Information Security Standards: Adoption Drivers (Invited Paper)

What drives organisations to seek accreditation? The case of BS 7799-2:2002
  • Jean-Noel Ezingeard
  • David Birchall
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 193)


ISO/IEC 17799 is a standard governing Information Security Management. Formalised in the 1990s, it has not seen the take up of accreditations that could be expected from looking at accreditation figures for other standards such as the ISO 9000 series. This paper examines why this may be the case by investigating what has driven the accreditation under the standard in 18 UK companies, representing a fifth of companies accredited at the time of the research. An initial literature review suggests that adoption could be driven by external pressures, or simply an objective of improving operational performance and competitive performance. It points to the need to investigate the influence of Regulators and Legislators, Competitors, Trading Partners and Internal Stakeholders on the decision to seek accreditation.

An inductive analysis of the reasons behind adoption of accreditation and its subsequent benefits suggests that competitive advantage is the primary driver of adoption for many of the companies we interviewed. We also find that an important driver of adoption is that the standard enabled organisations to access best practice in Information Security Management thereby facilitating external relationships and communication with internal stakeholders. Contrary to the accepted orthodoxy and what could be expected from the literature, increased regulation and the need to comply with codes of practice are not seen as significant drivers for companies in our sample.

Key words

Information Security Adoption ISO/IEC 17799 ISO/IEC 27001 BS 7799 Best practice 


  1. Anderson, S. W., Daly, J. D. & Johnson, M. F. (1999) Why firms seek ISO 9000 certification: Regulatory compliance or competitive advantage. Production and Operations Management, 8(1), 28–43.CrossRefGoogle Scholar
  2. Angell, I. O. (1990) Systems Thinking about Information Systems and Strategies. Journal of Information Technology, 5(3), 168–74.CrossRefGoogle Scholar
  3. Armstrong, J., Rhys-Jones, M. & Rathmell, A. (2002) Corporate Governance & Information Assurance-What Every Director Must Know. Information Assurance Advisory Council, Cambridge-UK.Google Scholar
  4. Barnard, L. & von Solms, R. (1998) The evaluation and certification of information security against BS 7799. Information Management & Computer Security, 6(2), 72–77.Google Scholar
  5. Baskerville, R. & Siponen, M. (2002) An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6), 337–46.CrossRefGoogle Scholar
  6. Brooks, W. J., Warren, M. J. & Hutchinson, W. (2002) A security evaluation criteria. Logistics Information Management, 15(5/6), 377–84.CrossRefGoogle Scholar
  7. BSI (2002) BS 7799-2:2002 Information security management systems-Specification with guidance for use. British Standards Institution.Google Scholar
  8. BSI (2005) Frequently Asked Questions for BS 7799-2:2005, British Standards Institution. visited on 31/08/2005Google Scholar
  9. Ciborra, C. (2004) Digital Technologies and the Duality of Risk. Discussion Paper-Centre for Analysis of Risk and Regulation, London School of Economics, (27).Google Scholar
  10. Clemons, E. K. & Row, M. C. (1991) Sustaining IT advantage: The role of Structural Differences. MIS Quarterly, 15(3), 275–92.CrossRefGoogle Scholar
  11. Dehning, B. & Stratopoulos, T. (2003) Determinants of a sustainable competitive advantage due to an IT-enabled strategy. The Journal of Strategic Information Systems, 12(1), 7–28.CrossRefGoogle Scholar
  12. DTI (2004) Information Security Breaches Survey. Department of Trade and Industry / PriceWaterhouseCoopers, London.Google Scholar
  13. Feeny, D. F. & Ives, B. (1990) In Search of Sustainability: Reaping Long-term advantage from Investments in Information Technology. Journal of Management Information Systems, 7(1), 27–46.Google Scholar
  14. Fulford, H. & Doherty, N. F. (2003) The application of information security policies in large UK-based organizations: an exploratory investigation. Information Management and Computer Security, 11(3), 106–14.CrossRefGoogle Scholar
