Information Security at ACT: Evaluation of ISO/IEC 27000

University essay from Lunds universitet/Produktionsekonomi

Abstract: Information and communications technology (ICT) is at the forefront of the current wave of technological development. This development of ICT has resulted in new information security related threats. It has therefore become a crucial need for organizations to protect their information and to manage their ICT security. To address this need for ICT security, a family of international standards called ISO/IEC 27000 is under development. The standards published to this date are ISO/IEC 27001:2005, a process approach for information security management, and ISO/IEC 17799:2005, a collection of practices for information security management. ISO/IEC 27001:2005 is the standard used for certifications.

The thesis is conducted for the Spanish company ACT Systems, which has core competencies in information management and ICT solutions. ACT Systems has received some indications that there is a growing demand amongst customers for improved ICT security, and the company believes that they may gain competitive advantage by having their ICT security certified. ISO/IEC 27000 is a relatively new standard addressing the issue of ICT security, and ACT Systems considers it an interesting alternative. They want to know if the processes and controls recommended by the standard can help them to improve their ICT security. If they do, a certification will be considered. If not, other measures have to be considered to improve the company's ICT security. For an implementation to generate benefits, it is also fundamental that the standard is in line with ACT Systems' technology strategy.

The purpose of this master thesis is to evaluate if ACT Systems is eligible to become certified with ISO/IEC 27001:2005, presupposed that there is a customer demand. The thesis focuses on three principal investigations. The first pillar is a comparison with best practice on an organizational level, represented by the theory of the Smart Organization presented by Matheson and Matheson (1998). Best practice on an organizational level is the processes that should be in use in the organization. The second pillar is a comparison with best practice on an ICT security specific level. The best practice is represented by the results from a benchmarking study made principally on the Swedish market. The third pillar is a comparison with ACT Systems' technology strategy, with the purpose to evaluate if this is supported by ISO/IEC 27000. The analysis of the technology strategy is based on theories presented by Dodgson (2000). The thesis also contains comprehensive summaries of the standards ISO/IEC 27001:2005 and ISO/IEC 17799:2005, as well as a shorter presentation of ACT Systems.

The conclusions are that ISO/IEC 27000 represents best practice both at an organizational and an ICT security specific level. It also supports ACT Systems' technology strategy. This means that ACT Systems' internal processes will be supported in the best possible way. On the other hand, ISO/IEC 27000 is sparsely mentioned in the current debate and is unlikely to give any sustainable competitive advantage. The most important recommendation for further studies is to conduct a customer analysis. This is the most important recommendation because everything ACT Systems does, it does for its customers. The main purpose of this study would be to determine the probability of ISO/IEC 27000 becoming a threshold capability.
