Abstract
Purpose
The aim of this paper is to present the first diffusion analysis of ISO/IEC 27001, the fourth most popular ISO certification at global level and the most important standard for information security.
Design/methodology/approach
To achieve the purposes, the authors applied Grey Models (GM) – Even GM (1,1), Even GM (1,1,α,θ), Discrete GM (1,1), Discrete GM (1,1,α) – complemented by the relative growth rate and the doubling time indexes on the six most important countries in terms of issued certificates.
Findings
Results show that a growing trend is likely to be expected in the years to come and that China will lead at country level.
Originality/value
The study contributes to the scientific debate by presenting the first diffusive analysis of ISO/IEC 27001 and by proposing a forecasting approach that to date has found little application in the field of international standards.
Keywords
Citation
Podrecca, M. and Sartor, M. (2023), "Forecasting the diffusion of ISO/IEC 27001: a Grey model approach", The TQM Journal, Vol. 35 No. 9, pp. 123-151. https://doi.org/10.1108/TQM-07-2022-0220
Publisher
:Emerald Publishing Limited
Copyright © 2023, Matteo Podrecca and Marco Sartor
License
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
1. Introduction
Over the last years, information security (IS) has become one of the main managerial priorities. The implementation of digital technologies and the switch to smart working practices are increasing the vulnerability of firms' networks (e.g. Contieri et al., 2022; Koohang et al., 2020). This is also testified by the growing interest in the ISO/IEC 27001 information security management standard: prominent technology providers (e.g. Apple and Microsoft) but also companies belonging to the old economy (e.g. Stellantis and General Electric) have already decided for its adoption (Culot et al., 2021).
Consistently with other management system standards (e.g. ISO 9001, ISO 14001), ISO/IEC 27001 builds on a process-oriented approach based on formalization and systematization: it introduces a structured framework aimed at ensuring integrity, availability and confidentiality of the information that is maintained and processed by an organisation (Zimon et al., 2022; Rebelo et al., 2014; Gillies, 2011). In doing this, the norm does not impose any specific technological approach or requirement. Rather, it calls for a continuous exploration of available solutions related to logical, physical and organisational aspects of information security; this way integrating both operational practices and technologies.
Despite the relevance of the topic, extant research has highlighted several aspects that may hinder the diffusion of the norm (e.g. lack of clarity on the outcomes of ISO/IEC 27001 adoption, potential competition with other standards, implementation failure). As a result, after 15 years from ISO/IEC 27001 enactment, the number of issued certificates (85,000 as of 2020) is still lagging when compared with other management systems (e.g. over the same period ISO 9001 and ISO 14001 were recording, respectively, 560,000 and 245,000 valid certificates – ISO, 2021).
Against this background, the main aim of this paper is to open the debate on the future diffusion patterns of ISO/IEC 27001. Studies exploring standards dissemination can shed light on a complex phenomenon affected by factors such as regulatory background, economic structure, stakeholder pressures and governmental incentives (Podrecca et al., 2022a). Moreover, according to Castka and Corbett (2015), research focused on long-term adoption patterns is usually neglected in the early stages of management system standards, as available data are usually limited. Nearly two decades after ISO/IEC 27001 enactment, we, therefore, believe that investigating future trajectories could also disclose any similarities between dissemination patterns of ISO/IEC 27001 and those of other more mature norms, thus highlighting potential critical issues of the standard under examination.
To achieve our purpose, we shed light on the diffusion process of ISO/IEC 27001 certifications up to 2030 for the six countries with the highest number of adherents (i.e. Japan, UK, India, China, Germany and Italy).
The remainder of the manuscript is structured as follows. Section 2 provides an overview of the relevant literature. Section 3 introduces the adopted methodology. Section 4 presents and discusses the findings. Finally, conclusions, contributions and limitations of the paper are highlighted in section 5.
2. Literature review
Our study builds on three main research streams: literature on ISO/IEC 27001, studies investigating the diffusion of international management standards and methodological papers on Grey models.
2.1 ISO/IEC 27001
Enacted in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as an evolution of the British norm BS 7799, ISO/IEC 27001 has currently become the most prominent standard in the field of information security (Culot et al., 2021). It “[…] specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organization” (ISO/IEC 27001:2013, p. 1). Consistently with other ISO norms (e.g. ISO 9001, ISO 14001), the standard is applicable to all companies without any precondition in terms of size, nature, or industry; ISO/IEC 27001 is not only intended for firms having a high digital maturity level since it does not require any specific security technology. The norm shares the same principles as other ISO standards such as risk-based thinking, process orientation and a continuous improvement logic based on a plan-do-check-act (PDCA) approach. In terms of structure, ISO/IEC 27001 consists of ten chapters – the first three introduce the standard, the other seven define the requirements for setting up and running an ISMS – complemented by a list of controls (Annex A).
Given the pivotal role played by data in both today's economy and society, the norm has attracted the interest of several scholars. Culot et al. (2021) provide a systematic literature review on ISO/IEC 27001 highlighting that research on the topic has moved around three main areas: motivations, implementation process and outcomes.
As for the motivations, scholars have highlighted both institutionalist (i.e. firms embrace ISO/IEC 27001 to achieve a formal certification to qualify in the eyes of external stakeholders) and functionalist (i.e. firms resort to the standard to improve their activities/processes) drivers. In terms of institutionalist motivations, extant research (e.g. Stewart, 2018) reports that ISO/IEC 27001 is adopted to improve the corporate image and attract more customers. Other studies argue that ISO/IEC 27001 is also implemented due to isomorphic phenomena or as a response to specific client requests (e.g. Raabi et al., 2020). In this latter case, however, scholars (e.g. Cowan, 2011) have also warned that firms may decide to adhere only to some requirements of the standard (i.e. those explicitly requested by their customers) without achieving formal certification. Moving to the functionalist aspects, the main drivers are related to expectations around improved information security capabilities and skills and increased efficiency of information security-related processes (e.g. Annarelli et al., 2020).
For what concerns the implementation process, several studies stress that ISO/IEC 27001 adoption requires a significant amount of resources. In particular, companies need to invest considerable time of their staff in activities and meetings related to the set-up/configuration of the information management system (e.g. Pardo et al., 2016), as well as relevant costs are reported in case organizations decide to resort to the help of external consultants (e.g. Rezaei et al., 2014). When it comes to the specific controls that firms should implement, extant research has also highlighted that the norm provides only limited advice on their mutual interdependence and a lack of guidance on cost/benefit assessments in their selection (e.g. Ho et al., 2015). Similarly, relevant difficulties have been highlighted as regards potential relationships between the organization and the external environment; many implementations fail because of an unstructured approach to shared assets and difficult identification of the organizations' dependencies on outsourced services (e.g. Stewart, 2018).
Moving to the outcomes of ISO/IEC 27001 adoption, the literature highlights lower IS risk levels (e.g. Al-Karaki et al., 2022) and improved business continuity (e.g. Rezaei et al., 2014) with consequent reduction of expenditures stemming from legal costs and bad news (e.g. due data leaks – Bakar et al., 2015). Scholars have also argued that the structured approach to information-related activities/processes demanded by ISO/IEC 27001 could result in clearer roles and accountabilities and fewer redundancies (e.g. Annarelli et al., 2020). Moreover, ISO/IEC 27001 can be considered a “ticket to the market” for exporting firms – in particular, when they conduct their activities in contexts characterized by high diffusion degrees (e.g. Dionysiou, 2011) – and vendors located in offshored countries – e.g. India, Taiwan, Singapore – as it allows companies to show their international customers the care paid in ensuring data protection (e.g. Hlača et al., 2008). Despite these positive implications, the formalization required by some of the ISO/IEC 27001 dictates has also been connected to flexibility losses with negative implications for both labour productivity and the ability to fulfil customers' requests (Crowder, 2013, van Wessel et al., 2011). As a result, concerns related to potential side effects on firms' profitability have been raised too (Tejay and Shoraka, 2011). Furthermore, some studies (e.g. Culot et al., 2019) have questioned the potential differentiating role of the standard, arguing that it only provides limited reputational benefits.
To conclude, it is worth acknowledging the specific context in which the empirical studies on ISO/IEC 27001 have been conducted [1]. Most of the authors (4 contributions) investigate issues related to US companies (Tarn et al., 2009; Tejay and Shoraka, 2011; Deane et al., 2019; Podrecca et al., 2022b). German organizations have been considered in three papers (Beckers et al., 2013; Mirtsch et al., 2020, 2021). Spain (Pardo et al., 2013; Mesquida et al., 2014), Iran (Rezaei et al., 2014; Khajouei et al., 2017), Taiwan (Ku et al., 2009; Liao and Chueh, 2012) and Turkey (Başaran, 2016; Ozkan and Karabacak, 2010) follow with two contributions each. Surprisingly, except for the German case, the focus of the studies is not consistent with the diffusion of the standard; many of the countries with the highest number of issued ISO/IEC 27001 certificates (ISO, 2021) have never been considered (e.g. Japan, India) or have been included only in studies resorting to a multi-country perspective (e.g. UK, China, Netherlands – van Wessel et al., 2011; UK, Italy – Annarelli et al., 2020).
Against this background characterized by the emergence of some controversial aspects that may hinder ISO/IEC 27001 adoption (e.g. avoidance of formal certification by firms, implementation failures due to lack of guidance on control selection and shared assets, lack of clarity around the outcomes of the adoption) and of discrepancies between the countries investigated in empirical studies and those recording the highest number of issued ISO/IEC 27001 certificates, a prominent need exists to investigate ISO/IEC 27001 future trajectories and to compare them with those of more mature and widespread management standards (i.e. ISO 9001, ISO 14001). As we will see in the next section, the diffusion patterns of these standards have been widely investigated, while a specific study on ISO/IEC 27001 is still missing.
2.2 Diffusion studies
The first studies analysing the (long-term) diffusion patterns of international standards appeared in the early 2000s when Franceschini et al. (2004) noticed that their adoption follows an S-shaped (or sigmoid curve) divided into three different phases: an initial exponential growth (expansion) due to the firms' desire to give formal evidence of their commitment towards a specific topic (e.g. quality assurance, sustainability, social responsibility), a subsequent phase (maturation) characterised by a linear growth, and a last phase (retrocession) in which the interest reaches the peak and becomes stable gradually moving towards saturation.
The abovementioned patterns are close to those of population growth in environments with scarce resources (Pearl, 1978) and innovation adoption (Gurbaxani, 1990), i.e. two topics extensively studied by applying diffusion models like Verhulst (logistic) and Gompertz curves.
Franceschini et al. (2004) used these models to study diffusive patterns of some international management standards. Firstly, they resorted to Verhulst's equation to shed light on ISO 9001 dissemination across Europe. Subsequently, other scholars showed that the estimates of diffusive models can describe adoption trends of other standards (e.g. ISO 14001, SA8000, Global Reporting Initiative – GRI, United Nations Global Compact) both considering them at country and industry level (i.e. shedding light on the dissemination of international standards in specific countries and industries) (see Table 1).
A slightly different technique has, instead, been adopted by most recent contributions (Ikram et al., 2019, 2021). In particular, scholars have started to investigate the future diffusion of international standards using more sophisticated approaches, namely Grey models. When compared with Verhulst and Gompertz curves, the Grey method can provide several benefits such as high accuracy of the forecasts (e.g. several contributions based on logistic approaches underestimated the number of issued certificates) against a reduced computational effort (Liu et al., 2017; Javed and Liu, 2018). The next section provides a review of extant research on Grey models highlighting their characteristics, previous usage for research purposes and main limitations.
2.3 Grey models
First introduced in the ’80s by the Chinese scholar Julong Deng, Grey models are a data-driven intelligent time-series forecasting technique that is particularly useful in the study of samples characterized by reduced size, poor information and uncertainty (Liu et al., 2016); three limitations that usually affect studies dealing with the diffusion of management system standards (Ikram et al., 2019, 2021). The main characteristic of this forecasting approach is the capability of “extracting useful information from what is available” (Liu et al., 2015, p. 141); this way the law describing the system can be effectively explained and quantitative predictions can be done.
Starting from the original first order and one variable Grey Model (1,1) – GM (1,1), over the last 40 years the research on the grey forecasting technique has been particularly active due to both practical needs and its applicability to a wide range of situations. This has led to the development of four basic forms of GM (1,1), namely Even Grey Model (1,1) – EGM (1,1), Original Difference Grey Model (1,1) – ODGM (1,1), Even Difference Grey Model (1,1) – EDGM (1,1) and Discrete Grey Model (1,1) – DGM (1,1). Without entering into the specific peculiarities of each of them, we can refer to the classification of Liu et al. (2015) which argues that ODGM, EDGM and DGM are more useful in the case of homogeneous exponential sequences of data, while EGM describes well non-exponential increasing and vibration (i.e. data moving around a reference value) sequences of data. Building on these basic forms, many contributions have focused on the characteristics of the models (e.g. Ji et al., 2001); on optimizing the parameters of the models (e.g. Jie and Bo, 2012); on strategies aimed at improving the initial values included in the models (e.g. Dang et al., 2005); and on identifying the application boundaries of the different models (e.g. Xie and Liu, 2006). As a result, the different (1,1) models have been used in a wide range of fields including agriculture (e.g. Li et al., 2022), tourism (Dang et al., 2020), energy (Javed and Cudjoe, 2022) and management (Ikram et al., 2021).
Additional improvements in the discipline have led to the development of Grey (1,N) models. In (1,N) models the forecasted values depend not only on the sequence of original data of the dimension being estimated (e.g. the number of issued certificates), but scholars can also include some (independent) variables to investigate the sensitivity of the results to some contextual factors of interest (e.g. they can introduce the GDP growth to take into account the effect of the general economic situation) (Liu et al., 2017). Despite the accuracy improvements achievable thanks to (1,N) models, two main drawbacks hinder their large-scale applicability for prediction purposes (Ofosu-Adarkwa et al., 2020). First, these models can be used for predicting future values only when the original data vary slightly. Second, their estimates are based on the original data sequence of relevant factors (i.e. suppose we want to estimate ISO/IEC 27001 diffusion up to 2030, we would need the values of independent variables up to 2030, which is not feasible). For such reasons, scholars resorting to Grey models to estimate the future trends of international management standards have always adopted (1,1) models (Ikram et al., 2019, 2021).
3. Methodology
3.1 Dataset and modelling approach
The dataset used in this paper comes from the list of ISO/IEC 27001 issued certifications available on the ISO website (ISO, 2021). Analysed data refer to the period from 2010 to 2020 and, consistently with extant research (e.g. Ikram et al., 2019, 2021), consider the six countries with the highest number of certified organizations (i.e. Japan, China, UK, India, Germany, Italy).
As previously argued, when compared with traditional Verhulst and Gompertz equations, Grey models provide several benefits including the higher reliability of the forecasts and the possibility to present the results in a simple mathematical form (Liu et al., 2017). Hence, we resorted to (1,1) Grey models to investigate the diffusion patterns of ISO/IEC 27001. Based on the classification of Liu et al. (2015) described in the previous section and considering the characteristics of the data, we decided to use both a model suitable for exponential sequences and a model useful for non-exponential increasing sequences. While EGM (1,1) was the only available model for non-exponential increasing sequences (Liu et al., 2015), in terms of exponential sequences we preferred DGM (1,1) rather than OGM (1,1) or EDGM (1,1). This is because over the last years many scholars have proposed variations to the DGM (1,1) estimation algorithm aimed at improving its forecasting performance. As such, in line with the most recent contributions (e.g. Javed et al., 2020; Javed and Cudjoe, 2022), the Even Grey model – EGM (1,1), the discrete Grey model – DGM (1,1) and their generalized versions – EGM (1,1,α,θ), DGM (1,1,α) – were selected [2].
3.2 Grey models
3.2.1 DGM (1,1) and EGM (1,1)
Suppose to consider a sequence of raw data
The 1-AGO sequence of data is then introduced in the DGM (1,1) and EGM (1,1) to forecast the desired values.
3.2.1.1 DGM (1,1)
The DGM (1,1) – the discrete form of a first-order single variable Grey model – time-response function of
To estimate the parameters β1 and β2, an ordinary least squares (OLS) approach can be adopted (Zhao et al., 2018), namely
The Online Appendix 2 provides a step-by step application of DGM (1,1) to a real case (i.e. the number of ISO/IEC 27001 issued certificates in Japan). For a more detailed discussion on DGM (1,1) the interested reader might refer, among others, to Zhao et al. (2018).
3.2.1.2 EGM (1,1)
The EGM (1,1) – the even form of a first-order single variable Grey model – time-response function of
To estimate the parameters a and b, an Ordinary Least Square (OLS) approach can be adopted (Liu et al., 2017), namely
The Online Appendix 2 provides a step-by step application of EGM (1,1) to a real case (i.e. the number of ISO/IEC 27001 issued certificates in Japan). For a more detailed discussion on EGM (1,1) the interested reader might refer, among others, to Liu et al. (2017).
3.2.2 EGM (1,1,α,θ) and DGM (1,1,α)
Despite the concept of 1-AGO is widely adopted, it presents some limitations that might worsen the prediction performance of GM (1,1) models. In particular, the models resulting from Deng (2004) definition of 1-AGO are linear models and thus they are oversimplified for many real applications in which diffusion patterns may accelerate or reduce over time. This issue prompted researchers to propose alternative operators for data accumulation. One of the most successful attempts was made by Ma et al. (2020) that proposed the conformable fractional accumulation of raw data and the inverse conformable accumulation of simulated data. The fractional-order accumulation allows considering nonlinearity in data (i.e. it accounts for any potential increase or decrease in the diffusion rate of the phenomenon being investigated) and thus improves the reliability of the model and its adherence to reality (Javed and Cudjoe, 2022).
Suppose to consider the same sequence of raw data as in (1)
The conformable fractional accumulated sequence of data is then introduced in the DGM (1,1,α) and EGM (1,1,α,θ) to forecast the desired values.
3.2.2.1 DGM (1,1,α)
The DGM (1,1,α) – the discrete form of a grey forecasting model with a first-order differential equation containing one variable and conformable fractional accumulation – time-response function of
To estimate the parameters β1 and β2, an OLS approach can be adopted (Javed and Cudjoe, 2022), namely
3.2.2.2 EGM (1,1,α,θ)
The EGM (1,1,α,θ) – the even form of a grey model with a first-order differential equation containing one variable, and weighted background value containing conformable fractional accumulation – time-response function of
To estimate the parameters a and b, an Ordinary Least Square (OLS) approach can be adopted (Javed et al., 2020), namely
α and θ can be identified by minimizing the forecasting error. In particular, according to Javed et al. (2020), this can be done by solving the following optimization problem
3.3 Forecasting performance evaluation
To evaluate the forecasting performance of the four models we resorted to the Mean Absolute Percentage Error (MAPE) defined as follows:
MAPE is one of the most widely adopted measures of goodness-of-fit and has been already used in different contexts (see for example Ikram et al., 2021, 2019; Javed et al., 2020). According to the Lewis scale (Lewis, 1982), MAPE values can be considered as follows (Table 2).
3.4 Growth analysis and doubling time
To complement our analyses, two additional indicators were used: the Relative Growth Rate (RGR) and the Doubling time (Dt). The first was employed to shed light on the country-wise relative growth of ISO/IEC 27001 certificates; the second to understand the time needed to double the number of ISO/IEC 27001 certificates. Previous adoption of these indexes can be found, among others, in Javed and Liu (2018).
