Information security Management toolkit for ISO/IEC 27001 standard, case of small-to-medium sized enterprises (SMEs)

Abstract

Information security has become an important aspect in today’s business environment, where all operations are technology centered. Over the years lots of effort has been put to ensure that organizations manage information security in a standardized manner. There are several frameworks and standards such as COBIT, ITIL and ISO/IEC 27001 that have been proposed for this purpose. In this work the focus was on ISO/IEC 27001 which is an international standard that provides specification for an Information Security Management System (ISMS). The standard is designed to assist large and small enterprises to manage their information security processes in line with international best practice. Small and Medium-sized Enterprises (SMEs) usually find it difficult to comprehensively implement the prescriptive requirements of the standard. This study proposes a toolkit approach in helping SMEs implement the requirements of the standard. It proposes and develops an ISO/IEC 27001 information security toolkit as a prototype for guiding organizations in implementing information security controls. Apart from toolkit design and implementation, the study also assesses the toolkit and its usability. Results indicated that majority of SMEs would embrace the toolkit and that it can be of great importance in guiding them implement controls of the standard. Furthermore, the study found out that with further enhancement of the toolkit features, to incorporate all aspects of ISO 27001 standard, the toolkit can be used for both large enterprises and small enterprises in implementing the standard requirements.