Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001 in Finland

Authors

  • Gülfem Özmen LUT School of Engineering Sciences, LUT University, Lappeenranta, Finland; Department of Engineering, Innovation and Intellectual Property Management Laboratory, Centre for Technology Management, Institute for Manufacturing, University of Cambridge, United Kingdom https://orcid.org/0009-0008-5471-8495
  • Jussi Heikkilä LUT School of Engineering Sciences, LUT University, Lahti, Finland https://orcid.org/0000-0002-5122-7956
  • Ville Ojanen LUT School of Engineering Sciences, LUT University, Lappeenranta, Finland https://orcid.org/0000-0001-8124-5082

DOI:

https://doi.org/10.59490/jos.2026.8368

Keywords:

ISO/IEC 27001, information security, cybersecurity, certification, signaling theory

Abstract

This study examines the adoption of the ISO/IEC 27001 standard among firms in Finland by analyzing the websites of 97 ICT firms, 35 (36%) of which held certification to this standard. The findings show that certified firms communicate their certification through websites, annual reports, and press releases, and engage in cybersecurity-related activities. The results reveal substantial heterogeneity in how firms communicate certification and signal information security quality. ISO/IEC 27001 certification thus functions not only as a compliance mechanism but also as a signaling tool, the effectiveness of which depends on how firms deploy it across communication channels. A thematic analysis of annual reports and press releases identifies four key themes: resilience to cyberattacks, continuous improvement, regulatory compliance, and building trust and reputation. These findings further suggest that certification reflects not only signaling and institutional dynamics but also underlying organizational capabilities, pointing to additional theoretical dimensions for future research.


Published

2026-06-16

How to Cite

Özmen, G., Heikkilä, J., & Ojanen, V. (2026). Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001 in Finland. Journal of Standardisation, 5. https://doi.org/10.59490/jos.2026.8368

Section

Research articles