Free «ISO Certification» Essay

The Isec Limited (2012) records that ISO/IEC27001:2005 has been in the market since it was started in 1999 as BS 77799. It provides a formal set of specifications, which allows organizations to be able to independently seek the certification of the Information Security Management System. It gives all the standards required for the organization to be able to establish, implement, monitor and review, maintain and improve its management system. It covers all forms of organizations being commercial, non-profit or agencies of the government. Managing the security of the organization’s information is central as it provides sustenance, directedness, and continuity in the improvement of the organization’s information.

According to the Isec Limited (2012), the process of ISO/IEC27001:2005 certification should begin with the auditors that verify the qualifications of the compliant. This is based on the various standards, which are well specified in the ISO/IEC27001:2005 requirements. Organizations must, thus, produce the documents such as the organization’s security policy, the system it uses to manage its security, and the applicability statement. The second stage involves a vigorous process of auditing, in which the experts have to ascertain the credibility and existence of organization.

However, it is not compulsory for the organizations to be ISO/IEC27001:2005 certified, the demand of the certificate among the suppliers and various business partners has ever been on the increase (Zaramdini, 2007). This is because of the increasing concern among all parties about the information security. It is, therefore, with no doubt that those organizations being certified have the certain benefits over those which are uncertified. The certificate itself has been seen as having the potential to market the organization as much as it also gives the security assurance to the partners of the certified organizations.

Practical Study of Dubai Holding Company

On its side, Dubai Holdings have not been left behind as far as the benefits from the certification concerned. It has helped the organization in the identification, management and minimization of the range of threats associated with its information system. The certification has also gone a long way in instilling the confidence in the partners on the organization, especially the customers and suppliers. Additionally, it has also been easy for the organization to strengthen the credibility of the model it uses in business. Finally, Dubai Holdings has also been able to realize a considerable increase in its savings because it has been able to avoid incidences of security breaches which normally contribute to a good percentage of organizational expenses (“AME Info FZ LLC, 4C”, 2011).

These benefits have also been felt by its branches. For example, the study reveled that one of its branches, Dubai Health Care City, has also gone ahead and obtained ISO 9001:2000 certification except the fact that it had already been enjoying the benefits of ISO/IEC27001:2005 by being the entity of Dubai Holdings. The study revealed that the branch considered pursuing their own certification to assure its customers and other stakeholders of its adherence to the quality, besides, giving the company a competitive advantage over its competitors.

Reasons Why Organizations Seek Certification

E.O (2011) notes that ISO/IEC27001:2005 certification has been granted to over 7,300 organizations around the world. Generally, there are varieties of reasons that make organizations to seek for the certification. According to Zaramdini (2007), the most common reasons why organizations rush to secure ISO/IEC27001:2005 certification has been to ensure their customers and stakeholders of their consistency in providing the information security, fulfilling legal requirements, and meeting the expectations of stakeholders. The standards required for this certification assure the customers of the credibility of organizations, thus, increasing their level of confidence in it. This, in turn, gives the aforementioned company a competitive advantage over others.

AME Info FZ LLC, 4C (2011) also identifies a number of ways in which ISO/IEC27001:2005 has helped organizations. These include: the formulation of their security standards and objectives and helping the organization managed their security risks in a cost effective manner. It also notes that when used within organizations, ISO/IEC27001:2005 also enables such organizations to operate within the various laws and regulations as well as providing a process framework, which assists the organization in implementing and managing its controls. All these benefits work to enable the organization to realize its security objectives. The certification is, thus, easeful to all the stakeholders of the firm. That is, it helps the management to know the status of the security of its information. It also enables the external and internal auditors to carry out their demonstration of policies, standards and directives of the organization. Finally, ISO/IEC27001:2005 enables customers to obtain any information related to the informational security of organization.

Methodology

Apart from seeking to obtain the information concerning the process and benefits of ISO/IEC27001:2005 to the company, the study also took into account the additional factors that could affect the knowledge of employees on ISO/IEC27001:2005. These include such factors like whether the specific employees worked directly under the information security division or not. The research was also based on the already known facts and experiences of the chief information officers.

To enable the researcher to succeed in generating the new knowledge on the topic, the study employed the use of the questionnaire survey method and the semi-structured interview. The questionnaires have been well designed based on the fact that the researchers visited and gathered the relevant information on the two organizations from Abu Dhabi Chamber of Commerce and Industry before the date of the actual study. Apart from the basic information on such company like those concerning the company ownership and size, the tool has been designed to include two main sets of questions. One section was directly related to the aspects of processing of certification, while the second section’s questions were those related to the various aspects of benefits the company enjoys as a result of having obtained the ISO/IEC27001:2005 certification.

