نشریه مطالعات دانش پژوهی

ارزیابی عملکرد مدیریت امنیت اطلاعات در سازمان‌های دولتی با تکیه بر ISO/IEC 27002

نوع مقاله : مقاله پژوهشی

نویسندگان

1 دانشیار، بخش علم اطلاعات و دانش‌شناسی، دانشگاه شهید باهنر کرمان، کرمان، ایران

2 استادیار، پژوهشکده علوم اطلاعات، گروه پژوهشی علم‌سنجی و تحلیل‌اطلاعات، پژوهشگاه علوم و فناوری اطلاعات ایران، تهران، ایران

3 کارشناس ارشد، بخش علم اطلاعات و دانش‌شناسی دانشگاه باهنر کرمان، کرمان، ایران

10.22034/jkrs.2026.20646

چکیده

هدف: پژوهش حاضر باهدف ارزیابی وضعیت عملکرد مدیریت امنیت اطلاعات در سازمان های دولتی مستقر در شهر کرمان بر اساس استاندارد ایزو/ آی.ای.سی 27002 انجام شده است.
روش‌شناسی: روش پژوهش توصیفی- پیمایشی است و به منظور گردآوری اطلاعات از پرسش­نامه استاندارد مذکور استفاده شده است. برای بررسی  سنجش پایایی پژوهش از روش آلفای کرونباخ بهره گرفته شد که میزان آن ۹۸/۰ تعیین شد. جامعه آماری پژوهش شامل، 176 نفر از  مدیران  فناوری اطلاعات و مدیران اصلی و میانی شاغل در سازمان‌های دولتی مستقر در شهر کرمان است. نمونه جامعه آماری با استفاده از فرمول کوکران، شامل 120 نفر تعیین شد.
یافته‌ها: یافته‌های حاصل از پژوهش نشان می‌دهد که در اولویت بندی (بر اساس میانگین رتبه‌ای) شاخص‌های مدیریت امنیت اطلاعات در سازمان­های دولتی کرمان بر اساس آزمون فریدمن به ترتیب: مدیریت امنیت اموال سازمان (95/6)، مدیریت امنیت اطلاعات سازمان (49/6)، مدیریت استمرار کسب و کار (31/6)، مدیریت امنیت عملیات و ارتباطات (86/5)، مدیریت اکتساب توسعه حفظ و نگهداری (83/5) و مدیریت تطابق (68/4) است. نتایج پژوهش حاکی از این است به علت اینکه مقدار p به‌دست آمده از آزمون برابر با 000/0 و کمتر از سطح معنا‌داری تحقیق (05/0) است در نتیجه می‌توان بیان کرد که میانگین نمره عملکرد مدیریت امنیت اطلاعات در سازمان‌های دولتی مستقر در شهر کرمان بر اساس استاندارد ایزو/ آی. ای. سی. 27002 بالاتر از حد انتظار است.
نتیجه‌گیری: نتایج نشان می­دهند که شایسته است تا سند خط‌مشی امنیت اطلاعات برای سازمان­ها تدوین شود. مسئولیت‌های عمومی و تخصصی مدیریت امنیت اطلاعات، برای تمامی کارکنان مشخص باشد. گزارش رخدادهای امنیت اطلاعات در تمامی بخش‌های سازمانی تهیه شود. رویه‌ها و خط‌مشی‌های امنیتی سازمان‌های دیگر بررسی و با برنامه‌های سازمانی تطبیق داده شود.
اصالت و ارزش: پژوهش حاضر از منظر ساختاری به مقوله امنیت اطلاعات پرداخته و نتایج آن می‌تواند برای برنامه‌ریزی در سازمان‎ها مورد استفاده قرار گیرد.  

کلیدواژه‌ها

موضوعات

عنوان مقاله [English]

Assessment of Information Security Management Performance in Government Organizations Based on ISO/IEC 27002

نویسندگان [English]

  • Adel Soleimani Nezhad 1
  • Fariborz Doroudi 2
  • Masoomeh Tahmasbi 3

1 Associate Professor, Department of Knowledge and Information Science, Shahid Bahonar University of Kerman, Kerman, Iran

2 Assistant Professor, Information Science Research Institute, Scientometrics and Information Analysis Research Group, Iranian Institute of Information Science and Technology, Tehran, Iran

3 Master, Department of Knowledge and Information Science, Shahid bahonar University, Kerman, Iran

چکیده [English]

