Investigation into the State-of-Practice of Operations Security Management Based on ISO/IEC 27002

摘要

This study assessed information security management in organizations through a questionnaire based on the ISO/IEC 27002, with special focus on operations security. A survey with cross-sectional research design was conducted and data collected from 223 participants from 56 organizations. Overall, the level of operations security maturity was 61.2%, which is the maturity Level 3 (well-defined). This level suggested that operations security controls and processes were documented, approved, and implemented organization-wide. Backups and malware protection were the most implemented security controls, while logging, auditing and monitoring were the least implemented controls. Assessment of inter-organizational operations security found significant differences among the organizations. Financial and Health Care Institutions outperform Educational Institutions and Government Public Service. The study provided insight into maturity levels of operations security controls and the results useful for benchmarking inter-organizational performance, competitiveness and improvement in information security.