Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland




The authors of this paper, a business practitioner and long-standing participator in the standardization work and an information security researcher, are concerned about the information security standards and their beneficial usage. Pros and cons of the general international standardization apply to the Information Security (IS) and Information Security Management (ISM) standardization, too.

The emphasis of the paper is on the standardization within the committee ISO/IEC JTC1/SC27 and on its management standardization. This standardization has dozens of different subject items under consideration that are not clearly consistent with each other. There is a need for coherent “family planning” within the work of the committee in order to avoid confusion and failures in using the standards. ISM standards also have complicated links with other management standards.

Principles, concepts and definitions are not considered consistently in the ISM standards. IS relates to the characteristics of products and ISM to the general management of organizations. ISM standards use the business management models of PDCA (Plan-Do-Check-Act) and process management, but this is done superficially. The standards do not make clear the relationships between ISM and Information Security Assurance (ISA).

A real crisis in the ISM standardization is that it has no solutions for modern business environments that emphasize speed, changes, agility, and complexity.

Radical changes and improvements in the international ISM standardization are not expected. This places requirements on the awareness, skills, creativity, and courage of organizations applying these standards. The authors will reveal problems from the standards user's point of view and present experienced solutions that could be applied for the needs of business management in any kind of organization.

IS and ISM standardization as a part of the comprehensive international standardization

Information Security (IS) and Information Security Management (ISM) standardization is a part of the general international standardization. Therefore, general concepts, principles, and aims as well as pros and cons of the standardization apply to this standardization, too.

The following general standardized definitions apply to the concepts of standardization and standard [1]:
- Standardization: An activity giving solutions for repetitive application, to problems essentially in the spheres of science, technology and economics, aimed at the achievement of the optimum degree of order in a given context. Generally, the activity consists of the processes of formulating, issuing and implementing standards.
- Standard: A technical specification or other document available to the public, drawn up with the cooperation and consensus or general approval of all interests affected by it, based on the consolidated results of science, technology and experience, aimed at the promotion of optimum community benefits and approved by a standardization body. 

There are international, regional, national, business branch and company standards. There are three standardization organizations for the general international standards: International Standardization Organization (ISO), International Electrotechnical Commission (IEC), and International Telecommunication Union (ITU). All these organizations have standardization also in the field of IS. General standards are voluntary but they may become obligatory in certain contexts through reference to the standards in contracts, regulations, etc.

Standards consider both product characteristics and managerial, operational or technical methodological issues, e.g. codes of practices, approaches, methods, procedures, etc. Both product-related and methodological issues are relevant also in the IS and ISM standardization.

All standardization aims to bring with it benefits to all kinds of organizations. Those benefits include:
- Improved performance and quality of products (goods and services)
- Decreased operational costs
- Facilitation of better communication between humans and organizations

Nevertheless, people are rather often not completely happy about the achievements in standardization. Typically this originates in misunderstandings of the standards and their nature with regard to purpose, contents, language and phraseology, application, and the binding nature of the standards.

However, there are also a lot of opportunities achievable by the use of standards. In order to be able to apply the standards in the most beneficial way we should understand the issue. Problems related to understanding and applying standards are often caused by the nature of standardization efforts and process.

The core feature of the standardization process is a consensus approach. Everyone involved in the activity has the possibility to voice his or her opinion, and all opinions should also be taken into account.

International standardization has its benefits:
- Broad acceptance and distribution of the texts
- Extensive expertise in preparing and commenting on the standards
- Global commitment and recognition
- No restrictions – at least in principle – for innovative implementation
and drawbacks:
- There are very uneven and unbalanced groups of volunteers participating actively in the standardization work, and the management of the work is weak: “The mob has many heads but no brains.”
- Only communally interesting issues are accepted to the final standard texts.
- Only trivial means to implement the standard clauses may be considered in the standards, or as is typical in requirements standards there is – and not should be – guidance for implementation.
- Handling of the issues in the standard text is superficial.
- Standardization process is very slow compared with typical industrial development activities.
- Standard publications and participating in standardization – long meetings all over the world – are expensive.

The most important consensus practices in the standardization include: (a) Someone’s proposal is accepted although not necessarily understood similarly by different people; (b) A text is edited together (or by opposites) in order to get consensus; (c) “Competing” alternatives are included in the standard although they may be contradictory and therefore confusing; and (d) Disputed issues are not mentioned at all in the standard. Users of standards should be aware of these facts. Possible problems caused by deficiencies in creating standards should be avoided when implementing them. Organizations must supplement the missing issues and rectify the inaccuracies and ambiguities.
It is hard to really understand the standards without participating in their preparation. Otto von Bismarck’s view “People who appreciate laws and sausages have never seen how they are produced” can also be extended to the international ISM standards.

International IS and ISM standards and standardization activities

The emphasis of this paper is on the standardization within the international standardization committee ISO/IEC JTC1/SC27 (IT security techniques) and particularly on its management standardization. ISO/IEC JTC 1 SC 27 is a subcommittee of the joint ISO/IEC technical committee ISO/IEC JTC 1 (Information technology). Its scope of work is the standardization of generic methods and techniques for information security and its management. This includes (figure 1) [2]:
- Identification of generic requirements for IT system security services
- Development of security techniques and mechanisms
- Development of security guidelines (e.g., interpretative documents, risk analysis)
- Development of management support documentation and standards (e.g., terminology and security evaluation criteria)
Figure 1. Working groups of the committee ISO/IEC JTC1/SC 27 [2]

The title of the committee does not reflect the whole area of the work in the committee. E.g. the ISM has in practice a much broader scope than IT security techniques.
Basic standards for ISM of the family include three standards:
- ISO/IEC 27000 Information security management systems - Overview and vocabulary [3]
- ISO/IEC 27001 Information security management systems requirements [4]
- ISO/IEC 27002 Code of practice for information security management [5]
These standards are the most recognized reference documents for a professional approach to ISM worldwide. These standards also emphasize business-integration of ISM. These three standards should be understood as a composite package. However, many users take them only as separate documents because the roles of the individual standards and the package as a whole are difficult to recognize.
In addition to the basic set of standards, there are many other standards in the family including [2]:
- ISO/IEC 27003 Information security management system implementation guidance
- ISO/IEC 27004 Information security management measurement
- ISO/IEC 27005 Information security risk management
- ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007 Information security management systems – Auditor guidelines
- ISO/IEC 27011 Information security management guidelines for telecommunications organizations.

The ISO/IEC 27000 family of standards is continually under consideration in the standardization committee, which is revising the existing standards and creating new ones, now at least until the standard ISO/IEC 27059. Current activities of the ISO/IEC JTC1/SC27 are divided into five working groups (WG) (figure 1).
All the working areas of the committee are practical topics to be applied in organizations. However, many texts are rather complicated or theoretical and not easily adoptable into organizational business cases. It is particularly difficult to recognize the entirety of the whole IS and ISM standardization.
As a whole, the committee ISO/IEC JTC1/SC27 today has dozens of different subject items under consideration. There is a serious need for “family planning” for the whole standards structure of the committee in order to avoid confusion and failures in the use of the standards. The user should clearly understand the whole set of the standards series and the position and role of its individual standards.

There are also other international standards not prepared by ISO/IEC JTC 1 SC 27 that are considered as parts of the ISM family of standards. One example is ISO 27799 Health informatics - Information security management in health using ISO/IEC 27002 [6].

OECD's guidance document [7] for the security of information systems and networks towards a culture of security is referred to in the standard ISO/IEC 27001, but the relationships of those two documents are not made clear in detail. The OECD document is a general guidance document and ISO/IEC 27001 is aimed at requirements.
There are lots of other "competing" international standards and de-facto standards considering information security. These have many identical or similar elements, but there is not necessarily consistency e.g. in terminology and structure of realization. E.g. information technology and service references that are related to information security aspects include ISO/IEC 20000 [8], ITIL [9], COBIT [10], Sarbanes-Oxley Act [11], Basel II [12], FISMA [13], HIPAA [14], GLBA [15], NIST [16], etc.
It should also be taken into account that ISM standards have complicated links with many other management standards issued by other standardization bodies. That is also important to know when applying both ISM and the other standards. ISM standardization cannot be isolated from these other management standards. Through liaison activities different standardization committees have tried to achieve compatibility, but this has not been very successful. E.g. ISO/IEC JTC 1 SC 27 has applied the same methodology that has been used in the well-known and much used ISO 9000 standard series [17] for the quality of management. However, the result is very questionable. In fact, there should be a much closer relationship between ISO/IEC 27000 and ISO 9000 standardization. Naturally, in organizational cases ISO 9000 should be applied in ISO/IEC 27000 applications because ISM should be understood as a part of good management, and ISO 9000 applications should also take into account IS issues.

IS and ISM standards and business benefits. Business-integrated ISM

The use of standards has been justified by achieved monetary benefits. At a national level, this general effect has been estimated to be as much as one percent of gross national product [18]. What might be the benefit of ISM standards?

IS is an issue of managerial interest to organizations because it is a significant, and in many cases even crucial, issue from the point of view of business success. In this sense ISM is fully analogous to many other highly specialized key areas for managing organizations to competitive business performance and success. These areas include management of finance, human resources, quality of products, innovation, environmental protection, social responsibility, business ethics, etc. In all these areas it is useful for organizations to use established and recognized management approaches and practices. Therefore, recognized standards prepared by various standardization bodies are also available for all these areas. Organizations must work simultaneously with all these significant issues.
IS particularly relates to many characteristics of products (goods and services) of all organizations and ISM to the general management of organizations and their business processes. The product aspects are considered very weakly in the existing IS and ISM standards.

A fundamental prerequisite for a business-integrated ISM approach [19, 20] is to embed all ISM related activities seamlessly within normal business management activities. Business-separated ISM approach, e.g. creating a particular information security management system (ISMS), is artificial or even harmful from the business point of view. There is an inconsistency in the existing standards. Business integration is emphasized but at the same time an ISMS approach is required. A practical solution in applying the standards could be that ISMS is not understood as any distinct system but as a concept for a systematic approach (“systematicity”) realized by business-integration.

All recognized references and a lot of published professional literature references for ISM emphasize the importance of senior executives' commitment to ISM. Similar general managerial principles and methodology are used in all specialized management areas, and ISM is no exception. The challenge is that all these aspects should be handled by business leaders simultaneously and coherently. A comprehensive business-integrated approach is needed for the ISM. E.g. ISM benefits should be considered within the overall business performance as a composite of [21]:
- Operational effectiveness and efficiency, including product and business process characteristics
- Customer-related performance
- Financial and market position related performance

ISM standards should also strive for these benefits, although this is not now easy to recognize explicitly. It is not enough only to fulfill some standards, minimum requirements, or average performance levels. IS and ISM realizations in organizations should also aim at quality and excellence according to the current and case-by-case organizational business situation and needs. ISM in practice should not only be reactive, including control, preservation, conservation or protection activities, but should be directed towards proactive ISM solutions. The proactive approach is a necessity for business competitiveness and success. The existing ISM standards consider almost only control and protection themes.
Standards do not make clear linkages between ISM for organizations’ internal management needs and information security assurance (ISA) that aims to create and strengthen confidence among an organization’s external stakeholders. ISA is chiefly a communication issue. Standards should be applied creatively in both domains of ISM and ISA. For this, the standards ISO/IEC 27001 and ISO/IEC 27002 have the most essential role. Now their relative positions are not clear. One possibility is to apply the same approach as in the ISO 9000 standards series [17] with the standards ISO 9001 and ISO 9004, as described in figure 2. ISO/IEC 27002 should never be understood as guidance for ISO/IEC 27001 clauses.

Figure 2. Justified positioning of the standards ISO/IEC 27001 and ISO/IEC 27002. ISM is defined by ISO/IEC 27002 and ISA by ISO/IEC 27001. ISO/IEC 27001 is a part of ISO/IEC 27002. ISA should be adjusted according to the specific business case and its requirements. Both are based consistently on guiding ISM principles.

There are studies and observations [22] from small and big companies, governmental offices and universities that demonstrate that most people - including business leaders - in organizations are quite familiar with the fundamental and basic principles of the IS, recognize their importance and even may be motivated. That is obviously due to a lot of general and organization-dedicated information security information and education for increasing awareness and skills of IS. However, senior executives in those organizations:
- Are not really interested in IS in their own management practice and don't understand or recognize their managing role for IS.
- Have only a superficial understanding of IS and ISM.
- Lack the necessary skills for managing their organization with regard to IS.
- Easily delegate their responsible duties to external consultants or even outsource the whole issue.

There are many reasons why business leaders are not adequately involved, committed, and effectively contributing to IS:
- Basic professional IS concepts are difficult, complicated and strange to practical business people.
- Organizational overall IS performance depends on many detailed aspects in a complicated way.
- ISM requires specific knowledge and skills. The organizational IS is a fuzzy concept. One should have consistent methodologies to evaluate its current status, to project targets for the future performance, and to improve continually the performance.
- Standards and guidance materials for ISM are complicated and confusing, and difficult to realize and apply consistently within normal business management practices. Extensive and multifaceted general management literature, and management education, e.g. MBA programmes, don't clarify IS as a management issue and don't explicitly promote the issue.
- IS is a multidisciplinary issue and difficult to cope with simple managerial practices. E.g. it is very difficult to get effective links between business-managerial and technical solutions of the IS.
- Communication between business leaders and IS (and other related) experts is ineffective and uncreative in general and within organizations.
- Business leaders are very busy, subjective, authoritative, and holistic generalists and very different from IS experts.
- External third party audits and certifications undermine business leaders' active responsibility.
- Business information is greatly based on tacit (implicit) knowledge, and management of the security of tacit knowledge is a sophisticated issue.

It is necessary that the ISM standardization would respond seriously to these challenges. Now the situation is not satisfactory in standards.

Guiding ISM principles, concepts, terms, and definitions

Guiding ISM principles or as sometimes expressed core ISM values and concepts [17, 21] are the foundation for a decisive ISM realization and standardization. They are beliefs and behaviors of business-integrated ISM found in high-performing organizations for integrating IS performance and operational requirements within a results-oriented business. There are not any clear guiding ISM principles defined for the ISO/IEC 27000 standardization as e.g. there are quality management principles (QMP) in the case of ISO 9000 standards.
OECD has defined nine complementary principles [7] for information security management and culture. ISO/IEC 27001 refers to these principles as follows: “The adoption of the PDCA (Plan-Do-Check-Act) model will also reflect the principles as set out in the OECD guidelines governing the security of information systems and networks.” However, this is not valid for the whole ISO/IEC 27000 standards family, and in any case the OECD principles do not cover the whole scope of the ISO/IEC 27000 standards. In addition, the whole referred sentence is absurd because in fact the correlation between the PDCA model and the OECD principles is at least unclear.
Without a consistent foundation of guiding principles the different standards of the ISO/IEC 27000 family have very obviously developed on the basis of individual, spontaneous and inconsistent initiatives. 
Basic concepts, terms and definitions are not considered consistently or logically in the ISM standards. In fact, the most central concept IS has not been defined properly. It is only an open list of issues: “Preservation of confidentiality, integrity and availability of information, and … other properties can also be involved” [3]. Additionally the definition is reactive, not covering proactive aspects that are most significant for the business needs. The definition should be consistent with the concepts of information, knowledge and security, too.
Basic dimensions characterizing IS in its standard “definition”, integrity, availability and confidentiality, are very difficult concepts to understand by business people. Even among IS experts there are different opinions about these concepts. The issue becomes more conflicting when the terms are translated into different languages.
There is no systematic concept analysis in the ISM standards. Concepts are not independent of one another, and an analysis of the relationships between concepts within the field of IS and ISM and the arrangement of them into concept systems is a prerequisite of a coherent vocabulary. Such an analysis should be an essential part of the standardization. According to the normal practice in the terminology work, e.g. as used in the standard ISO 9000, the relationships between concepts are based on the hierarchical formation of the characteristics of a species so that the most economical description of a concept is formed by naming its species and describing the characteristics that distinguish it from its parent or sibling concepts [17].
Sometimes a so called CIAPIAA model is used in order to describe the entirety of the IS concept domain considered e.g. in the ISO/IEC standards. This covers confidentiality, integrity, availability, privacy, identity, authority and authenticity. However, again this is only a list of concepts and does not make clear the relationships of the concepts. There is no logical justification for this model.
Privacy is a very central and significant concept in the IS and ISM standards. Its role is, however, vague in the standards. Nevertheless, privacy may be seen as a core issue of all other IS concepts. IS is always related to some object and facts which characterize and determine that object. It makes no sense to consider IS without any object. Information identifying an object is the basis for the IS. Privacy means that this information genuinely represents the object, is free from being disturbed by others, and may be used appropriately. Privacy may be considered as the core concept in all IS considerations and as the “archetype” [23] of the whole IS discipline.
IS and its dimensions are not NO/YES quantities but characteristics describing continuous IS phenomena that additionally have a stochastic nature. These aspects are not clarified in the IS standards definitions.
Interestingly, the very key concept ISM has not been defined at all in the ISM standards. Of course, one may try to understand the concept by following the definitions of other similar concepts, e.g. quality management [17] and risk management [3]. From that basis ISM may be defined as “coordinated activities to direct and control an organization with regard to IS”. It should be noted that this definition really emphasizes an integrated approach for the ISM. ISM does not mean management of IS but management of an organization (i.e. business management).
The information security management system (ISMS), as it is considered in the standard texts, is treated as if it were a separate system for managing IS. That is contrary to the above-mentioned definition of ISM, and, in fact, it seems to be very artificial and impossible in practice from the business-integration point of view. In fact, it means disintegration.
The definition of information security assurance (ISA) and its relationship with ISM are also unclear in the standards. Again, the example of quality management and quality assurance of the ISO 9000 standard may also be applied to the IS terminology.
ISO/IEC JTC1/SC27 has also started to consider the concept of governance [2]. This is causing a very big confusion among standards users because the relationships among the following key managerial concepts have not been made clear: (organizational) business management, corporate governance, IT governance (ITG), ISM, IS governance (ISG), and ISA. Also many other documents for IS guidance use these concepts. In any case, business leaders should be able to deal with these concepts consistently and effectively in practice.

Managerial models for the business-integrated ISM

ISM standards strive to use the fundamental business management models of PDCA (Plan-Do-Check-Act) and process management, but this is done very superficially, in a way that does not effectively support established business practices [24]. These models are very basic elements in the ISM standardization. These models offer multifarious possibilities for business-integrated ISM.

PDCA model for ISM integration

A well-known general model for all areas of management, including information security, is the so-called PDCA model or Deming / Shewhart cycle. This model became popular from the USA, especially through Deming's lectures on managerial quality during several decades (from the 1950s to the 1990s) [25]. However, the model was originally created by Shewhart [26]. Shiba has made remarkable work by combining the original PDCA model with the ideas of managing knowledge [27] and of Buddhist philosophy [28]. Juran's so-called Trilogy Model [29] also contains the same elements as the PDCA model. The PDCA model also has linkages with traditional systems theory and systems dynamics. The PDCA model has a great variety of different applications, possibilities, and uses in the different areas of business management. The PDCA model is a basis of the standard ISO/IEC 27001 [4].

PDCA model (figure 3) [24] describes how a consistent management consists of four consecutive activities:
- P: Planning business activities what should be done and what results should be achieved
- D: Doing business obligations according to the plans
- C: Checking what was done and what results achieved
- A: Acting rationally for taking into account the observations and results of the checking

Figure 3. PDCA model for management

In organizational environments the PDCA model is applied in three different management scopes (“Triple” PDCA model):
- Control: Managing daily operations in business processes in order to achieve the specified results. Normally rectifying nonconformities is carried out in connection with control.
- Prevention and operational improvements: Solving acute problems, preventing nonconformities, and finding / implementing operational step by step improvements in business processes
- Breakthrough improvements: Innovating and implementing strategically significant changes in the way of doing business, transforming organizations’ business processes

Top business leaders are responsible for the breakthrough improvements. Control, prevention, and small step improvement should be carried out under the responsibility of operational managers, experts and operators.
For ensuring IS, an organization should carry out a lot of different IS specific measures in planning, doing, and checking business activities / results, and reacting to the situation. The organization should carry out correcting, preventing, and continual improving actions, and more comprehensive reengineering of business processes as necessary. From the ISO/IEC 27000 standards one may find a lot of information on detailed methodology for the managerial tasks of IS. The PDCA model gives possibilities to link those tasks to the business management at strategic and operational business levels.
Although the standard ISO/IEC 27001 explicitly refers to the PDCA model, the model is applied in the standard rather unsystematically, inexplicitly, and poorly for the purposes of ISM. The PDCA model is not referred to in the other standards of the ISO/IEC 27000 family of standards.

ISM through business process management

All business results - including IS - are achieved through managing business processes and projects [24]. Basic (or core or key - different terms are used in different organizations) business processes imply continuously running interlinked business activities, and projects are singular processes for unique business tasks. Both strategic and operational management levels are involved in the process approach, the strategic one focusing on managing the network of inter-linked business processes (i.e. the whole business system) and the operational one on managing single processes and projects.
Processes always pertain to all kinds of daily doings or activities within any organization. In fact, the process concept originally just denotes any kind of activity or operation. Structural questions of business processes have become an interesting management issue in order to increase the effectiveness and efficiency of business operations. In some cases, however, there has been a danger that structural aspects, e.g. specialized management systems (like ISMS) and formal process diagrams, were harmfully overemphasized in process management.

Due to its business significance, process management is a comprehensive business management issue. Today, however, truly effective and efficient process management implies a radical change to the established management thinking and structures in many organizations. This should be taken into account in ISM realizations, too.
In integrating IS practices, it is extremely important to understand IS issues in the context of business processes. This is because, in practice (operationally), IS originates from processes. That is based on the fact that all process-activities are nowadays very strongly information-intensive, and information flows between these activities and between different performers and even between distant operational locations. Thus, IS is affected directly in real time through process arrangements, tools, technical systems, and people in practical work and how these are managed by appropriate and systematic practices.
The process approach [24] was already used in ancient plant and construction activities. The concept is often referred to in cases of natural development. Through industrialization, processes became an everyday concept in the so-called process industry. Since the 1980s the process approach has been used for computers' internal activities according to the structured analysis and design technique (SADT) and later in connection with service oriented architectures (SOA). However, on a large scale the business process approach has been used comprehensively for the benefit of business management for less than twenty years, and during that time a lot of practical means have been developed for that purpose. In these approaches, learning from system theory and system dynamics was especially used. The process concept was introduced to the quality management standards ISO 9000 in the 1990s, and only in very recent years did the methodology come to the ISM standards from the ISO 9000 standards.
Process management implies how strategic and operational business objectives are realized through business processes by using the PDCA (Plan - Do - Check - Act) principle [24]. The operations are managed by feedback through measurements. There are in fact three PDCA loops (see figure 4) for comprehensive process management:
a) the loop (red) of control and corrective actions
b) the loop (green) of prevention
c) the loop (brown) of real improvements through innovative re-designing and re-engineering of process(es).

Figure 4. PDCA loops in business process management

Both the whole process network (the business system) and individual business processes are managed according to this systematic model. Management of the comprehensive process network includes the normal responsibilities of business management, e.g. using business plans, action plans, business performance assessments, and regular business audits and reviews. It is essential that the business system is understood here especially as a network of business processes and not only as functional units (organizational "silos"). The scope of managing individual processes consists of process planning, control of the operation, performance improvement, and quality assurance. The bases for process management are the process plan, process performance assessment, and the monitoring of process performance indicators. IS aspects should be included in these activities if an organization really considers them significant from the business point of view.
In order to take IS issues into account, one should understand which phenomena within single business processes and between different processes are critical from the IS point of view. Technical information systems are parts of the operational business processes. On this basis one may be able to define suitable performance indicators and set quantitative target values for IS according to the relevant needs and expectations. A key management issue is to monitor these indicators in real time and to initiate, as needed, the necessary measures for control, correction, prevention, or improvement of performance according to the PDCA model. The ISM standards offer general guidance for defining the ISM means to be applied within business processes.
IS performance, too, should be considered from both the strategic and the operational point of view. Strategic performance management of processes consists of an organization's vision- and strategy-based measures and evaluations of the overall process performance. Operational process performance measures for daily management focus on diagnostics and analysis for corrective and preventive actions.
Process performance in general, and the IS performance of processes as well, is a fuzzy concept. It is always a matter of degree. Process performance evaluation consists of strategic assessment of the whole business performance (process network) and operational assessment of individual processes [20]. Assessment results are useful both for company-internal process improvement and for ISA. ISA includes all those measures through which an organization demonstrates to its stakeholders that it is capable of effectively fulfilling all agreed requirements.

Business realities and environments

A real crisis in ISM standardization today is that it is not creating innovative solutions for modern business environments, which distinctly emphasize speed, changes, agility, complexity, diversity, immateriality, and variety. All these aspects are big challenges in ISM, too.
The ISO/IEC 27000 standards family evolved over the years from national standards (in particular BS7799 [30]) and de facto standards (in particular the British DTI/BSI PD0003 [31]). The basic standards of the family are currently being revised. This work is still strongly based on the existing principles, standard structures and contents.
Evolutionary development is development through small steps. No significant innovative contributions have been implemented, nor are any expected, in these standards or in their structures or contents. This has led to a serious crisis in international ISM standardization, since the standards will not be able to keep pace with the real-world development of organizations and their operating environments.
IS is born in practice in an organization's business processes through their activities [19]. Today, organizations and their business processes are, in accordance with Stacey [32], complex responsive processes of relating. This means that all processes operate in networks with many other processes or activities. Some of those processes may also be in entirely different organizations and thus may not, even in principle, be under common operational or strategic business management. Organizations have tried to resolve the situation with different types of contracts and management systems, but the possibilities are very limited. Further complications arise from the complex nature of process operations, which results, inter alia, from their being singular or unique at least in their details. In addition, process activities are always carried out by a wide range of people whose actions are virtually impossible to control by detailed instructions.

Stacey examines management of the complex responsive processes of relating and their activities through identifying management decisions on two dimensions: the degree of certainty and the level of agreement (figure 5). The organization's business processes are functionally multifaceted and all aspects of the Stacey Matrix [33] come up in all processes in all organizations.

Figure 5. Organizations’ process management in accordance with the Stacey Matrix. Effects and effectiveness of the agreements depend on the nature of the process and its activities. Certainty is associated with predictability, strength of cause-effect relationships, and uniqueness and arbitrariness of the process activities.

Rational control is typically based on managerial structures, which are also the basis of the current ISM standards, and should be effective and efficient in only a small part of real process activities. Rational control is carried out by various management systems and documented procedures. Operational control is a fact-based activity. Too tight rational control does not respect situational solutions, or even the use of "common sense".

Political decision-making and control highlight various alliances, negotiations and compromises, which are very typical of organizations’ business management. Instead of rationality, management is often based on the power position of leading people, on intuitions, and on hindsight or explanations afterwards.
Rational risk-based decision-making is often related to different kinds of experiments. This is the traditional area of structured and continuous development. In this case the future is built on traditional models and a rational knowledge base. Issues are generally agreed, although there is no clear certainty about the achievement of results.
The complexity area is very important for the success of organizations. Creativity and innovation originate in this area, and the transition to new forms of activity is made possible. Operation in complex situations cannot be led only by rational, fact-based control. According to Ashby [34], successful operation in complex circumstances requires acceptance of differences and diversity (“Requisite variety”). The organization can benefit from such effects particularly through a wide range of external networks.

Chaotic phenomena are burdensome for management in many organizations, because they cannot be managed by traditional means or even completely avoided. In modern business process networks we are always accompanied by agents and operators of which we are not even exactly aware. Individuals’ awareness as well as management flexibility and speed are useful in these difficult situations.
For sound development, a new culture in organizational ISM and in the corresponding standardization should be recognized by accepting the existing realities according to the Stacey Matrix, and new principles and operational and organizational procedures should be developed on this basis. The corresponding standardization should adapt itself to this development by creating appropriate new solutions for all areas of the Stacey Matrix. These should also be taken into account in the practical application of the standards in organizations.

Complexity may be seen as an opportunity. Complexity was recognized with the so-called Millennium bug cases. It became abundantly clear that large-scale information systems could not be updated by computer programs, nor was there sufficient human capacity for this task. It was one of the most extensive tasks ever carried out by mankind. It was solved by hard work, or perhaps the systems were already so robust that the case did not reveal any serious problems. Today, very complex global challenges include climate change and the environmental protection problem, modern terrorism, and the economic crisis, all of which are also difficult information security cases.

Toffler [35] stated that whenever the situation seems to be the hardest and easy solutions are not seen, it is possible to enter a new, more sophisticated level of performance. In the phases of mankind we can observe long periods of steady development that are not associated with great leaps in development. Toffler said about exceptionally difficult circumstances: "This is the era of despair - this is a time of opportunity." Sorokin [36], too, affirmed in his time that in spite of all the inherent cruelty and turmoil of the time, we are moving towards a better world. In his view, the current culture already contains, from its beginning, a toxic virus. The current crisis is due to this secret virus and its continuous evolution. A radical change and transformation in our operational attitudes and habits should be achieved in this situation of overly matured “systematicity” and rationality. This would require replacing the existing modes of operation with a better culture and expertise.

In complex business situations, including information security questions, one could, according to Naidoo [37], turn to interactive principles and methodology by identifying the affected stakeholders and understanding the nature of the interactions and communication between them.
It is necessary that the development and expertise of ISM move from the past reactive, systems-based culture and activities to new innovative formats that effectively and efficiently take into account the needs and expectations of the modern business environment. Of course, this should be reflected in the standardization work, too.
It is not expected that very significant improvements or major operational changes in international standardization could take place in the next few years. Therefore, individual organizations applying the standards should highlight the responsibility of their own business leaders and experts in order to achieve the benefits. This requires of them greater awareness and knowledge, as well as innovation and the courage to create useful solutions for applying the standards. Fortunately, there is nothing in the standards to prevent this; they even invite it.

Organizational positioning to the IS and ISM standardization

Two worlds meet in international standardization: the world of standardization, based on the consensus principle, and the world of applying standards in an organization, based on innovation (figure 6).

Figure 6. Two worlds in international standardization: the world of standardization and the world of applying standards in organizations.

The consensus text of a standard represents mediocrity, but its wisdom lies in the fact that it draws one’s attention to certain important issues. Implementation of those issues may then be innovative according to the real business requirements. This applies especially to understanding the central principles of the subject matter, and to using effective and efficient tools and infrastructure for implementation.

Not all issues are visible in the consensus text. Those that are should be understood as advisory guidelines for the organization-specific application of the issues in question. The reality of an organization’s business calls for solutions for the superior implementation of the issues brought to light by the standard. That means innovations for implementation. In fact, it is useful for organizational applications to understand ISM standards as platforms for innovations (“A Trampoline Strategy”, figure 7).
Figure 7. A trampoline strategy for creating out-of-box solutions for the ISM


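The ISO/IEC 27000 ISM standards have the same pros and cons as international standardization in general. Users should be aware of the general principles and practices of the standardization processes in order to be able to understand and apply standards properly. In addition to the ISO/IEC 27000 standards there are many other international standards and de facto standards considering ISM. Although they are not necessarily consistent or easily compatible with each other, they may be useful and sometimes even obligatory for organizations developing their ISM approaches and practices. ISM standards also have complicated links with many other management standards issued by other standardization bodies. Application of the ISM standards cannot be isolated from the use of these other management standards. At the organizational level all these standards should be applied simultaneously. Linkages with quality management standardization are especially significant. In order to manage the situation in practice, an organization should have a strategically clear and sound business management system to integrate the necessary ISM aspects with business management activities in accordance with the needs and expectations assigned to the organization. Distinct solutions for ISM are abnormal, ineffective, and finally frustrating.

Each organization should make clear, for its own business needs, the guiding ISM principles, concepts, terms and definitions that are used in the organization, because these are not consistently presented in the general standards.

ISM standards and their application should create real business benefits in organizations and promote beneficial development in societies at large. It is not enough only to fulfill some standards, minimum requirements or average performance levels.

Business integration of ISM is realized through practical managerial tools. PDCA and process management models are the basic elements in the ISM standards and their application. These models effectively support normal business management practices. Therefore they are also excellent platforms for the development of ISM activities. Business leaders and security professionals should be familiar with the foundations and practical approaches of these managerial methodologies.

There may be significant inadequacies, inconsistencies and other problems in general international standardization and standards, mainly due to the normal standardization processes. Individual organizations applying the general standards should highlight the responsibility of their own business leaders and experts in order to achieve the benefits. Continuously increasing awareness and knowledge, innovations, and courage are required to create and implement useful, organization-dedicated solutions when applying the standards in real business environments. There should also be effective cooperation between business leaders and IS experts. Proactive recognition of standards may be promoted by active participation in standards preparation and commenting.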

Each organization should make clear for its own business needs the guiding ISM principles, concepts, terms and definitions that are used in the organization because these are not consistently presented in the general standards.

ISM standards and their application should create real business benefits in organizations and promote beneficial development in societies at large. It is not enough only to fulfill some standards, minimum requirements or average performance levels.

Business-integration of the ISM is realized through practical managerial tools. PDCA and process management models are the basic elements in the ISM standards and their application. These models support effectively normal business management practices. Therefore they are excellent platforms also for the development of ISM activities. Business leaders and security professionals should be familiar of the foundations and practical approaches of these managerial methodologies.

There may be significant inadequacies, inconsistencies and other problems in the general international standardization and standards mainly due to the normal standardization processes. Individual organizations applying the general standards should highlight their own responsibility of business leaders and experts in order to achieve the benefits. A continuously increasing awareness and knowledge, innovations, and courage would have required to create and implement useful and organization-dedicated solutions when applying the standards in real business environments. There should also be an effective cooperation of business leaders and IS experts. A proactive standards recognition may be promoted by active participation in standards preparation and commenting.


  1. ISO, ISO Guide 2 – Standardization and related activities - General vocabulary, Geneve: ISO, 2004
  2. ISO/IEC JTC 1/SC27, “Working documents”, Geneve: ISO/IEC, 2009
  3. ISO/IEC, ISO/IEC 27000 - Information technology — Security techniques — Information security management systems — Overview and vocabulary, Geneve: ISO/IEC, 2009
  4. ISO/IEC, ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements, Geneve: ISO/IEC, 2005
  5. ISO/IEC, ISO/IEC 27002 - Information technology - Security techniques - Code of practice for information security management, Geneve: ISO/IEC, 2005
  6. ISO, ISO 27799 - Health informatics - Information security management in health using ISO/IEC 27002, Geneve: ISO, 2008
  7. OECD, Guidelines for the security of information systems and networks - Towards a culture of security, Paris: OECD, 2002
  8. ISO/IEC, ISO/IEC 20000 - Information technology - Service management - Part 1: Specification, Geneve: ISO/IEC, 2005
  9. The Office of Government Commerce (OGC), ITIL, Norwich, UK: TSO, 2009
  10. ISACA, Cobit - Guidelines and procedures for auditing and control professionals, Rolling Meadows, IL: ISACA, 2009
  11. U.S. Government, Sarbanes-Oxley Act - The Public Company Accounting Reform and Investor Protection Act, Washington: U.S. Government Printing Office, 2002
  12. Basel Committee on Banking Supervision, Basel II - Identity and access management, Basel, Switzerland: The Bank for International Settlements, 2004
  13. U.S. Government,  The Federal Information Security Management Act of 2002 (FISMA), Washington: U.S. Government Printing Office, 2002
  14. U.S. Government,  The Health Insurance Portability and Accountability Act (HIPAA), Washington: U.S. Government Printing Office, 1996
  15. U.S. Government,  The Gramm-Leach-Bliley Act (GLBA) - The Financial Services Modernization Act, Washington: U.S. Government Printing Office, 1999
  16. NIST, Information security documents, Gaithersburg, MD: NIST, 2009
  17. ISO, ISO 9000 - Quality management systems – Fundamentals and vocabulary, Geneve: ISO, 2005
  18. SFS, “Standardization information”, Helsinki: SFS, 2009
  19. J. Anttila, J. Kajava, R. Varonen, and G. Quirchmayr, “Business Integrated Information Security Management”, In J. Lopez, S. Furnell,  S. Katsikas, and A. Patel (eds.), Securing Information and Communication Systems: Principles, Technologies, and Applications, Boston|London: Artech House, 2008
  20. J. Anttila, “Managing and assuring information security in integration with the business management of a company”, In J. H. P Eloff and R.  von Solms (eds.): Information security, Small systems security & information security management, Volume 2. IFIP TC 11 Wg 11.1. Vienna – Budapest, 1998
  21. NIST, Criteria for excellence, Gaithersburg, MD: NIST, 2009
  22. J. Anttila, “Reinforcing business leaders’ role in striving for information security”, CIS’07 Conference, Harbin, 2007
  23. C. G. Boeree, Carl Jung, http://webspace.ship.edu/cgboer/jung.html, 2006
  24. J. Anttila, J. Kajava, and R. Varonen, “General managerial tools for business-integrated information security management”, In J. Lindfors (ed.), Applied information technology research – Articles by cooperative science network, University of Lapland, Department of Research Methodology Reports, Essays and Working Papers 2, Rovaniemi: University of Lapland, 2007
  25. W. J. Latzko and D. M. Saunders, Four days with Dr. Deming. A strategy for modern methods of management, Reading, MA: Addison Wesley, 1997
  26. W. A. Shewhart, Economic control of quality of manufactured product, New York: Van Nostrand, 1931
  27. S. Shiba, “Evolution of quality: From control to breakthrough TQM”, EOQ Annual congress, Trondheim: NFK/EOQ, 1997
  28. S. Shiba and D. Walden, Breakthrough management, New Delhi: Confederation of Indian Industry, 2006
  29. J. Juran, Juran on planning for quality, New York: The Free Press, 1988
  30. BS, BS7799 - Information Technology - Code of practice for information security management, London: BS, 1995
  31. DTI/BSI, PD0003 Disc - A Code of Practice for Information Security Management, London: BSI, 1993 
  32. R. Stacey, “Organizations as complex responsive processes of relating”, Journal of Innovative Management. Vol. 8, No. 2. Salem. USA, 2002
  33. R. Stacey, The Stacey Matrix, 2002 
  34. W. R. Ashby, An introduction to cybernetics, London: Chapman & Hall, 1957
  35. Toffler, The third wave, New York: Bantam Books, 1980
  36. P. Sorokin, The crisis of our age, Charham, NY: Oneworld, 1941
  37. M. Naidoo, “I am because we are (A never ending story). The emergence of a living theory of inclusional and responsive practice.” 2005

[This text is modified from the conference text presented in Krakow, Poland in 2010 (ARES 2010) and made with Jorma Kajava.]