Making Sense of Certification Internalization: A Process Model for Implementing Information Security and Data Protection Certifications
Abstract:
Information systems certifications are becoming increasingly important for information security and data protection by providing organizations with best practices and independent feedback. However, superficial certification internalization is a significant problem: organizations often implement certifications in a lightweight way without truly integrating them into their organizational practices. To mitigate this problem, it is crucial to uncover how different stakeholders involved in the certification make sense of its purpose and criteria. We strive to explore and theorize how organizations internalize information security and data protection certifications through the lens of sensemaking. We draw on a literature review and qualitative interviews to develop a process model of certification internalization spanning three sensemaking cycles: pre-audit assessment, audit, and post-audit maintenance. Taking a more nuanced view of time and process unfolding, we revealed that the ongoing maintenance of certifications plays a critical role in ensuring certification internalization.
| Zugehörige Institution(en) am KIT | Institut für Angewandte Informatik und Formale Beschreibungsverfahren (AIFB) |
| Publikationstyp | Proceedingsbeitrag |
| Publikationsdatum | 11.12.2022 |
| Sprache | Englisch |
| Identifikator | KITopen-ID: 1000153861 |
| Erschienen in | Proceedings of the 17th Pre-ICIS Workshop on Information Security and Privacy (WISP 2022) |
| Veranstaltung | 17th Pre-ICIS Workshop on Information Security and Privacy (WISP 2022), Kopenhagen, Dänemark, 11.12.2022 |
| Seiten | 1855-1 - 1855-20 |
| Bemerkung zur Veröffentlichung | in press |
| Schlagwörter | certification, internalization, information security, sensemaking, ISO/IEC 27001 |