RGR is defined as (Javed and Liu, 2018):
Moving to the Doubling time (Dt), the underlying equation is given as (Javed and Liu, 2018):
Similarly to the RGR, (t2-t1) is equal to one year. Therefore, Dt equation becomes:
4. Results and discussion
This chapter is structured into two sections. The first evaluates the effectiveness of the models in describing current and future trends of ISO/IEC 27001 adoption. The second presents and discusses the findings.
4.1 Performance evaluation of the models
Table 3–8 report the findings for the six countries under investigation: Japan, China, UK, India, Germany, Italy. For each of them, we first simulated data from 2010 to 2020 and then we predicted the number of issued certificates from 2021 to 2030.
As stated in section 3.3., the goodness of fit of the Grey models is evaluated in terms of their MAPE. Results show that EGM (1,1,α,θ) always outperforms (i.e. its MAPE shows lower values) DGM (1,1,α), EGM (1,1) and DGM (1,1) exhibiting highly accurate (UK, India) or good (Japan, China, Germany, Italy) estimates. Accordingly, in the following section, the findings presentation and discussion will build on EGM (1,1,α,θ) predictions.
As a side note, it is particularly interesting to highlight that the accuracy improvement in moving from EGM (1,1), DGM (1,1,α) and DGM (1,1) to EGM (1,1,α,θ) is far more relevant in countries with higher growth rates. For instance, in China the accuracy improves by almost 40% with a MAPE that goes from 27.02% (DGM (1,1)) to 15.30% (EGM (1,1,α,θ)).
4.2 Presentation of the findings
As regards data up to 2020 (Tables 3 and 8; see Figures 1–6 for a graphical representation of the results), Japan (18,103 certifications) has recorded the highest number of ISO/IEC 27001 issued certificates followed by China (12,489), UK (5,897), India (5,449), Germany (3,367) and Italy (3,324). Moving to the EGM (1,1,α,θ) predicted values (2021–2030), the estimates exhibit exponential growth (Figures 1–6) in the years to come with China (412,338 certificates) that is likely to become the leading country in terms of ISO/IEC 27001 certifications, followed by Japan (59,704), Germany (40,752), Italy (35,708), UK (29,465) and India (26,509). Based on these results, two interesting findings emerge. On the one hand, with 24,292 certificates in 2022 China will overtake Japan (20,763) at the top of the chart. On the other, UK is predicted to lose some positions in favour of Germany and Italy.
After shedding light on the (current and future) diffusion trends, we can notice that the countries characterized by the highest amount of ISO/IEC 27001 certificates are also leading as regards the adoption of more mature standards (i.e. ISO 9001, ISO 14001 – ISO, 2021; Ikram et al., 2021, 2019). These results can be explained considering the findings of Mirtsch et al. (2020), Cots and Casadesús (2015) and Dahlin and Isaksson (2017): firms usually start to implement general standards (i.e. ISO 9001) and then resort to more specific ones. Accordingly, in areas with an established tradition of certifications, many organizations have already validated the quality of their operational processes and therefore they are starting to approach other (more specific) standards like ISO/IEC 27001. In such contexts, ISO/IEC 27001 exhibits two main strengths. On the one hand, the learning process followed for ISO 9001 and ISO 14001 could help firms to adhere more quickly to ISO/IEC 27001 (Podrecca et al., 2022a); companies can therefore take advantage of the positive externalities of ISO/IEC 27001 (e.g. streamlined buyer-supplier relationships – Hannigan et al., 2019; differentiation effect – Stewart, 2018) without all the burdens faced by firms approaching ISO standards for the first time. On the other hand, by implementing ISO/IEC 27001 together with other management standards (and by integrating them into a single management system) firms can benefit from the peculiarities of each of them while reducing costs, complexity and time efforts required to manage common mandatory requirements like documentation, audits and procedures (Hoy and Foley, 2015; Sampaio et al., 2012).
Based on the data up to 2020, the RGR estimates show the following sequence:
The outcomes of these analyses highlight two main findings. First, up to 2020, China has recorded the highest RGR (0.441). Second, after an initial euphoria, the growth rate of Japan has slowed down and the country is currently characterized by the highest Dt (2.072). This evidence is consistent with the dictates of Mastrogiacomo et al. (2021): diffusion patterns are not “synchronous” across different contexts. Some countries exhibit an immediate adoption followed by a reduction of interest (or at least a decrease in the diffusion rate), while in other regions the diffusion processes start more slowly and the sustained growth occurs only at a later stage. These dynamics are generally linked to some peculiar economic and socio-political conditions of each country (Ikram et al., 2019). Accordingly – in parallel with their expansion in worldwide markets – Chinese firms may have been asked to achieve ISO/IEC 27001 as a mandatory prerequisite for establishing some business partnerships (Dionysiou, 2011). On the contrary, the slowdown recorded in Japan might be linked to the issues faced by Japanese firms: both their market shares and their productivity exhibit stagnating trends (e.g. Akram, 2019).
Based on EGM (1,1,α,θ) data (2021–2030) the following sequence is obtained for the RGR:
EGM (1,1,α,θ) predicted data (2021–2030) present higher RGR (and therefore lower Dt) when compared with trends observed up to 2020. For instance, while up to 2020 the RGR of China was 0.441, in the period 2021–2030 the RGR is equal to 0.485. Similarly, Germany moved from 0.364 to 0.409, Italy from 0.362 to 0.402, UK from 0.341 to 0.345, India from 0.323 to 0.345, Japan from 0.285 to 0.330. These data show that, differently from other more mature standards (e.g. ISO 9001, ISO 14001) whose growing trends have recently plateaued (ISO, 2021), ISO/IEC 27001 is expected to play a significant role in the years to come. This pattern seems to reflect the increasing central position of information technologies in all economic fields (Maganga and Taifa, 2023; Sony et al., 2022): nowadays value creation is all about data exchange across organizational boundaries (Rendon-Benavides et al., 2023; Wu et al., 2022). The relevance of both scope and scale of these interactions poses several new challenges to information system security (Wong et al., 2019); supply chains are increasing their digitalization level, online solutions are connecting a relevant amount of customers and suppliers, cloud-based platforms are leading to massive outsourcing of computing capabilities and data storage. In this new landscape, holistic approaches – such as ISO/IEC 27001 – are a given for worldwide companies and organizations (Rauniyar et al., 2023; Vance et al., 2020). Moreover, as more and more firms are demanding the external validation of the IS-related processes of their business partners, ISO/IEC 27001 is becoming a common ground to overcome transaction barriers (Villarreal, 2019).
Summing up, while some scholars (e.g. Mirtsch et al., 2021) have raised potential concerns regarding ISO/IEC 27001 long-term diffusion, our study shows that such controversial issues will not overshadow the adoption of the standard. As long as information security will remain a hot business topic, ISO/IEC 27001 adoption will continue growing and giving certified organizations the required capabilities to ensure data availability, integrity and confidentiality together with the chance to present formal evidence of their commitment.
At this point, it is worth acknowledging some factors that may alter the estimates in the years to come. Building on extant research (e.g. Sampaio et al., 2009; Franceschini et al., 2006; Corbett and Kirsch, 2001) two macroeconomic aspects appear particularly relevant: the economic development and the export propensity of the different countries. First, as for economic development, previous studies have posited that the greater the development of the country, the higher the number of companies and the larger the number of issued certificates (e.g. Corbett and Kirsch, 2001). A potential economic slowdown in the years to come (e.g. due to the rising energy prices – We Forum, 2022), could reduce the number of companies interested in adopting ISO/IEC 27001 and thus cause the estimates of this study to be revised downward. Second, as for the export propensity of the companies' home country, firms usually implement international management standards as a response to the coercive pressures of some foreign commercial partners that require formal evidence of their commitment towards a specific topic (e.g. quality assurance, sustainability, social responsibility – Guler et al., 2002). Some recent events (e.g. Brexit, US-China trade war, Russia-Ukraine war) might, however, decrease the economic openness and the export propensity of the countries (e.g. Goulard, 2020) potentially leading to a reduction in the number of issued certificates in the years to come. To conclude, in addition to the macroeconomic factors emerging from the literature, other relevant aspects such as the enactment of incentives aimed at fostering the adoption of ISO/IEC 27001 and modifications in the dictates underpinning this certification scheme might further modify the dissemination patterns. In particular, in case governments decide to resort to promotional and regulatory activities aimed at sustaining the adoption of ISO/IEC 27001, the estimates might need to be revised upward. As regards potential modifications to the ISO/IEC 27001 dictates, a specific prediction cannot be made: less stringent requirements could lead to faster diffusion, thanks to the possibility for firms to invest a lower amount of resources in the implementation of this international management standard; too loose requirements could reduce the trustworthiness of ISO/IEC 27001 and lead to a slow-moving diffusion or even a reduction of interest in the standard (e.g. Seppala, 2009; Soederberg, 2007).
5. Conclusions
The growing digitalization of business processes is increasing the risks associated with security breaches. Organizations are now asked to take holistic approaches to ensure the continuity of their activities and preserve data availability, integrity and confidentiality; in such context, information security standards play a pivotal role. Against this background, the aim of this paper was to provide the first systematic analysis of the diffusion of ISO/IEC 27001, the fourth most popular ISO certification at the global level, and the most important standard for information security. Based on the number of ISO/IEC 27001 issued certificates from 2010 to 2020, the study shed light on the issue by combining Grey models with the relative growth rate and the doubling time indexes. The findings show that a generalized growing trend is likely to be expected in the years to come and that China will lead as regards the number of issued certificates. Moreover, the results highlight the usefulness and high reliability of Grey Models to investigate the diffusion of international management standards.
