Information security and value creation: The performance implications of ISO/IEC 27001

Abstract

Although protecting information is the key challenge in a business environment characterized by increasing digitalization and connectivity, the impact of firms’ investments in information security on their financial performance is unclear. In this paper, we focus on ISO/IEC 27001 (i.e., the most renowned norm in the field and the fourth most widespread ISO standard) and analyze the relationship between the attainment of the certification and firms’ financial performance. We developed a set of theory-grounded hypotheses and tested them through a long-term event study complemented by an ordinary least squares regression on a dataset of 143 US-listed companies. The results indicate that the ISO/IEC 27001 certification is associated with improvements in profitability, labor productivity, and (partially) sales performance. The impact appears affected by the level of internationalization of the certified firm. The study contributes to the scientific debate on information security and certifications by developing the first large-scale empirical investigation based on secondary data on the financial implications of ISO/IEC 27001. Moreover, we further deepen the current knowledge on the effects of international management standards on firms’ performance thus enabling comparisons with other major management system standards.