Analysis of ISO 27001 Compliance in Tonga Organisations Information Security
Moala, Siumafua I Telavivi
Information security is a critical issue today. According to Cisco (2019), increasingly popular services such as “e-commerce, mobile payments, cloud computing, Big Data and analytics, IoT, AI, machine learning, and social media” all increase cyber risks for users and businesses (p.16). Further compounding the seriousness of information security threats is the increasing number of exploitable vulnerabilities found in most systems today. According to Katos et al. (2019), 2377 exploitable vulnerabilities, or 8.65% of the total vulnerabilities identified in the study, were found in mobile communication systems in 2018 and the first half of 2019. Vulnerabilities are found in systems in all business sectors, including critical sectors such as energy, finance, and health. That is the challenge that many organisations face today: how to effectively protect their information assets given the information security threats they face. From the perspective of Tonga organisations, information security became critical after the launch of the submarine cable in 2013. The submarine cable brought unprecedented change to the risk profile of ICT services. It not only lowered the cost of ICT services dramatically but also facilitated the launch of 3G and 4G services in the country. While affordable ICT services mean that more people and organisations take advantage of them, the majority lack awareness of the information security threats that come with those technologies. Therefore, the majority are unprepared to protect their systems and the confidentiality, integrity and availability of their information.
Accordingly, this study aims to investigate the question “Is the holistic approach provided by ISO 27001 the best approach for Tonga organisations, given their unique organisational factors and threat environment, to establish effective information security?” In light of the findings of recent information security studies, this study theorises that implementing ISO 27001 is the best approach (compared to ad-hoc approaches) for Tonga organisations to improve their information security and to protect their information against known and unknown information security threats. The most direct method of answering the research question would be to compare the information security of organisations that have implemented ISO 27001 against those that have not. However, time limitations and the lack of organisations in Tonga that have implemented ISO 27001 prevented the researcher from taking that direct approach. Instead, the study theorises that the main research question can be answered by addressing a second question: “What are the impacts of implementing ISO 27001 on Tonga organisations’ information security management and information security?” Answering the first question by answering the second is viable because, according to the findings in chapter 4, Tonga organisations by default use ad-hoc approaches to information security that are run by their IT departments with a purely technological focus. Therefore, analysing the impacts of implementing ISO 27001 by default compares a holistic approach (ISO 27001) against ad-hoc approaches (Tonga organisations’ current information security) to determine the better method. Moreover, analysing the impacts of implementing ISO 27001 on Tonga organisations’ information security also includes analysing organisational factors, such as resource availability, and their effect on Tonga organisations’ ability to implement ISO 27001, thereby providing a comprehensive answer to the main study question.
Analysing the impacts of implementing ISO 27001 calls for a gap analysis of Tonga organisations’ information security against ISO 27001 requirements. The study provided ISO 27001:2013 and its Appendix controls to a group of experts for feedback. The IT security experts, from different organisations in Tonga, compared the documentation to the state of their organisations’ information security. The collected data were then quantitatively analysed using SPSS (version 27) to retrieve statistics about each organisation’s information security metrics. After the quantitative analysis, the data were coded and qualitatively analysed using NVivo (release 1.0). The qualitative analysis aimed to identify rich information security-related concepts that could provide context for the previously retrieved statistics. The gap analysis compared the outcomes of the quantitative and qualitative analyses against ISO 27001 requirements. The main focus is on how each approach (i.e. Tonga organisations’ ad-hoc approaches versus the ISO 27001 holistic approach) addresses the different dimensions and Critical Success Factors (CSFs) of information security in order to minimise risks to organisations’ information assets. Moreover, the study established 14 hypotheses, based on the research questions above and on findings from recent information security studies reviewed in chapter 2, to guide the gap analysis. The study uses the outcome of the gap analysis (the identified gaps) to test its hypotheses regarding the impacts of implementing ISO 27001 on Tonga organisations’ information security. Consequently, several findings emerged. Firstly, the study affirmed that implementing ISO 27001 will have significant positive impacts on the ability of Tonga organisations to address the dimensions and CSFs of information security. The study reaches that conclusion because it identified substantial gaps between Tonga organisations’ information security and ISO 27001 requirements.
This means that implementing ISO 27001 will have significant positive impacts on Tonga organisations’ ability to manage their information security effectively. Secondly, the study affirmed that implementing ISO 27001 will have significant positive impacts on the different characteristics of efficacious information security processes and on Tonga organisations’ ability to establish comprehensive information security. The study reaches that conclusion after surmising that, by implementing ISO 27001, Tonga organisations will be able to do things that their current ad-hoc approaches fail to do. These are:
1. Address the dimensions and CSFs of information security to minimise risks to the organisation’s information assets.
2. Establish a continually improved information security system that keeps up with changes to the organisation’s information assets and threat environment.
3. Align their information security processes with their business processes.
This study contributes to research knowledge by providing an overview of the findings of existing information security studies on information security and information security standards. Furthermore, it gives an overview of what information security looks like in organisations in small countries like Tonga. It also provides organisations with an overview of the benefits of implementing ISO 27001 for their information security. Specifically, employing systematic, holistic approaches, as provided by the ISO 27000 family of standards, is the best and most effectual way to address the ever-changing information security threats that organisations face today. Finally, this study demonstrated the use of both quantitative and qualitative analysis to perform a gap analysis of different organisations’ information security, which is a departure from the usual maturity-model-based studies.