According to the outcomes and the considerations reported in the previous sections, this paper contributes to both academia and practice. From an academic point of view, four main contributions can be identified. First, we answer previous calls for more research on the diffusion trends of ISO/IEC 27001 (Culot et al., 2021) by proposing the first analysis of its past, present and future adoption patterns. This way, we increase the understanding of ISO/IEC 27001 spread and, in particular, we point out a difference between the countries investigated in empirical studies and those recording the highest number of issued ISO/IEC 27001 certificates. This calls for further investigations aimed at shedding light on issues related to the adoption (e.g. motivations) and effectiveness (e.g. performance implications) of ISO/IEC 27001 for organizations operating in these contexts. Second, looking at the growing interest in IS, we highlight the relevance that ISO/IEC 27001 is likely to have in the years to come. Based on the data of issued certificates from 2010 to 2020 in the six leading countries, we show that a rising trend is likely to be expected in the near future. This finding is particularly relevant considering the concerns posed by extant research as regards the usefulness of this international management standard and the competition it might suffer from other general and context-specific standards. Third, by shedding light on the diffusion trends of ISO/IEC 27001, we contribute to the literature on management systems and voluntary standards, also enabling comparisons among them; the number of ISO/IEC 27001 issued certificates will approach that of more mature standards such as ISO 9001 and ISO 14001. Finally, scholars investigating the diffusion of international management standards may find our findings particularly relevant: the use of Grey models shows an analytical methodology that, with the exception of Ikram et al. (2021, 2019), has been rarely employed and which may apply to other voluntary standards as well.
From a practical point of view, the analysis of the current diffusion of ISO/IEC 27001 and the accurate forecasts regarding its future dissemination patterns presented in this study might support companies in improving their awareness of the importance of ISO/IEC 27001 and in taking more informed decisions as regards the choice to certify. In particular, by highlighting the relevant role that ISO/IEC 27001 is likely to assume in the near future, our findings can help firms to align their strategy with global requirements, which are progressively moving towards internationally recognized management standards (Granja et al., 2021), and to strengthen their business by planning, developing and communicating practices related to information security. Organizations' capability to demonstrate care in ensuring data protection is increasingly acknowledged as a relevant lever for value creation (e.g. Deane et al., 2019); hence, the decision to embrace a highly growing standard like ISO/IEC 27001 could allow firms to prove their reliability and signal it to current and prospective customers. The study is also useful for the certification body itself (ISO) which can use our predictions to understand how the ISO/IEC 27001 market will develop in the future, anticipate demands, refine medium-term strategic planning, guide promotional strategies and understand potential areas of improvement. Policymakers may find our results relevant as well; in particular, to develop promotional and regulatory activities aimed at sustaining the diffusion of the standard. To conclude, by highlighting the relevance that ISO/IEC 27001 is likely to have in the years to come, our study might also encourage the adoption of the standard. This may contribute to a society more attentive to the issues related to information security and data protection.
The study is not exempt from limitations, which represent potential avenues for further development of the research. First, we only evaluated a small number of countries exhibiting a high number of issued certificates. Future studies could extend our findings to different settings (e.g. regions, countries, industries); specific diffusion patterns might appear depending on cultural and legal factors, the relevance of IT/IS for the considered context and the existence of alternative standards/approaches (e.g. Culot et al., 2021). Second, despite Grey models (1,1) provide robust and reliable results both in terms of explaining past trends and predicting the future diffusion of ISO/IEC 27001, this forecasting technique can only take into account endogenous factors of growth and does not consider the effects of exogenous factors such as those related to the global economic situation, enactment of incentives aimed at fostering the adoption of ISO/IEC 27001 and modifications in the dictates underpinning this certification scheme. Should these variations occur, it would be advisable to repeat the analyses. This would allow, on the one hand, to obtain updated forecasts; on the other, to understand the specific effect of the discontinuity on the diffusion trends of ISO/IEC 27001. Further research could also resort to Grey models to shed light on the joint adoption of multiple management standards (e.g. ISO 9001 and ISO 14001; ISO 9001 and ISO/IEC 27001; ISO 9001, ISO 14001 and ISO/IEC 27001). Moreover, in light of the managerial challenges posed by information security, further studies could investigate the diffusion patterns of other management standards aimed at helping firms to cope with the risks posed by new technologies (e.g. ISO 27701). To conclude, we hope that by showing the relevance of ISO/IEC 27001 our study will lead more scholars to consider this certification scheme; for instance, by investigating how the motivations for the adoption, the implementation challenges and the effectiveness differ when considering different contexts.
Figures
Diffusion studies
Standard | Authors | Adopted approach | Level of analysis |
---|---|---|---|
ISO 9001 | Franceschini et al. (2004) | Logistic | Country |
ISO 9001 | Franceschini et al. (2006) | Logistic | Country and economic sector |
ISO 9001 | Llach et al. (2011) | Logistic | Economic sector |
ISO 9001 | Ikram et al. (2021) | Grey | Country |
ISO 9001 and ISO 14001 | Marimon et al. (2006) | Logistic | Country and economic sector |
ISO 9001 and ISO 14001 | Casadesús et al. (2008) | Logistic | Country |
ISO 9001 and ISO 14001 | Marimon et al. (2009) | Logistic | Country |
ISO 9001 and ISO 14001 | Marimon et al. (2010) | Logistic | Country |
ISO 9001 and industry-specific “Q” standard | del Mar Alonso-Almeida et al. (2013) | Logistic | Economic sector |
ISO 14001 | Marimon et al. (2011) | Logistic | Economic sector |
ISO 14001 | Ikram et al. (2019) | Grey | Country |
ISO 20000 | Cots and Casadesús (2015) | Logistic | Country |
ISO 22000 | Granja et al. (2021) | Gompertz | Country |
ISO/TS 16949 | Franceschini et al. (2011) | Logistic | Country |
GRI | Marimon et al. (2012) | Logistic | Country and economic sector |
GRI | del Mar Alonso-Almeida et al. (2014) | Logistic | Country and economic sector |
GRI | del Mar Alonso-Almeida et al. (2015) | Logistic | Universities |
SA8000 | Llach et al. (2015) | Logistic | Country and economic sector |
United Nations Global Compact | Podrecca et al. (2022a) | Logistic | Country and economic sector |
