Implementing the ISO/IEC 17799 standard in practice - findings from small and medium sized software organisations

T. Wiander
Venue: 2007 5th International Conference on Standardization and Innovation in Information Technology
DOI: 10.1109/SIIT.2007.4629320 (https://doi.org/10.1109/SIIT.2007.4629320)
Publication date: 2007-10-01
Citations: 5

Abstract

The ISO/IEC 17799 standard is commonly viewed as a necessary element in information security management. However, there is no empirical evidence of the usefulness of the standard in practice. This paper analyses the implementation experiences of four organisations that have implemented the ISO/IEC 17799 standard. Through semi-structured interviews, the results of the study suggest that the implementation of the standard has increased the understanding of information security in all personnel groups and the understanding of security has broadened from the technical aspects to corporate security. As downsides of implementing the ISO/IEC 17799 standard, the difficulties in deploying the standard, and the readability of the standard were criticised. The standard was also criticised because it does not directly affect the quality of the end product or service; it only has an indirect effect owing to the improved information security practices.