ADOPTION OF THE INFORMATION SECURITY MANAGEMENT SYSTEM STANDARD ISO/IEC 27001: A STUDY AMONG GERMAN ORGANIZATIONS

Against the backdrop of numerous security breaches and cyber-attacks, organizations need to take measures to secure their data and information. However, the well-known management system standard ISO/IEC 27001 for information security has shown a lower adoption rate - in terms of annual ISO survey data - than was previously expected by scholars and practitioners. Through the lens of Rogers' diffusion of innovation theory, we consider the adoption of ISO/IEC 27001 as a 'preventive innovation' and aim to identify factors that help gain a better understanding of its adoption. Therefore, we conducted a survey among German organizations on the use and impact of management system standards, explicitly distinguishing between organizations that implement ISO/IEC 27001 and those that are additionally certified against this standard. This study provides insights and contributes to an advanced understanding of motives, impacts, barriers, and useful measures to increase adoption of ISO/IEC 27001. Our findings may be useful to organizations considering the adoption of this management system standard, to certification bodies providing certification services, and to policymakers seeking means to improve information security in organizations.