Document Type: Original Article

Authors

1 Associate Professor, Department of Knowledge and Information Science, Shahid Bahonar University of Kerman, Kerman, Iran

2 Assistant Professor, Information Science Research Institute, Scientometrics and Information Analysis Research Group, Iranian Institute of Information Science and Technology, Tehran, Iran

3 Master, Department of Knowledge and Information Science, Shahid Bahonar University, Kerman, Iran

10.22034/jkrs.2026.20646

Abstract

Purpose: This study aimed to evaluate the performance of information security management in government organizations in Kerman city based on the ISO/IEC 27002 standard.
Methodology: The research employed a descriptive-survey design. Data were collected using a standardized questionnaire. Reliability was assessed using Cronbach’s alpha coefficient, which yielded a value of 0.98, indicating high internal consistency. The statistical population consisted of 176 information technology managers as well as senior and middle managers working in government organizations in Kerman. Using Cochran’s formula, a sample size of 120 participants was determined.
Findings: The results indicate that the components of information security management in the studied organizations were prioritized based on mean rank as follows: Organizational Asset Security Management (6.95), Organizational Information Security Management (6.49), Business Continuity Management (6.31), Operations and Communications Security Management (5.86), Acquisition, Development, and Maintenance Management (5.83), and Compliance Management (4.68). Furthermore, statistical analysis showed that the overall mean score of information security management performance in these organizations was significantly higher than the expected level according to the ISO/IEC 27002 standard (p = 0.000 < 0.05).
Conclusion: The findings highlight the importance of developing comprehensive information security policy documents within organizations. Clearly defining both general and specialized responsibilities related to information security for all employees is essential. Additionally, organizations should establish systematic reporting mechanisms for security incidents across departments and review security procedures and policies adopted by other organizations to improve their own security programs.
Value: By examining information security from a structural and managerial perspective, this study provides insights that can support strategic planning and policy development in public sector organizations.
