
Adapting ISO/IEC 27001 Information Security Management Standard to SMEs

Ndegeya Ramadhan

Uwase Rose

Information Security, master's level (120 credits)

2022

Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering

ACKNOWLEDGEMENT

This thesis resulted from the efforts of a variety of persons from different kinds of
backgrounds, and most of them had a significant impact. First of all, we would like to thank
Luleå University of Technology and its staff for organizing this program and making it
possible for us to be part of it. Moreover, we would like to thank our supervisor, Dr.
Abdolrasoul Habibipour, for providing guidance and support when it was required. The case
study organizations involved in the data collection process deserve our appreciation and
admiration, because they made it possible for us to conduct interviews with their employees.
Lastly, many thanks to our family members for their encouragement and support during
the studies.

ABSTRACT

Information security management standards play an essential role in enabling
organizations to manage the information security controls of their various operations. There
are a number of standards and guidelines that can be implemented to support this activity,
and this is where SMEs and non-security IT professionals begin to face challenges in
selecting and implementing a meaningful standard. Evidence shows that if Small and
Medium Enterprises (SMEs) fail to implement security standards effectively, there is a high
probability that they will not be able to manage their Information Security Management
Systems (ISMSs) effectively. However, implementing information security standards is not an
easy task, since the majority of the standards, especially ISO 27001, specify what is
required but not how to implement it.

In this research we discuss in depth the role of ISO/IEC 27001 for SMEs and suggest a
relevant framework that will be useful to any kind of SME during the implementation of
ISO 27001. This research is a complete package for SMEs since it provides a clear
understanding of the information security management standards domain, as well as what
it means when authorities and audit requirements refer to requirement standards, guideline
standards, and sector-specific industry standards.

Since some organization and business professionals are familiar with quality control
standards for other industrial processes such as manufacturing and customer service, this
research will show that information security standards have almost the same goal:
demonstrating in a methodical and certifiable manner that an organization conforms to
industry best practices and procedures. This research was carried out using a Design
Science Research (DSR) methodology. DSR seeks knowledge from real-life problems or
opportunities that have significant practical relevance. Therefore, two organizations operating
within the travel industry were involved in the data collection and analysis.

Keywords: Information Security standards, Confidentiality, Data, Integrity, Systems, SMEs, ISMSs.

Table of Contents

1. INTRODUCTION…………………………………………………………………………………. 8
1.1 Problem Description……………………………………………………………………….10
1.2 Motivation………………………………………………………………………………….. 11
1.3 Research questions………………………………………………………………………. 12
1.4 Structure of Thesis………………………………………………………………………..13

2. THEORETICAL BACKGROUND……………………………………………………………... 14
2.1 Confidentiality……………………………………………………………………………...14
2.2 Integrity…………………………………………………………………………………….14
2.3 Availability………………………………………………………………………………… 15
2.4 Information Security……………………………………………………………………… 15
2.5 Framework………………………………………………………………………………… 15
2.6 International Standards…………………………………………………………………. 16

3. LITERATURE REVIEW………………………………………………………………………… 17
3.1 Literature Review Process………………………………………………………………...17
3.2. The role of Information Security Standards in SMEs…………………………………. 20
3.3 Challenges of Implementing Security Standard……………………………………….. 21
3.4 Overview of Information Security Standards…………………………………………… 22
3.5 ISO/IEC 27000 family of standards……………………………………………………… 24
3.6 The context of ISO 27001 requirements for SMEs……………………………………. 26
3.7 Implementing ISO/IEC 27001 in Software Development Environment……………… 27
3.8 Benefits of the ISO/IEC 27001 Compliant Information Security Program…………… 28
3.9 ISO 27001 Certification…………………………………………………………………… 30
3.10 Evaluating the effectiveness of ISO 27001……………………………………………. 32
3.11 Information Security Assessment Based on ISO 27001…………………………….. 34
3.12 Literature Review Summary…………………………………………………………….. 36

4. RESEARCH METHODOLOGY………………………………………………………………. 39
4.1 Qualitative Research Overview………………………………………………………….. 39
4.2 Data Collection…………………………………………………………………………….. 41
4.3 Interview Questions Overview…………………………………………………………….42
4.4 Selection and Limitation…………………………………………………………………... 43
4.5 Data Analysis……………………………………………………………………………… 43
4.6 Ethics of the study…………………………………………………………………………. 45

5. MANUAL DEMOGRAPHIC ANALYSIS……………………………………………………… 46
5.1 Measures…………………………………………………………………………………… 46
5.2 Attitude……………………………………………………………………………………… 47
5.3 The perception of security and privacy…………………………………………………. 47

6. DISCUSSION……………………………………………………………………………………. 49

7. CONCLUSIONS………………………………………………………………………………… 52
7.1 Revisiting Research Purpose And Research Questions……………………………… 52
7.2 Research contribution…………………………………………………………………… 53
7.3 Reflection…………………………………………………………………………………… 58
7.4 Research Limitation and Future Work……………………………………………………60

REFERENCES……………………………………………………………………………………...62

Appendix 1: Interview questions to SMEs Owners and employees………………………….. 72
Appendix 2: Interview Response………………………………………………………………….. 73

LIST OF TABLES

Table 1: Most Widespread Used Security Standards
Table 2: Positions and Work Experiences of Interviewees
Table 3: The overall results of the semantic analysis process

LIST OF FIGURES

Figure 1: Thesis structure

Figure 2: Threats, Vulnerabilities and Risk

Figure 3: ISO/IEC 27000 Family of Standards

Figure 4: ISO 27001 Model Adapted from ISO/IEC

Figure 5: Framework for Adapting ISO/IEC 27001v to SMEs

SYMBOLS AND ABBREVIATIONS

SME: Small and Medium Enterprises
ISMS: Information Security Management System
CIA: Confidentiality, Integrity, and Availability
ISO/IEC: International Standards Organization / International Electrotechnical Commission
BSI: British Standards Institution
DDoS: Distributed Denial of Service
IT: Information Technology
ISF: Information Security Framework
GDPR: General Data Protection Regulation
ITIF: Information Technology Infrastructure Library
HIPAA: Health Insurance Portability and Accountability Act
SSE-CMM: System Security Engineering-Capability Maturity Model
PCI DSS: Payment Card Industry Data Security Standard
CLUSIF: Club de la Sécurité de l'Information Français (French Information Security Club)
NIST: National Institute of Standards and Technology
COBIT: Control Objectives for Information and Related Technology
CASEC: Cyber World Awareness and Security Enhancement Structure
ACM: Association for Computing Machinery
CAS: Center for Advanced Security Studies
IEEE: Institute of Electrical and Electronics Engineers
DBLP: Digital Bibliography and Library Project
SQL: Structured Query Language
OECD: Organisation for Economic Co-operation and Development
TCSEC: Trusted Computer System Evaluation Criteria
ITSEC: Information Technology Security Evaluation Criteria
ENISA: European Union Agency for Network and Information Security
EBIOS: Expression des Besoins et Identification des Objectifs de Sécurité

1. INTRODUCTION

The purpose of this research is to enable Small and Medium Enterprises (SMEs) to
understand in depth the best practices for adapting the ISO/IEC 27001 information
security management standard. The interrelationship between information systems and
SMEs is growing rapidly; therefore, information security is no longer a purely domestic
issue. In this era of technology, SMEs have become interconnected in one way or another,
so that if one SME is affected by information security issues it can certainly cause issues
for other stakeholders (Theodoros et al., 2011). There are a few challenges involved in this
relationship, such as SME owners' lack of knowledge of the standards, the lack of a useful
framework for security professionals to use during the implementation of security
standards, and lack of compliance.

Recent research shows that information systems and ISMSs are often at high risk of being
exposed to vulnerabilities and threats. As a result, the three major components of
information security, Confidentiality, Integrity, and Availability (CIA), are compromised
(Ojalainen, 2020). This field was explored because the topic has tremendous benefits in
enabling different kinds of SMEs to understand the requirements and procedures to follow
when implementing the ISO/IEC 27001 standard. Therefore, the process began by
discussing the background and the concept of information security and standards in
general; second, the authors express the motivation behind this topic, outline the
relationship between information security and international information security standards,
and describe the problem (Siponen, 2006).

Information security standards can play an essential role in handling and managing
security, as long as they are implemented effectively. Research shows that rules that apply
to all parties within a business setting are uniform; therefore, it is recommended that
security measures and controls across various businesses be uniform as well (Wong et al.,
2022). ISO 27001 can help determine whether process or procedural controls, such as
account management and application access control, are in place and are being effectively
maintained. According to Ključnikov (2019), managing accounts is a common activity in
business operations, and it involves a wide range of responsibilities such as keeping track
of various accounts, confirming management procedures, and allocating administrative roles
(Barlette, 2008). At several stages of the account management process, security controls
and documentation of the created accounts are performed, including confirming the identity
of the user and ensuring that the right degree of access has been granted (Antunes,
2021). Under the umbrella of individual security requirements, all of the following security
concerns may be addressed (Altamimi, 2022). Users who log in to applications in an
industrial environment must have their access privileges recorded and the login process
protected at all times. The fundamental objective of this product security standard, which is
applicable to both commercial and industrial documents, is data and information integrity
(Ahmad, 2013).

Security of data and the knowledge that a back-up is in place are important motivators in
an industrial context for enabling SMEs to understand the requirements and procedures to
follow when implementing the ISO/IEC 27001 standard (Mayer, 2009). Best practices for
information security management systems are included in the documentation of information
security standards. The daily operations of the majority of businesses are facilitated by the
use of information technology. In order to demonstrate their commitment to information
security best practices, SMEs adhere to the ISO 27001 standard (Soliman, 2022). It is
essential that information security standards be developed in order to guarantee that
information technology is used in accordance with local and international regulations.
Standards organizations are crucial because they ensure that companies' information
systems and security standards are adhered to, as well as the implementation of proper
security policies. Companies of all sizes are obligated to establish and deploy security
measures to restrict the use of their information systems and networks (Nagata et al., 2022).

The advantage of cloud computing is the use of a global network of computers to store,
retrieve, and analyze data instead of depending on a single server. Security standards play
an important role in cloud computing since they provide best practices to enterprises for
securing sensitive data in the cloud in the event of a disaster. There are several threats to
cloud computing security, including persons who should not have access to cloud-based
data, stolen credentials, and data being manipulated and misrepresented (Reeves, 2021).
An attack from inside the organization poses another security concern. Strong evidence
shows that only a small percentage of all attacks are carried out by insiders (Gordas, 2014).
Cloud-based services are used by SME employees who are not authorized to modify data
in the cloud. Securing sensitive data is becoming more difficult in today's digital era (Pan,
2021). Therefore, this research focuses on the information security aspect to enable Small
and Medium Enterprises (SMEs) to understand in depth the best method of adapting
information security management standards to their operations.

1.1 Problem Description

Information security can be defined as the protection of information and systems from
unauthorized access, modification, use, destruction, or disclosure in order to protect the
integrity, confidentiality, and availability of systems and data (Gordas, 2014). The careful
implementation of information security controls is vital to protecting an SME's information
assets, its reputation, personnel, legal position, and other tangible or intangible assets. The
inability of an organization to choose and implement proper security guidelines, policies,
and procedures is likely to have a serious impact on the company's mission, whereas
well-chosen security standards and procedures protect its assets. Research by Sikman et
al. (2019) shows that SMEs face extreme challenges when adapting ISO/IEC 27001 to their
operations. As a result, organizations become vulnerable in today's world of malicious code,
system breaches, and insider as well as outside threats (Jafar, 2014).

Publicized security vulnerabilities can have disastrous implications, particularly for a
company's revenue and reputation. That is why it is extremely important that sufficient
security safeguards are in place in both the private and public sectors to improve profit and
customer service (Khan, 2020). Evidence shows that understanding the company mission
and how each system contributes to that mission is crucial. Therefore, the security
requirements implicit within a system must be well expressed in terms of security; the
system's duties and functions cannot be limited to a single organization, because each
organization benefits from the system's security in an interorganizational system (Alexei,
2021). Edward et al. (2008) suggest that in order for an SME to be effective in electronic
commerce, each of the parties requires security procedures to secure their resources.
Given the foregoing, organizations require information security standards in order to create
information security controls that fulfill an organization's requirements as well as to set
security controls for commercial connections with other stakeholders.

1.2 Motivation
The motivation behind the selection of this particular topic is that evidence shows there is
a crucial connection between security standards and the information security domain
(Nazareth, 2015). By nature, security standards are implemented to help organizations
effectively counter the increasing sophistication and varied scope of information security
vulnerabilities and threats. In order for an organization to be accepted or certified to
operate in whichever industry it operates in, it is required to prove that it is capable of
operating in an ethical manner, including in the way data is processed, and of implementing
a reasonable information security management system (ISMS) (Hedström, 2011). Therefore,
in order to meet such standard requirements, organizations require guidelines and a
framework to guide them during the implementation process.

As outlined in the abstract and introduction, previous research by Jafar (2014) shows that
organizations, specifically SMEs, face various challenges in understanding what kind of
information security standard is suitable for them and how to implement specific standards
in their operations. The reason is that the number of information security standards is
tremendous, and most of the standards do not provide specific information on how an
organization can manage its ISMS; instead, standards specify the requirements of ISMSs
(Alqatawna, 2014). Since the majority of SMEs are ready to implement information security
standards, the challenging part is how to implement them and enable SMEs to achieve
compliance. This is what motivated the authors to explore this field and suggest a
framework to be used by SMEs during the implementation of ISO/IEC 27001.

1.3 Research questions

This chapter defines the research questions that frame the outcome of the thesis. The
questions below are formulated based on the issues that SMEs frequently face when
implementing the ISO 27001 standard. Addressing these research questions is one way to
directly involve SMEs in the process of reaching the conclusion, since the implementation
of standards is a dynamic process that requires extensive research. Therefore, this study
will also focus on discovering the objectives and examining the struggle that arises between
the requirements of the ISO 27001 standard and day-to-day business operations,
employees' emotions, and the way an SME executes processes and changes in security
procedures. Since the aim of the study is to figure out these aspects, a qualitative research
method is appropriate for answering the primary research questions.

1. What are the best practices to follow during the adoption of information security standards?

2. How do employees cope with ISO 27001 standards in Small and Medium Enterprises?

1.4 Structure of Thesis
The thesis approach began with the introduction, defining the research aim and motivation,
defining the research questions, outlining key concepts, and outlining the research
methodology. Furthermore, the entire research includes four steps, as shown in Figure 1
below, which presents the structure of our thesis.

Figure 1: Thesis structure

Step one is where the problem was identified within the research field; step two was to
conduct the research study through a literature review, refine the research questions, and
plan the data collection. Step three is where the data analysis is conducted in order to
derive new knowledge. Step four is where the authors contribute to the research by
providing a framework that can be used by SMEs during the implementation of the
ISO 27001 standard.

2. THEORETICAL BACKGROUND

This chapter discusses theoretical aspects that are relevant to the implementation of
information security in the context of the ISO 27001 security standard. Initial observations
from Honan (2010) suggest that in order to have a better understanding of the information
security domain it is necessary to consider relevant concepts of information security such
as confidentiality, integrity, security frameworks, and standards.

2.1 Confidentiality

A good definition of the term confidentiality is provided by the National Research Council,
where it is defined as the concept of keeping information from being disclosed to
unauthorized individuals, or ensuring that the information is available to the appropriate
persons only. A further definition of confidentiality has been given by Jason Andress (2011),
who outlined that confidentiality can be compromised in different ways, such as during
information sharing and through attacks that exploit vulnerabilities in security systems to
inject malware.

2.2 Integrity

Integrity is the degree to which data/information can be prevented from being manipulated
or changed in an unauthorized manner (Andress, 2011). A summary of the findings by
Jason Andress shows that a lack of information security systems can result in compromised
integrity, not only due to access by unauthorized persons: data can also be compromised
by undesirable changes to, or deletion of, data or portions of data by an authorized person.
Therefore, it is extremely important to comply with ISO 27001, which provides accurate
guidance on the management of security systems.

2.3 Availability

Availability is a key factor in maintaining the ability to access data when required, and only
by those who have the appropriate permission. It was outlined that a loss of availability
might lead to data breaks elsewhere in the chain which allow an SME to gain access to
the data (Honan, 2010). This type of error can be related to various issues such as power
outages, operating system breakdowns, network attacks, and other related issues.

2.4 Information Security

The information security domain can be described as the backbone of protecting data in
any form. Research shows that it is one of the growing areas, and various organizations,
specifically in the area of education, are doing their best to adapt security concepts into
their existing course programs as well as formulating new ones. Michael E. goes further by
explaining that the adoption of IT concepts into various business operations such as
information storage and transport has brought many challenges and made businesses
vulnerable from both sides, inside and outside the organization (Edward, 2008).

2.5 Framework

Frameworks can be described as a series of well-documented processes which provide
in-depth knowledge regarding policies and procedures for managing information security
controls. Information security management incorporates various practices such as perimeter
protection, application encryption methods, and disaster recovery. The existence of
compliance regulations such as the General Data Protection Regulation (GDPR), the Health
Insurance Portability and Accountability Act (HIPAA) for USA-based organizations, and the
Payment Card Industry Data Security Standard (PCI DSS) has forced organizations to start
managing their IT security following general frameworks. Security professionals benefit from
frameworks when preparing for compliance and other IT audits, and when defining and
prioritizing the tasks required to manage an organization's security (Kirvan, 2019).

In short, frameworks are the backbone that supports IT professionals in defining the
requirements set by standards and regulations. Organizations are able to design a
framework which suits their needs, whether industry-specific requirements or various other
regulatory compliance milestones; it often depends on what kind of information security
problems the framework is intended to solve. A framework must be designed as a
continuous lifecycle process which includes four key stages: identifying and documenting
cybersecurity goals, setting guidelines designed to achieve those goals, implementing
cybersecurity processes, and monitoring. Reflecting on the research questions, the
proposed framework will provide proper guidelines for implementing information security
management standards efficiently, as well as ensuring employees' responsibility for
understanding the role of the standard and complying with security measures and controls.

2.6 International Standards


Like a framework, an international security standard is a well-documented series which
provides in-depth knowledge on how to manage information security systems. The series
includes various processes such as establishment, implementation, operation, monitoring,
review, and maintenance. A standard also presents a set of requirements that any product
or system must achieve. The most recognizable standards in the information security
domain are the ISO/IEC 27000 series of standards, NIST Special Publication 800-171,
OCTAVE, PCI DSS, and COBIT (Tofan, 2011). In conclusion, these are safeguards put in
place to make sure digital information remains private, secure, and easy to access;
keeping data safe and secure is necessary to achieve this. Customers, employees, and the
goods and services they supply are just a few examples of what companies monitor, and
data security affects every facet of an organization's everyday operations. Like the methods
and technology utilized by enterprises themselves, threats to information security are always
developing. If a company does not recognize and handle possible threats to data security,
its capacity to secure its information is in jeopardy. It is essential to have a full
understanding of possible risks and organizational practices in order to implement an
effective information security system.

3. LITERATURE REVIEW

The literature review process and search procedure is where the authors identified relevant
articles and books which discuss in depth the implementation of the ISO 27001 information
security standard in the current literature. Here the authors review, analyze, and incorporate
into the study what previous researchers have discovered in the information security
standards domain.

3.1 Literature Review Process

A lot of attention has been devoted to security breaches and regulatory transgressions. A
behavioral model of information security has been used in the analysis. Existing frameworks
based on investigations are utilized to ensure adherence to data security regulations
(Setyawan, 2021). A variety of academic taxonomies are used to categorize information
security practice. Data security might be harmed directly or indirectly as a result of
compliance breaches, so they must be addressed carefully. According to recent research,
using psychological methods and processes may help employees adhere to workplace
safety regulations (Churchman, 2017). Moreover, according to a study on civil disobedience
(2021), noncompliance is less harmful than following the rules. Compliance with IT security
policies has been extensively studied.

Psychological considerations play an important role in data preservation. Academics often
employ a variety of psychological theories, including protection motivation theory, the theory
of planned behavior, and the theory of reasoned action, to investigate information security
(Culot, 2021). This study also examines whether or not employees are loyal to the
company's policies and adhere to safety regulations. One approach to assessing the safety
of computer networks is to conduct a literature study of relevant material. Behavioral theory
and information security research are critical components of this field's study (i.e.,
deterrence, protection motivation, planned behavior, and others). Research on information
system deterrence has examined this topic; the deterrence theory was used to analyze 35
studies in total. A total of 60 indicators influencing compliance or non-compliance were
discovered after analyzing 29 relevant articles. Compliance and disobedience were not
defined in their most basic terms (Lopes, 2019). A thorough investigation of the factors that
influence compliance or non-compliance with information security rules was conducted for
the first time, and this is the first time that literature assessments have incorporated both
theory and its components. In order to establish a strategy for altering behavior, this
research included several ideas and elements.

This study also analyzes and evaluates studies on the application of such rules, such as
ISO 27001, in order to determine whether organizations are in compliance or not. Since that
study was conducted, academics have studied the elements and attitudes that influence
compliance or noncompliance. According to the study's authors, this research might aid
academics and IT administrators in better understanding what causes noncompliance and
how ISO 27001 security standards are enforced (Velasco et al., 2018).

The research includes non-scientific papers such as government-related publications, from
which the team will try to understand the requirements from the government perspective
regarding the certification process, and the official websites of standards organizations,
from which we will gain knowledge of the standards' specifications (Achmadi, 2018). The
reason for allowing a limited number of non-scientific papers is that the authors would like
to benefit from the latest publications on standard owners' websites as well as government
requirements, because there are often no scientific publications where the authors can get
such information.

As shown in Figure 2 below, a systematic literature review is a method of examining and
defining existing literature in order to identify gaps in existing research work and suggest
future research work (Churchman, 2017). Most researchers, such as clinicians and
industrialists, recommend conducting systematic literature reviews to stay updated on new
research work. In addition, before conducting the systematic literature review, we conducted
a review of existing research to find gaps in existing related research (Eldabi, 2007).

Figure 2: Systematic literature review. (Eldabi, 2007)

The authors used the Google search engine to search for resources; the data search
began by filtering relevant keywords, which in this case concern the implementation of
ISO 27001 in SMEs. After finding useful articles, we sampled them and evaluated their
relevance by reviewing the abstract and introduction. Articles about the proposed study
were downloaded from renowned data libraries, which were chosen based on the
availability of data related to the study topic and the reputation of the library. Four source
types were selected: journals, unpublished research, government reports (non-scientific
papers), and books.

Articles were filtered using a variety of criteria: year of publication, article type, subject,
language, and open-access availability. Individual articles were reviewed for relevance in
terms of abstracts and content. The filtering process aided in the identification of existing
literature. For the review, we established a set of search parameters and keywords, such as
Information Security Management Standard, ISO 27001, Small and Medium Enterprise, and
Implementation. The literature was selected from the ACM Digital Library (1), IEEE (13),
Web of Science (1), Wiley InterScience (1), DBLP (1), Google Scholar (7), Springer Link (1),
Science Direct (2), Elsevier (4), and organization publications (1).

Inclusion criteria

● Articles published from 2005-2022
● Free-access articles
● Subjects related to the study topic
● Articles from the selected libraries only
● English language only

Exclusion criteria

● Content which is not in English
● Repeated content removed
● Articles published before 2005 are not considered

3.2. The role of Information Security Standards in SMEs

Threats, vulnerabilities, and risk seem to be somewhat confusing concepts for SMEs.
Strong evidence shows that if an organization fails to implement security standards and
guidelines efficiently, the result is an unstable Information Security Management System
(ISMS) (Mahajan, 2021). It is well known that security threats can range from insider threats
to sophisticated persistent attacks that can bring a company to its knees. Therefore, it is
extremely important for in-house security professionals to have an effective method which
makes them aware of, and prepares them to respond to, threats which might expose an
SME to negative impact from various vulnerabilities and threats such as ransomware,
phishing, malvertising, DDoS, SQL injection, brute force attacks, and drive-by downloads.
Cybersecurity attacks can be combated with sophisticated technologies, but this isn't
enough; it is highly recommended that organizations ensure that their operational process
policies and employee behavior limit or mitigate these risks.

Figure 2: Threats, Vulnerabilities and Risk (Mahajan, 2021)

Standards and guidelines are introduced as straightforward tools that provide guidance towards best practice in information security management systems. An information security management system is a set of policies and procedures that systematically spans an entire organization to manage security and information risk. Figure 2 presents the concepts of threat, vulnerability and risk. In order to protect an SME against security threats, its security controls must follow well-known and appropriate information security standards (Roy, 2020). The authors have therefore selected the ISO 27001 standard, which can be adapted to any kind of SME; moreover, the team plans to include a framework that can be used during the implementation of this particular standard.

3.3 Challenges of Implementing Security Standard

Current research shows that information is the most valuable asset when it comes to supporting the various operations within SMEs, and that information security standards have a positive effect on protecting it. Alqatawna (2014) goes further by stating that earlier security standards lacked overall guidance on other important factors, such as the cultural and legal perspective and management, which jeopardizes the security of SMEs. Churchman (2017) describes the difficulties employees face when an SME implements ISO 27001: most of them are not security professionals, while the standard is written for security professionals. According to her, it is very important for a dedicated human resource (HR) manager to clearly understand the benefits that an information security standard brings to an SME. Furthermore, it has been pointed out that the best method of ensuring information security in SMEs must be based on applying management principles that enable more comprehensive methods (Zuccato, 2006). This is further exemplified in studies using existing standards such as:

● Information Security Management Standards such as ISO/IEC 27001

● NIST publications based Security Management best practices

● Information security guidelines provided by OECD

3.4 Overview of Information Security Standards

Von Solms claimed that the first attempts to publicize information security standards occurred in the 1990s, with the publication of the TCSEC "Orange Book" in the United States and the ITSEC "White Book" in Europe. Four waves of information security standards then succeeded one another over two decades (Von Solms, 2006). During the first wave, information security was considered a purely technical issue. The second wave added the managerial dimension. The third, or "institutional", wave emphasized standardization, best practice, certification and information security culture; this wave also addressed the need for information security measurement and monitoring. The fourth wave embraced the governance of information security.

The evolution of information security standards over the four waves resulted in more than a dozen standards of varying degrees of complexity. To identify representative standards from each wave, five ISMS overview studies were reviewed (see Table 1 below as a starting point) and a secondary literature search was conducted for standards referred to by at least three of the five sources. Some of the standards discovered only provide technical measures, whereas others provide comprehensive governance frameworks. The major standards in use worldwide today are listed in the table below.

Table 1: Most Widespread Used Security Standards (ENISA, et al., 2006)

The research summarized in the table above was conducted by ENISA, the European Network and Information Security Agency, established in 2004. It published a 167-page report in 2006 covering 13 standards, methods and tools. The methods under consideration were chosen by ENISA's ad-hoc working group, composed of information security experts from eight EU member states. CLUSIF (2005), a French club for the security of information systems in medium to large organizations, went through twenty-six global standards and methods and examined the scope of eight security methods in comparison to ISO/IEC 17799 (now ISO/IEC 27002). A third source, by an author from the Luxembourg-based CASES (Cyberworld Awareness and Security Enhancement Structure), studied 16 of the most popular standards.

Figure 3: ISO/IEC 27000 Family of Standards (Adapted from OGCIO, 2021)

3.5 ISO/IEC 27000 family of standards

For a better understanding of ISO 27001, the team began by reviewing the ISO/IEC 27000 family of standards. ISO/IEC 27000 is an international standard that gives an overview and the vocabulary of information security management systems. Its scope is to structure the ISMS family of standards, such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005, and to summarize their terms and definitions. The history of this particular standard began in 2009, with follow-up editions published in 2012, 2014 and 2016. The current, fifth edition was published in 2018; it was a minor revision of the 2016 edition, adding a section on abbreviations and clarifying metrics-related terms in line with the rewrite of ISO/IEC 27004.

The related standard ISO/IEC 27001 has gone through several generations. The first generation was introduced in 1992 as a code of practice for information security management; the second generation was published in 1995 by the British Standards Institution (BSI) as BS 7799; and the third generation followed in 2000 under the International Organization for Standardization and the International Electrotechnical Commission as ISO/IEC 17799. Its scope was to centralize expertise on standardization matters for the various aspects of ISMS standards and on managing information security issues related to the protection of information. ISO describes the scope of its ISMS standardization and guideline development as follows:

● to ensure the development and maintenance of the ISO/IEC 27000 family of standards;
● to identify requirements for the future development of ISMS standards and guidelines;
● continuous maintenance;
● to ensure collaboration between organizations and committees dealing with requirements and guidelines for ISMS.

Research shows that the ISO/IEC 27000 family consists of inter-related standards and guidelines, some of which are already published while others are under development. See Figure 3 above for further explanation (IsecT, 2021). These inter-related standards and guidelines are categorized into structural components whose main purpose is to describe the requirements of an ISMS.

The first component is the parent standard, which defines the vocabulary and is where management gets its introduction to the ISO family of standards; the second is the requirements standard; the third comprises the guideline standards; the fourth comprises sector-specific guideline standards; and the fifth component consists of control-specific guidelines.

3.6 The context of ISO 27001 requirements for SMEs

The 2013 revision of ISO 27001 introduced the requirement to define the context of the organization (clause 4). Kosutic notes that since the introduction of this revision, the context requirement has caused confusion for SMEs, because the standard is vague about which information security issues should be considered in order to enable an SME to achieve its objectives. To cover this topic well, it is necessary to define the organizational context with reference to ISO 31000, which provides risk management guidelines.

It is now understood that the context of any organization falls into two categories: internal and external issues. "For internal context: you could consider organizational structure, roles and responsibilities, business strategy and objectives, capabilities and resources, organizational culture, information systems and processes, and contractual relationships. For external context: the most important are interested parties and their requirements; but, you can also consider political, economic, cultural, technological, and competitive environments, as well as the trends that could have an impact on your company." (Kosutic, 2020)

It has been argued that it is extremely important for an organization to understand its context for ISO 27001, because that is what enables it to clearly identify the specific, relevant negative and positive issues for information security, to define the aim of the ISMS and to allocate the organization's resources, e.g. aligning information security with the strategic direction when answering the question of whether an SME's ISMS should focus on protecting its assets or on corporate governance (Leal, 2022).

3.7 Implementing ISO/IEC 27001 in a Software Development Environment

As shown in the figure below, the ISO/IEC 27001 standard is built around the four phases Plan, Do, Check and Act (the PDCA cycle). Its internal benefits are: forming a baseline that enables secure methods of exchanging information and protecting the confidentiality of data according to its sensitivity; risk management, and hence a lower likelihood of incidents as well as lower recovery costs after responding to an incident; and an improved information security structure within the organization (Alqatawna, 2014). ISO/IEC 27001 is a globally recognized security standard that focuses on establishing, operating, maintaining, reviewing and improving a security management system. Figure 4 below presents the ISO 27001 model.

Figure 4: ISO 27001 Model (Adapted from ISO/IEC, 2005)

The standard was developed by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). Compliance with this standard means that an organization has taken responsibility for the implementation and maintenance of an ISMS (Alqatawna, 2014). Additionally, most standards do not include a specific method that enables organizations to manage an ISMS; they define the requirements of the ISMS instead. The stated requirements are complicated to express as an input-output model, because the output of most ISMS processes is the input of another process (Alqatawna, 2014). The standard describes various security control domains and their objectives, such as:

a) The management of security policies

b) Information security management

c) Human resource security

d) Physical and environmental security

e) Information systems acquisition, development and maintenance

f) Compliance with security and related requirements

g) Management of communications and operations inside and outside the organization

3.8 Benefits of the ISO/IEC 27001 Compliant Information Security Program

The requirements for an information security management system (ISMS) are laid out in the international standard ISO/IEC 27001. Operational tasks are part of the ISMS (Aktas, 2020). An ISMS is a framework for identifying, analyzing and mitigating the risks associated with processes, IT systems and the people who work within them. As a result, new security threats, their implications for the enterprise and vulnerabilities can be better anticipated. In contrast to PCI DSS, a more dynamic, risk-based approach is possible, and the standard can be applied by companies of any size or sector. Asset management under ISO 27001:2005 covers the classification, labeling and monitoring of assets and the registration of users (Chałubińska, 2022). Password management, a clean desk policy, control of operating systems and applications, and network security are some of the other areas covered. A full set of information security controls must be implemented, and ISO/IEC 27001 also requires the consideration of further risk treatment strategies, including risk transfer and avoidance. An inclusive management approach can be used to ensure that management's information security criteria are met on a regular basis.

A successful information security program relies on management support and a clear understanding of the company's security goals and obligations. Organizational security, asset management, personnel security, and physical and environmental security are just a few of the numerous considerations that must be taken into account (Imran, 2022). In addition, communications and operations management, access control, system development, compliance and business continuity management are all part of the ISO 27001 requirements. It is essential that management begins at the highest level and works down to the lowest, following a top-down approach to the security program. A security program built from the bottom up lacks management's sponsorship and direction (Butler, 2022), and a strategy that relies only on technology will be incomplete, ineffective and doomed to failure. With a top-down strategy, the company's assets are safeguarded by the same personnel who are responsible for overseeing the program.

Advanced security measures are necessary to prevent unauthorized access to sensitive data and information, and controlling information security is the primary goal of adopting ISO/IEC 27001. In order for a company to demonstrate that it meets the requirements of ISO/IEC 27001, it must be formally audited and certified as compliant. As a result, the company gains an edge in the market and builds a positive public image as one that takes data security seriously. Compliance with contractual and regulatory information security requirements may also be necessary for the company (Carvalho, 2019), and clients' intellectual property and personal information can be safeguarded by using the standard. A worldwide standard for ISMS gap analysis is crucial for the protection of significant information assets, and the implementation of an ISMS can lead to certification of the company. Any enterprise can adopt ISO/IEC 27001, the worldwide standard for information security management systems. The outcome, for companies with strict information security procedures, is a streamlined approach to identifying, analyzing and treating all information risks related to processes, IT systems and people.

3.9 ISO 27001 Certification

Corporations must abide by a number of laws and regulations when it comes to protecting customer data privacy, and new data protection requirements have emerged as restrictions are placed on how firms may use customer data. Rodionova (2020) reports the case of a firm that satisfied the requirements of ISO 27001 and, as a result of its certification in 2018, gained access to many new business prospects. Businesses may use the certification to better assess the risks to the privacy and security of their customers' data, and using a standard like this can strengthen the relationship between companies and their customers.

ISO 27001 is a worldwide standard for information security. Annex A of ISO 27001:2013 groups its controls into 14 domains, and these controls have a significant impact on workplace data security and protection. Information security policy, human resource security, asset management and access control are among the domains in this collection of controls (Renvall, 2018). Companies must be able to incorporate them into their existing systems in order to apply them successfully, which means they must know how to get the most value from the effort.

Certification may be beneficial to a company for a number of reasons. To get an edge in the market, corporations are more likely to come up with novel approaches, and many factors affect a company's ability to compete in today's marketplace. First, certification acts as proof that the company adheres to established security requirements. A competitive advantage may be gained by avoiding the mistakes and weaknesses that lead to data breaches, and in the event that their data is compromised, certified firms may escape financial penalties. A data breach has a multitude of negative consequences for a company: in terms of financial losses, data breaches cost companies 6.4% more in 2018 than before. Businesses that disregard privacy regulations risk larger fines in the future, whereas businesses that adhere to established rules may avoid fines for data breaches (Mirtsch, 2021).

Certification may help to maintain or even enhance the company's reputation. Damage to a brand's reputation is often inevitable after a data breach or similar occurrence. Customers and other stakeholders, including investors, shun companies with a history of data breaches; a bad reputation hurts the chances of doing business and makes it more difficult for a company to attract investors. If a company's reputation is damaged by a data security breach, it is imperative that the issue be handled quickly. Becoming certified is one way for companies to demonstrate their commitment to data security (Longras, 2020).

A more efficient organizational structure and a stronger emphasis on information security can also benefit the company. An official certification gives assurance that the organization is using effective interventions to align its critical operations, roles and duties with its strategic objectives. Certification is a good choice for an organization seeking structure and a specific emphasis on information security (Livshitz, 2020), and a company's long-term growth and development depends on keeping good relations with the authorities.

In conclusion, businesses need to know the financial impact of their security management choices. A vast variety of laws and regulations protect the privacy of individuals' personal information and data, and in the workplace it is critical to address the ethical and legal issues of safeguarding customer data. There are several options for protecting personal information; an example of a regulation that governs how enterprises handle personal data is the General Data Protection Regulation (GDPR). ISO 27001 certification may help companies avoid financial penalties and damages in the event of a data breach, and certified companies are less likely to suffer a bad public image as data breaches become more common. It is imperative that organizations devise the most effective strategies to ensure compliance (Humphreys, 2018). Because of its importance in creating and maintaining data security, businesses should pay attention to this certification.

3.10 Evaluating the effectiveness of ISO 27001

In order to protect SMEs and their assets from cyber and physical attacks, management is required to establish an information security management system (ISMS) to ensure the security of all information-related activities and operations. The ISMS governs the company's rules, processes and standards. The goals, objectives, activities, size, structure and specific security requirements of a business all influence the creation and execution of an ISMS (Kitsios, 2022). Given its many applications, the ISMS should be integrated into a larger management framework, and establishing it requires consideration of market trust and corporate governance. In 1995, the British Standards Institution published the UK code of practice for information security management as BS 7799. After several revisions, the BS 7799-1 code of practice and the corresponding certification requirements (BS 7799-2) were separated in 1999. The code of practice was released in 2000 by the International Organization for Standardization (ISO) as ISO/IEC 17799, a guide to best practice for information security. Information security is thus recognized as a business issue (Soliman, 2022).

This standard covers the creation, implementation, maintenance and improvement of an information security management system (ISMS). Most non-conformities can be traced back to clauses 4-10 of ISO 27001:2013. Because the requirements are written generically, they can be implemented in a number of ways; for example, risk assessment no longer requires an asset inventory to be prepared first. Clauses 4-10 were restructured relative to the 2005 edition (Sabillon, 2022). Clauses 8-10 set out the steps for operating, evaluating and improving the ISMS, while clause 4 establishes the context in which risks are managed and their consequences assessed. There are no overlaps, since ISO 27001:2013 states each requirement only once, and it does not matter in which order the clauses are implemented. Because of this, the newer ISO 27001:2013 has greater practical value. In terms of vocabulary and concepts, the management of "risks and opportunities" has taken its place, and "leadership" (clause 5) has replaced the earlier management commitment clause; the concision of the terminology is a major benefit. The 2013 edition no longer mandates the PDCA cycle explicitly (Ramírez, 2022).

An integrated management system can be created by combining several standards. ISO 27001:2013 takes its terms and definitions from ISO/IEC 27000 by normative reference rather than defining them itself, as the 2005 edition did (Wang, 2022). Following ISO 31000:2009, the standard requires the organization to consider both its internal and external context. To align with ISO 31000, risk identification no longer has to be based on specific assets, threats and vulnerabilities as it formerly was (Kong, 2022). All applicable controls and processes must be reviewed against Annex A of ISO 27001:2013. Annex A indicates that controls are adopted as risk treatment progresses, and this should be taken into consideration when deciding on risk treatment options (Klisenko, 2022).

Additionally, this research explores ways to keep businesses safe from well-known threats. ISO 27001:2013 is a more adaptable approach to risk assessment than other approaches, since it does not prescribe how risks are identified. The Statement of Applicability (SoA) documents the information security control objectives and controls that have been selected. Later revisions of ISO 27001:2013 focused more on objectives, monitoring and the evaluation of performance (Metwally, 2022); where an ISMS had already been certified, a transition period applied. Many EU-based organizations fail to review the effectiveness of their information security controls, and the standard now stresses the evaluation of effectiveness and efficiency much more strongly. The implementation guidance for the related controls is the same as in ISO 27002:2013. The ISO 27001 requirement for information security roles and responsibilities can be met by establishing information security policies and asset ownership, two enabling controls. Before new controls are added to the existing ISMS, they must be designed and tested for effectiveness and usefulness; in the case of document control, for example, no changes may be necessary. Management system objectives must therefore be re-evaluated (Altamimi, 2022). The new standard intends to cover all of the main functions and levels, and implementing a new standard takes a great deal of time and effort.
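The two paragraphs above describe the 2013 risk-based flow in the abstract: risks are assessed against criteria the organization defines, a treatment option is chosen for each, the Annex A controls selected for "mitigate" are recorded, and the Statement of Applicability justifies every control, including those declared not applicable. The following is an added example written for this section; it is not code from the thesis or from ISO. The 1 to 5 likelihood and impact scales, the acceptance threshold of 8, the treatment preference order and the four-risk register for a small online retailer are all assumptions made for illustration (ISO/IEC 27001:2013 clause 6.1.2 only requires the criteria to be consistent and repeatable). The Annex A references follow the 2013 numbering.

```python
"""Risk register -> treatment decisions -> Statement of Applicability (SoA).

Added example, not code from the thesis or from ISO. The 1..5 x 1..5
scoring, the acceptance threshold and the treatment preference order are
assumptions: ISO/IEC 27001:2013 requires consistent, repeatable risk
criteria (clause 6.1.2) but does not prescribe any of them.
"""
from dataclasses import dataclass

# Assumption: risks scoring at or below this value are within appetite.
RISK_ACCEPTANCE_THRESHOLD = 8

# Illustrative subset of Annex A (2013 numbering) that the SoA must cover.
ANNEX_A_SUBSET = {
    "A.8.1.1": "Inventory of assets",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.13.1.1": "Network controls",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    controls: tuple = ()         # Annex A references proposed for "mitigate"
    transferable: bool = False   # e.g. cyber insurance or outsourcing
    avoidable: bool = False      # the risky activity can simply be stopped


def score(risk: Risk) -> int:
    """Likelihood x impact on the assumed 1..5 scales (result 1..25)."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be between 1 and 5")
    return risk.likelihood * risk.impact


def choose_treatment(risk: Risk, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> str:
    """Pick one of the four classic options; 'escalate' flags a gap for management."""
    if score(risk) <= threshold:
        return "accept"
    if risk.avoidable:
        return "avoid"
    if risk.controls:
        return "mitigate"
    if risk.transferable:
        return "transfer"
    return "escalate"  # above appetite with no viable option: needs a decision


def build_soa(risks, annex_a=ANNEX_A_SUBSET):
    """Statement of Applicability: every control listed, each with a justification."""
    selected = {}
    for risk in risks:
        if choose_treatment(risk) == "mitigate":
            for ref in risk.controls:
                selected.setdefault(ref, []).append(risk.asset)
    soa = {}
    for ref, name in annex_a.items():
        if ref in selected:
            assets = ", ".join(sorted(set(selected[ref])))
            soa[ref] = {"control": name, "applicable": True,
                        "justification": "treats risk to " + assets}
        else:
            soa[ref] = {"control": name, "applicable": False,
                        "justification": "no risk in the register is treated by this control"}
    return soa


# Constructed sample register for a small online retailer (illustration only).
REGISTER = (
    Risk("customer database", "ransomware", "unpatched endpoints", 4, 5,
         controls=("A.12.2.1", "A.12.3.1")),
    Risk("staff laptop", "theft", "no full-disk encryption", 2, 3),
    Risk("web shop", "DDoS", "single hosting provider", 3, 4, transferable=True),
    Risk("legacy FTP server", "credential brute force", "no lockout policy", 4, 3,
         avoidable=True),
)


def treatment_plan(risks=REGISTER):
    """Map each asset to (score, treatment), the core of a risk treatment plan."""
    return {r.asset: (score(r), choose_treatment(r)) for r in risks}


if __name__ == "__main__":
    for asset, (s, t) in treatment_plan().items():
        print(f"{asset:20} score={s:2} -> {t}")
    for ref, row in build_soa(REGISTER).items():
        status = "applicable" if row["applicable"] else "not applicable"
        print(f"{ref:9} {row['control']:26} {status}: {row['justification']}")
```

Running it shows the customer database (score 20) mitigated through A.12.2.1 and A.12.3.1, the laptop (6) accepted, the web shop (12) transferred and the FTP server (12) avoided. The generated SoA also marks A.8.1.1 "Inventory of assets" as not applicable because no risk row names it, which is exactly the kind of output an auditor would challenge: the register itself depends on knowing the assets. The point is that the SoA is a reviewed management document, not a by-product of the scoring.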

3.11 Information Security Assessment Based on ISO 27001

Academic research over the past 15 years has contributed to a comprehensive understanding of ISO/IEC 27001. Government incentives and market demands drive the demand for ISO/IEC 27001 certification (Maingak, 2018). Because the requirements were written broadly and allow for a variety of techniques and degrees of internalization, they pose a number of implementation issues. The benefits of ISO/IEC 27001 certification have not been empirically demonstrated, and it is surprising that more empirical study of ISO/IEC 27001 has not been done, given how widely accepted it is. The lack of cross-fertilization between academic fields is a major contributor to this problem.

Value creation in today's business environment depends on the dissemination of information both inside and outside the company. Intellectual property and data now move freely across firms thanks to new types of inter-organizational cooperation, and as these interactions grow in size and breadth, information systems security (ISS) has to deal with new challenges. As supply chains become more digital, the risk of intellectual property theft increases. Through the internet and IT firms, tens of thousands of service providers and customers connect (Arafat, 2018). Platform orchestrators are expected to ensure the ISS of the third parties on their platforms, and cloud-based solutions require data storage and processing to be outsourced.

Since information systems security is a problem that affects many companies at once, no single company can address it alone. Solving this "wicked problem" will require many long-held beliefs to be challenged. This is a significant finding in light of the COVID-19 pandemic: working from home, increased use of online services and platforms, and more activity in customer-facing networks are just a few of the effects of social distancing on businesses. Contact-tracing technology, which collects personal and sometimes biometric information, has raised concerns among privacy advocates. Many experts feel that digitization is becoming more necessary despite the turbulence sweeping the world. The ISS requirements, because of their lack of technical depth, seem at variance with the standard's increasing complexity and systemic nature (Zaini, 2020).

Two features of the research seem to be of special importance in this regard. ISO/IEC 27001 may combine standard and non-standard activities to provide a more holistic approach. ISO/IEC 27001 certification may be sought for several reasons, including a stronger public image and improved stakeholder relations, as well as a requirement by major organizations that all of their suppliers be certified (Lopes, 2019). That so little has been written about this is a serious concern: the inter-organizational implications of ISO/IEC 27001 have only been studied from an institutional perspective, not through technical studies that identify methods.

Our understanding of the ISO/IEC 27001 standard involves a change in viewpoint from "the component" to a more holistic one. Because of this, and with the support of major digital players, the next section focuses on developing a series of research routes to address these challenges (Sun, 2020). Our analysis concludes with a list of research opportunities that answer the growing need for more theoretically focused research. A variety of approaches have been shown to be effective in the study of voluntary standards such as ISO/IEC 27001. Research on ISO/IEC 27001 is feasible, but we feel that future studies should look at its role within ISS protocols and acknowledge that ISS extends beyond the company's boundaries.

Social systems theory suggests a four-quadrant research agenda. This school of thought has supplied academics from a broad variety of fields with a clear and simple analytical framework, and methodically rearranging research issues can drive scientific exploration while also providing new insights for the business sector (Casola, 2019). As the system adjusts to changes in its environment, all of its components interact and work together to accomplish a shared goal; this is what makes interdisciplinary research feasible, and several options are available.

As the commercial, technological and regulatory landscapes rapidly evolve, so must organizational structures and processes. Developing industry standards and coordinating industry responses are two examples of ways in which firms can work together to find answers. For cross-organizational initiatives to succeed, their leaders must have previous experience working across companies and be enthusiastic about the subject area. Research on companies that use internal ISS processes rather than standards should consider these elements in light of contemporary technology and business strategy (Maarop, 2021). Standards and implementation strategies can be analyzed in the same way as the diffusion of standards: they develop into ever-changing systems by interacting with one another and with the environment.

Moreover, viewed as a complex adaptive system (CAS), ISO/IEC 27001 provides an advantage in that it limits the freedom of individual network agents in order to maximize system efficiency (Henttinen, 2018). The potential performance trade-offs of a CAS, such as a diminished ability to pick suppliers, might also be evaluated. Whether or how ISO/IEC 27001 facilitates or hinders network reconfiguration in response to external environmental changes, such as pandemics, could be investigated. Beyond ISS technologies, it is feasible to analyze how they propagate through other network domains, such as platform operators versus ecosystem members and the supply networks of manufacturing organizations (Bouzian, 2022). Using this novel approach, we hope to shed new light on the ISO/IEC 27001 knowledge gaps. Complex technical, social and political challenges call for interdisciplinary perspectives that reflect the numerous parties involved. Management and organizational science can learn a lot from ISS research, and as technology progresses, researchers in a wide range of subjects may find social systems thinking a useful stepping stone.

3.12 Literature Review Summary

It is possible to build, implement, maintain and improve a real-world information security management system by following the international standard ISO 27001. Information security must be treated as a strategic issue by organizations (Proença, 2018). Businesses of all sizes and structures face a number of challenges while formulating and implementing an effective information security management system, and all of these variables will, as is to be expected, evolve over time. In order to protect an organization's assets and sensitive data, an information security management system (ISMS) is necessary. We have learned from the literature review that establishing effective information security management systems requires the inclusion of security considerations from the start, and that information security management systems must scale to organizations of different sizes. The standard can also serve as a benchmark for judging whether a company is able to meet its own or third parties' information security requirements.

According to Wanyonyi (2020), best practices for corporate governance have become more explicit and well-delineated over the years, since the advent of computing has allowed organizations to manage data that is critical to their long-term existence. Corporate boards and companies alike are growing more worried about the role of technology in corporate governance as a consequence of this shift. Both new dangers and the expansion of existing regulatory and legislative requirements have contributed to a growing public awareness of the necessity of data security. People throughout the world who use or have access to (mainly) electronic information may be affected by security issues.

These threats cannot be stopped from propagating on the internet. Natural catastrophes, cybercrime, and employee dishonesty and theft are all potential threats to data. Over the last fifteen years, the number of laws and regulations governing data and information security has grown significantly (Tissir, 2021). Some of these requirements protect businesses' financial and operational health, while others secure personal information. Before participating in any significant commercial activity, companies must have an information security management strategy in place. The general public views data security and privacy as mostly technological matters, and most computer security specialists agree that only other computer security experts are qualified to handle sensitive data and protect computers from cyber threats. There are trade-offs between security and adaptability when defending against the risks one is most concerned about. Rather than the other way around, computer security experts should focus on designing and implementing solutions based on the risk assessments of the end users they are serving (Hamdi, 2019).

These judgments should not be made by the IT department alone. An Information Security Management System (ISMS) should reflect the decisions of the board of directors and management. Non-technical persons may take charge of ISMS activities, although this can go badly wrong in a number of circumstances. Projects like these are typically led by people who have a significant influence on the firm.

Privacy and security of personal information have long been a concern, and personal and commercial data management concerns must be addressed without delay (Chopra, 2020). The ISO 27001 framework is advisable for this problem: ISO 27001 audits and certifications are widely acknowledged as a helpful tool for improving data security.

4. RESEARCH METHODOLOGY

This chapter describes the overall methodology of this thesis. As stated in the introduction, the purpose of this study is to explore the challenges and characteristics of implementing the information security management standard ISO 27001 in SMEs. The methodology explains how the research questions are answered and why the chosen method is suitable for examining the common challenges, identified through the literature review, that different kinds of SMEs face.

4.1 Qualitative Research Overview


Research methodology is the systematic approach by which a study explores new data in order to draw fresh conclusions about a subject. For this strategy to work, all of the factors and other prerequisites for a successful research project must be taken into account. However, other factors may be discovered over the course of research and testing; the inclusion of these so-called "extraneous elements" is critical, since they might have an impact on the study's findings (Roy, 2020). The aim of this study is to improve understanding of the implementation of the information security management standard ISO 27001, which can help to solve potential challenges from the SMEs' perspective and ensure protection of their assets and suitability for their employees. Therefore, to answer the research questions, the authors intend to use a qualitative research methodology, collecting empirical data through interviews.

The authors selected this method because it has various benefits: it enables the appropriate use of critical as well as interpretive perspectives, and it is the most cost-effective method. Moreover, a qualitative approach offers the advantage of gathering rich data from small sample sizes, and it helps us understand SMEs' security culture and incorporate employees' experience of ISO 27001. The small and medium enterprises are not chosen randomly; the team specifically selects SMEs that fit the case study. However, there are doubts about how willing SMEs will be to collaborate in this study, since some of them have strict internal policies.

Interviews focus on the aspects of adapting the information security management standard to SMEs that matter most, and the interview framework follows the content of the questions. Interviews are used because the authors seek to strengthen the research's validity and ensure that the outcomes accurately reflect SMEs' experience of information security. When conducting semi-structured interviews for research purposes, it is critical to understand that the interview serves as a systematic method of data collection with the goal of obtaining the most reliable information possible. Therefore, the authors employ a semi-structured interview format, chosen because it focuses on specific themes rather than being organized around a fixed list of questions (Hirsjärvi et al., 2001). The semi-structured interviews are recorded and transcribed. A questionnaire with a limited number of open-ended questions is used in order to avoid overwhelming interviewees. Interviewees are recruited through a contact person at each target SME; candidates are employees who worked, or are still working, at the SME during the implementation of the ISO 27001 standard.

The collected data is analyzed from the transcripts of the recorded interviews. After transcribing, the authors review the text to gain a better understanding of its content. The authors then collaborate to identify meaning-bearing units (sentences and/or phrases) that are relevant to the study's purpose. These meaning units are condensed or shortened without changing the message, and codes are assigned to the condensed units, which are then grouped into categories and subcategories that reflect the essence of the message and eventually form a theme. The original data is backed up throughout, because it is strongly recommended to preserve and protect original data.

After data collection and the initial analysis, there is a follow-up stage in which thematic analysis techniques are used. Thematic analysis is a technique that helps to uncover patterns of themes in interview data (Thomas et al., 2008). This technique enables the team to become familiar with the collected data, generate codes that help identify patterns among the answers to the questions, then review and refine the themes to extract similarities and differences between them, and finally produce a report.

4.2 Data Collection

The data collection process of this thesis includes three phases: gathering, analyzing, and summarizing. According to Roy (2020), data collection should adhere to a predetermined strategy and policy. Each research project has its own data gathering method, but all of them must be applied carefully if the research is to be accurate and complete. Before settling on a technique, it is essential to consider the study's overall focus. Direct observation, document review (including database records), focus groups, and interactive interviews are just a few examples of data collection techniques in case study research design (Darke et al., 1998). Since the interview is one of the most essential ways of collecting empirical data in a qualitative case study, interviews are used as the primary data collection method in this study. Qualitative approaches such as face-to-face interviews and questionnaires are used to collect the empirical data.

The interviews provide a better understanding of the case study from different perspectives, reflecting the research questions. The questions are designed to give the authors a clear understanding of the kinds of challenges SMEs face when adapting information security management standards. The interviews were conducted by phone and were planned to last around an hour and a half. Before each interview began, the interviewees were asked to state the position they hold at the organization and their number of years of experience, to make sure that the data collected came from individuals with different backgrounds.

Table 2: Positions and Work Experiences of Interviewees

Interviewee   Position                  Experience (years)
I1            Tech Lead                 4
I2            Software Developer        3
I3            DB Administrator          5
I4            Software Developer        3
I5            Human Resource Manager    5
I6            Human Resource Manager    3
I7            Marketing                 6
I8            CEO                       1
I9            Sales Assistant           2
I10           Co-founder                10
I11           Co-owner                  8
I12           IT Help Desk              2
I13           HR Assistant              2
I14           Operations Manager        4
I15           Sales Manager             3

4.3 Interview Questions Overview


The interview questions are designed to address three main objectives: what general challenges SMEs face during the implementation of ISO/IEC 27001, what obstacles employees face when it comes to complying with security standards, and what the current situation regarding security controls in SMEs is. There are two types of questions, factual and attitudinal, 12 questions per interviewee, and the target is 15 employees, including owners of the SME organizations. The interview questions and interview responses are presented in Appendix 1 and Appendix 2.

4.4 Selection and Limitation


Interviewees were not selected at random. Instead, selection was based on factors such as position, age, experience and knowledge relevant to the thesis topic (Adapting ISO 27001 Information Security Management Standard to SMEs). The target organizations were travel companies that had adopted the ISO 27001 information security management standard. Only people over 18 years old were considered, since they are permitted to work by law. Interviews took place by phone.

4.5 Data Analysis


In this section the authors present the analysis of the empirical data collected through the interviews. The interviews were conducted on 8 and 9 March; as described above, the interview questions were designed to let interviewees speak freely while expressing their thoughts on the implementation of ISO/IEC 27001 and its impact on SME operations. The authors were unable to interview the implementers of the standard, because in most cases implementation had been outsourced. However, the interviews were conducted successfully with SME owners as well as employees.

The purpose of having a good combination of interviewees was to obtain a broader overview of how information security management standards are understood in different areas of an SME. The major obstacle during the data collection process was the availability of SME owners and of the implementers of the standard. We managed to overcome this by asking the IT team whether the documentation provided by the implementers and consultants could be reviewed, which they were able to arrange.

Table 3: An Overview of the Results of the Analysis

The IT team walked us through that documentation so that we could at least understand the findings regarding the challenges SMEs go through when adapting ISO 27001 in their operations. After the interviews, the next step was a thematic analysis of the gathered answers. All answers were coded and examined in order to identify patterns; a theme was then created for each pattern (see Appendix 2, where the responses are outlined). After creating themes and groups, we conducted an overall analysis in which the groups were placed into three dimensions, people, technology, and process, in order to specify the domain of each group, as shown in Table 3 above.

4.6 Ethics of the study

During the data collection, the five rules of professional ethical conduct in research were
observed. These are: Voluntary participation, informed consent, no harm, confidentiality
& anonymity, and privacy (De Vaus, 2002).

-Voluntary participation

Interviewees in this study were not by any means forced to participate. They all
participated willingly. None of the people participating in the research were coerced and
the researchers did not put participants in a situation where they might be at risk due to
their participation.

-Informed consent

Since the interviews were recorded, the interviewees were first made aware of this and asked whether they agreed before proceeding.

-No harm

No person was hurt, either physically or emotionally, in the process of collecting the required information.

-Confidentiality and anonymity

In accordance with the law on public access to official records, the data we gathered as a team remains confidential and anonymous; no third party can access it. The personal data we collected included telephone numbers, work experience, and names.

- Privacy

Because we contacted participants by telephone while collecting data, we decided to delete the phone numbers and the recordings after finishing everything, so that no one can contact the interviewees again or use their records in another way.

5. MANUAL DEMOGRAPHIC ANALYSIS

Prior to delving into the specifics of each question type, we look at relationships between respondent attributes. The largest share of respondents (40%) expressed their viewpoints on the impact and relevance of ISO 27001 certification for SMEs. The network security engineer explained during the interview: "When it comes to security, the ISO 27001 helps us in providing management direction and the support for information security regarding the requirements of the business and the relevant laws and regulations." The human resource manager went on to say that the certification helps to ensure that employees, contractors and third parties are informed about security threats and are equipped with the knowledge and tools needed to maintain a proper security posture and reduce the risk of human error.

Regarding the necessity of ISO 27001, the sales officer explained their view in the following way: "For a person involved in sales, I see that the certification plays an important role because it reassures the customers that the company maintains a high level of security and then in return the sales increase, so I see it as a good added value to the company."

5.1 Measures
Fifteen (15) interviews were conducted: five interviewees were from the IT department, three from human resources, three were owners or executives (a co-founder, a co-owner and the CEO), and four belonged to the operations, marketing and sales departments (see Table 2). This combination was chosen to obtain a broader overview of how information security management standards are understood in different areas of an SME, as described in Section 4.5.

5.2 Attitude

After carrying out the interviews we found that SME owners and employees were already acquainted with the systems and IoT devices in use and were willing to adopt ISO 27001, since they see its potential benefit. At the same time, everyone is connected to the company systems and there is no BYOD strategy in place. Lee (2020) discusses further that mistrust in the ISO/IEC 27001 Information Security Management Standard is cited as a major reason for not adopting it in organizations where personal devices are not connected to organizational networks without authorization. Present and future SME owners are worried about privacy in their organizations if everyone can easily connect to the network, because attackers can take advantage of this; Lee (2020) found that user vulnerability was the most critical reason for not adhering to the standard, and that adopting the ISO/IEC 27001 Information Security Management Standard was by far the most challenging in small and medium-sized enterprises (SMEs).

5.3 The perception of security and privacy


With respect to the role of SME owners, we received answers from three interviewees: one CEO and two co-founders. We learned that there is a big gap in the understanding of the concept of an information security management standard across the entire top management team, and that it was a surprise to them when they were first introduced to ISO 27001. Because of this, both SME owners felt they were forced to hire an information security consultant, who helped them understand in depth the importance of security standards to their company. It has been claimed that consumers will not use systems they do not trust, and this is supported by research (Wanyonyi, 2020).

Furthermore, Vincent (2017) and Wong (2022) concur that privacy concerns are a factor in SMEs' resistance to adopting an information security management standard. The owners have since come to understand the role of the standard; however, as a small company, they have no information security professionals in house and rely on the IT team to handle all security-related activities. The IT team, in turn, feel they may be overwhelmed by the workload, because many other IT-related activities also depend on them. On the positive side, when it comes to protecting company assets against cyber attacks, the IT team has implemented different types of security measures: each employee's computer runs a trusted anti-malware tool that detects and blocks the installation of malicious software, different kinds of firewalls are deployed, and the IT team makes sure it stays up to date with and aware of trends in the cybersecurity domain.

From the other employees' perspective, we identified that some employees, especially IT professionals, have knowledge of the ISO 27001 standard. They were able to describe the impact of ISO 27001 on maintaining a proper information security management system (ISMS). This is a positive sign, because it demonstrates that the IT team follows best practices to protect SME assets. However, there is a gap to fill: for example, employees were given cybersecurity awareness training only once, and a new employee is simply briefed by whichever colleague happens to be responsible. Lack of motivation to comply with security policies is another relevant finding. When it comes to compliance with security policies, employees are mainly motivated by the pride of doing their jobs like professionals, the fear of being the source of a breach, or the sanctions that can be imposed on them if they fail to comply with the policies. A one-off training session is at odds with ISO 27001, whose clause 7.3 (Awareness) requires that persons doing work under the organization's control be aware of the information security policy and of their contribution to the effectiveness of the ISMS, which a single session cannot sustain.

6. DISCUSSION
The risk of data leaking has increased as firms have become increasingly dependent on technology in the workplace. Risks can be decreased and security breaches prevented with an effective Information Security Management System (ISMS). Companies can now ensure appropriate data protection by aligning their IT operations and procedures with an information security management standards framework (Gillies, 2011). ISO 27001 certification demonstrates to the public that a company's information security management system is systematic, which improves the company's public image. When it comes to the sensitive subject of data security, which is often disputed in court, holding an ISO 27001 certificate can show that an organization complies well with international security standards, so that other stakeholders can trust it; the certificate can also be displayed to illustrate a company's security measures. The literature review shows that the majority of security standards have been accepted by a vast number of organizations within Europe and Asia. Furthermore, many organizations are likely to seek ISO 27001 certification as a result of the growing relevance of information security compliance for IT service providers.

The ISO 27001 standard is widely used to improve information security practices, and the literature reviewed reports that more than 80% of its adopters worldwide have embraced the standard. However, the main remaining challenge is that the standard specifies what is required but does not provide guidance on how it should be implemented, so ease of use is an important factor. Executives, suppliers, employees, government authorities, and even consumers are all affected by it. Although some firms have their own standards in place, ISO 27001 has become the industry benchmark for compliance, and it is increasingly expected of organizations of every kind, whether financial institution or government agency.

This is why ISO 27001 is regarded as the international standard for information security. Businesses are acutely aware of the need to safeguard the data they rely on to run effectively, and they want standards to be used as a benchmark for information security governance. PCI-DSS, COBIT, PRINCE2, SOA, OPM3, BS7799, ITIL, COSO, and ISO 27001 are all examples of governance and management frameworks used for this purpose. There are a number of reasons why some of them are not fully implemented by companies. PCI-DSS and ISO 27001 are the ones most typically used, and to date a survey of different information security standards has shown that ISO 27001 is by far the most frequently used standard in terms of both strength and acceptability.

An organization's preparedness for information security requirements may be determined using the ISO 27001 standard. ISO 27001 implementation is tough for most firms: they have difficulties in determining the level of organizational readiness, in creating documentation, and in other aspects of information security strategy (Zammani, 2016). The research reveals that what people want and what they actually do differ vastly. Implementing ISO 27001 might raise both internal and external concerns, so a well-thought-out implementation strategy must be in place for a company to succeed; without it, information security implementation will be hindered and the company will appear unprepared.

The resources needed to implement ISO 27001 may turn out to be greater than anticipated. Refining the implementation is a repeatable procedure that can be carried out wherever the organization operates. An organization may have several information security safeguards in place, but the absence of precisely defined security controls gives the impression that the organization is disjointed and disorganized, and putting some of the necessary precautions in place may be difficult for the business. When firms seek to adopt the ISO 27001 standard, they have difficulty selecting information security standards with the right characteristics. Everyone has a role to play in adopting the ISO 27001 standard. A technique to evaluate a company's preparedness for implementing ISO 27001 is thus essential, and a new framework for defining and assessing ISO 27001 readiness is needed whenever new algorithms and mathematical models are introduced.

In order to protect and secure the company's information, leadership at all levels must understand that it requires both inventiveness and zero tolerance. If even a modest breach occurs, executives should be prepared to adopt ISO 27001 so that the organization can better understand and assess its preparedness. In addition to this novel approach, top executives may use the ISO 27001 readiness level measurement formula to assess how well-prepared their firms are. Using this plan, directors will be able to assess the company's readiness, monitor ISO 27001 implementation, and check its correctness, and all stakeholders will be able to comprehend the ISO 27001 criteria more easily. Each organization's stakeholders then carry out their own assessment of ISO 27001 readiness. This has led to a reliance on the ISO 27001 standards to resolve the queries, impediments, and issues senior management has had in understanding the standard's vocabulary. As a further step, they will undertake an assessment of the company's preparedness for the adoption of ISO 27001.

7. CONCLUSIONS

In this chapter the authors revisit the research questions of this thesis and present the contribution of this study. The chapter then outlines the limitations of the study and potential future work, along with the authors' perspectives on this research.

7.1 Revisiting Research Purpose And Research Questions

The main objective of this study was to discuss in depth the role of ISO/IEC 27001 for SMEs and to suggest a relevant framework, including the processes to be followed by any kind of SME during the implementation of ISO 27001. This research offers SMEs a useful package, since it provides a full picture of the information security management standards domain, as well as of what requirements mean when expressed as International Standards, National Standards, and industry-specific standards. Based on the findings, ISO/IEC 27001 plays a significant role in protecting SMEs from physical and cyber attacks. However, there is still a long way to go for SMEs to strengthen their information security management systems using ISO/IEC 27001, because the knowledge gap in understanding information security standards is extensive. Various research shows that an effective security management system begins with the selection of a suitable framework (Wong, 2022).

Both internal and external forces influence the level of operational preparedness and the resources available to a corporation. The ISO/IEC 27000 family protects an organization's information resources. Although there are various information security management system standards, ISO/IEC 27001 is generally considered the reference standard. Among the many things it helps firms manage are intellectual property, employee data security, and financial data security. Another objective was to identify the characteristics of the challenges SMEs face during the implementation of ISO 27001. The results show that SMEs struggle the most to implement such standards, owing to challenges such as limited financial budgets and difficulty in understanding which standard provides the relevant guidelines. Furthermore, as shown in Table 1, the research identified two major security management standards that are commonly used worldwide, ISO 27001 and NIST; these are sometimes confusing because they overlap in the security requirements they specify. The NIST framework is free to use and self-assessed, meaning it can be implemented in whatever way the organization wants, while ISO 27001 involves cost because the standard must be purchased and certification requires audits. ISO 27001 is commonly used in Europe and NIST in the United States of America. Since our research focus was EU-based SMEs, ISO 27001 was chosen. The final objective was to identify the issues employees face when complying with the implemented information security management standard. It was found that employees fear becoming the victims and source of a cyber attack, and this is one of the factors that motivates them to comply with security policies.

7.2 Research contribution

In order to obtain ISO 27001 certification, the organization's master security policy must describe its cybersecurity strategy, and its relationship to the organizational structure of the SME must also be shown. ISO 27001 helps analyze the current level of cybersecurity maturity and plan a targeted strategy for reducing risks (Velasco, 2018), determining which technologies are suitable for each risk and what is necessary to achieve financial savings.

ISO 27001 is the most popular standard for ensuring the confidentiality, integrity, and availability of information. The standard includes evaluation, monitoring, and continual improvement measures, and it is especially helpful to small and medium-sized businesses. Its design ensures the safety and security of an organization's data, and the resulting improvements in reliability, availability, and confidentiality contribute to a better bottom line for businesses (Achmadi, 2018).

Since ISO 27001 was introduced, companies' commercial, technological, and legal demands have been addressed consistently over the years. ISO 27001 certification has helped many companies build a stronger security posture and avoid the legal and regulatory challenges typically linked with information security, and they are better placed to keep up with ever-changing legal and contractual environments. Continued ISO 27001 implementation also leads to long-term accomplishments that pay handsomely inside a corporation, and obtaining certification may help many companies continue to grow and develop (Alexei, 2021). This helps keep the company secure when its security is threatened.

As a result of ISO 27001's standardization, organizations now have an easier time exchanging data. Organizations and enterprises must cooperate in order to communicate effectively and achieve interoperability; the communication capabilities that ISO 27001 makes possible can be developed and maintained by studying connection requirements (Alqatawna, 2014). Thus, all of management's risk policies and procedures become more robust. Although adoption demands effort from the large number of businesses that have taken it up, the advantages far outweigh the drawbacks, and with the widespread use of ISO 27001 as a global standard for data security and management, even organizations that were previously struggling have benefited.

ISO 27001 is widely accepted as a best-practice framework for building and sustaining
security in an organization; in other words, it is a firm foundation for any business. Some
customers expect the standard to cover every security-relevant part of their suppliers'
business, and it does lay out the basic rules for an organization to implement its own
security design. A related assurance scheme is SOC, which stands for System and
Organization Controls (formerly Service Organization Control). SOC 1 reports address
controls relevant to a customer's financial reporting, whereas SOC 2 and SOC 3 reports
address security, availability, processing integrity, confidentiality and privacy, SOC 3
being a general-use summary of a SOC 2 report. All three give customers assurance
about how the service organization protects their data (Altamimi, 2022). For an SME that
depends on cloud providers, a provider's SOC 2 report therefore complements the SME's
own ISO 27001 ISMS as a foundation for managing cloud data security.

Figure 6: Framework for Adapting ISO/IEC 27001 to SMEs

Obtaining support from management: during the literature review, it became clear that it
is not easy to convince top management to support a security-related project; in the case
organizations, employees were effectively left with full responsibility for any threats that
emerged in their line of duty. The proposed framework therefore treats top-management
support as an essential first step, because any project requires management's go-ahead.
Managerial support must cover a range of aspects: financial backing, open communication
between the project team and management, involving employees in decision making, and
explicit feedback on performance (Manoj, 2020). Convincing management to invest is
often difficult because of the costs involved. ISO/IEC 27001 compliance should therefore
be treated as an ongoing project and planned properly, so that management has a clear
picture of what is about to be done, who is responsible, and what it will cost.

Define the scope: the findings showed that the case organizations had no defined scope
for their implementation of ISO 27001:2013. Top management began implementing some
security controls at random, and most internal employees, including the IT team, were not
involved in parts of the process. The implementation team must be formed from different
stakeholders, external as well as internal, and they must know exactly which assets
require protection. Dejan (2020) defines the main purpose of scoping as identifying which
information assets require protection, regardless of whether they are held on company
premises or in the cloud. ISO 27001:2013 requires an SME to take into account its
external and internal issues and the requirements of interested parties when setting the
scope, and to keep a documented description of the ISMS scope. This gives auditors a
clear picture of how the organization handles external and internal risks.

Design the risk assessment and treatment process: once the scope is defined, the
research suggests designing the risk assessment and treatment process. Dejan (2020)
considers this one of the most complex tasks in an ISO/IEC 27001 implementation. Here
an SME must define how risks will be identified and handled, the scales used for
likelihood and impact, and the criteria for accepting a risk, so that repeated assessments
give consistent and comparable results (Churchman, 2017).

Perform the risk assessment and treatment: this is a continuous process that follows the
design of the methodology. Here the SME applies the method to the identified risks
(Arnason, 2022). It is important to do this across the whole SME, because the
assessment gives a comprehensive picture of external and internal vulnerabilities and
therefore of which ISO 27001 controls the SME actually needs. The next step is to write
the risk treatment plan, which records the chosen treatment option and the controls
selected for each risk (Hamdi, 2019).
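The following Python script is an added example, not code from the thesis or data from the case companies. It walks through the two steps above for a constructed risk register of a small travel agency: each risk is scored as likelihood times impact, compared with a risk acceptance criterion, given a treatment option (accept, mitigate, transfer, avoid), and re-scored to check whether the residual risk is within appetite. The 1 to 5 scales, the acceptance threshold of 6, the threat-to-control catalogue and the assumed effect of each control are illustrative assumptions; the Annex A numbers are quoted as this example's author understands ISO/IEC 27001:2013 and should be verified against the standard.

```python
"""Risk assessment and treatment walk-through for a small ISMS.

Added example, not code from the thesis. Scales, threshold, catalogue and
control effects are assumptions chosen for illustration; Annex A references
are as understood by the example author (verify against ISO/IEC 27001:2013).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MAX = 5                  # assumed 1-5 scales for likelihood and impact
RISK_ACCEPTANCE_THRESHOLD = 6  # assumed: scores <= 6 (of 25) are within appetite


@dataclass
class Control:
    name: str                  # control or treatment measure
    likelihood_reduction: int  # assumed effect on the likelihood score
    impact_reduction: int      # assumed effect on the impact score


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1..SCALE_MAX
    impact: int                # 1..SCALE_MAX, worst of confidentiality/integrity/availability

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be 1..{SCALE_MAX}, got {value}")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class TreatmentEntry:
    risk: Risk
    option: str                # accept | mitigate | transfer | avoid
    controls: List[Control]
    residual_score: int
    within_appetite: bool      # False: management must add controls or formally accept


# Constructed catalogue: threat -> (treatment option, measures). Annex A numbers as
# understood by the example author; verify against ISO/IEC 27001:2013 Annex A.
TREATMENT_CATALOGUE: Dict[str, Tuple[str, List[Control]]] = {
    "ransomware": ("mitigate", [
        Control("A.12.3.1 Information backup (offline copies)", 0, 3),
        Control("A.12.2.1 Controls against malware", 2, 0),
    ]),
    "credential theft": ("mitigate", [
        Control("A.9.4.2 Secure log-on procedures (multi-factor)", 2, 0),
        Control("A.7.2.2 Information security awareness, education and training", 1, 0),
    ]),
    "card data breach": ("transfer", [
        Control("Outsource card handling to a PCI DSS compliant payment provider", 2, 3),
    ]),
}


def residual_score(risk: Risk, controls: List[Control]) -> int:
    """Score after the selected measures; neither factor drops below 1."""
    likelihood = max(1, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    impact = max(1, risk.impact - sum(c.impact_reduction for c in controls))
    return likelihood * impact


def treat(risk: Risk) -> TreatmentEntry:
    """Choose a treatment option for one risk and evaluate the residual risk."""
    inherent = risk.inherent_score()
    if inherent <= RISK_ACCEPTANCE_THRESHOLD:
        return TreatmentEntry(risk, "accept", [], inherent, True)
    option, controls = TREATMENT_CATALOGUE.get(risk.threat, ("avoid", []))
    if option == "avoid":
        # No known measure: discontinue the activity, so no residual risk remains.
        return TreatmentEntry(risk, "avoid", [], 0, True)
    residual = residual_score(risk, controls)
    return TreatmentEntry(risk, option, controls, residual, residual <= RISK_ACCEPTANCE_THRESHOLD)


def build_register(risks: List[Risk]) -> List[TreatmentEntry]:
    """Risk treatment plan ordered by inherent score, highest first (stable for ties)."""
    return sorted((treat(r) for r in risks), key=lambda e: e.risk.inherent_score(), reverse=True)


def needs_management_decision(entries: List[TreatmentEntry]) -> List[TreatmentEntry]:
    """Entries still above appetite after treatment; these go to the management review."""
    return [e for e in entries if not e.within_appetite]


def summarise(entries: List[TreatmentEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.option] = counts.get(e.option, 0) + 1
    return counts


# Constructed sample register for a small travel agency (not data from the case companies).
SAMPLE_RISKS = [
    Risk("Customer booking database", "ransomware", "no offline backups, no anti-malware", 4, 5),
    Risk("Staff webmail accounts", "credential theft", "single-factor logon, no training", 5, 4),
    Risk("Online card payments", "card data breach", "card numbers processed on own server", 3, 5),
    Risk("Public brochure website", "defacement", "outdated CMS plugin", 2, 3),
    Risk("Windows 7 front-desk kiosk", "exploitation of unsupported software", "no patches", 4, 4),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for e in register:
        print(f"{e.risk.inherent_score():>2} -> {e.residual_score:>2}  {e.option:<8} {e.risk.asset}")
    print("summary:", summarise(register))
    print("to management review:", [e.risk.asset for e in needs_management_decision(register)])
```

Running the script lists the register from highest to lowest inherent risk. The webmail risk shows the check the text asks for: after multi-factor log-on and awareness training it still scores 8, above the assumed threshold of 6, so it is flagged for the management review rather than silently recorded as treated.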

Implement the required controls: the research also recommends implementing the
required controls (Calder, 2018). This covers both the documentation and the technical
measures the ISO 27001 standard calls for. No procedure should be skipped or ignored,
which appears to be common among SMEs (Hannah, 2019).

Implement training and awareness programs: for the best adoption of the ISO 27001
standard in SMEs, our research found it best to run training and awareness programs for
SME owners and employees. ISO/IEC 27001 requires this control to be implemented
effectively: when an SME introduces a control such as a policy, staff must be trained on it
and kept aware of changes (Humphreys, 2018). An SME must design training programs
with relevant material and run them continuously, at least twice a year (Chopra, 2020).
This was exactly the situation in the case SMEs: they had an IT team responsible for
training other employees, but the IT team had no idea how often the training should be
conducted.

Operate the ISMS: our research found that the SMEs did not operate an ISMS, and for
the implementation to succeed an ISMS has to be in operation. This means treating
ISO/IEC 27001 as a daily routine. If the SME's goal is certification, keeping documented
records is essential (Hannah, 2020); research shows that ISO 27001 auditors value
records and logs because they let an SME prove that a required activity was completed
(Edward, 2008). The records must also enable the SME to monitor whether the
implemented controls work as expected.

Management review: our findings show that management lacked knowledge of
information security management, which made reviewing the ISMS a significant
challenge for them. We therefore recommend engaging an information security
professional to conduct the review and translate the results for top management. It is
extremely important for top management to stay informed about what is going on within
the ISMS (Culot, 2021), so relevant communication channels should be established
through which internal and external auditors report to top management and await their
decisions where required (Dioubate, 2022).

Monitoring and measuring the ISMS: to ensure that the ISMS is actually effective, an
SME must monitor and measure it continuously. The standard requires the SME to decide
what is monitored and measured, by which methods, when, and by whom. This stage
gives the SME clear results about what is happening in its ISMS (Ogcio, 2021): which
incidents have occurred, how risk levels have changed, what actions were taken, and
what the current situation is. Our research found that most SMEs do not follow such a
process. If an SME cannot demonstrate this control, auditors may refuse certification,
because the SME is not maintaining ISO/IEC 27001 compliance.

7.3 Reflection

It is challenging for small organizations to implement the ISO 27001 standard because
of internal issues. Project deadlines are likely to slip because the team is inexperienced,
and a lack of shared experience makes it difficult to introduce new standards. In the case
organizations, neither management nor staff were eager to create new security standards
or refine the ones that already existed. Firms were also hesitant to embrace the standard
because they lacked knowledge of ISO 27001; understanding ISO 27001 is the first step
towards putting it into practice.

A range of factors were examined as a consequence of these problems. Starting with
internal change, the company's culture must be adjusted: an organization with a culture
of openness and innovation will find the ISO 27001 standard easier to implement. Small
and medium-sized organizations should give high priority to information and cyber
security risk management, and future business planning must take account of
developments in cyberspace and their security implications. A company that has this
information may find it easier to implement the standard. The core properties of an
organization's information security management are confidentiality, integrity, and
availability, and data security is a major problem for many enterprises and organizations.
As a starting point, ISO 27001 is an excellent tool: implemented properly, it also supports
compliance with the GDPR and PCI DSS.

ISO 27001 builds trust with existing customers and other stakeholders while attracting
new ones, which increases market returns. Certification demonstrates to customers that
the organization takes their security seriously and is an effective way to retain and win
customers: new customers and partner enterprises can trust the certified company's
information security management system. Standardized methods and procedures are
also easier to apply well. Organizations can use the operational components of ISO
27001 to protect themselves against cyber-attacks; maintaining data backups and
anti-malware software, for instance, is essential for most IT systems.

There has always been a risk to personal information, and the handling of personal and
commercial data is one of the most serious challenges in today's society. The ISO 27001
framework is a sound way to address this issue: companies certified to ISO 27001 have
established risk-based data management. Although ISO/IEC 27001 is a current and
relevant certification scheme, moving between versions of the standard has always been
an issue for certified organizations. Every company that handles considerable amounts
of sensitive data should consider putting the ISO framework in place.

Preparing this report went smoothly despite the ups and downs of understanding
research methodologies and related concepts; the authors were able to structure the
topic and carry on with the work. One of the major issues we faced was finding case
companies willing to take part in interviews. Eventually the travel agencies Holiday
Chapter and Step2Africa volunteered. We have learned that international information
security standards play a significant role in enabling organizations to manage their
information security effectively and efficiently, but that some organizations face
challenges when implementing security standards and guidelines.

Both the literature review and the interviews provided strong evidence of a lack of
knowledge of standards and guidelines. Most employees had no idea why their company
needed such a standard, and they complained that implementing such a project would be
costly. During the interviews the authors asked them to compare: imagine the cost if your
company suffers a data breach and the authorities find that it was your company's error,
or the loss to your company if a DDoS attack takes your travel portal down for a few days.
We both learned that ISO 27001 implementation is an extremely important tool that
enables businesses to defend themselves against cyber criminals.

After the literature review, the team understood why it is complicated for non-infosec
professionals to grasp the concept of information security standards: most of these
standards are written for security professionals, so coping with them is a massive
challenge for everyone else. As mentioned before, beyond choosing this subject for the
thesis project, the team members have a personal interest in learning various standards
in depth. Having conducted this research, we are confident that it was the right decision,
and the authors are now capable of advising organizations that lack the knowledge
needed to adapt ISO 27001.

7.4 Research Limitation and Future Work

This research was conducted within the European Union (EU) because our focus was on
supporting GDPR requirements, so data collection was deliberately limited to the EU. The
results should therefore be applied with caution to SMEs operating outside the EU. The
research is not limited to the certification process; it discusses information security
management in general.

While studying ISO 27001, the authors noticed that organizations are increasingly
combining different standards; for example, ISO 27001, which covers information security
management, has been combined with ISO 22301, which covers business continuity.
Combining the two lets an organization simplify its risk assessment toolkit. This is a new
challenge for many organizations, including those already certified to ISO 27001,
because two standards with different requirements must be combined into something that
makes sense to the organization, including the knowledge and cost involved. Luke Irwin
outlined that combining these two standards can enable organizations to mitigate risk
effectively and respond to threats promptly. In the authors' view, this is a potential
direction for future research building on this thesis.

REFERENCES
1. Achmadi, D., Suryanto, Y., & Ramli, K. (2018, May). On developing information security
management system (isms) framework for iso 27001-based data center. In 2018
International Workshop on Big Data and Information Security (IWBIS) (pp. 149-157).
IEEE.

2. Aktas, T., Fiske, W. T., & Gong, G. Performance of Examinations used for Personnel
Certification Complying to ISO/IEC 17024 Standard Requirements By Osman Vural,
Ioannis Anastasopoulos, and David S. Nelson▪ Governance of Knowledge in
Management Systems Applications.

3. Alexei, A. (2021). Ensuring information security in public organizations in the Republic
of Moldova through the ISO 27001 standard.

4. Alliance (of information security consultants from across the world). (2009). The ISO
27000 Directory. Retrieved December 24, 2009, from ISO 27000 - ISO 27001 and ISO
27002 Standards: http://www.27000.org/index.htm

5. Alqatawna, J. (2014). The Challenge of Implementing Information Security Standards in
Small and Medium e-Business Enterprises. Journal of Software Engineering and
Applications, 7, 883-890. http://dx.doi.org/10.4236/jsea.2014.710079

6. Altamimi, S. (2022). Investigating and mitigating the role of neutralization techniques on
information security policies violation in healthcare organizations (Doctoral dissertation,
University of Glasgow).

8. Arafat, M. (2018, June). Information security management system challenges within a
cloud computing environment. In Proceedings of the 2nd International Conference on
Future Networks and Distributed Systems (pp. 1-6).

9. Arnason, S. T., & Willett, K. D. (2008). How to Achieve 27001 Certification: An Example
of Applied Compliance Management. Auerbach Publications.

10. Bouziani, M. M., Merbah, M. M., Tiskar, M. M., Et-Tahir, M. A., & Chaouch, M. A.
(2022). When can we talk about implementing an Information Security Management
System, according to ISO 27001? Turkish Journal of Computer and Mathematics
Education (TURCOMAT), 13(2), 394-401.

11. Bowen, P., Hash, J., & Wilson, M. (2006, October). Information Security Handbook: A
Guide for Managers. Retrieved November 17, 2009, from Computer Security Resource
Center: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf

12. Honan, B. (2010). ISO27001 in a Windows Environment. Accessed 2021.
https://books.google.fi/books?id=GMcyZWviyvgC&pg=PA19&dq=key+concepts+of+information+security+standards&hl=en&sa=X&ved=2ahUKEwiG7v6Z1M_1AhWs-yoKHSmIDQ8Q6AF6BAgIEAI#v=onepage&q=key%20concepts%20of%20information%20security%20standards&f=false

13. Butler Lamar, S. (2022). Managing Cyber Hygiene At A Higher Education Institution In
The United States.

14. Calder, A., & Watkins, S. (2008). IT Governance: A Manager’s Guide to Data Security
and ISO27001/ISO 27002. Kogan Page.

15. Carvalho, C., & Marques, E. (2019, June). Adapting ISO 27001 to a Public Institution. In
2019 14th Iberian Conference on Information Systems and Technologies (CISTI) (pp.
1-6). IEEE.

16. Casola, V., Catelli, R., & De Benedictis, A. (2019, June). A first step towards an
ISO-based information security domain ontology. In 2019 IEEE 28th International
Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises
(WETICE) (pp. 334-339). IEEE.

17. Chałubińska-Jentkiewicz, K. (2022). Cybersecurity as a Public Task in Administration.
Cybersecurity in Poland, 191.

18. Chopra, A., & Chaudhary, M. (2020). Implementing an Information Security Management
System. Apress, New York.

19. Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001
information security management standard: literature review and theory-based research
agenda. The TQM Journal.

20. Defence Signals Directorate. (2009). Australian Government Information Security
Manual. Retrieved December 12, 2009, from Australian Government - Department of
Defence Intelligence and Security: http://www.dsd.gov.au/library/infosec/ism.html

21. Dioubate, B. M., & Wan Daud, W. N. (2022). Implementation of Cyber Security Risk
Management Frameworks in Malaysian Higher Education Institutions. Global Journal of
Management And Business Research.

22. Eldabi, T., Jahangirian, M., & Naseer, A. A survey of simulation techniques in
commerce and defence.
https://www.researchgate.net/publication/49402506_A_survey_of_simulation_techniques_in_commerce_and_defence#pf2

23. Edward, H. (2008). Information security management standards. Accessed 2021.
https://doi.org/10.1016/j.istr.2008.10.010

24. Federal Office for Information Security (BSI), BSI Standard 100-1 Information Security
Management System, http://www.bsi.de/english/publications/bsi _st andards/index.htm
2008

25. Fomin, V. V., & de Vries, H. (2008). ISO/IEC 27001 Information System Security
Management Standard: Exploring the Reasons for Low Adoption. Proceedings of the Third
European Conference on Management of Technology (EUROMOT), Nice, France.

26. H. Churchman. 2017. How to gain employee buy-in when implementing cybersecurity.
https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-whe
n-implementing-cybersecurity-according-to-iso-27001/

27. Hamdi, Z., Norman, A. A., Molok, N. N. A., & Hassandoust, F. (2019, December). A
Comparative Review of ISMS Implementation Based on ISO 27000 Series in
Organizations of Different Business Sectors. In Journal of Physics: Conference Series
(Vol. 1339, No. 1, p. 012103). IOP Publishing.

28. Hannah, S. 2019. Literature review as a research methodology: Journal of Business
Research, Volume 104, 2019.
https://www.sciencedirect.com/science/article/pii/S0148296319304564

29. Henttinen, H. (2018). Improvement of Information Security Management System in
Media X Corporation.

30. Humphreys, E. (2018). The Future Landscape of ISMS Standards. Datenschutz und
Datensicherheit-DUD, 42(7), 421-423.

31. Imran, H., Salama, M., Turner, C., & Fattah, S. (2022, March). Cybersecurity Risk
Management Frameworks in the Oil and Gas Sector: A Systematic Literature Review. In
the Future of Information and Communication Conference (pp. 871-894). Springer,
Cham.

32. ISM3 Consortium. (2009). Information Security Management Maturity Model v2.3. Spain:
ISM3 Consortium.

33. ISO/IEC. (2009). Information technology — Security techniques — Information security
management systems — Overview and vocabulary. Geneva, Switzerland.

34. J. Andress. 2011. The Basics of Information Security Understanding. Accessed. 2022.
https://books.google.fi/books?id=9NI0AwAAQBAJ&pg=PA7&dq=cia+triad&hl=en&sa=X&
ved=2ahUKEwjXodG2mtz1AhUklosKHTyXA54Q6AF6BAgGEAI#v=onepage&q=cia%20t
riad&f=false

35. Jafar, A. 2014. The challenges of implementing Security Standards. Accessed. 2022:
https://www.researchgate.net/publication/266080655_The_Challenge_of_Implementing_
Information_Security_Standards_in_Small_and_Medium_e-Business_Enterprises

36. Manoj, K. S. (2020). Cybersecurity in Industrial Automation. Accessed 2022.
https://books.google.fi/books?id=h_8BEAAAQBAJ&pg=PT239&dq=obtaining+support+from+management+iso+27001&hl=en&sa=X&ved=2ahUKEwi309Linrb3AhVypYsKHTyvB2QQ6AF6BAgFEAI#v=onepage&q=obtaining%20support%20from%20management%20iso%2027001&f=false

37. Kebande, V. R. (2022). Industrial Internet of Things (IIoT) Forensics: The forgotten
Concept in the Race Towards Industry 4.0. Forensic Science International: Reports,
100257.
38. Kirvan, Paul. 2019 “Security Frameworks and Standards Explained.” SearchSecurity.
https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Ch
oosing-the-right-one.

39. Kitsios, F., Chatzidimitriou, E., & Kamariotou, M. (2022). Developing a Risk Analysis
Strategy Framework for Impact Assessment in Information Security Management
Systems: A Case Study in the IT Consulting Industry. Sustainability, 14(3), 1269.

40. Klisenko, O., & Serral Asensio, E. (2022). Towards a Maturity Model for IoT Adoption by
B2C Companies. Applied Sciences, 12(3), 982.

41. Kong, X., & Cai, Z. (2022). An Information Security Method Based on Optimized
High-Fidelity Reversible Data Hiding. IEEE Transactions on Industrial Informatics.

42. Livshitz, I. I., Lontsikh, P. A., Lontsikh, N. P., Golovina, E. Y., & Safonova, O. M. (2020,
September). The Effects of Cyber-security Risks on Added Value of Consulting Services
for IT-security Management Systems in Holding Companies. In 2020 International
Conference Quality Management, Transport and Information Security, Information
Technologies (IT&M M&S) (pp. 119-122). IEEE.

43. Longras, A., Pereira, T., Carneiro, P., & Pinto, P. (2018, September). On the track of
ISO/IEC 27001: 2013 implementation difficulties in Portuguese organizations. In 2018
International Conference on Intelligent Systems (IS) (pp. 886-890). IEEE.

44. Lopes, I. M., Guarda, T., & Oliveira, P. (2019). Implementation of ISO 27001 standards
as GDPR compliance facilitator. Journal of information systems engineering &
management, 4(2), 1-8.

45. Lopes, I. M., Guarda, T., & Oliveira, P. (2019, June). How ISO 27001 can help achieve
GDPR compliance. In 2019 14th Iberian Conference on Information Systems and
Technologies (CISTI) (pp. 1-6). IEEE.

46. Maarop, N., Zam, M. F. M., Samy, G. N., Manaf, A. A., Munshi, A., & Magalingam, P.
(2021, October). A Qualitative Insight of Success Factors of Information Security

Management System. In 2021 7th International Conference on Research and Innovation
in Information Systems (ICRIIS) (pp. 1-6). IEEE.
47. Maingak, A. Z., Candiwan, C., & Harsono, L. D. (2018). Information Security Assessment
Using ISO/IEC 27001: 2013 Standard on Government Institution. Trikonomika, 17(1),
28-37.

48. Mayer N, “A Cluster Approach to Security Improvement According to ISO/IEC 27001. ''
Center de Recherche Public Henri Tudor. 29 av. John F Kennedy, L-1855 Luxembourg.

49. Metwally, E. A., Haikal, N. A., & Soliman, H. H. (2022). Detecting Semantic Social
Engineering Attack in the Context of Information Security. In Digital Transformation
Technology (pp. 43-65). Springer, Singapore.

50. Mirtsch, M., Blind, K., Koch, C., & Dudek, G. (2021). Information security management in
ICT and non-ICT sector companies: A preventive innovation perspective. computers &
security, 109, 102383.

51. Nagata, T., Ito, D., Nagata, M., Fujimoto, A., Ito, ROrigami, K., ... & Mori, K. (2021).
Anticipated health effects and proposed countermeasures following the immediate
introduction of telework in response to the spread of COVID-19: The findings of a rapid
health impact assessment in Japan. Journal of occupational health, 63(1), e12198.

52. National Research Council. 1991. Computers at Risk: Safe Computing in the Information
Age. Washington, DC: The National Academies Press.https://doi.org/10.17226/1581.

53. Ogcio. 2021. An Overview of ISO/IEC 27000 family Information Security Management
System Standards Accessed
2022:https://www.ogcio.gov.hk/en/our_work/information_cyber_security/collaboration/doc
/overview_of_iso_27000_family.pdf

54. Ortiz, M. B., & Karapetrovic, S. (2022). Developing Internet of Things-related ISO 10001
Hand Hygiene Privacy Codes in healthcare. The TQM Journal, (ahead-of-print).

55. Pan, Y., & Zhang, L. (2021). Roles of artificial intelligence in construction engineering
and management: A critical review and future trends. Automation in Construction, 122,
103517.

56. Frederikus, P., Bunawan, S. G., Gaol, F. L., Matsuo, T., & Nugroho, A. (2022). Standard
Analysis of Document Control as Information According to ISO 27001 2013 in PT XYZ.
In Pervasive Computing and Social Networking (pp. 721-732). Springer, Singapore.
57. Proença, D., & Borbinha, J. (2018, July). Information security management systems-a
maturity model based on ISO/IEC 27001. In the International Conference on Business
Information Systems (pp. 102-114). Springer, Cham.

58. Ramírez, M., Rodríguez Ariza, L., & Gómez Miranda, M. E. (2022). The Disclosures of
Information on Cybersecurity in Listed Companies in Latin America—Proposal for a
Cybersecurity Disclosure Index. Sustainability, 14(3), 1390.

59. Reeves, A., Delfabbro, P., & Calic, D. (2021). Encouraging employee engagement with
cybersecurity: How to tackle cyber fatigue. SAGE Open, 11(1), 21582440211000049.
60. Renvall, A. (2018). Improving cybersecurity through ISO/IEC 27001 information security
standard in the context of SMEs.

61. Rodionova, Z., & Utepbergenov, I. (2020). The concept of adaptive information security
management in digital organizations based on the analysis and monitoring of business
processes. Economic and Social Development: Book of Proceedings, 409-415.

62. Roy, P. P. (2020, February). A High-Level Comparison between the NIST CyberSecurity
Framework and the ISO 27001 Information Security Standard. In 2020 National
Conference on Emerging Trends on Sustainable Technology and Engineering
Applications (NCETSTEA) (pp. 1-3). IEEE.

63. Sabillon, R. (2022). The Cybersecurity Awareness Training Model (CATRAM). In
Research Anthology on Advancements in Cybersecurity Education (pp. 501-520). IGI
Global.

64. Setyawan, E., & Sukmana, F. (2021). Penilaian Standar Mutu Pada Aplikasi Tiket
Bioskop dengan ISO 27001 dan Fishbone Analisis. JTIM: Jurnal Teknologi Informasi
Dan Multimedia, 2(4), 214-222.

65. Shahida, K. H. U., & Humayun, M. (2022). 10 Security Management System (SMS).
Information Security Handbook, 177.

66. Šikman, Lílja, Tihomir Latinović, and Darko Paspalj. "ISO 27001-Information Systems
Security, development, trends, technical and economic challenges." Annals of the
Faculty of Engineering Hunedoara 17.4 (2019): 45-48.
67. Siponen, M. 2006. Information security standards focus on the existence process.
https://www.researchgate.net/publication/220422725_Information_security_standards_fo
cus_on_the_existence_of_process_not_its_content

68. Soliman, W., & Mohammadnazar, H. (2022). New Insights into the Justifiability of
Organizational Information Security Policy Noncompliance: A Case Study. In
Proceedings of the Annual Hawaii International Conference on System Sciences.
University of Hawai'i at Manoa.

70. Sun, Z., Zhang, J., Yang, H., & Li, J. (2020, June). Research on the Effectiveness
Analysis of Information Security Controls. In 2020 IEEE 4th Information Technology,
Networking, Electronic and Automation Control Conference (ITNEC) (Vol. 1, pp.
894-897). IEEE.

71. Thomas, J., Harden, A. Methods for the thematic synthesis of qualitative research in
systematic reviews. BMC Med Res Methodol 8, 45 (2008).
https://doi.org/10.1186/1471-2288-8-45

72. Tissir, N., El Kafhali, S., & Aboutabit, N. (2021). Cybersecurity management in cloud
computing: Semantic literature review and conceptual framework proposal. Journal of
Reliable Intelligent Environments, 7(2), 69-84.

73. Tofan, D. (2011). Information Security Standards. Accessed 2022.
https://www.researchgate.net/publication/279679417_Information_Security_Standards

74. Velasco, J., Ullauri, R., Pilicita, L., Jácome, B., Saa, P., & Moscoso-Zea, O. (2018,
November). Benefits of implementing an ISMS according to the ISO 27001 standard in
the ecuadorian manufacturing industry. In 2018 International Conference on Information
Systems and Computer Science (INCISCOS) (pp. 294-300). IEEE.

75. Vicent, H. 2017. The importance of access control guidelines. Accessed
https://www.researchgate.net/publication/312288471_General_Methods_for_Access_Co
ntrol_Policy_Verification_Application_Paper
76. Viegas, V., & Kuyucu, O. (2022). Security Metrics. In IT Security Controls (pp. 221-244).
Apress, Berkeley, CA.

77. Wang, N., Christen, M., Hunt, M., & Biller-Andorno, N. (2022). Supporting value
sensitivity in the humanitarian use of drones through an ethics assessment framework.
International Review of the Red Cross, 1-32.

78. Wanyonyi, V. (2020). Information security Management toolkit for ISO/IEC 27001
standard, case of small-to-medium sized enterprises (SMEs) (Doctoral dissertation,
University of Nairobi).

79. Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security.
Cengage. https://books.google.fi/books?id=naB0AgAAQBAJ&hl=fi&source=gbs_navlinks_

80. Wong, L. H., Hurbean, L., Davison, R. M., Ou, C. X., & Muntean, M. (2022). Working
around inadequate information systems in the workplace: An empirical study in
Romania. International Journal of Information Management, 64, 102471.

81. Zaini, M. K., Masrek, M. N., & Sani, M. K. J. A. (2020). The impact of information security
management practices on organizational agility. Information & Computer Security.

82. Ključnikov, A., Mura, L., & Sklenár, D. (2019). Information security management in
SMEs: factors of success. Entrepreneurship and Sustainability Issues, 6(4), 2081.

83. Barlette, Y., & Fomin, V. V. (2008, January). Exploring the suitability of IS security
management standards for SMEs. In Proceedings of the 41st Annual Hawaii
International Conference on System Sciences (HICSS 2008) (pp. 308-308). IEEE.

84. Antunes, M., Maximiano, M., Gomes, R., & Pinto, D. (2021). Information Security and
Cybersecurity Management: A Case Study with SMEs in Portugal. Journal of
Cybersecurity and Privacy, 1(2), 219-238.

85. Ng, Z. X., Ahmad, A., & Maynard, S. B. (2013). Information security management:
Factors that influence security investments in SMES.

86. Valdevit, T., Mayer, N., & Barafort, B. (2009, September). Tailoring ISO/IEC 27001 for
SMEs: a guide to implement an information security management system in small
settings. In the European Conference on Software Process Improvement (pp. 201-212).
Springer, Berlin, Heidelberg.

87. Yildirim, E. Y., Akalp, G., Aytac, S., & Bayram, N. (2011). Factors influencing information
security management in small-and medium-sized enterprises: A case study from Turkey.
International Journal of Information Management, 31(4), 360-365.

88. Gordas, V. (2014). Implementing information security management systems in SMEs
and ensuring effectiveness in its governance. Egham: University of London.

89. Khan, M. I., Tanwar, S., & Rana, A. (2020, December). The Need for Information
Security Management for SMEs. In 2020 9th International Conference System Modeling
and Advancement in Research Trends (SMART) (pp. 328-332). IEEE.

90. Theodoros, & Polemi, D. (2011). Collaborative System Offering Security Management
Service for SMEs.
https://link.springer.com/chapter/10.1007/978-3-642-33448-1_30

91. Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security
management. Information & Management, 52(1), 123-134.

92. Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for
information security management. The Journal of Strategic Information Systems, 20(4),
373-384.

93. Gillies, A. (2011). Improving the quality of information security management systems with
ISO27000. The TQM Journal.

94. Tu, Z., & Yuan, Y. (2014). Critical success factors analysis on effective information
security management: A literature review.

95. Zammani, M., & Razali, R. (2016). An empirical study of information security
management success factors. Commitment, 5, 7.

Appendix 1: Interview questions to SMEs Owners and employees

1. We are aware of the challenges involved when it comes to understanding
information security management standards, how would you describe your SME
approach toward information security management?
2. From your experience, what are the major complications an SME faces during
the implementation of ISO 27001 standard?
3. Regarding the security of the organization, why do you think being ISO 27001
certified will ensure that when you bring your own connected devices at work you
do not pose risks?
4. In your daily work at the organization, what would you say motivates you to align
yourselves with the security policies?
5. If you are asked your opinion, what kind of strategy is useful when it comes to
raising employees' awareness about cyberattacks? How does your company
comply with it?
6. When it comes to adapting the ISO 27001 standard in the organization, what
impact do you think it brings to the enterprise?
7. Why do you think being ISO 27001 certified will ensure that when you bring your
own connected devices at work you do not pose risks?
8. Sometimes the cost and effort of a full ISO 27001 certification is considered
expensive by the majority of SMEs. How would you ensure that the benefits of
the certification outweigh its cost and effort?
9. Through your personal experience what have you learned about the challenges
that most businesses are facing while adapting ISO 27001?
10. Do you have any plans to create an information security or data protection policy
in the next two years?
11. How would you describe your ideal risk management process?
12. Which standard of business continuity management would you like to use in your
company?

Appendix 2: Interview Response
