Location
Online
Event Website
https://hicss.hawaii.edu/
Start Date
3-1-2023 12:00 AM
End Date
7-1-2023 12:00 AM
Description
The ISO/IEC 27001 standard provides organizations with guidelines to help them evaluate, document, and improve their information security processes. In practice, however, the generality of the standard can create a conflict between its requirements and the adopters’ expectations. To better understand how an organization manages such conflicts, we conduct a case study in a Finnish corporation during the standard’s implementation in one of its units. Two critical conflicts emerged: Conflict I reflects a tension between the standard requirement for disciplinary measures vis-à-vis the organization’s punishment-averse culture. Conflict II reflects a tension between the organization’s aspiration for concrete code reviewing instructions vis-à-vis the lack thereof in the standard. Our findings reveal that whereas the conflict resolution process was similar in managing both conflicts, their content was radically different. Specifically, whereas conflict I’s resolution was paradoxical, conflict II’s resolution was dialectical. We discuss the theoretical and practical implications of our findings.
Recommended Citation
Soliman, Wael and Ojalainen, Anniina, "Conflict Resolution in an ISO/IEC 27001 Standard Implementation: A Contradiction Management Perspective" (2023). Hawaii International Conference on System Sciences 2023 (HICSS-56). 2.
https://aisel.aisnet.org/hicss-56/ks/cross-border_cybersecurity/2
Conflict Resolution in an ISO/IEC 27001 Standard Implementation: A Contradiction Management Perspective
Online
The ISO/IEC 27001 standard provides organizations with guidelines to help them evaluate, document, and improve their information security processes. In practice, however, the generality of the standard can create a conflict between its requirements and the adopters’ expectations. To better understand how an organization manages such conflicts, we conduct a case study in a Finnish corporation during the standard’s implementation in one of its units. Two critical conflicts emerged: Conflict I reflects a tension between the standard requirement for disciplinary measures vis-à-vis the organization’s punishment-averse culture. Conflict II reflects a tension between the organization’s aspiration for concrete code reviewing instructions vis-à-vis the lack thereof in the standard. Our findings reveal that whereas the conflict resolution process was similar in managing both conflicts, their content was radically different. Specifically, whereas conflict I’s resolution was paradoxical, conflict II’s resolution was dialectical. We discuss the theoretical and practical implications of our findings.
https://aisel.aisnet.org/hicss-56/ks/cross-border_cybersecurity/2