Determining Information Security Maturity Level of an organization based on ISO 27001

International Journal of Computer Science and Engineering
© 2019 by SSRG - IJCSE Journal
Volume 6 Issue 7
Year of Publication : 2019
Authors : Daniel Makupi, Nelson Masese

How to Cite?

Daniel Makupi, Nelson Masese, "Determining Information Security Maturity Level of an organization based on ISO 27001," SSRG International Journal of Computer Science and Engineering , vol. 6,  no. 7, pp. 5-11, 2019. Crossref,


Technology adoption is key critical component for organization success. With continued and rapid advancement in technology especially brought by the need for employees to use their personal devices, it presents a major opportunity and challenge for enterprises, it poses a challenge as adversaries have taken advantage of widening cyber space to attack information and information systems. Our study provides a solution by designing a model to compute information security maturity of universities. The research is based on ISO 27001 by involving specific clauses relevant to universities because of its unique organizational ecocentric nature having varied categories of user’s and extensive research allowing it to serve as a plausible area for study compared to other organizations. The cumulative factors having being considered statistically varied towards contribution towards the maturity model. The model is then designed considering the different information security levels of compliance suggested by ISO 27001. The study adopted design research approach to come with the model design


Model, design, Maturity, ISO 27001


[1] Yang, Yaping. "Literature review of information security practice survey reports." (2018).
[2] Dzazali, Suhazimah, "Social Factors Influencing the Information Security Maturity of Malaysian Public Service Organization: An Empirical Analysis" (2006). ACIS 2006 Proceedings. Paper 103.Electronic version found at
[3] Surni Erniwati and Nina Kurnia Hikmawati. An Analysis of Information Technology on Data Processing by using Cobit Framework‖, (IJACSA) Intermasional Journal of Advanced Computer Science and Application, Vol. 6 No. 9 2015, pp 151 – 157.
[4] Kerzner, H., & Kerzner, H. R. (2017). Project management: a systems approach to planning, scheduling, and controlling. John Wiley & Sons.
[5] Almutiq, Mutiq Mohammed. "An evaluation model for information security strategies in healthcare data systems." PhD diss., Keele University, 2018.
[6] Suwito, M. H., Matsumoto, S., Kawamoto, J., Gollmann, D., & Sakurai, K. (2016). An Analysis of IT Assessment Security Maturity in Higher Education Institution. In Information Science and Applications (ICISA) 2016 (pp. 701-713). Springer, Singapore.
[7] Malik F. Saleh Management Information Systems, Chair Prince Mohammad Bin Fahd University Al Khobar, 31952, Saudi Arabia, 2011
[8] Da Silva, Denise Ranghetti Pilar, and Lilian Milnitsky Stein. "Information Security: A Reflection on the Human Component." Science & Cognition 10 (2011).
[9] Curry, M., Marshall, B., Crossler, R. E., & Correia, J. (2018). InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 49(1), 49-66.
[10] Bourgeois, Dave, and David T. Bourgeois. "Information Systems Security." Information Systems for Business and Beyond (2014).
[11] Siponen, Mikko T. "A conceptual foundation for organizational information security awareness." Information Management & Computer Security 8, no. 1 (2000): 31-41.
[12] Albuquerque Junior, Antonio Eduardo de, and Ernani Marques dos Santos. "Adoption of Information Security measures in public research institutes." JISTEM-Journal of Information Systems and Technology Management 12, no. 2 (2015): 289-315.
[13] Garcia, Mary Lynn. Design and evaluation of physical protection systems. Elsevier, 2007.
[14] Björck, Fredrik. Discovering information security management. Department of Computer and Systems Sciences, Stockholm University, 2005.
[15] Belasco, K., and S. P. Wan. "Online retail banking: security concerns, breaches, and controls." Handbook of Information Security: threats, vulnerabilities, prevention, detection, and management 1 (2006).
[16] Dresner, Daniel Gideon. "A study of standards and the mitigation of risk in information systems." PhD diss., The University of Manchester (United Kingdom), 2011.
[17] ABNT, AB de NT. "NBR ISO/IEC 17799–Tecnologia da Informação–Código de prática para gestão da segurança da informação." Rio do Janeiro: ABNT (2005).
[18] Makupi, D., Karume, S.M., Rabah, K. (2016). The Impact of Driver Behaviour on Road Accidents and the Need for a Driver Road Safety Index (DRSI) in Kenya.
Mara Res. J. inf. Sci. Technol. Vol. 1, No. 1, pp. 66 - 77. ISSN 2518-8844.
[19] Kombo, Donald Kisilu, and Delno LA Tromp. "Proposal and thesis writing: An introduction." Nairobi: Paulines Publications Africa 5 (2006): 814-30. [20] Siponen, Mikko, and Robert Willison. "Information security management standards: Problems and solutions." Information & Management 46, no. 5 (2009): 267-270.