Analysis of Relationships between Non-conformities, Process Maturity and Continual Improvement in Information Security Management Systems

Naumann Michael Matthias, Olaru Stelian Mircea, Lampe Georg Sven and Pitz Fabian
Additional contact information
Naumann Michael Matthias: Bucharest University of Economic Studies, 010374, Romania
Olaru Stelian Mircea: Bucharest University of Economic Studies, 010374, Romania
Lampe Georg Sven: Bucharest University of Economic Studies, 010374, Romania
Pitz Fabian: Bucharest University of Economic Studies, 010374, Romania

Proceedings of the International Conference on Business Excellence, 2024, vol. 18, issue 1, 494-506

Abstract: In the current global context, companies need a defined minimum level of information security in order to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as the Trusted Information Security Assessment Exchange (TISAX) and ISO/IEC 27019, the information security standard for energy utilities. Conformity to these standard requirements within the established management system is checked during the periodically required audits. However, for various reasons, even after many years of audits, companies still show insufficient process implementations of information security requirements. The aim of the paper is to analyze the status of conformity, and thus also the process maturity, in selected samples of companies that have already had information security management systems (ISMS) in place for several years. In detail, the reasons for deviations from the minimum requirements, together with the associated risks for the security of information in companies, were analyzed, which allows conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, one that makes the risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Keywords: information security management systems; system audit; non-conformities; process maturity; continuous improvement; information security risks
Date: 2024

Full text (external link): https://doi.org/10.2478/picbe-2024-0043 (text/html)


Persistent link: https://EconPapers.repec.org/RePEc:vrs:poicbe:v:18:y:2024:i:1:p:494-506:n:1004

DOI: 10.2478/picbe-2024-0043

Proceedings of the International Conference on Business Excellence is currently edited by Alina Mihaela Dima


Page updated 2025-03-20
Handle: RePEc:vrs:poicbe:v:18:y:2024:i:1:p:494-506:n:1004