The study was conducted by the group composed of 3 chief information officers drawn from the other companies within the UAE which were considered to have had a long-term experience with the certification standards for a longer duration. The officers specifically help during the review of survey results. This was followed by the necessary adjustment of questionnaire and interview tools.  Even though the respondents were not made aware of the contents of questionnaires and interview guides, the questions were discussed with the director information security in relation to the study objectives before the actual study. This was done in light with the recommendations that were given by the study group.

The information officers were considered for the study based on the review of materials on the past studies which had revealed them as being the most suitable parties in providing the relevant information. This was also in line with the early findings that these are the information officers being in charge of the coordination of process of certification; thus, they were expected to have undergone through an extensive trainings in the management of matters to do with the security of the organizational information.

The study never considered the use of such scales as the Likert in the evaluation of its question statements. Instead, it utilized the open ended questions to enable the researchers to involve the respondents into the discussion, which would allow them to probe their understanding of the issues related to the ISO/IEC27001:2005 certification (Thomas, Nelson & Silverman, 2011). The focus group allowed the participants to discuss freely giving close insights about the topic of discussion. On the other hand, the eye-to-eye interview with the information officers helped to give more insights on what has already been known about the topic and answers obtained from the focus group discussions with other employees.

The questionnaire method was, thus, used in cases of the information officers, while the focus group discussion through the use of interview guide proved to be effective with the rest of employees. The response rate for the research was 100% due to the limited scope of study, and the fact that the researchers had sought to secure the permission from management, through the director information security, which made earlier preparations to avail their employees for the study.

As a strategy, the study employed the use of the case study. This enabled the researchers to obtain and present holistic findings on the subject, in question. The strategy, for example, allowed the research around the process and benefits of ISO/IEC27001:2005. This means that the study most likely succeeded in demonstrating the knowledge and commitment of employees towards the requirements of the certification. The case study was the holistic two cases’ study with two branches of Dubai Holdings which had been taken as the units of analysis within the UAE.  Thus, the research considered 50 employees with 25 employees being selected from Dubai Holding’s information technology division dealing directly with the issues of the Information security, while the other 25 ones were comprised of other employees from Dubai Holdings Health Care City.

The stratified sampling method was then used in selecting the participants. The 25 representatives from each company were then chosen based on the random sampling method to give each member a same chance of participating in the study. It is also worth noting that considering two different branches enabled the researcher to compare the findings obtained from different cases. This, the researchers thought, could give the additional insights like the commitment of employees to adherence to ISO/IEC27001:2005 standards. The methods used in this study, thus, allowed the researcher to make appropriate recommendations and conclusions which would not only be helpful to Dubai Holdings but also the other companies seeking to be certified by ISO/IEC27001:2005.

Results

Being that the two companies were basically service providers, a good number of their respondents had a long term experience in information security management and, therefore, in the issues related to ISO/IEC27001:2005 certification. The findings were also considered valid since the generated statements in the list of benefits and process were scrutinized and confirmed by a group of the selected quality managers and a group of consultants. The two groups worked together at the infancy state of study. 

Data Analysis and Ethical Issues

The participants being interviewed had no problem with having the researcher jotting short hand notes on the issues that they have discussed. In addition, the researcher sought the permission of the participants to have the proceedings recorded. More attention was paid on the sections of interview that were essential for answering the research questions. This enabled the researcher to have an easy task during the data analysis considering that all the collected data stored in the soft copy. Concerning the ethical considerations, the researcher secured permissions from the management of two Dubai Holding organisations and that of the participants’ long before the actual study. Moreover, the participants’ voices were only recorded after their consent had been secured.

Conclusion

The research has considered a holistic study of Dubai Holdings with one of its entities, Dubai Holding Health Care City. The use of a number of methods enabled the researchers to come up with various new insights on the process and benefits of having the company certified. This means that the findings of this study can be helpful not only to Dubai Holdings but also to other relevant companies, which are already certified and even those which are considered to take the necessary steps towards the same. However, through the focus group, it was revealed that there was the need for companies to consider conducting trainings on the requirements of various certifications, which they are a part, to all their employees. This would ensure that other employees offered the necessary support to the division directly involved with managing the standard adherence to the given certifications.

The study also revealed that the company had strictly followed the laid down procedures, while presenting their complaint to be considered for the certification. The firm was, thus, able to realize a great increase in its business giving it the competitive advantage. Together with its entity, the company was able to prove its credibility to its various stakeholders. However, the study also pointed on the need for a further study on the long term effects of ISO/IEC27001:2005 certifications.

Recommendations

A number of recommendations were made to the practitioners based on the practical implications of study. Firstly, ISO/IEC27001:2005 certification has resulted into important benefits to these two companies. It is also true that by focusing on the right motives, companies can greatly benefit from gaining such certifications as ISO/IEC27001:2005. Additionally, ISO/IEC27001:2005 certification can help the organization to improve their competitive advantage by improving the public image of firm. It can, thus, be said to be a marketing tool. Finally, it should be made clear to the companies that have gained the ISO/IEC27001:2005 certification that they can freely engage in the international business using their certificate as a passport.