Information security management standards: problems and solutions

Mikko Siponen, Robert Willison

Research output: Contribution to journalArticlepeer-review

238 Citations (Scopus)


International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.
Original languageEnglish
Pages (from-to)267-270
JournalInformation & Management
Issue number5
Publication statusPublished - 2009


Dive into the research topics of 'Information security management standards: problems and solutions'. Together they form a unique fingerprint.

Cite this