Abstract

Information systems certifications are becoming increasingly important for information security and data protection, providing organizations with best practices and independent feedback. However, superficial certification internalization is a significant problem: organizations often implement certifications in a lightweight way without truly integrating them into their organizational practices. To mitigate this problem, it is crucial to uncover how the different stakeholders involved in a certification make sense of its purpose and criteria. We explore and theorize how organizations internalize information security and data protection certifications through the lens of sensemaking. Drawing on a literature review and qualitative interviews, we develop a process model of certification internalization spanning three sensemaking cycles: pre-audit assessment, audit, and post-audit maintenance. By taking a more nuanced view of how the process unfolds over time, we reveal that the ongoing maintenance of certifications plays a critical role in ensuring certification internalization.