Integrated management systems (ISO 9001, ISO 14001, and OHSAS, 18001) | Cabecinhas et al. (2018) | Logistic + Gompertz | Country |
Integrated management systems (ISO 9001, ISO 14001, and OHSAS, 18001) | Cabecinhas et al. (2020) | Logistic + Gompertz | Country |
Source(s): Table by authors
Lewis scale for MAPE evaluation
MAPE (%) | Forecast accuracy |
---|---|
Lower than 10% | Highly accurate forecast |
Between 10% and 20% | Good forecast |
Between 20% and 50% | Reasonable forecast |
Higher than 50% | Inaccurate forecast |
Source(s): Table by authors
ISO/IEC 27001 growth for Japan
Year | Actual data | EGM (1,1,α,θ) | EGM (1,1) | DGM (1,1,α) | DGM (1,1) | Cumulative data | RGR | RGR mean | Dt | Dt mean |
---|---|---|---|---|---|---|---|---|---|---|
2010 | 6,237 | 6,237 | 6,237 | 6,237 | 6,237 | 6,237 | ||||
2011 | 6,914 | 4,859 | 5,000 | 5,060 | 5,060 | 13,151 | 0.746 | 0.285 | 0.986 | 2.072 |
2012 | 7,199 | 5,545 | 5,721 | 5,784 | 5,784 | 20,350 | 0.437 | 1.522 | ||
2013 | 7,140 | 6,328 | 6,546 | 6,611 | 6,611 | 27,490 | 0.301 | 1.895 | ||
2014 | 7,171 | 7,221 | 7,490 | 7,557 | 7,557 | 34,661 | 0.232 | 2.155 | ||
2015 | 8,240 | 8,240 | 8,571 | 8,638 | 8,638 | 42,901 | 0.213 | 2.238 | ||
2016 | 8,945 | 9,403 | 9,807 | 9,873 | 9,873 | 51,846 | 0.189 | 2.357 | ||
2017 | 9,161 | 10,730 | 11,222 | 11,285 | 11,285 | 61,007 | 0.163 | 2.509 | ||
2018 | 12,145 | 12,245 | 12,841 | 12,899 | 12,899 | 73,152 | 0.182 | 2.399 | ||
2019 | 16,848 | 13,973 | 14,693 | 14,744 | 14,744 | 90,000 | 0.207 | 2.267 | ||
2020 | 18,103 | 15,945 | 16,813 | 16,853 | 16,853 | 108,103 | 0.183 | 2.390 | ||
2021 | 18,195 | 19,238 | 19,263 | 19,263 | 18,195 | |||||
2022 | 20,763 | 22,014 | 22,018 | 22,018 | 38,958 | 0.761 | 0.330 | 0.966 | 1.912 | |
2023 | 23,694 | 25,189 | 25,167 | 25,167 | 62,652 | 0.475 | 1.437 | |||
2024 | 27,038 | 28,823 | 28,766 | 28,766 | 89,690 | 0.359 | 1.718 | |||
2025 | 30,854 | 32,980 | 32,880 | 32,880 | 120,544 | 0.296 | 1.912 | |||
2026 | 35,208 | 37,738 | 37,583 | 37,583 | 155,752 | 0.256 | 2.055 | |||
2027 | 40,178 | 43,182 | 42,958 | 42,958 | 195,930 | 0.229 | 2.165 | |||
2028 | 45,848 | 49,411 | 49,101 | 49,101 | 241,778 | 0.210 | 2.253 | |||
2029 | 52,319 | 56,539 | 56,123 | 56,123 | 294,097 | 0.196 | 2.323 | |||
2030 | 59,704 | 64,695 | 64,150 | 64,150 | 353,801 | 0.185 | 2.381 | |||
a; β1 | −0.13203 | −0.13475 | 1.14302 | 1.14302 | ||||||
b; β2 | 3,722.141 | 3,829.922 | 4,168.496 | 4,168.496 | ||||||
α | 1 | 1 | ||||||||
θ | 0.67579 | |||||||||
MAPE (%) | 11.68% | 12.28% | 12.32% | 12.32% |
Source(s): Table by authors
ISO/IEC 27001 growth for China
Year | Actual data | EGM (1,1,α,θ) | EGM (1,1) | DGM (1,1,α) | DGM (1,1) | Cumulative data | RGR | RGR mean | Dt | Dt mean |
---|---|---|---|---|---|---|---|---|---|---|
2010 | 509 | 509 | 509 | 509 | 509 | 509 | ||||
2011 | 664 | 459 | 604 | 371 | 635 | 1,173 | 0.835 | 0.441 | 0.874 | 1.556 |
2012 | 790 | 668 | 857 | 624 | 902 | 1,963 | 0.515 | 1.357 | ||
2013 | 965 | 965 | 1,216 | 965 | 1,282 | 2,928 | 0.400 | 1.610 | ||
2014 | 1,210 | 1,389 | 1,725 | 1,441 | 1,821 | 4,138 | 0.346 | 1.755 | ||
2015 | 1,469 | 1,994 | 2,447 | 2,111 | 2,588 | 5,607 | 0.304 | 1.885 | ||
2016 | 2,618 | 2,858 | 3,471 | 3,056 | 3,676 | 8,225 | 0.383 | 1.652 | ||
2017 | 5,069 | 4,091 | 4,923 | 4,387 | 5,224 | 13,294 | 0.480 | 1.427 | ||
2018 | 7,612 | 5,849 | 6,983 | 6,261 | 7,422 | 20,906 | 0.453 | 1.486 | ||
2019 | 8,357 | 8,357 | 9,905 | 8,892 | 10,545 | 29,263 | 0.336 | 1.783 | ||
2020 | 12,489 | 11,933 | 14,050 | 12,583 | 14,983 | 41,752 | 0.355 | 1.728 | ||
2021 | 17,029 | 19,930 | 17,754 | 21,289 | 17,029 | |||||
2022 | 24,292 | 28,270 | 24,989 | 30,247 | 41,321 | 0.886 | 0.485 | 0.814 | 1.459 | |
2023 | 34,640 | 40,100 | 35,100 | 42,977 | 75,961 | 0.609 | 1.189 | |||
2024 | 49,380 | 56,880 | 49,216 | 61,063 | 125,341 | 0.501 | 1.385 | |||
2025 | 70,372 | 80,682 | 68,904 | 86,760 | 195,713 | 0.446 | 1.501 | |||
2026 | 100,263 | 114,444 | 96,342 | 123,272 | 295,976 | 0.414 | 1.576 | |||
2027 | 142,819 | 162,335 | 134,551 | 175,149 | 438,795 | 0.394 | 1.625 | |||
2028 | 203,399 | 230,266 | 187,720 | 248,857 | 642,194 | 0.381 | 1.658 | |||
2029 | 289,624 | 326,624 | 261,663 | 353,585 | 931,818 | 0.372 | 1.681 | |||
2030 | 412,338 | 463,303 | 364,432 | 502,386 | 1,344,156 | 0.366 | 1.697 | |||
a; β1 | −0.35019 | −0.34957 | 1.37186 | 1.42083 | ||||||
b; β2 | 188.415 | 326.972 | 181.652 | 420.702 | ||||||
α | 0.93717 | 0.70528 | ||||||||
θ | 0.92309 | |||||||||
MAPE (%) | 15.30% | 22.74% | 18.30% | 27.02% |
Source(s): Table by authors
ISO/IEC 27001 growth for UK
Year | Actual data | EGM (1,1,α,θ) | EGM (1,1) | DGM (1,1,α) | DGM (1,1) | Cumulative data | RGR | RGR mean | Dt | Dt mean |
---|---|---|---|---|---|---|---|---|---|---|
2010 | 1,157 | 1,157 | 1,157 | 1,157 | 1,157 | 1,157 | ||||
2011 | 1,464 | 1,443 | 1,552 | 1,380 | 1,560 | 2,621 | 0.818 | 0.341 | 0.894 | 1.874 |
2012 | 1,701 | 1,708 | 1,811 | 1,701 | 1,820 | 4,322 | 0.500 | 1.386 | ||
2013 | 1,923 | 2,013 | 2,114 | 2,038 | 2,124 | 6,245 | 0.368 | 1.693 | ||
2014 | 2,253 | 2,368 | 2,467 | 2,414 | 2,479 | 8,498 | 0.308 | 1.871 | ||
2015 | 2,790 | 2,781 | 2,879 | 2,841 | 2,893 | 11,288 | 0.284 | 1.952 | ||
2016 | 3,367 | 3,263 | 3,361 | 3,330 | 3,377 | 14,655 | 0.261 | 2.036 | ||
2017 | 4,503 | 3,826 | 3,922 | 3,892 | 3,941 | 19,158 | 0.268 | 2.010 | ||
2018 | 4,723 | 4,483 | 4,578 | 4,539 | 4,599 | 23,881 | 0.220 | 2.206 | ||
2019 | 5,251 | 5,251 | 5,343 | 5,286 | 5,368 | 29,132 | 0.199 | 2.309 | ||
2020 | 5,897 | 6,148 | 6,236 | 6,148 | 6,265 | 35,029 | 0.184 | 2.384 | ||
2021 | 7,197 | 7,278 | 7,144 | 7,312 | 7,197 | |||||
2022 | 8,423 | 8,494 | 8,295 | 8,533 | 15,620 | 0.775 | 0.345 | 0.948 | 1.855 | |
2023 | 9,855 | 9,914 | 9,623 | 9,959 | 25,475 | 0.489 | 1.408 | |||
2024 | 11,528 | 11,571 | 11,159 | 11,623 | 37,003 | 0.373 | 1.679 | |||
2025 | 13,484 | 13,505 | 12,932 | 13,565 | 50,487 | 0.311 | 1.862 | |||
2026 | 15,769 | 15,762 | 14,981 | 15,832 | 66,256 | 0.272 | 1.996 | |||
2027 | 18,439 | 18,396 | 17,347 | 18,477 | 84,695 | 0.246 | 2.097 | |||
2028 | 21,559 | 21,471 | 20,081 | 21,564 | 106,254 | 0.227 | 2.177 | |||
2029 | 25,205 | 25,059 | 23,238 | 25,167 | 131,459 | 0.213 | 2.240 | |||
2030 | 29,465 | 29,247 | 26,884 | 29,372 | 160,924 | 0.202 | 2.291 | |||
a; β1 | −0.15443 | −0.15455 | 1.15102 | 1.16709 | ||||||
b; β2 | 1,123.561 | 1,256.080 | 1,204.810 | 1,366.185 | ||||||
α | 0.96497 | 0.90072 | ||||||||
θ | 1 | |||||||||
MAPE (%) | 3.94% | 5.87% | 4.43% | 6.16% |
Source(s): Table by authors
ISO/IEC 27001 growth for India
Year | Actual data | EGM (1,1,α,θ) | EGM (1,1) | DGM (1,1,α) | DGM (1,1) | Cumulative data | RGR | RGR mean | Dt | Dt mean |
---|---|---|---|---|---|---|---|---|---|---|
2010 | 1,281 | 1,281 | 1,281 | 1,281 | 1,281 | 1,281 | ||||
2011 | 1,427 | 1,356 | 1,372 | 1,380 | 1,380 | 2,708 | 0.749 | 0.323 | 0.983 | 1.920 |
2012 | 1,611 | 1,585 | 1,607 | 1,616 | 1,616 | 4,319 | 0.467 | 1.455 | ||
2013 | 1,931 | 1,854 | 1,882 | 1,892 | 1,892 | 6,250 | 0.370 | 1.689 | ||
2014 | 2,168 | 2,168 | 2,205 | 2,216 | 2,216 | 8,418 | 0.298 | 1.905 | ||
2015 | 2,490 | 2,535 | 2,582 | 2,596 | 2,596 | 10,908 | 0.259 | 2.044 | ||
2016 | 2,902 | 2,965 | 3,024 | 3,040 | 3,040 | 13,810 | 0.236 | 2.138 | ||
2017 | 3,272 | 3,467 | 3,542 | 3,561 | 3,561 | 17,082 | 0.213 | 2.241 | ||
2018 | 4,723 | 4,054 | 4,149 | 4,171 | 4,171 | 21,805 | 0.244 | 2.103 | ||
2019 | 5,052 | 4,741 | 4,860 | 4,885 | 4,885 | 26,857 | 0.208 | 2.262 | ||
2020 | 5,449 | 5,544 | 5,692 | 5,721 | 5,721 | 32,306 | 0.185 | 2.382 | ||
