

certification

Information Systems, Social aspects

Kyberbezpečnost v průmyslu / Cybersecurity in the engineering industry

Jemelíková, Kristýna

January 2021

The master’s thesis deals with the management of cyber security in a manufacturing company. The theoretical part contains concepts and knowledge of cyber security and discusses the current requirements of legislation and standards of the ISO/IEC 27000 series. In practical part are proposed measures to increase cyber security and information security based on the theoretical background and analysis of current state in the selected company.

基於內容管理系統的資訊安全標準導入輔助系統 / A Content Management System Based Assistant for Implementing ISO Information Security Standard

彭應武, Peng, Ying-Wu

Unknown Date

隨著資訊科技日益普及，近年來資安事件仍層出不窮。行政院國家資通安全會報於94年5月，訂定「政府機關(構)資訊安全責任等級分級作業實施計畫」，針對各種資訊安全的潛在威脅，提出以建立管理機制並配合技術支援服務的方式，期能有效防護資訊資產，提昇資訊安全。其中管理面的具體措施為建構「資訊安全管理系統」（ISMS, Information Security Management System），並規範列屬資安責任等級為A或B級之機關，應在規定之期限內通過由第三方(third party)公正機構驗證符合資訊安全國際標準。根據行政院科技顧問組針對A、B級機關在2008年進行資安責任等級應辦事項調查顯示，B級機關在資安認證達成率只有43%，可見通過資安認證有其困難性。 本研究依據已通過資安認證的機關的經驗分享文獻，分析歸納導入ISMS所可能遭遇的主要問題，從而主張可以採用內容管理系統(CMS, Content Management System)的平台來協助組織導入ISMS。Drupal是一套結構簡單且具高擴展性模組化的開放源碼內容管理系統，不僅容易在其平台上建立客製化的應用系統，且有大量的社群可提供技術支援，故本研採用Drupal建置輔助系統，方便組織在導入符合國際標準的ISMS(如ISO 27001)時，可以集中管理各類相關資訊，評定資產價值，計算風險值，並提供組織申請ISO驗證時作為部份佐證資料的集中管理。 / As information technology is widely used in our daily work and life, incidents of information security also occurs from time to time. In May of 2005, the National Information & Communication Security Taskforce of R.O.C. instituted “The operational plan for classifying the information security duty grade of the government agencies”. The plan demands government agencies to establish technological support services along with management mechanisms for all potential security threats to provide effective information security management. In addition, all agencies whose security grade belongs to the A or B levels must pass the third party certification for ISO Information Security Standard within a specific deadline. However, as shown in the investigation report released by the government technology advisors in 2008, the achievement rate for information security certification on grade B government agencies is only 43%. Therefore, it is perceived that there are some difficulties in passing the information security certification This thesis analyzes and summarizes the main difficulties that organizations may encounter when establishing an ISMS by following the international IS standard ISO 27001. The analysis results show that document management is a key issue. Therefore, we claim that a content management platform is a good foundation to build an assistant for an organization to establish its ISMS. To demonstrate our proposal, we choose the open source content management platform, Drupal, to set up such an assistant. By fully utilizing the simpler yet extensible structures provided Drupal, we build up an assistant system that facilitates an organization to manage all related documents centrally, to assess asset values and calculate risk values by following the ISO 27001 information security international standard. These facilities will give the organization a very strong evidence of employing a centralized information security management system when applying for ISO certification

內容管理系統

資訊安全管理系統

CMS

ISMS

ISO 27001

Drupal

Zhodnocení připravenosti podniku na zavedení ISO 27001 pomocí GAP analýzy / Evaluation of preparedness of a business for an implementation of ISO 27001 using Gap analysis

Zrcek, Tomáš

January 2016

The aim of the thesis is to evaluate the preparedness of an information security management system (ISMS) in a logistic company JASA s.r.o. for a certification by standard ISO/IEC 27001:2013. This enterprise oscillates between small and medium enterprise. It has already implemented the certificate on quality management ISO 9001:2008. For this reason, in the thesis there are presented advantages for a company that already has implemented one of ISO standards and decides to implement another. First of all, the present state of information security management system in Jasa s.r.o was compared to other businesses functioning in the Czech and European market. Then the company control environment was evaluated accordingly to the requirements of standard ISO/IEC 27001:2013. Furthermore, a scheme was created in order to evaluate specific controls based on the impact risk that could arise in case of ignoring the suggested recommendations. In the last part, the controls were evaluated accordingly to difficulty, so that the company can find cheap and fast solutions with adequate impact. The main contribution of the thesis is the evaluation of the approach to solve information security in one of many enterprises that are afraid or are starting to notice the increasing amount of security threats. This approach may be chosen by other companies that decide to go the similar way.

Návrh průmyslového řešení ISMS / Design of Industrial Solutions ISMS

Havlík, Michal

January 2017

Thesis deals with industrial solutions of ISMS mainly network infrastructure. First introduction into theoretical background of the thesis. Further analysis of the current situation in the company and its evaluation. Consequently, the design of solution done to meet the standards of ISO / IEC 27000.

Návrh zavedení programu budování bezpečnostního povědomí na gymnáziu / Proposal for the implementation of security awareness program at grammar school

Holásková, Marie

January 2018

The diploma thesis deals with the issue of building security awareness at grammar schools. The thesis can be divided into three main parts. The introductory part introduces the theoretical definition of basic concepts in the area of information security and a brief description of the legislative requirements to be followed in solving the work. The second part analyzes the current situation of selected grammar school, including risk analysis, HOS 8 analysis and SWOT analysis. In the practical part, the proposal to introduce a security awareness program adapted to the grammar school.

Budování bezpečnostního povědomí na základní škole / Increase of Security Awareness at the Primary School

Kolajová, Jana

January 2019

This diploma thesis is focused on the development of informational environment safety awareness at primary schools. The thesis consists of three main parts. The introduction explains the basic safety terms and briefly describe the legislative essentials necessary for this proposal. The second part consists of the analysis of the current situation at the school chosen for this research, including SLEPT analysis, Porter´s analysis, 7S analysis, and SWOT analysis. The practical part introduces the proposal of implementation of the program which is tailored to the requirements and needs of the primary school. The final part evaluates the pros and cons of the implemented solution.

Zavedení bezpečnostních opatření dle ISMS pro základní školu / Implementing of security measures according to ISMS for elementary school

Pexa, Marek

January 2019

The diploma thesis deals with introduction of security measures for primary and elementary school. The thesis is devided into three main parts. The first part deals with basic theoretical concepts of information security and legislative elements needed for understanding the issue. The second part desrcibes the current state for primary and elementary school. The last practical part includes proposal of security measures and recommendations.

Metodika zavedení síťové bezpečnosti v softwarové společnosti / Implementation Methodology of Network Security in the Software Company

Tomaga, Jakub

January 2013

This thesis deals with network security and its deployment in the real environment of the software company. The thesis describes information management framework with a specific concentration on computer networks. Network security policy is designed as well as network infrastructure modifications in order to increase the level of security. All parts of the solution are also analyzed from financial point of view.

Nasazení kontextového DLP systému v rámci zavádění ISMS / Deployment of the Context DLP System within ISMS Implementation

Imrich, Martin

January 2015

This diploma thesis focuses on a DLP implementation within a specific organization. The thesis contains current situation analysis and provides decision for choice of the most suitable DLP based on the analysis findings. Eventually describes a real implementation of the chosen DLP system within the organization.