Introduction of a Tool-Based Continuous Information Security Management System: An Exploratory Case Study

Abstract

Tighter regulatory demands and higher customer expectations regarding the protection of information force enterprises to systematically ensure confidentiality, integrity and availability of stored information and processing facilities. Information Security Management Systems (ISMSs) are used to address these challenges. Recent studies show that the majority of companies plans to establish at least basic information security management to prepare for future developments. Larger enterprises have already embraced ISMSs, whereas small and medium-sized enterprises (SMEs) are catching up and require support in defining, introducing and operating them. We developed ADAMANT, an SME-friendly tool that supports continuous information security management incorporating stakeholders of different domains. In this paper, we evaluated our approach to introduce an ISMS in SMEs using an introductory information security training. The evaluation shows that our tool improves critical information security management tasks. Furthermore, integrating ADAMANT in customized security trainings allows companies to directly use training results to implement an ISMS.