Purpose: This study aimed to evaluate the performance of information security management in government organizations in Kerman city based on the ISO/IEC 27002 standard.
Methodology: The research employed a descriptive-survey design. Data were collected using a standardized questionnaire. Reliability was assessed using Cronbach’s alpha coefficient, which yielded a value of 0.98, indicating high internal consistency. The statistical population consisted of 176 information technology managers as well as senior and middle managers working in government organizations in Kerman. Using Cochran’s formula, a sample size of 120 participants was determined.
Findings: The results indicate that the components of information security management in the studied organizations were prioritized based on mean rank as follows: Organizational Asset Security Management (6.95), Organizational Information Security Management (6.49), Business Continuity Management (6.31), Operations and Communications Security Management (5.86), Acquisition, Development, and Maintenance Management (5.83), and Compliance Management (4.68). Furthermore, statistical analysis showed that the overall mean score of information security management performance in these organizations was significantly higher than the expected level according to the ISO/IEC 27002 standard (p = 0.000 < 0.05).
Conclusion: The findings highlight the importance of developing comprehensive information security policy documents within organizations. Clearly defining both general and specialized responsibilities related to information security for all employees is essential. Additionally, organizations should establish systematic reporting mechanisms for security incidents across departments and review security procedures and policies adopted by other organizations to improve their own security programs.
Value: By examining information security from a structural and managerial perspective, this study provides insights that can support strategic planning and policy development in public sector organizations.

کلیدواژه‌ها [English]

  • Performance Evaluation
  • Information Security Management
  • ISO/IEC 27002
  • Government Organizations
  • Kerman Cit
مراجع
 
