Many organizations face significant challenges in implementing an Information Security Management System (ISMS), which results in halted or delayed project execution and the imposition of unforeseen costs. Even the vast majority of those who eventually implement the system, and even those who have obtained ISO 27001 certification, do not have the right security level. The purpose of this research is to identify the main causes of these challenges and of the lack of real security, and to define indicators for measuring an organization's readiness for the successful implementation of an ISMS. By identifying the main reasons why Information Security goals are not achieved in different organizations, the challenges organizations face in implementing this system are identified; after recognizing these challenges, the key success factors for ISMS implementation are derived, and finally a model for assessing the readiness level is developed. Thus, the overall structure of this research is: defining the Information Security objectives, identifying the challenges and key drivers for successful ISMS implementation, and developing a model to assess and prepare the organization for successful ISMS implementation. To fulfill the objectives of this study, questionnaires were designed and completed through brainstorming and focus groups. For this purpose, two panels were needed, and their members were selected through inertial sampling. The findings of this research are the reasons for the failure to implement an ISMS and to achieve its goals in different organizations. It is a step that needs to be taken to reduce the challenges and increase the organization’s readiness for successful implementation of this system.
Every organization is formed based on its vision and mission, which can be translated into its goals. To achieve its goals, the organization is required to provide some products or services. To be able to provide those products or services, it should define some processes, and to be able to run these processes it needs different types of assets. However, these assets should work together as a whole system and be customized according to the processes.
So I believe for the successful implementation of an information security solution, the Process, People, and Technology model should be changed to Process, Asset, and Configuration model.
To access the full text of the article, please refer to the following address: