Designing a national adoption policy framework for ISO/IEC 27000 standarnds implementation in Namibia
To ensure that the information asset is protected and available to organisations, information security needs to be governed by security standards. The ISO/IEC 27000 family of standards is one such standard; it keeps information assets secure and provides an information security management best practises framework. Despite its importance, the usage and adoption of the ISO/IEC 27000 standards is missing in Namibian organisations. An exploratory pilot survey conducted in 2015 with the key stakeholders namely the Communications Regulatory Authority, Internet Service Providers and government departments revealed that these standards are not being implemented at all. Based on literature review and the preliminary surveys, this paper presents the extent to which the ISO/IEC 27000 implementation framework is adopted in Namibia. The study will focus on the implementation extent for ISO 27000, 27001, 27002, 27003 and 27004 as these are the critical standards to the security posture of any organisation. A qualitative case study research approach with security critical organisations in Namibia was used for this study. Surveys and interviews were used to collect data from purposefully identified key stakeholders. The stakeholders offered rich information about the phenomenon under study. The survey results were used to evaluate the extent of implementation and the factors contributing to the poor implementation. A theoretical framework was derived from the findings and is thus presented in this paper. The factors making up the theoretical framework will be used as a basis in designing a policy framework for the adoption of security standards by organisations in Namibia to secure its critical assets, manage risks more effectively, improve and maintain customer confidence, demonstrate conformance to international best practice, avoid brand damage and change its information security posture as the technology is evolving.