
An Investigation of ISO/IEC 27001 Adoption in South Africa (Master of Science dissertation, PDF)

Pages: 146
Release year: 2015
File size: 2.39 MB
Language: English

Preview

AN INVESTIGATION OF ISO/IEC 27001 ADOPTION IN SOUTH AFRICA

Submitted in partial fulfilment of the requirements for the degree of Master of Science at Rhodes University

By Christo Coetzer, January 2015

Abstract

The research objective of this study is to investigate the low adoption of the ISO/IEC 27001 standard in South African organisations. This study does not differentiate between the ISO/IEC 27001:2005 and ISO/IEC 27001:2013 versions, as the focus is on adoption of the ISO/IEC 27001 standard. A survey-based research design was selected as the data collection method. The research instruments used in this study include a web-based questionnaire and in-person interviews with the participants. Based on the findings of this research, the organisations that participated in this study have an understanding of the ISO/IEC 27001 standard; however, fewer than a quarter of these have fully adopted it. Furthermore, the main business objectives for organisations that have adopted the ISO/IEC 27001 standard were to ensure legal and regulatory compliance and to fulfil client requirements. An Information Security Management System management guide based on the ISO/IEC 27001 Plan-Do-Check-Act model is developed to help organisations interested in the standard move towards ISO/IEC 27001 compliance.

Keywords: ISO/IEC 27001; ISMS; information security; risk management; information security framework

Declaration

I, Christo Coetzer, hereby declare that:
- The work in this dissertation is my own work.
- All sources used or referred to have been identified and documented.
- This dissertation has not previously been submitted in full or partial fulfilment of the requirements for an equivalent or higher qualification at any other recognised educational institute.
- This dissertation has not previously been published.

C. Coetzer

ACM Computing Classification System

Thesis classification under the ACM Computing Classification System (2012 version, valid through 2014) [1]:
- General and reference: Document types
- Security and privacy: Formal methods and theory of security
- Security and privacy: Human and societal aspects of security and privacy

[1] http://www.acm.org/about/class/2012/

Acknowledgement

I would like to thank my supervisor, Dr Karen Bradshaw, who assisted me in the completion of this dissertation. Her knowledge, guidance, and support played a major role throughout this exercise. I also would like to thank the participants who committed time to participate in the research survey. I especially want to thank my wife and family members for their support and patience while I was busy with the completion of this dissertation. Without their support, I would not have been able to complete this task.

Table of Contents (page numbers refer to the dissertation PDF)

Chapter 1: Introduction (p. 13)
1.1 Context of the Study (p. 14)
1.2 Problem Statement (p. 15)
1.3 Methodology (p. 16)
1.4 Limitations of the Study (p. 16)
1.5 Assumptions (p. 16)
1.6 Significance (p. 17)
1.7 Summary (p. 17)
Chapter 2: Background Concepts (p. 19)
2.1 Corporate Governance (p. 19)
2.2 Information Technology Governance (p. 21)
2.3 Information Security Governance (p. 24)
2.4 Information Security Risk Assessment (p. 30)
2.5 Information Security Management: Compliance vs. Operation (p. 31)
2.6 Information Security Compliance and Frameworks (p. 34)
2.7 Summary (p. 36)
Chapter 3: Information Security Standard (p. 37)
3.1 History and Timeline of the ISO Information Security Standards (p. 37)
3.2 Overview of ISO/IEC 27001 (p. 39)
3.3 ISO/IEC 27001 ISMS Processes (p. 45)
3.3.1 ISMS Risk Management Process (p. 46)
3.3.2 ISMS Measurement, Monitor and Review Processes (p. 47)
3.3.3 ISMS Improvement Process (p. 48)
3.4 ISO/IEC 27001 ISMS Implementation (p. 48)
3.4.1 Senior Management Approval (p. 49)
3.4.2 ISMS Scope (p. 50)
3.4.3 ISMS Statement of Applicability (p. 51)
3.4.4 ISMS Documentation (p. 52)
3.5 Overview of ISO/IEC 27002 (p. 55)
3.6 Benefits of ISO/IEC 27001 (p. 57)
3.7 Challenges of ISO/IEC 27001 (p. 58)
3.8 Summary (p. 59)
Chapter 4: Research Methodology (p. 60)
4.1 Research Design (p. 60)
4.1.1 Web-based Questionnaire (p. 62)
4.1.2 Interviews (p. 63)
4.2 Research Methods (p. 63)
4.2.1 Research Instruments (p. 64)
4.2.1.1 Web-Based Questionnaires (p. 64)
4.2.1.2 In-person Interviews (p. 66)
4.2.2 Reliability and Validity (p. 66)
4.2.3 Data (p. 67)
4.2.4 Analysis (p. 68)
4.3 Limitations of the Method (p. 69)
4.4 Ethical Considerations (p. 70)
4.5 Summary (p. 71)
Chapter 5: Survey Findings and Analysis (p. 72)
5.1 Overview of the Survey and its Analysis (p. 72)
5.2 Demographic Data (p. 73)
5.3 Findings and Analysis of Perceived Usefulness (p. 74)
5.4 Findings and Analysis of Attitude towards Use (p. 75)
5.5 Findings and Analysis of Social Norms (p. 76)
5.5.1 Research Findings (p. 76)
5.5.2 Analysis (p. 77)
5.6 Findings and Analysis of Performance Expectancy (p. 79)
5.6.1 Research Findings (p. 79)
5.6.2 Analysis (p. 79)
5.7 Findings and Analysis of Information Security Governance (p. 80)
5.7.1 Research Findings (p. 80)
5.7.2 Analysis (p. 82)
5.8 Findings and Analysis of Information Security Risk Management (p. 85)
5.8.1 Research Findings (p. 85)
5.8.2 Analysis (p. 88)
5.9 Findings and Analysis of Organisation's View of ISO/IEC 27001 (p. 89)
5.9.1 Research Findings (p. 89)
5.9.2 Analysis (p. 91)
5.10 Findings and Analysis of ISO/IEC 27001 Adoption (p. 93)
5.10.1 Research Findings (p. 93)
5.10.2 Analysis (p. 100)
5.11 Summary (p. 106)
Chapter 6: Discussion of Survey Results (p. 107)
6.1 Perceived Usefulness (p. 107)
6.2 Attitude Toward Use (p. 107)
6.3 Social Norms (p. 107)
6.4 Performance Expectancy (p. 108)
6.5 Information Security Governance (p. 108)
6.6 Information Security Risk Management (p. 108)
6.7 Organisation's View of ISO/IEC 27001 (p. 109)
6.8 ISO/IEC 27001 Adoption (p. 109)
6.9 The Way Forward for Adoption of ISO/IEC 27001 in South Africa (p. 110)
6.9.1 Advantages of Compliance (p. 110)
6.9.2 Disadvantages of Not Being Compliant (p. 111)
6.9.3 Steps to Follow in Order to Become Compliant (p. 112)
6.10 Summary (p. 116)
Chapter 7: Conclusion and Future Work (p. 118)
7.1 Conclusion (p. 118)
7.2 Summary of Contributions (p. 120)
7.3 Suggestions for Further Research (p. 121)
References (p. 123)
Appendix A – Web-based Questionnaire (p. 131)
Appendix B – In-Person Questionnaire (p. 145)