Abrew, K. M. N. D., & Wickramarachchi, R. (2021). A review on organizational factors affecting the effectiveness of information security management systems in IT sector organizations in Sri Lanka. In Proceedings of the International Conference on Advanced Marketing (ICAM4): Business, Law, and Management (BLM2).
Aftabi, N., et al. (2025). SD-ABM-ISM: An integrated system dynamics and agent-based modeling framework for information security management in complex information systems with multi-actor threat dynamics. Expert Systems with Applications, 263, 125681. https://doi.org/10.1016/j.eswa.2024.125681
Ahmed, V., & Al-Haddad, S. (2021). The use of social engineering to change organizational behavior toward information security in an educational institution. Journal of Information System Security, 17(2), 103–124.
Akello, B. O. (2024). Organizational information security threats: Status and challenges. World Journal of Advanced Engineering Technology and Sciences, 11(1), 148–162. https://doi.org/10.30574/wjaets.2024.11.1.0047
AlGhamdi, S., et al. (2020). Information security governance challenges and critical success factors: Systematic review. Computers & Security, 99, 102030. https://doi.org/10.1016/j.cose.2020.102030
Amaro, F. (2020). Organizational challenges in adopting a security baseline to protect federal information from insider threats (Doctoral dissertation, Capella University).
Arianty, K. P. (2025). Analysis of information security management system implementation at BSN. Jurnal Informatika: Jurnal Pengembangan IT, 10(1), 119–129.
Bitzer, M., et al. (2021). Disentangling the concept of information security properties: Enabling effective information security governance. In Proceedings of the European Conference on Information Systems (ECIS).
Chase, J. L. (2021). Examining the effect of organizational culture on end-user attitude towards information security awareness (Doctoral dissertation, Colorado Technical University).
Chiu, C.-M., & Tan, C. M. (2020). Enhancing employees’ intention to comply with information security policies: The roles of job crafting and organizational commitment.
da Veiga, A., et al. (2020). Defining organisational information security culture: Perspectives from academia and industry. Computers & Security, 92, 101713. https://doi.org/10.1016/j.cose.2020.101713
Dang-Pham, D., et al. (2025). Shadow information security practices in organizations: The role of information security transparency, overload, and psychological empowerment. Computers & Security, 156, 104538. https://doi.org/10.1016/j.cose.2025.104538
de Wit, J., et al. (2024). Bias and noise in security risk assessments: An empirical study on the information position and confidence of security professionals. Security Journal, 37(1), 170–191. https://doi.org/10.1057/s41284-023-00376-1
Diesch, R., et al. (2020). A comprehensive model of information security factors for decision-makers. Computers & Security, 92, 101747. https://doi.org/10.1016/j.cose.2020.101747
Ejigu, K., et al. (2021). Influence of organizational culture on employees’ information security policy compliance in Ethiopian companies. In Proceedings of the Pacific Asia Conference on Information Systems (PACIS).
Emmanuel, K., & Hamid, T. (2023). A qualitative study of the effects of socio-organizational factors on the information security culture of employees in a financial institution. In Proceedings of the International Conference on Advances in Communication Technology and Computer Engineering (ICACTCE). Springer.
Folorunso, A., et al. (2024). The impact of ISO security standards on enhancing cybersecurity posture in organizations. World Journal of Advanced Research and Reviews, 24(1), 2582–2595. https://doi.org/10.30574/wjarr.2024.24.1.3344
Grigaliūnas, Š., et al. (2024). Holistic information security management and compliance framework. Electronics, 13(19), 1–31. https://doi.org/10.3390/electronics13193862
Hameed, M. A., & Arachchilage, N. A. G. (2020). A conceptual model for the organizational adoption of information system security innovations. In Security, privacy, and forensics issues in big data (pp. 317–339). IGI Global.
Hasan, S., et al. (2021). Evaluating the cyber security readiness of organizations and its influence on performance. Journal of Information Security and Applications, 58, 102726. https://doi.org/10.1016/j.jisa.2020.102726
Hussein, H. A. (2024). Organizational factors that influence information security in SMEs: A case study of Mogadishu, Somalia. International Journal of Innovative Science and Research Technology, 9(6), 1373–1382.
Kam, H.-J., et al. (2020). A cross-industry study of institutional pressures on organizational effort to raise information security awareness. Information Systems Frontiers, 22(5), 1241–1264. https://doi.org/10.1007/s10796-019-09941-6
Khando, K., et al. (2021). Enhancing employees’ information security awareness in private and public organisations: A systematic literature review. Computers & Security, 106, 102267. https://doi.org/10.1016/j.cose.2021.102267
Kreutz, H., & Jahankhani, H. (2024). Impact of artificial intelligence on enterprise information security management in the context of ISO 27001 and 27002: A tertiary systematic review and comparative analysis. In Cybersecurity and artificial intelligence: Transformational strategies and disruptive innovation (pp. 1–34).
Latola, S. (2023). Positive organizational behavior in information security compliance management: A literature review.
Lopes, A., et al. (2022). Information security threat assessment using social engineering in the organizational context: Literature review. In Information systems and technologies. Springer.
López-Vasco, F., et al. (2024). Application of ISO/IEC 27001 in higher education technological institutes: Case-control study. In Multidisciplinary International Conference of Research Applied to Defense and Security. Springer.
Ma, X. (2022). IS professionals’ information security behaviors in Chinese IT organizations for information security protection. Information Processing & Management, 59(1), 102744. https://doi.org/10.1016/j.ipm.2021.102744
Nagata, K. (2024). Establishing information security policy as an organizational risk management. IntechOpen.
Nowicka, J., et al. (2024). Information security management as the basis for the functioning of an organization. European Research Studies Journal, 27(3), 128–141.
Oluwasefunmi, A., et al. (2021). Critical factors affecting the efficiency of information security risk management in business organizations: An empirical study. Covenant Journal of Informatics and Communication Technology, 9(1), 1–18.
Otieno, E. O. (2021). The impact of organizational culture on information security compliance culture: A case of Kenyan universities (Master’s thesis, University of Nairobi).
Parvin, S., et al. (2019). Information security from a scientometric perspective. Webology, 16(1), 196–209.
Selifanov, V. V., et al. (2021). Acceptable variants formation methods of organizational structure and the automated information security management system structure. In 2021 XV International Scientific-Technical Conference on Actual Problems of Electronic Instrument Engineering (APEIE). IEEE.
Selifanov, V. V., et al. (2022). Methodology for the synthesis of acceptable options for organizational functional structure of the security management system of a significant object of critical information infrastructure. In 2022 IEEE 23rd International Conference of Young Professionals in Electron Devices and Materials (EDM). IEEE.
Szczepaniuk, E. K., et al. (2020). Information security assessment in public administration. Computers & Security, 90, 101709. https://doi.org/10.1016/j.cose.2019.101709
Usmonov, M. (2024). Basic concepts of information security. Indexing, 1(1), 81–85.
نشریه مطالعات دانش پژوهی
دوره 5، شماره 1 - شماره پیاپی 15
فروردین 1405
فایل ها
هم رسانی
ارجاع به این مقاله
آمار