Abstract

This paper highlights a part of the results of a doctoral research project regarding information security management systems in the context of business excellence, conducted by the authors in the Research Centre of Business Administration of the Bucharest University of Economic Studies, Romania. It focuses on an approach for self-assessment and continuous improvement of information security based on the fundamental concepts and criteria of the European Foundation for Quality Management (EFQM) Business Excellence Model. The first objective of this paper is to highlight the state of the art regarding the approaches used for the assessment and continuous improvement of information security. A second objective is to propose a methodology for the assessment and continuous improvement of information security that integrates the criteria of the EFQM Model and its RADAR (Results, Approaches, Deploy, Assess and Refine) logic. The methodology presented can be used by organisations wishing to go beyond compliance with the requirements for an Information Security Management System defined in standards such as ISO 27001 or the NIST standards, to identify opportunities for improvement and to coordinate efforts towards sustainable information security performance.