2021 | 6,483 | 6,667 | 6,701 | 6,701 | 6,483 | |||||
2022 | 7,581 | 7,809 | 7,848 | 7,848 | 14,064 | 0.774 | 0.345 | 0.949 | 1.856 | |
2023 | 8,865 | 9,147 | 9,192 | 9,192 | 22,929 | 0.489 | 1.409 | |||
2024 | 10,367 | 10,713 | 10,766 | 10,766 | 33,296 | 0.373 | 1.679 | |||
2025 | 12,123 | 12,548 | 12,609 | 12,609 | 45,419 | 0.310 | 1.863 | |||
2026 | 14,176 | 14,698 | 14,768 | 14,768 | 59,595 | 0.272 | 1.996 | |||
2027 | 16,577 | 17,215 | 17,297 | 17,297 | 76,172 | 0.245 | 2.098 | |||
2028 | 19,385 | 20,164 | 20,258 | 20,258 | 95,557 | 0.227 | 2.177 | |||
2029 | 22,669 | 23,618 | 23,727 | 23,727 | 118,226 | 0.213 | 2.240 | |||
2030 | 26,509 | 27,663 | 27,790 | 27,790 | 144,735 | 0.202 | 2.291 | |||
a; β1 | −0.15648 | −0.15810 | 1.17122 | 1.17122 | ||||||
b; β2 | 1,052.006 | 1,063.804 | 1,160.167 | 1,160.167 | ||||||
α | 1 | 1 | ||||||||
θ | 0.56732 | |||||||||
MAPE (%) | 4.26% | 4.49% | 4.57% | 4.57% |
Source(s): Table by authors
ISO/IEC 27001 growth for Germany
Year | Actual data | EGM (1,1,α,θ) | EGM (1,1) | DGM (1,1,α) | DGM (1,1) | Cumulative data | RGR | RGR mean | Dt | Dt mean |
---|---|---|---|---|---|---|---|---|---|---|
2010 | 357 | 357 | 357 | 357 | 357 | 357 | ||||
2011 | 424 | 345 | 330 | 338 | 338 | 781 | 0.783 | 0.364 | 0.938 | 1.771 |
2012 | 488 | 444 | 421 | 430 | 430 | 1,269 | 0.485 | 1.416 | ||
2013 | 581 | 571 | 536 | 548 | 548 | 1,850 | 0.377 | 1.669 | ||
2014 | 634 | 734 | 683 | 699 | 699 | 2,484 | 0.295 | 1.915 | ||
2015 | 994 | 943 | 871 | 890 | 890 | 3,478 | 0.337 | 1.782 | ||
2016 | 1,338 | 1,212 | 1,110 | 1,135 | 1,135 | 4,816 | 0.325 | 1.816 | ||
2017 | 1,339 | 1,558 | 1,415 | 1,446 | 1,446 | 6,155 | 0.245 | 2.098 | ||
2018 | 2,003 | 2,003 | 1,803 | 1,843 | 1,843 | 8,158 | 0.282 | 1.960 | ||
2019 | 2,095 | 2,575 | 2,298 | 2,349 | 2,349 | 10,253 | 0.229 | 2.169 | ||
2020 | 3,367 | 3,309 | 2,928 | 2,993 | 2,993 | 13,620 | 0.284 | 1.952 | ||
2021 | 4,254 | 3,732 | 3,815 | 3,815 | 4,254 | |||||
2022 | 5,468 | 4,756 | 4,861 | 4,861 | 9,722 | 0.827 | 0.409 | 0.884 | 1.653 | |
2023 | 7,029 | 6,061 | 6,196 | 6,196 | 16,751 | 0.544 | 1.302 | |||
2024 | 9,035 | 7,724 | 7,896 | 7,896 | 25,786 | 0.431 | 1.534 | |||
2025 | 11,613 | 9,843 | 10,062 | 10,062 | 37,399 | 0.372 | 1.683 | |||
2026 | 14,928 | 12,544 | 12,824 | 12,824 | 52,327 | 0.336 | 1.784 | |||
2027 | 19,188 | 15,987 | 16,342 | 16,342 | 71,515 | 0.312 | 1.857 | |||
2028 | 24,665 | 20,374 | 20,827 | 20,827 | 96,180 | 0.296 | 1.909 | |||
2029 | 31,704 | 25,965 | 26,542 | 26,542 | 127,884 | 0.285 | 1.949 | |||
2030 | 40,752 | 33,090 | 33,826 | 33,826 | 168,636 | 0.277 | 1.978 | |||
a; β1 | −0.25107 | −0.24249 | 1.27441 | 1.27441 | ||||||
b; β2 | 214.279 | 205.225 | 239.598 | 239.598 | ||||||
α | 1 | 1 | ||||||||
θ | 0.35361 | |||||||||
MAPE (%) | 10.05% | 11.91% | 11.29% | 11.29% |
Source(s): Table by authors
ISO/IEC 27001 growth for Italy
Year | Actual data | EGM (1,1,α,θ) | EGM (1,1) | DGM (1,1,α) | DGM (1,1) | Cumulative data | RGR | RGR mean | Dt | Dt mean |
---|---|---|---|---|---|---|---|---|---|---|
2010 | 374 | 374 | 374 | 374 | 374 | 374 | ||||
2011 | 425 | 365 | 343 | 357 | 357 | 799 | 0.759 | 0.362 | 0.969 | 1.804 |
2012 | 495 | 465 | 433 | 450 | 450 | 1,294 | 0.482 | 1.423 | ||
2013 | 901 | 592 | 546 | 566 | 566 | 2,195 | 0.528 | 1.331 | ||
2014 | 969 | 753 | 688 | 713 | 713 | 3,164 | 0.366 | 1.699 | ||
2015 | 1,013 | 959 | 867 | 898 | 898 | 4,177 | 0.278 | 1.974 | ||
2016 | 1,220 | 1,220 | 1,094 | 1,130 | 1,130 | 5,397 | 0.256 | 2.055 | ||
2017 | 958 | 1,553 | 1,379 | 1,422 | 1,422 | 6,355 | 0.163 | 2.505 | ||
2018 | 1,818 | 1,976 | 1,738 | 1,791 | 1,791 | 8,173 | 0.252 | 2.073 | ||
2019 | 2,513 | 2,515 | 2,191 | 2,254 | 2,254 | 10,686 | 0.268 | 2.010 | ||
2020 | 3,324 | 3,201 | 2,762 | 2,837 | 2,837 | 14,010 | 0.271 | 1.999 | ||
2021 | 4,074 | 3,482 | 3,572 | 3,572 | 4,074 | |||||
2022 | 5,186 | 4,390 | 4,496 | 4,496 | 9,260 | 0.821 | 0.402 | 0.890 | 1.673 | |
2023 | 6,600 | 5,534 | 5,660 | 5,660 | 15,860 | 0.538 | 1.313 | |||
2024 | 8,400 | 6,977 | 7,125 | 7,125 | 24,260 | 0.425 | 1.549 | |||
2025 | 10,692 | 8,795 | 8,969 | 8,969 | 34,952 | 0.365 | 1.701 | |||
2026 | 13,608 | 11,088 | 11,290 | 11,290 | 48,560 | 0.329 | 1.805 | |||
2027 | 17,319 | 13,978 | 14,212 | 14,212 | 65,879 | 0.305 | 1.881 | |||
2028 | 22,043 | 17,622 | 17,890 | 17,890 | 87,922 | 0.289 | 1.936 | |||
2029 | 28,055 | 22,215 | 22,520 | 22,520 | 115,977 | 0.277 | 1.977 | |||
2030 | 35,708 | 28,006 | 28,349 | 28,349 | 151,685 | 0.268 | 2.008 | |||
a; β1 | −0.24118 | −0.23164 | 1.2588 | 1.25881 | ||||||
b; β2 | 232.813 | 218.548 | 260.680 | 260.680 | ||||||
α | 1 | 1 | ||||||||
θ | 0.31327 | |||||||||
MAPE (%) | 15.67% | 20.29% | 18.22% | 18.22% |
Source(s): Table by authors
Notes
Data are based on the literature review of Culot et al. (2021) complemented with the most recent papers on the topic (see Table OA1 in the Online Appendix 1 for the full list of contributions).
The adopted Grey Models present two main limitations (Javed and Cudjoe, 2022; Javed et al., 2020). First, the sequence of input data must consist of at least four values. Second, they can only deal with input numbers greater or equal to zero. These constraints do not represent an issue in our study because our input sequences include values from 2010 to 2020 (i.e. they are longer than four) and they refer to the yearly number of ISO/IEC 27001 issued certificates (i.e. positive numbers).
Funding: This work received the financial support of the Regione Autonoma Friuli Venezia Giulia (Specific Program 89/2019 – Fondo Sociale Europeo, 2014/ 2020).
Supplementary material for this article can be found online.
References
Akram, T. (2019), “The Japanese economy: stagnation, recovery, and challenges”, Journal of Economic Issues, Vol. 53 No. 2, pp. 403-410.
Al-Karaki, J.N., Gawanmeh, A. and El-Yassami, S. (2022), “GoSafe: on the practical characterization of the overall security posture of an organization information system using smart auditing and ranking”, Journal of King Saud University, Vol. 34 No. 6, pp. 3079-3095.
Annarelli, A., Nonino, F. and Palombi, G. (2020), “Understanding the management of cyber resilient systems”, Computers and Industrial Engineering, Vol. 149, 106829.
Bakar, Z.A., Yaacob, N.A. and Udin, Z.M. (2015), “The effect of business continuity management factors on organizational performance: a conceptual framework”, International Journal of Economics and Financial Issues, Vol. 5 No. 1, pp. 128-134.
Başaran, B. (2016), “The effect of ISO quality management system standards on industrial property rights in Turkey”, World Patent Information, Vol. 45, pp. 33-46.
Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S. (2013), “A pattern-based method for establishing a cloud-specific information security management system”, Requirements Engineering, Vol. 18 No. 4, pp. 343-395.
Cabecinhas, M., Domingues, P., Sampaio, P., Bernardo, M., Franceschini, F., Galetto, M., Gianni, M., Gotzamani, K., Mastrogiacomo, L. and Hernandez-Vivanco, A. (2018), “Integrated management systems diffusion models in South European countries”, International Journal of Quality and Reliability Management, Vol. 35 No. 10, pp. 2289-2303.
Cabecinhas, M., Domingues, P., Sampaio, P. and Arezes, P. (2020), “Diffusion, drivers and trends on integrated management systems evolution among Portuguese companies”, International Journal of Occupational and Environmental Safety, Vol. 4 No. 1, pp. 15-36.
