Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
1 1
National Culture and the ISO 27001 Development, based on the Information Security Guidelines Bahareh Shojaie · Hannes Federrath · Iman Saberi University of Hamburg, Germany https://svs.informatik.uni-hamburg.de
May 16th, 2016
2 2
Information Security Management Standards
• International ISO 27001
– Market assurance (Legal requirements) – IT governance (Customer demand)
• Motivation
– National IS guidelines or ISO 27001
• Contribution
– Structured comparison – National IS culture
3 3
Motivation for national IS guidelines development
• ISO 27001/ ISO 27002 Development
• Time establishment
• National characteristics
– Economy & trading
– Specific legislation & requirements
– History and development
4 4
National IS guidelines vs. ISO 27001
• Stakeholder description
– Compatibility level
• Developed Vs. Developing
– Focus level
• Scope description
– Detail level
5 5
National IS guidelines & ISO 27001 issued certificates
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%China
GermanyRussian Federation
BrazilUnited Kingdom
Saudi Arabia Poland
South Africa Pakistan
AustriaNorway
United Arab EmiratesQatar
New ZealandSri LankaSlovakia
AzerbaijanCroatiaUganda
LatviaRwanda
MalawiUSAIndia
JapanFrance
CanadaAustralia
Hong KongSingapore
Percentage Ave. ISO 27001 annual growth (ISO survey 2014)
Cou
ntrie
s
6 6
National IS guidelines & ISO 27001 issued certificates
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
Japan
United Kingdom
India
China
USA
Sri Lanka
Uganda
Latvia
Rwanda
Malawi
Percentage Ave. ISO 27001 annual growth (ISO survey 2014)
7 7
National IS guidelines & ISO 27001 withdrawn certificates
0% 10% 20% 30% 40% 50%
ChinaGermany
Russian FederationBrazil
United KingdomPoland
South Africa Pakistan
AustriaUnited Arab Emirates
SlovakiaCroatia
USAIndia
JapanFrance
CanadaAustralia
Hong Kong, ChinaSingapore
Percentage Ave. ISO 27001 withdrawn certificates (ISO survey 2014)
Cou
ntrie
s
8 8
National IS guidelines & ISO 27001 withdrawn certificates
0% 5% 10% 15% 20% 25% 30% 35% 40% 45%
Singapore
Pakistan
China
Brazil
Australia
United Arab Emirates
USA
Percentage Ave. ISO 27001 withdrawn certificates (ISO survey 2014)
9 9
Tightness vs. Looseness
UAI Uncertainty Avoidance
PDI Power Distance
IDV Individualism
Cultu
ral E
ffect
s
The Most Applicable Cultural Dimensions
The Most Leading Literature
Gelfand
National (Country)
National cultural characteristics & ISO 27001
UAI: Degree of comfortableness with uncertainty (Saudi Arabia) PDI: Relation to authority (Sri Lanka) IDV: Self image as »I« or »we« (New Zealand)
Hofstede
10 10
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%China
GermanyRussian Federation
BrazilUnited Kingdom
Saudi ArabiaPoland
South AfricaPakistan
AustriaNorway
United Arab EmiratesNew Zealand
Sri LankaSlovakia
CroatiaLatvia
MalawiUSAIndia
JapanFrance
CanadaAustralia
Hong KongSingapore
Ave. cultural characteristics distribution (Hofstede Centre)
Cou
ntrie
s
UAI PDI IDV Tight
National IS guidelines & cultural characteristics
11 11
National IS guidelines & cultural characteristics
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Japan
United Kingdom
India
China
USA
Germany
Poland
Australia
Slovakia
France
Ave. cultural characteristics distribution (Hofstede Centre)
nUAI nPDI nIDV nTight
12 12
The most effective national characteristics
• National economic power
• National IS requirements
• National cultural barriers
– National IS guidelines selection & development
– ISO 27001 adoption & performance
13 13
Enhancing ISO 27001 long-term performance
• Resource management
• Main focus of development
• Supplementary security guidelines
Bahareh Shojaie [email protected]
14 14
References
• ISO, 2014. ISO Survey 2014
• Beckers, A structured comparison of security standards.
• Hofstede, the Hofstede Centre http://geert-hofstede.com/countries.html