Research on the Impact of Information Security Certification and Concealment on Financial Performance: Impact of ISO 27001 and Concealment on Performance

Wenqing Wu, Kun Shi, Chia-Huei Wu, Jiayue Liu
Copyright: © 2022 | Pages: 16
DOI: 10.4018/JGIM.20220701.oa2

Abstract

With the rapid development of information technology, information security has been gaining attention. The International Organization for Standardization (ISO) has issued international standards and technical reports related to information security, which are gradually being adopted by enterprises. This study analyzes the relationship between information security certification (ISO 27001) and corporate financial performance using data from Chinese publicly listed companies. The study focusses on the impact of corporate decisions such as whether to obtain certification, how long to hold certification, and whether to publicize information regarding certification. The results show that there is a positive correlation between ISO 27001 and financial performance. Moreover, the positive impact of ISO 27001 on financial performance gradually increases with time. In addition, choosing not to publicize ISO 27001 certification can negatively affect enterprise performance.

Introduction

The rapid development and wide application of information technology can facilitate companies’ information management; however, it also creates security challenges (Yaokumah et al., 2019). Improper use of information technology can cause the unintended disclosure of personal or company documentation, which can damage the corporate image and reduce business volume (Bidgoli, 2006); therefore, information security protection has become increasingly important. The information security management system certification ISO 27001 was issued in response to the business need for information technology and security management. The ISO 27001 standard originated from the British Standards Institution’s BS 7799 and was officially issued by the International Standards Organization (ISO) in 2005. The ISO 27001 standard has gained wide attention since its introduction; by 2018, ISO had established 59,934 ISO 27001 sites in 125 countries and regions and issued 31,910 valid certificates (ISO, 2018).

ISO 27001 certification provides a scientific standard for defending against information security breaches and assessing organizational information security. It synthesizes, arranges, and provides a set of detailed rules using best practice (ISO, 2013). In practice, the ISO 27001 standard is considered to be an accurate and effective information security management tool. The standard also coordinates information management of electronic transactions from multiple perspectives to help firms gain business transaction credits, and its adoption into an enterprise’s management system is expected to result in improved financial performance.

Some scholars have discussed the value of implementing information security management systems in enterprises. Hall (2011) discusses the relationship between information security and organizational capacity and suggests that having an overall information security strategy can make enterprises better able to respond to the dynamic business environment and maintain brand strength and business flexibility. Okoye (2017) applies a multi-case study to understand how to minimize the impact of information security threats on small and medium-sized businesses. The results show that formulating an information security strategy can reduce the potential for damage to business performance caused by unintentional disclosure and misuse of information. Davis (2017) emphasizes the importance of information security in American corporate governance and its effectiveness in resolving the issue of declining customer trust caused by security breaches. Edwards (2011) notes that improving information security systems can help enterprises to prevent major consequences caused by information security breaches, including property loss, reduced business productivity, and efficiency decline. Spears (2007) provides evidence to suggest that the institutionalization of information security risk management can resolve inadequacies in information technology assets and improve operational performance. In sum, most existing research focuses on the effect of information security strategies in improving operational performance; however, there is currently no direct evidence of a relationship between ISO 27001 certification and financial performance. Therefore, it is necessary to determine the effect of information security certification on corporate financial performance. It is also important to understand the effect mechanisms of certification and the sustainability of these effects on corporate financial performance.