Casadesús, M., Marimon, F. and Heras-Saizarbitoria, I. (2008), “ISO 14001 diffusion after the success of the ISO 9001 model”, Journal of Cleaner Production, Vol. 16 No. 16, pp. 1741-1754.
Castka, P. and Corbett, C.J. (2015), “Management systems standards: diffusion, impact and governance of ISO 9000, ISO 14000, and other standards”, Foundations and Trends in Technology and Operations Management, Vol. 7 Nos 3-4, pp. 161-379.
Contieri, P.G.S., Anholon, R. and De Santa-Eulalia, L.A. (2022), “Industry 4.0 enabling technologies in manufacturing: implementation priorities and difficulties in an emerging country”, Technology Analysis and Strategic Management, Vol. 34 No. 5, pp. 489-503.
Corbett, C.J. and Kirsch, D.A. (2001), “International diffusion of ISO 14000 certification”, Production and Operations Management, Vol. 10 No. 3, pp. 327-342.
Cots, S. and Casadesús, M. (2015), “Exploring the service management standard ISO 20000”, Total Quality Management and Business Excellence, Vol. 26 Nos 5-6, pp. 515-533.
Cowan, D. (2011), “External pressure for internal information security controls”, Computer Fraud and Security, Vol. 2011 No. 11, pp. 8-11.
Crowder, M. (2013), “Quality standards: integration within a bereavement environment”, The TQM Journal, Vol. 25 No. 1, pp. 18-28.
Culot, G., Fattori, F., Podrecca, M. and Sartor, M. (2019), “Addressing industry 4.0 cybersecurity challenges”, IEEE Engineering Management Review, Vol. 47 No. 3, pp. 79-86.
Culot, G., Nassimbeni, G., Podrecca, M. and Sartor, M. (2021), “The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda”, The TQM Journal, Vol. 33 No. 7, pp. 76-105.
Dahlin, G. and Isaksson, R. (2017), “Integrated management systems – interpretations, results, opportunities”, The TQM Journal, Vol. 29 No. 3, pp. 528-542.
Dang, H.S., Nguyen, T.M.T., Wang, C.N., Day, J.D. and Dang, T.M.H. (2020), “Grey system theory in the study of medical tourism industry and its economic impact”, International Journal of Environmental Research and Public Health, Vol. 17 No. 3, p. 961.
Dang, Y., Liu, S. and Liu, B. (2005), “The GM models that x(n) be taken as initial value”, Chinese Journal of Management Science, Vol. 13 No. 1, pp. 132-134.
Deane, J.K., Goldberg, D.M., Rakes, T.R. and Rees, L.P. (2019), “The effect of information security certification announcements on the market value of the firm”, Information Technology and Management, Vol. 20 No. 3, pp. 107-121.
del Mar Alonso‐Almeida, M., Llach, J. and Marimon, F. (2014), “A closer look at the ‘Global Reporting Initiative’ sustainability reporting as a tool to implement environmental and social policies: a worldwide sector analysis”, Corporate Social Responsibility and Environmental Management, Vol. 21 No. 6, pp. 318-335.
del Mar Alonso-Almeida, M., Marimon, F. and Bernardo, M. (2013), “Diffusion of quality standards in the hospitality sector”, International Journal of Operations and Production Management, Vol. 33 No. 5, pp. 504-527.
del Mar Alonso-Almeida, M., Marimon, F., Casani, F. and Rodriguez-Pomeda, J. (2015), “Diffusion of sustainability reporting in universities: current situation and future perspectives”, Journal of Cleaner Production, Vol. 106, pp. 144-154.
Deng, J. (2004), “On IAGO operator”, Journal of Grey System, Vol. 16 No. 3, pp. 242-272.
Dionysiou, I. (2011), “An investigation on compliance with ISO 27001 in Cypriot private and public organisations”, International Journal of Services and Standards, Vol. 7 Nos 3-4, pp. 197-234.
Franceschini, F., Galetto, M. and Gianni, G. (2004), “A new forecasting model for the diffusion of ISO 9000 standard certifications in European countries”, International Journal of Quality and Reliability Management, Vol. 21 No. 1, pp. 32-50.
Franceschini, F., Galetto, M. and Cecconi, P. (2006), “A worldwide analysis of ISO 9000 standard diffusion: considerations and future development”, Benchmarking: An International Journal, Vol. 13 No. 4, pp. 523-541.
Franceschini, F., Galetto, M., Maisano, D.A. and Mastrogiacomo, L. (2011), “ISO/TS 16949: analysis of the diffusion”, Proceedings of the Institution of Mechanical Engineers, Part B: Journal of Engineering Manufacture, Vol. 225 No. 5, pp. 735-745.
Gillies, A. (2011), “Improving the quality of information security management systems with ISO27000”, The TQM Journal, Vol. 23 No. 4, pp. 367-376.
Goulard, S. (2020), “The impact of the US–China trade war on the European Union”, Global Journal of Emerging Market Economies, Vol. 12 No. 1, pp. 56-68.
Granja, N., Domingues, P., Cabecinhas, M., Zimon, D. and Sampaio, P. (2021), “ISO 22000 certification: diffusion in Europe”, Resources, Vol. 10 No. 10, p. 100.
Guler, I., Guillén, M.F. and Macpherson, J.M. (2002), “Global competition, institutions, and the diffusion of organizational practices: the international spread of ISO 9000 quality certificates”, Administrative Science Quarterly, Vol. 47 No. 2, pp. 207-232.
Gurbaxani, V. (1990), “Diffusion in computing networks: the case of BITNET”, Communications of the ACM, Vol. 33 No. 12, pp. 65-75.
Hannigan, L., Deyab, G., Al Thani, A., Al Marri, A. and Afifi, N. (2019), “The implementation of an integrated management system at Qatar biobank”, Biopreservation, Vol. 17 No. 6, pp. 506-511.
Hlača, B., Aksentijević, S. and Tijan, E. (2008), “Influence of ISO 27001 on the port of Rijeka security”, Pomorstvo/Journal of Maritime Studies, Vol. 22 No. 2, pp. 245-258.
Ho, L.H., Hsu, M.T. and Yen, T.M. (2015), “Identifying core control items of information security management and improvement strategies by applying fuzzy DEMATEL”, Information and Computer Security, Vol. 23 No. 2, pp. 161-177.
Hoy, Z. and Foley, A. (2015), “A structured approach to integrating audits to create organisational efficiencies: ISO 9001 and ISO 27001 audits”, Total Quality Management and Business Excellence, Vol. 26 Nos 5-6, pp. 690-702.
Ikram, M., Mahmoudi, A., Shah, S.Z.A. and Mohsin, M. (2019), “Forecasting number of ISO 14001 certifications of selected countries: application of even GM (1, 1), DGM, and NDGM models”, Environmental Science and Pollution Research, Vol. 26 No. 12, pp. 12505-12521.
Ikram, M., Zhang, Q. and Sroufe, R. (2021), “Future of quality management system (ISO 9001) certification: novel grey forecasting approach”, Total Quality Management and Business Excellence, Vol. 32 Nos 15-16, pp. 1666-1693.
ISO (2021), “The ISO survey of management system standard certifications 2020”, available at: https://www.iso.org/the-iso-survey.html (accessed 12 April 2022).
Javed, S.A. and Cudjoe, D. (2022), “A novel grey forecasting of greenhouse gas emissions from four industries of China and India”, Sustainable Production and Consumption, Vol. 29, pp. 777-790.
Javed, S.A. and Liu, S. (2018), “Predicting the research output/growth of selected countries: application of Even GM (1, 1) and NDGM models”, Scientometrics, Vol. 115 No. 1, pp. 395-413.
Javed, S.A., Zhu, B. and Liu, S. (2020), “Forecast of biofuel production and consumption in top CO2 emitting countries using a novel grey model”, Journal of Cleaner Production, Vol. 276, 123997.
Ji, P., Huang, W. and Hu, X. (2001), “Study on the characteristic of grey prediction model”, Systems Engineering Theory and Practice, Vol. 21 No. 9, pp. 105-109.
Jie, C. and Bo, Z. (2012), “Study on parameters characteristics of NGM (1,1,k) prediction model with multiplication transformation”, Grey Systems: Theory and Application, Vol. 2 No. 1. pp. 24-35.
Khajouei, H., Kazemi, M. and Moosavirad, S.H. (2017), “Ranking information security controls by using fuzzy analytic hierarchy process”, Information Systems and e-Business Management, Vol. 15 No. 1, pp. 1-19.
Koohang, A., Anderson, J., Nord, J.H. and Paliszkiewicz, J. (2020), “Building an awareness-centered information security policy compliance model”, Industrial Management and Data Systems, Vol. 120 No. 1, pp. 231-247.
Ku, C., Chang, Y. and Yen, D.C. (2009), “National information security policy and its implementation: a case study in Taiwan”, Telecommunications Policy, Vol. 33 No. 7, pp. 371-384.
Lewis, C. (1982), International and Business Forecasting Methods, Butterworths, London.
Li, B., Zhang, S., Li, W. and Zhang, Y. (2022), “Application progress of Grey model technology in agricultural science”, Grey Systems: Theory and Application, Vol. 12 No. 4, pp. 744-784.
Liao, K.H. and Chueh, H.E. (2012), “An evaluation model of information security management of medical staff”, International Journal of Innovative Computing, Information and Control, Vol. 8 No. 11, pp. 7865-7873.
Liu, S., Zeng, B., Liu, J., Xie, N. and Yang, Y. (2015), “Four basic models of GM(1, 1) and their suitable sequences”, Grey Systems: Theory and Application, Vol. 5 No. 2, pp. 141-156.
Liu, S., Yang, Y., Xie, N. and Forrest, J. (2016), “New progress of grey system theory in the new millennium”, Grey Systems: Theory and Application, Vol. 6 No. 1, pp. 2-31.
