Communications of the Association for Information Systems


To protect the information assets of organizations, many different standards and guidelines have been proposed. Among them, International standard ISO 17799 is one of the most prominent international efforts on information security. This standard provides both an authoritative statement on information security and the procedures to be adopted by organizations to ensure information security. Security professionals claim ISO 17799 to be a suitable model for information security management and an appropriate vehicle for addressing information security management issues in the modern organization. However, to our knowledge, no empirical studies have been conducted to validate this standard. Based on a survey of information security professionals, we found that ISO 17799 is comprehensive, but not parsimonious.