List of Tables

Table 1: ISO/IEC 27001:2013 clauses (p. 41)
Table 2: Plan-Do-Check-Act model [Table 2 from (Saint-Germain 2005)] (p. 43)
Table 3: ISO/IEC 27001 objectives in organisations [Table 3 from (Saint-Germain 2005)] (p. 45)
Table 4: ISO 27001 implementation steps (p. 49)
Table 5: ISO/IEC 27001:2013 mandatory documents and records (p. 54)
Table 6: Demographic breakdown (p. 74)

List of Figures

Figure 1: IT in parallel with information security [Figure 1 in (Poore 2006)] (p. 26)
Figure 2: IT in agreement with information security [Figure 2 in (Poore 2006)] (p. 27)
Figure 3: Complex structure for information security governance [Figure 3 in (Poore 2006)] (p. 28)
Figure 4: ISO 27000 development timeline [Figure 4 from (ISECT 2014)] (p. 39)
Figure 5: ISO 27000 series related to ISMS [Figure from (ISO)] (p. 40)
Figure 6: ISO 27001 control areas [Figure 6 in (Saint-Germain 2005)] (p. 42)
Figure 7: ISMS cycle [Figure 7 from (ISO/IEC 27001 2005)] (p. 44)
Figure 8: ISMS documentation [Figure 8 in (Saint-Germain 2005)] (p. 53)
Figure 9: Global distribution of ISO/IEC 27001 in 2012 [Figure 9 from (ISO 2012)] (p. 57)
Figure 10: Elements that should be in place before establishing an ISMS (p. 76)
Figure 11: Responsible for adopting ISO/IEC 27001 in an organisation (p. 77)
Figure 12: Organisations with an information security policy (p. 82)
Figure 13: Organisation's risk register (p. 87)
Figure 14: Organisations' information security awareness plan (p. 88)
Figure 15: Management systems in place at each organisation (p. 90)
Figure 16: Industries ISO/IEC 27001 has been designed for as per responses (p. 91)
Figure 17: Adoption of ISO/IEC 27001 (p. 94)
Figure 18: ISMS scope document (p. 95)
Figure 19: Barriers to ensure information security (p. 97)
Figure 20: Challenges to adopt ISO/IEC 27001 (p. 98)
Figure 21: Timescale to implement ISO/IEC 27001 (p. 99)
Figure 22: Objectives for adopting ISO/IEC 27001 (p. 100)

Glossary

The following definitions of terms and abbreviations are used in this dissertation, and are related to the terms and definitions of the ISO/IEC 27001 standard (ISO/IEC 27001 2005):

Accreditation – Process by which an authorized organisation officially recognizes the authority of a certification body to evaluate, certify and register an organisation's ISMS with regard to published standards.
Adopt – Implementation of the ISO/IEC 27001 standard and registration for certification.
Align – Implementation of only portions of the ISO/IEC 27001 standard for internal organisational use.
Asset – Any tangible or intangible object that has value to the organisation.
Availability – To be accessible and usable upon demand.
BS – British Standard.
BSI – British Standards Institute.
Certification – The authoritative act of documenting compliance with agreed requirements.
COBIT – Control Objectives for Information and related Technology.
Compliance – An assessment to verify whether a system that has been implemented complies with a standard.
Confidential – Only accessible to authorised entities.
Control – A means of managing risk in the form of policies, procedures, or guidelines.
Information – Meaningful data.
Information security – Preservation of the confidentiality, integrity and availability of information (the information security triad).