Liu, S., Yang, Y. and Forrest, J. (2017), Grey Data Analysis, Springer, Berlin.
Llach, J., Marimon, F. and Bernardo, M. (2011), “ISO 9001 diffusion analysis according to activity sectors”, Industrial Management and Data Systems, Vol. 111 No. 2, pp. 298-316.
Llach, J., Marimon, F. and del Mar Alonso-Almeida, M. (2015), “Social Accountability 8000 standard certification: analysis of worldwide diffusion”, Journal of Cleaner Production, Vol. 93, pp. 288-298.
Ma, X., Wu, W., Zeng, B., Wang, Y. and Wu, X. (2020), “The conformable fractional grey system model”, ISA Transactions, Vol. 96, pp. 255-271.
Maganga, D.P. and Taifa, I.W.R. (2023), “Quality 4.0 conceptualisation: an emerging quality management concept for manufacturing industries”, The TQM Journal, Vol. 35 No. 2, pp. 389-413.
Marimon, F., Casadesús, M. and Heras-Saizarbitoria, I. (2006), “ISO 9000 and ISO 14000 standards: an international diffusion model”, International Journal of Operations and Production Management, Vol. 26 No. 2, pp. 141-165.
Marimon, F., Heras, I. and Casadesús, M. (2009), “ISO 9000 and ISO 14000 standards: a projection model for the decline phase”, Total Quality Management, Vol. 20 No. 1, pp. 1-21.
Marimon, F., Casadesús, M. and Heras-Saizarbitoria, I. (2010), “Certification intensity level of the leading nations in ISO 9000 and ISO 14000 standards”, International Journal of Quality and Reliability Management, Vol. 27 No. 9, pp. 1002-1020.
Marimon, F., Llach, J. and Bernardo, M. (2011), “Comparative analysis of diffusion of the ISO 14001 standard by sector of activity”, Journal of Cleaner Production, Vol. 19 No. 15, pp. 1734-1744.
Marimon, F., del Mar Alonso-Almeida, M., del Pilar Rodríguez, M. and Alejandro, K.A.C. (2012), “The worldwide diffusion of the global reporting initiative: what is the point?”, Journal of Cleaner Production, Vol. 33, pp. 132-144.
Mastrogiacomo, L., Carrozza, A., Maisano, D.A. and Franceschini, F. (2021), “Is ‘post-decline’ the next phase of the diffusion of ISO 9001 certifications? New empirical evidence from European countries”, Total Quality Management and Business Excellence, Vol. 32 Nos 11-12, pp. 1384-1403.
Mesquida, A.L., Mas, A., Feliu, T.S. and Arcilla, M. (2014), “MIN-ITs: a framework for integration of it management standards in mature environments”, International Journal of Software Engineering and Knowledge Engineering, Vol. 24 No. 6, pp. 887-908.
Mirtsch, M., Blind, K., Koch, C. and Dudek, G. (2021), “Information security management in ICT and non-ICT sector companies”, Computers and Security, Vol. 109, 102383.
Mirtsch, M., Kinne, J. and Blind, K. (2020), “Exploring the adoption of the international information security management system standard ISO/IEC 27001”, IEEE Transactions on Engineering Management, Vol. 68 No. 1, pp. 87-100.
Ofosu-Adarkwa, J., Xie, N. and Javed, S.A. (2020), “Forecasting CO2 emissions of China's cement industry using a hybrid Verhulst-GM (1, N) model and emissions' technical conversion”, Renewable and Sustainable Energy Reviews, Vol. 130, 109945.
Ozkan, S. and Karabacak, B. (2010), “Collaborative risk method for information security management practices: a case context within Turkey”, International Journal of Information Management, Vol. 30 No. 6, pp. 567-572.
Pardo, C., Pino, F.J., Garcia, F., Baldassarre, M.T. and Piattini, M. (2013), “From chaos to the systematic harmonization of multiple reference models: a harmonization framework applied in two case studies”, Journal of Systems and Software, Vol. 86 No. 1, pp. 125-143.
Pardo, C., Pino, F.J. and Garcia, F. (2016), “Towards an integrated management system (IMS), harmonizing ISO/IEC 27001 and ISO/IEC 20000-2”, Journal of Software Engineering and Its Applications, Vol. 10 No. 9, pp. 217-230.
Pearl, R. (1978), The Biology of Population Growth, Ayer Publishing, New York.
Podrecca, M., Culot, G., Nassimbeni, G. and Sartor, M. (2022b), “Information security and value creation: the performance implications of ISO/IEC 27001”, Computers in Industry, Vol. 142, 103744.
Podrecca, M., Sartor, M. and Nassimbeni, G. (2022a), “United nations global Compact: where are we going?”, Social Responsibility Journal, Vol. 18 No. 5, pp. 984-1003.
Raabi, A., Assoul, S., Touhami, K.O. and Roudies, O. (2020), “Information and cyber security maturity models: a literature review”, Information and Computer Security, Vol. 28 No. 4, pp. 627-644.
Rauniyar, K., Wu, X., Gupta, S., Modgil, S. and Lopes de Sousa Jabbour, A.B. (2023), “Risk management of supply chains in the digital transformation era: contribution and challenges of blockchain technology”, Industrial Management and Data Systems, Vol. 123 No. 1, pp. 253-277.
Rebelo, M., Santos, G. and Silva, R. (2014), “A generic model for integration of quality, environment and safety management systems”, The TQM Journal, Vol. 26 No. 2, pp. 143-159.
Rendon-Benavides, R., Perez-Franco, R., Elphick-Darling, R., Plà-Aragonés, L.M., Gonzalez Aleu, F., Verduzco-Garza, T. and Rodriguez-Parral, A.V. (2023), “In-transit interventions using real-time data in Australian berry supply chains”, The TQM Journal, Vol. 35 No. 3, pp. 759-777.
Rezaei, G., Ansari, M., Memari, A., Zahraee, S.M. and Shaharoun, A.M. (2014), “A huiristic method for information scaling in manufacturing organizations”, Jurnal Teknologi, Vol. 69 No. 3, pp. 87-91.
Sampaio, P., Saraiva, P. and Domingues, P. (2012), “Management systems: integration or addition?”, International Journal of Quality and Reliability Management, Vol. 29 No. 4, pp. 402-424.
Sampaio, P., Saraiva, P. and Guimarães Rodrigues, A. (2009), “An analysis of ISO 9000 data in the world and the European Union”, Total Quality Management, Vol. 20 No. 12, pp. 1303-1320.
Seppala, N. (2009), “Business and the international human rights regime: a comparison of UN initiatives”, Journal of Business Ethics, Vol. 87 No. 2, pp. 401-417.
Soederberg, S. (2007), “Taming corporations or buttressing market-led development? A critical assessment of the Global Compact”, Globalizations, Vol. 4 No. 4, pp. 500-513.
Sony, M., Antony, J. and McDermott, O. (2022), “The impact of medical cyber–physical systems on healthcare service delivery”, The TQM Journal, Vol. 34 No. 7, pp. 73-94.
Stewart, A. (2018), “A utilitarian re-examination of enterprise-scale information security management”, Information and Computer Security, Vol. 26 No. 1, pp. 39-57.
Tarn, J.M., Raymond, H., Razi, M. and Han, B.T. (2009), “Exploring information security compliance in corporate IT governance”, Human Systems Management, Vol. 28 No. 3, pp. 131-140.
Tejay, G.P. and Shoraka, B. (2011), “Reducing cyber harassment through de jure standards”, Journal of Management and Decision Making, Vol. 11 Nos 5-6, pp. 324-343.
van Wessel, R., Yang, X. and de Vries, H.J. (2011), “Implementing international standards for Information Security Management in China and Europe: a comparative multi-case study”, Technology Analysis and Strategic Management, Vol. 23 No. 8, pp. 865-879.
Vance, A., Siponen, M.T. and Straub, D.W. (2020), “Effects of sanctions and neutralization on information security policy violations”, Information and Management, Vol. 57 No. 4, 103212.
Villarreal, A.B. (2019), “Keeping an eye on what matters for the economy”, available at: https://www. iso.org/news/ref2428.htm (accessed 10 April 2022).
We Forum (2022), “How are rising food and energy prices affecting the economy?”, available at: https://www.weforum.org/agenda/2022/09/inflation-rising-food-energy-prices-economy (accessed 2 November 2022).
Wong, W.P., Tan, H.C., Tan, K.H. and Tseng, M.-L. (2019), “Human factors in information leakage: mitigation strategies for information sharing integrity”, Industrial Management and Data Systems, Vol. 119 No. 6, pp. 1242-1267.
Wu, X., Li, Y., Liu, H. and Zhang, K. (2022), “Influence of IT support on firms' cross-channel integration: the moderating role of institutional environment”, Industrial Management and Data Systems, Vol. 122 No. 4, pp. 1056-1080.
Xie, N. and Liu, S. (2006), “Research on extension of discrete grey model and its optimize formula”, Systems Engineering Theory and Practice, Vol. 26 No. 6, pp. 108-112.
Zhao, H., Han, X. and Guo, S. (2018), “DGM (1, 1) model optimized by MVO (multi-verse optimizer) for annual peak load forecasting”, Neural Computing and Applications, Vol. 30 No. 6, pp. 1811-1825.
Zimon, D., Madzík, P., Dellana, S., Sroufe, R., Ikram, M. and Lysenko-Ryba, K. (2022), “Environmental effects of ISO 9001 and ISO 14001 management system implementation in SSCM”, The TQM Journal, Vol. 34 No. 3, pp. 418-447.
Acknowledgements
The authors acknowledge Dr Margherita Molinaro, Dr Saad Javed and Mr Davide Truccolo for their advice and support on the preliminary versions of the manuscript.