Ranking the barriers to implementing an Information Security Management System and investigating the readiness of exploration management

Document Type : Research Paper


1 Assistant Prof., Payame Noor University, Iran

2 Associate Prof., Department of Business Administration & MBA, Payame Noor University, PO Box 19395-3697 Tehran, Iran

3 MSc. Student, Information Technology Management, Payame Noor University, Tehran, Iran

4 Ph.D. Candidate, University of Tehran, Iran


Because information is an organizational asset, protecting it is key to the survival of any organization. An Information Security Management System (ISMS) defines the protection of information in terms of three properties: confidentiality, integrity and availability. Many failures in implementing an ISMS are rooted in organizational problems and in a lack of attention to the organization's state of readiness before implementation. The study used a descriptive design. Barriers to implementing an ISMS were ranked using the analytic hierarchy process (AHP), and the organization's readiness to implement an ISMS was measured by questionnaire. The results indicate that non-compliance of the organizational structure with ISMS requirements is the most important barrier, and that employees' fear of the difficulty of the new processes is the least important. In addition, the readiness of exploration management for ISMS implementation is below average.