  15. Gossels, J. (2003) Making Sensible Investments in Security. Financial Executive, 19(9), 46.Google Scholar
  16. Griffiths, G. H. & Finlay, P. N. (2004) IS-enabled sustainable competitive advantage in financial services, retailing and manufacturing. Journal of Strategic Information Systems., 13,29–59.CrossRefGoogle Scholar
  17. Groves, S. (2003) The unlikely heroes of cyber security. Information Management Journal, 37(3), 34–40.MathSciNetGoogle Scholar
  18. Guler, I., Guillén, M. F. & Macpherson, J. M. (2002) Global Competition, Institutions, and the Diffusion of Organizational Practices: The International Spread of ISO 9000 Quality Certificates. Administrative Science Quarterly, 47, 207–32.CrossRefGoogle Scholar
  19. ISO (2000) ISO/IEC 17799:2000 Code of practice for information security management. ISO, Geneva.Google Scholar
  20. ISO (2003) The ISO Survey of ISO 9001:2000 and ISO 14001 Certificates. International Standards Organisation.Google Scholar
  21. Ives, B. & Learmonth, G. P. (1984) The Information System as a competitive weapon. Communications of the ACM, 27(12), 1193–201.CrossRefGoogle Scholar
  22. Kearvell-White, B. (1996) National (UK) Computer Security Survey 1996. Information Management & Computer Security, 4(3), 3–17.CrossRefGoogle Scholar
  23. Kenning, M. J. (2001) Security Management Standard-ISO 17799/BS 7799. BT Technology Journal; London, 19(3), 132.CrossRefGoogle Scholar
  24. Kotulic, A. G. & Clark, J. G. (2004) Why there aren’t more information security research studies. Information & Management, 41(5), 597–607.CrossRefGoogle Scholar
  25. Lee, A. S. (1999) Researching MIS. IN CURRIE, W. & GALLIERS, R. (Eds.) Rethinking management information systems: an interdisciplinary perspective. Oxford, Oxford University Press.Google Scholar
  26. Li, H., King, G., Ross, M. & Staples, G. (2000) BS7799: A Suitable Model for Information Security Management. Americas Conference on Information Systems.Google Scholar
  27. Mata, F. J., Fuerst, W. L. & Barney, J. B. (1995) Information technology and sustained competitive advantage: A resource-based analysis. MIS Quarterly, 19(4), 487–505.CrossRefGoogle Scholar
  28. McAdams, A. C. (2004) Security And Risk Management: A Fundamental Business Issue. Information Management Journal, 38(4), 36–44.Google Scholar
  29. Miles, M. B. & Huberman, A. M. (1994) Qualitative data analysis: an expanded sourcebook, Thousand Oaks, Calif; London, Sage.Google Scholar
  30. Pattinson, M. R. (2003) Compliance with an Information Security Management Standard: A New Approach. Ninth Americas Conference on Information Systems, Tampa.Google Scholar
  31. Renn, O. (1998) Three decades of risk research: accomplishments and new challenges. Journal of Risk Research, 1(1), 49–71.CrossRefGoogle Scholar
  32. Turnbull, N. (1999) Internal Control: Guidance for Directors on the Combined Code: The Turnbull Report. The Institute of Chartered Accountants in England & Wales, London.Google Scholar
  33. Velayudham, C, Shoemaker, D. & Drommi, A. (2004) A Standard Methodology for Embedding Security Functionality Within Formal Specifications of Requirements. Americas Conference on Information Systems, New York, August 2004.Google Scholar
  34. Venkatesh, V., Morris, M. G., Davis, G. B. & Davis, F. D. (2003) User acceptance of information technology: Toward a unified view. MIS Quarterly, 27(3), 425–78.Google Scholar
  35. von Solms, B. (2005) Information Security governance: COBIT or ISO 17799 or both? Computers & Security, 24, 99–104.CrossRefGoogle Scholar
  36. von Solms, B. & von Solms, R. (2001) Incremental Information Security Certification. Computers & Security, 20(4), 308–10.CrossRefGoogle Scholar
  37. von Solms, R. (1998) Information security management (3): the Code of Practice for Information Security Management (BS 7799). Information Management & Computer Security, 6(5), 224.CrossRefGoogle Scholar
  38. Waloff, I. (2002) Speech by at “7799 Goes Global” conference. (text available at, September 5Google Scholar
  39. Walsham, G. (1993) Interpreting information systems in organizations, Chichester, Wiley.Google Scholar

Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Jean-Noel Ezingeard
    • 1
  • David Birchall
    • 1
  1. 1.Henley Management College, GreenlandHenley-on-ThamesUK

Personalised recommendations