Article

Integration of ISMS into the Organization’s Strategy and Its Impact on Security Culture in the Digital Environment

by Nikola Staffenova *, Dominika Dupakova and Milan Kubina
Department of Managerial Theories, University of Žilina, 010 26 Žilina, Slovakia
* Author to whom correspondence should be addressed.
Adm. Sci. 2026, 16(1), 26; https://doi.org/10.3390/admsci16010026
Submission received: 21 November 2025 / Revised: 27 December 2025 / Accepted: 30 December 2025 / Published: 6 January 2026
(This article belongs to the Special Issue Human Capital Development—New Perspectives for Diverse Domains)

Abstract

Information security is currently a key pillar of information protection in organizations and a fundamental element of functioning organizational strategy. The aim of this article is to analyze how the integration of an information security management system (ISMS) into the strategic management of an organization can influence its security culture and ability to implement new technologies. The study uses a conceptual approach based on the PDCA model and a comparative analysis of the available literature on ISMS, organizational culture, and digital transformation. The results of the study show that an effectively implemented ISMS can strengthen an organization’s resilience, increase the confidence of its stakeholders, and promote openness to adopting innovative solutions. It also points out that a developed security culture is a prerequisite for the proper and successful functioning of ISMS, especially in an environment of rapid technological change. The study offers recommendations for managers focused on integrating ISMS into strategic planning, strengthening security awareness, and continuously evaluating the maturity of security processes.

1. Introduction

In an environment of ever-accelerating digitalization and globally interconnected markets, information technology has become not only the operational foundation of organizations, but also their strategic asset. With the growing volume of data, increasing system interconnection and growing threats in the field of information security, the ability of organizations to protect and effectively manage their information is becoming a decisive factor in competitive advantage, stakeholder trust, and long-term sustainability.
Information security has long ceased to be just a technical problem of the IT department. It has become an integral part of the organization’s strategy, governance, and culture. The traditional view of security as a set of reactive measures is today unsustainable—modern organizations must approach security proactively, systematically and in line with their strategic goals. In this context, the Information Security Management System (ISMS) plays a key role. ISMS is not just a set of internal rules or a compliance framework, but a strategic tool that allows organizations to identify, assess and manage information risks in line with their business priorities (Tu et al., 2018; Koman et al., 2023).
At the same time, however, the implementation of ISMS also affects less tangible areas of the organization—such as organizational culture, innovative ability, or employees’ willingness to cooperate in securing data and systems. In practice, therefore, tension often arises between the pursuit of agility, innovation, and rapid digital transformation on the one hand, and the need to implement control and security mechanisms on the other. Successful organizations, however, find a balance—they create an environment in which security becomes a catalyst for innovation and trust, not a brake on it (Dornheim & Zarnekow, 2024).
Existing research in the field of information security management systems has focused primarily on the technical, procedural, and normative aspects of ISMS. It has only marginally addressed the issue of organizational strategy and other related topics. There is a lack of connection between how the ISMS affects the security culture of an organization and how these factors jointly influence strategic management and the willingness to support innovation. Similarly, ISMS is often addressed separately, without considering its impact on employee decision-making or behavior. This article responds to these shortcomings and analyzes the connection between ISMS, organizational security culture, and strategic management using the PDCA framework. It also proposes a conceptual model that explains the relationships and their impact on the organization.
Research and case studies show that a strong information security culture—i.e., shared values, attitudes, and behaviors of employees in security—significantly increases the effectiveness of ISMS. Organizations that can systematically build this culture not only better face threats, but also demonstrate a higher level of digital maturity as well as the ability to quickly innovate and adapt to change. A key prerequisite is that the organization’s leadership understands ISMS as part of strategic management—not as a technical or legal issue (Dornheim & Zarnekow, 2024; Hassan et al., 2025; Alzahrani & Seth, 2021). Despite the growing number of studies on ISMS, most authors focus on its technical elements, compliance with standards, or risk management. Less attention is paid to the question of how ISMS becomes part of the organization’s strategic management and how it influences the formation of a security culture, which is crucial for the adoption of new technologies in a digitally transformed environment. This article therefore focuses on the analysis of the integration of ISMS into the organization’s strategy through the PDCA framework and examines how such integration supports the development of a security culture and organizational resilience. The main contribution of the study is a conceptual model that links strategic management, information security and cultural factors, and offers recommendations for managers when implementing ISMS in the era of digital transformation.
Authors who address this issue continue to focus primarily on technical elements, compliance with standards, or risk management. In contrast, much less attention is paid to how ISMS becomes an integral part of an organization’s strategic management and how its integration affects the security culture in today’s digital environment. This study attempts to fill this gap by addressing the integration of ISMS into organizational strategy using the PDCA framework. Based on this, it examines the impact on security culture as well as the organization’s ability to implement new technologies.
The article is divided into several parts. First, it discusses the theoretical framework of information security, digital transformation, and culture. Then, it presents a methodological approach that examines the interaction between the implementation of ISMS and strategic processes in selected organizations. The results section presents the main findings of the research, especially the ISMS process as a PDCA cycle and its impact on organizational processes, employee engagement and the perception of security as a value. In conclusion, recommendations for practice, a summary of the main implications and suggestions for further research in this area are offered.
In the digital age, the question is not whether an organization will be the target of security incidents, but when and how effectively it can respond to them. Even more importantly, the question is whether it can set up processes and a culture that not only reduces risks, but also supports trust and innovation. In this context, information security management becomes a key pillar of strategic management and a prerequisite for long-term resilience and success.
The article is structured systematically. The first part is a literature review, which presents the issue of information security in more detail, explains security culture and digital transformation, and lays out how important this is for organizations and their proper functioning today. This is followed by a presentation of the methodology and three research questions that this study answers. The results chapter presents the proposed information security management system model. It is also linked to the PDCA model, and the individual parts and connections are explained. The last part is discussion and conclusions, which summarizes the most important findings from this article along with answers to the research questions. The conclusion also suggests possible directions for future research.

2. Theoretical Background

2.1. Information Security Management and Related Roles

Information security management is a systematic way to protect an organization’s sensitive data from potential threats, vulnerabilities, and unauthorized access. This approach is implemented through an information security management system (ISMS), which is developed according to the ISO/IEC 27001 standard. A fundamental part of this system is risk management, which involves identifying, assessing, and managing risk situations. The goal is to reduce the likelihood of security issues occurring and minimize their impact on the organization’s important resources (ISO, 2022; Whitman & Mattord, 2017; NIST, 2020).
The information security management system represents the way in which organizations protect their information from various threats, unauthorized access, or the exploitation of vulnerabilities. It is a systematic approach based on the ISO/IEC 27001 standard. Risk management is a very important part of the entire system. This involves identifying and assessing risks, as well as addressing them and implementing measures. The main objective of the information security management system is to set up processes to prevent security incidents. If one occurs, the aim is to minimize its impact.
It is a comprehensive set of methods, procedures, and processes that organizations use to securely manage their important information resources and assets. This system is designed to protect information technology and related data from various threats while enabling risk management at all levels. It helps ensure that information remains confidential, available at the right time, and intact throughout its lifecycle. The basic framework for building and maintaining this system is the international standard ISO/IEC 27001, which provides detailed guidance for its effective implementation (Creative Solution, 2025).
The ISO/IEC 27001:2022 standard states that an information security management system (ISMS) is a tool that enables organizations to protect the integrity, confidentiality, and availability of information. This is achieved through systematic risk management, which also builds the confidence of stakeholders that risks are correctly identified, assessed, and managed (ISO, 2022).
The standard states that an overall information security management system is a way for organizations to protect their information. This system makes it possible to adequately ensure confidentiality, availability, and integrity of information. This can be achieved by regularly reviewing and addressing identified risks.
The main processes included in the ISMS can be defined according to the structure of the ISO/IEC 27001 standard. Haufe et al. (2016) identified ten basic processes, which are described below.
Information security risk assessment is a process aimed at identifying and analyzing threats that may affect an organization’s information resources and evaluating their potential impact.
Employee awareness and competency support focuses on expanding employees’ knowledge and skills in security measures, thereby increasing the organization’s overall resilience to risks.
Security management in cooperation with external partners ensures that all external services and supplies are in line with the organization’s security requirements and that risks associated with outsourcing are adequately controlled.
Internal information security audits refer to regular inspections that serve to verify the system’s compliance with the standard and internal policies and help identify areas where improvement is needed.
Security incident management includes procedures for identifying, reporting, evaluating, and remediating incidents in order to minimize their negative consequences.
Implementing measures to eliminate or mitigate risks consists of planning and implementing steps that reduce the likelihood or impact of security threats.
Continuously improving the security system is the use of feedback, audit results and incident experience to improve the effectiveness of the ISMS.
Managing communication and collaboration with all relevant parties is about ensuring that all stakeholders, whether internal or external, have adequate information and are involved in security processes.
Measuring and evaluating the performance of security measures is the process of monitoring the effectiveness of implemented controls and the overall functioning of the system to identify potential weaknesses.
Managing information security changes is the oversight of changes to IT infrastructure, processes, or organizational structure to prevent the emergence of new security risks.
If information security is managed consistently and systematically in an organization, it brings several benefits (Peltier, 2016; S. E. A. Ali et al., 2021).
Reducing security-related costs: effective management allows for better use of funds for technology and processes, prevents duplicate activities, and mitigates financial losses caused by security incidents.
Strengthening organizational culture: implementing security rules and raising awareness among employees supports a responsible approach, trust, and professionalism throughout the organization.
Increasing credibility and attracting new clients: meeting international standards and demonstrating information protection improves the organization’s reputation, which can lead to new business opportunities.
The main purpose of information security management is to prevent unwanted security incidents. To achieve this, an organization must thoroughly know and understand the risks it faces, which will allow it to effectively manage them and thus ensure comprehensive information protection.
For effective information security management, it is necessary to clearly define the competencies, responsibilities, and interrelationships of individual roles in the organization. To ensure the availability, confidentiality, and integrity of information, it is not enough to focus only on the technical side, but it is also necessary to pay attention to the organizational structure, which is closely linked to specific roles. The most important positions in information security management include the Chief Information Security Officer (CISO), Chief Security Officer (CSO), Chief Risk Officer (CRO), and Chief Information Officer (CIO) (Jawaharrani et al., 2023; Ford et al., 2022; Namuduri & Varanasi, 2011; Harris, 2011; Saeidi et al., 2012).
CISO position: The CISO is responsible for creating and implementing security programs that protect the organization’s data and IT systems, often reporting directly to the CEO. Announcements of new CISO appointments have a positive impact on organizational value, especially in the financial services sector. Research also suggests that most new CISO positions are filled by external candidates, with newly created positions typically reporting to the CEO, while replacements often report to the CIO.
Chief Security Officer (CSO): A broader scope than the CISO, as in addition to information security, the CSO is also responsible for physical security, personnel protection, property, and crisis situations. The CSO is responsible for the creation and implementation of security programs and often communicates directly with senior management. In the last five years, this position has become increasingly important, especially in technology organizations. There are also theoretical models, such as the so-called “Chief Security Officer Problem”, which deal with the secure transfer of information between the CSO and other team members while protecting data from unauthorized eavesdropping.
CIO position: A key role within the management of the organization, where it is necessary to combine business acumen with technical expertise. Studies on the management roles of CIOs show that their responsibilities differ from other executives and are closer to financial directors or IT managers. Despite its strategic importance, this role faces high turnover rates, twice that of CFOs or CEOs, which can be due to unclear responsibilities and pressure to quickly demonstrate value.
Chief Risk Officer (CRO) role: They represent a specific category of managers and internal auditors who often compete with other functions for priority within risk management. Research suggests that organizations with greater financial exposure are more likely to establish this position, which helps to better manage information asymmetries about risk. The quality and presence of the CRO significantly influences the adoption of risk assessment methods in the organization, and these managers work closely with other leaders to implement effective systems and disseminate risk information across the organization (Randaliev et al., 2019).
To manage information security adequately, it is not enough to have only technical measures in place; it is also necessary to have a properly set up organizational structure and to define who does what, who is responsible for what, and what powers they have. Properly defined powers ensure that information is adequately protected, accessible, and reliable.
Successful information security management requires a comprehensive approach that combines both a process and a systems perspective. Both approaches complement each other and together form a solid foundation for creating a functional information security management system (ISMS).
The process approach focuses on the detailed management of individual activities that are necessary for information protection. It defines specific processes, such as risk management, security incident management, employee awareness raising, or regular internal audits. Each process has clearly defined inputs and outputs, responsibilities, and methods for measuring its effectiveness. For example, the risk management process includes identifying threats, assessing their likelihood and possible consequences and taking measures to mitigate them. This approach brings transparency to the organization and the possibility of continuous evaluation and improvement of activities (Green, 2024; von Solms & van Niekerk, 2013).
The process approach is a way for an organization to have precisely organized steps that are necessary to protect information. These are specific steps and procedures for dealing with risks, resolving security incidents, training employees in security, and conducting regular internal controls and audits.
The systems approach, on the other hand, perceives the organization, consisting of interconnected elements—people, technologies, processes, and policies. This view ensures that information security is not addressed in isolation, but as an integrated system where individual components cooperate with each other and are coordinated. For example, when implementing a new security tool, a systems approach ensures that the implementation fits into existing processes, is properly communicated to employees, and does not compromise current security standards. Such an approach helps prevent negative side effects and ensures the smooth operation of the entire system (Green, 2024; Whitman & Mattord, 2017).
When implementing an ISMS according to ISO/IEC 27001, it is necessary to first define individual security processes (e.g., incident management, risk assessment) and then ensure their mutual coordination within the entire organization, which leads to better efficiency and uniformity of the entire system. If a security incident occurs, the process approach defines specific steps for resolving it—from detection to analysis to remediation. At the same time, the system’s approach ensures that these steps are in accordance with established rules, that the right people are informed, and that the necessary changes are made in the organization to prevent the incident from recurring. When training employees, the process approach ensures regular education and testing of their knowledge, while the system approach creates an environment where security awareness is supported by management and is part of the organization’s culture. The internationally valid ISO/IEC 27001 standard is built on the above principles. It emphasizes the need for a clear definition of security processes, their regular monitoring and mutual integration into a single functional system (ISMS). The standard also requires organizations to regularly review their processes and make necessary adjustments, which leads to continuous improvement of security measures. As a result, the standard supports the view that information security cannot be addressed only at the level of individual activities but must be part of a comprehensive system that covers all aspects of the organization’s functioning.
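The risk management process described above (identify threats, assess likelihood and consequences, take measures, then verify their effectiveness and improve) as a small risk register. This is an added illustration, not code from the article or from the ISO/IEC 27001 standard; the 5-point scales, the acceptance threshold of 8, and the sample risks and controls are assumptions constructed for the example.

```python
"""Minimal ISMS risk register illustrating the process approach:
Plan (assess inherent risk), Do (assign controls), Check (verify control
effectiveness through audit), Act (review what still needs treatment)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE = range(1, 6)            # assumption: 5-point likelihood and impact scales
ACCEPTANCE_THRESHOLD = 8       # assumption: residual score above this is not tolerated


@dataclass
class Control:
    """A measure from the treatment plan. 'effective' is the outcome of the
    Check step (audit, test, KPI) and stays False until it has been verified."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    effective: bool = False


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str
    controls: List[Control] = field(default_factory=list)
    accepted_by: Optional[str] = None   # formal acceptance of residual risk by management

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after controls; only verified-effective controls reduce it.
        A control that was planned but never measured must not lower the score."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.effective:
                lik -= c.likelihood_reduction
                imp -= c.impact_reduction
        return max(lik, 1) * max(imp, 1)

    def status(self) -> str:
        if self.residual_score() <= ACCEPTANCE_THRESHOLD:
            return "within tolerance"
        if self.accepted_by:
            return "accepted above tolerance"
        return "treatment required"


def record_audit_finding(risk: Risk, control_name: str, effective: bool) -> Risk:
    """Check step: update a control's verified effectiveness from audit results."""
    for c in risk.controls:
        if c.name == control_name:
            c.effective = effective
            return risk
    raise KeyError(f"no control named {control_name!r} on risk {risk.threat!r}")


def review_register(register: List[Risk]) -> Dict[str, List[str]]:
    """Act step: group risks by status so the management review sees what needs action."""
    report: Dict[str, List[str]] = {}
    for r in register:
        report.setdefault(r.status(), []).append(f"{r.asset}: {r.threat}")
    return report


def sample_register() -> List[Risk]:
    """Constructed sample data for the demonstration (not real findings)."""
    mfa = Control("MFA on VPN", likelihood_reduction=3, effective=True)
    backups = Control("offline backups tested quarterly", impact_reduction=3)  # not yet verified
    return [
        Risk("customer database", "credential theft via phishing", 4, 5, "CISO", [mfa]),
        Risk("file server", "ransomware encryption", 3, 5, "IT manager", [backups]),
        Risk("public website", "defacement", 2, 2, "web team"),
    ]


if __name__ == "__main__":
    reg = sample_register()
    print(review_register(reg))
    # An internal audit finds MFA enforcement was disabled for a contractor group:
    # the residual risk jumps back to its inherent value and is flagged for treatment.
    record_audit_finding(reg[0], "MFA on VPN", effective=False)
    print(review_register(reg))
```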
To better connect the theoretical frameworks, an ISMS reference model was created that links information security with security culture (Figure 1). The model consists of four layers. The strategic layer is based on strategic IT management and ISO/IEC 27001 and determines the direction and priorities for the ISMS and security culture. The process layer is anchored in ISO/IEC 27001, the PDCA cycle and NIST SP 800-53; within it, information protection is implemented and consistency of measures is ensured. The system layer ensures the integration of the ISMS into the organization so that it functions as an integral system (von Solms & van Niekerk, 2013). The security layer mediates the effectiveness of the ISMS process to increase the resilience of the organization (Da Veiga et al., 2020; Tolah et al., 2021; ISO, 2022). The results are at the end of the model and represent increased resilience of the organization to cyber-attacks.
Concepts such as security culture, resilience and innovation adoption can be linked to existing validated models and frameworks. Security culture is often studied using empirically validated models. The model by Kankanhalli et al. (2003) emphasizes individual attitudes, organizational policies and employee behavior in shaping security practices. Soomro et al. (2016) provide a comprehensive framework linking organizational culture, employee awareness and behavior in accordance with security standards. Resilience can be understood in the context of organizational and cyber resilience models, as a concept emphasizing the adaptive capabilities of organizations in responding to changing threats (Linkov et al., 2013). Adoption of innovations is analyzed using models such as the TOE (Technology–Organization–Environment) framework (Tornatzky & Fleischer, 1990) or the theory of diffusion of innovations (Rogers, 2003), which explain how technological, organizational, and environmental factors influence the adoption of new practices. By linking these concepts, the study is grounded in empirical research based on best practices.
This section provides the basis for understanding information security and the Information Security Management System. It is a systematic concept based on the ISO/IEC 27001 standard. ISMS uses a process-based approach and clearly defined roles within the system, emphasizing that it is not just about technical security and technical means, but also about involving people and their understanding. This subchapter is directly linked to research question 1, as it explains why security culture is important. It is also linked to research question 3, as it states that only with properly set up processes is it possible to keep ISMS functional.

2.2. Culture of Information Security and Digital Transformation

Security culture is an intangible but very important aspect of organizational security. It is a mix of beliefs, values, attitudes, and common habits that influence how individuals within an organization behave in information security situations. It is not just about following the rules, but about an internal understanding of their meaning.
Security culture goes beyond technological measures. Even if an organization has modern security solutions in place, their effectiveness can be reduced if employees underestimate their responsibility, neglect the principles, or succumb to social engineering. Therefore, security culture is considered one of the most important pillars of an overall security strategy (Tolah et al., 2021; Da Veiga et al., 2020).
Information security culture creates an environment in which the principles of secure behavior are a natural part of the organization’s daily functioning. This means that employees not only comply with regulations, but also actively think about how their decisions affect overall security (Solomon & Brown, 2021; Karlsson et al., 2022).
Security culture can be understood as the functioning of an organization that is not only about technologies and rules, but mainly about how employees behave and how they perceive the importance of information security, as well as their habits, attitudes, and values. It is about employees understanding that they do not do things just because they have to, but because they understand the importance of their actions.
ISO/IEC 27001, which is a central part of the ISO/IEC 27000 family of standards, defines the requirements for implementing and managing an ISMS. This standard emphasizes not only the technical side of data protection, but also the human factor—that is, building and maintaining a strong security culture among employees (ISO, 2022).
ISO/IEC 27001 explicitly states the need to raise awareness of information security, ensure staff competence, and actively involve all employees in the data protection system. Without an effective security culture, an established ISMS would not be able to meet its goals. Security incidents caused by negligence, curiosity or ignorance of the rules can pose a greater threat than technical failures (ISO, 2022).
Digital transformation refers to the process of integrating modern digital technologies into the daily activities of an organization to improve efficiency, innovation and overall performance. This process is often accompanied by fundamental changes in organizational structures, work tools and the way of communication.
Although digital technologies such as cloud computing, artificial intelligence, big data, automation or IoT (Internet of Things) bring competitive advantages to organizations, they also significantly change the security environment. As a result of these changes, new types of risks and attack vectors arise, which require a more comprehensive approach to information protection (Varmus et al., 2016).
Digital transformation can be understood as the process by which an organization integrates modern technologies into its operations. This enables them to operate more efficiently and make better use of innovation to achieve better results. Various technologies such as IoT, cloud, or artificial intelligence can give an organization a competitive advantage when used correctly. It is important to remember that the integration of various technologies also brings new threats and risks.
According to AlHogail (2015) and Schein (2010), the most significant consequences of digital transformation that affect security culture include increased complexity of the environment (more systems, devices and applications mean more opportunities for errors or exploitation), distributed access to data (employees often work from different locations, including home environments, which requires greater confidence in their security behavior) and finally the speed of technology deployment (many organizations implement new solutions without sufficient security testing and training of employees).
In this dynamic environment, security culture becomes the “invisible infrastructure” that ensures that technological innovations are implemented without compromising information security. Within the ISMS, information security culture is not just an add-on, but an integral part of risk management. Employees play a crucial role in preventing incidents and their behavior is often the determining factor in the success or failure of security measures.
The ISO/IEC 27001 standard therefore emphasizes several aspects (Von Solms & Von Solms, 2004; Saeed et al., 2020; Blasková et al., 2022), such as education and awareness-raising (organizations must ensure that all employees understand the risks and their responsibilities), clear communication (policies and guidelines must be formulated in a way that is understandable to everyone, not just security specialists), accountability and leadership by example (managers should lead by example because their attitude influences the behavior of other employees), but also continuous improvement (through regular measurement, audits and feedback, weaknesses in the culture can be identified and worked on to improve them).
New digital technologies, such as process automation, IoT devices, cloud services, artificial intelligence, or big data, bring new opportunities, but also complications in terms of security. Among the complications, we include the increased scope of digital assets, as organizations manage more data scattered across different systems and platforms, which complicates ensuring confidentiality and integrity; increased vulnerability due to the interconnection of systems and external suppliers, which increases the attack surface; and finally, the faster development and deployment of technologies, which can lead to neglect of security standards and insufficient training of employees (Susanto et al., 2018; Duc & Chirumamilla, 2019; Krúpová et al., 2025).
Therefore, it is essential that digital transformation is not just about technology, but also about creating a strong security culture that enables the organization to proactively manage these new threats and challenges across the entire ISMS.
The security culture in digitally transformed organizations must be flexible and adaptive to manage the dynamic cyber threat landscape. According to Ahmad et al. (2019) and NIST (2021), the key benefits of a strong information security culture include increased resilience to cyberattacks (employees with the right security awareness are better able to recognize and respond to potential risks, reducing the likelihood of a successful attack); support for continuous improvement (a culture that supports open communication about security risks and incidents allows the organization to quickly identify weaknesses and implement measures to eliminate them, which is also one of the core principles of ISMS according to ISO/IEC 27001); better cooperation between departments (digital transformation increases the need for cross-functional cooperation, and a strong security culture helps break down isolation and ensure coordination of security measures across all teams) and, last but not least, increased trust among customers and partners (organizations that can demonstrate a high standard of information security and a properly functioning ISMS will gain a competitive advantage and better access to the market).
While the importance of a security culture is obvious, developing it during digital transformation is not without challenges. The most common ones include resistance to change (employee skepticism and reluctance to accept new rules), insufficient training (especially when new technologies are introduced), unclearly defined responsibilities (which leads to important tasks being overlooked), and the complexity of the technologies themselves (which some employees find difficult to understand).
In the era of digital transformation, information security culture is becoming one of the key pillars of the effective and secure functioning of organizations. It is inextricably linked to the implementation and maintenance of the ISMS, as defined by the ISO/IEC 27001 standard. While technologies form the backbone of the digital world, it is people and their behavior that determine whether these technologies will be used safely and responsibly. Building a strong security culture is therefore not a one-time activity, but a long-term process that requires commitment from all levels of the organization—from management to ordinary employees.
To empirically verify the relationships between ISMS, security culture and innovation, a multiple case study was used, which allowed for a detailed analysis of several organizations with different levels of ISMS implementation and security culture. This made it possible to better compare and understand the interrelationships between the organization’s processes, its established security culture and innovation (Yin, 2018). For a better understanding, we also drew on a mixed-methods approach, which combines quantitative measurement (questionnaires) and qualitative measurement (interviews). According to Creswell and Plano Clark (2018), this approach makes it possible to capture the interrelationships between organizational factors and security culture and provides empirical conclusions.
The theoretical framework links the practices of ISMS implementation (PDCA cycle and risk management) with cultural mechanisms that influence organizational adaptability and strategic alignment. The integration of ISMS into the overall strategy of the organization is therefore understood not only as a matter of compliance with standards, but as a systemic element of management that affects employee behavior, the organization’s ability to respond to threats, and its approach to innovation (Figure 2).
The model shows that digital resilience and the ability to innovate arise from a combination of strategic management, a sufficiently developed security culture within the organization, and a proper and adequately implemented information security management system.
The first part of the model is Strategic Integration (Corporate Governance). This represents the management of the organization, which determines the direction, priorities, policies, and responsibilities within the organization that relate to the ISMS. This also ensures that security is part of the organization’s strategy and not just a technical issue.
The second part is ISMS Implementation. The ISMS is based on the ISO/IEC 27001 standard, and the PDCA cycle can be used for its implementation. The implementation of the ISMS ensures risk management, the introduction of measures, and continuous improvement of processes within the organization. The Enables Alignment relationship expresses that the ISMS links strategy and practice.
Next is Security Culture (Employee Behavior & Awareness). This element states that people are the strongest but also the weakest link. It covers the need for regular employee training and education, raising awareness of potential threats and risks, and best practices for behavior in the workplace, for example, how to set a password or how to detect phishing. When employees understand the importance of security in an organization, this encourages new innovations.
The last part is Digital Resilience (Innovation & Adaptation). This is the result of implementing the ISMS in the organization. Thanks to this, the organization can withstand new security and cyber threats and incidents, quickly return to normal operation after an incident, adapt to changes, and implement new innovations safely.
Overall, the model suggests that security cannot be viewed in isolation, but rather as an entire collaborative ecosystem. It is important to realize that management sets the direction for security, ISMS provides control and systems, employees create a security culture, and as a result, the organization can withstand threats.
The existing literature provides extensive knowledge on ISMS implementation, cultural factors influencing information security, and the challenges arising from digital transformation. However, research remains fragmented: most studies focus on ISMS from a compliance or risk management perspective, while others focus on cultural aspects separately from strategic management. Only a limited amount of research examines ISMS as a strategic management mechanism that simultaneously shapes security culture and supports innovation in a digitally transformed environment. This article addresses this gap by conceptually linking the PDCA-based ISMS framework with cultural and strategic factors and presents an integrated model explaining how security culture mediates the strategic impact of ISMS.
The literature review was structured, including the definition of the search strategy and inclusion criteria. The search was conducted in the scientific databases Scopus, Web of Science, IEEE Xplore and Google Scholar using the following keywords: “information security management system”, “ISMS”, “security culture”, “cybersecurity risk management”, “digital transformation”, and “innovation adoption”. The inclusion criteria were: publications from 2008 to 2025 that provide empirical or theoretical foundations; studies focused on the keywords above, i.e., ISMS, security culture, risk management, and innovation in organizations; and publications written in English or Slovak.
Articles focused solely on technical aspects of security without a connection to organizational culture were not considered. Articles that had not undergone peer review were also excluded.
The literature is divided into three parts. The first is the information security management system, where ISMS can be defined as a systematic approach to protecting an organization’s information from threats (ISO, 2022; Whitman & Mattord, 2017; NIST, 2020). The main processes of ISMS include risk assessment, employee competency support, audit, incident management, implementation of risk elimination measures and continuous improvement (Haufe et al., 2016). To implement ISMS in an organization, it is necessary to define the competencies and responsibilities of management positions—CISO, CSO, CIO and CRO (Jawaharrani et al., 2023; Ford et al., 2022). ISMS is implemented through a process (steps) and system (coordination and integration of components) approach (Green, 2024; von Solms & van Niekerk, 2013).
The second part is security culture in the era of digital transformation, where security culture is key to the functioning of an ISMS in an organization and consists of the values, attitudes, and habits of employees, as these influence their behavior in the field of information security (Tolah et al., 2021; Da Veiga et al., 2020). Digital transformation affects the security of the environment but also expands the possibilities for organizations to obtain data. In addition, it accelerates the implementation of digital technologies, which can pose new threats to organizations (AlHogail, 2015; Susanto et al., 2018). A strong security culture helps employees adapt and supports the overall resilience of the organization to cyber-attacks (Ahmad et al., 2019; NIST, 2021).
The third and final section is the nexus between ISMS, security culture, and innovation, as most articles examine ISMS from the perspective of compliance with standards and frameworks but rarely focus on how it affects strategic management and innovation support (Yin, 2018; Creswell & Plano Clark, 2018). This manuscript addresses this research gap by conceptually connecting the ISMS framework, which is based on the PDCA cycle, with cultural and strategic mechanisms. Thanks to this comprehensive connection, it is possible to better explain to readers how security culture mediates the impact of ISMS and how it supports the innovation environment of the organization.
The manuscript identified research gaps that included a lack of linkage between the ISMS process and security culture with organizational strategic management and innovation. The relationship between ISMS, security culture, and organizational resilience during digital transformation has also not been explored.
This subchapter can be divided into two parts—Culture of Information Security and Digital Transformation and Linking ISMS, Security Culture and Innovation. The first part of the chapter focuses directly on culture as a key element for the functioning of information security. It also discusses the link between culture and digital transformation. This part is directly linked to research question 2, as it discusses the impact of digital transformation on the development of security culture. It is also linked to research question 3, as it states that without a functioning security culture, it is not possible to ensure a functional ISMS.
The second part of the chapter discusses the interconnection between strategy, ISMS implementation, and security culture, which enables organizations to adapt to new developments in a rapidly changing world. This part is linked to research question 3 and also indirectly follows on from research questions 1 and 2.

3. Methodology

This article uses a conceptual research design aimed at theoretical synthesis of knowledge on information security management, security culture and digital transformation. The aim of the methodological approach is not to empirically test hypotheses, but to create an integrated framework linking strategic management, ISMS, and cultural factors.
The aim of the article is to analyze how the integration of an information security management system (ISMS) into the strategic management of an organization affects security culture and the organization’s ability to implement new technologies. The research article identified three research questions:
RQ1: What is the importance of security culture in the implementation of an information security management system (ISMS) according to the ISO/IEC 27001 standard?—linking the human factor, employee behavior and attitudes with the technical-process framework of the ISMS
RQ2: How does digital transformation affect the need to build and develop a security culture in organizations?—the reason why it is necessary to strengthen the security culture in an environment of rapid technological change and how this context affects organizational behavior
RQ3: To what extent is building a strong security culture a prerequisite for the successful functioning of ISMS in digitally transformed organizations?—the relationship between security culture, ISMS performance and the organization’s ability to adapt to digital challenges.
The questions can be answered both by analyzing the theoretical foundations and by the analysis presented in the results, where the ISMS process is viewed as a PDCA cycle.
This study uses a conceptual approach that connects the information security management system (ISMS) with aspects of strategic management and security culture in the context of digital transformation. The analytical framework of the research is the PDCA (Plan–Do–Check–Act) model, which is the basic principle of the ISO/IEC 27001 standard. This model allows interpreting the ISMS as a dynamic management cycle that is not only focused on compliance with the standard, but also on continuous improvement of security processes and their integration into strategic decision-making.
The methodological approach consists of a systematic synthesis of theoretical sources that deal with information security, organizational culture, digital transformation, and system management of organizations. The literature was analyzed to identify key variables influencing the implementation of ISMS and the mechanisms through which security culture affects the effectiveness of the security management system.
This approach allows for the creation of a new integrative conceptual framework that considers both process and cultural factors and provides a basis for subsequent empirical verification. The research uses social science theoretical research methods that were applied in the individual stages of processing as follows:
Analysis: used to identify individual ISMS elements, PDCA processes, digital transformation factors and security culture elements, e.g., in the “PLAN” phase, the requirements of ISO/IEC 27001:2022, risk factors, as well as the strategic objectives of the organizations were systematically evaluated.
Synthesis: used to combine findings into a coherent conceptual model that connects ISMS, organizational strategy, and culture. It was a combination of literature focused on technical measures and socio-behavioral aspects of culture into a unified framework.
Comparison: applied to compare different approaches to ISMS implementation (compliance-based vs. governance-based; technical vs. cultural approaches), and to compare theoretical sources on the impact of digital transformation on security culture.
Induction: used to formulate conclusions arising from literature and theoretical sources, e.g., identification of security culture as a key prerequisite for the effective functioning of ISMS.
Deduction: used to derive the consequences and implications of the proposed model for organizational management, e.g., how the integration of ISMS into strategic management and the connection to the PDCA cycle enables continuous improvement of security processes and support for digital transformation.
These methods were used in a complementary way, with the resulting output being a theoretical model explaining the relationships between security culture, strategic ISMS integration and the organization’s ability to adapt to digital challenges.
The methodological approach is directly linked to the formulated research questions and allows them to be answered as follows:
RQ1 was answered by analyzing the literature on security culture, organizational behavior, and ISMS standard-defined processes, with emphasis on the role of the human factor in the PDCA cycle.
RQ2 was addressed by comparing theoretical sources focused on digital transformation with the mechanisms of security culture formation, which made it possible to identify how technological changes affect the need to develop a security culture.
RQ3 was answered by synthesizing the results of the previous two questions and creating a conceptual model that captures the feedback between security culture and ISMS performance in the context of digital transformation.
Such a connection ensures that the research questions are not just a thematic framework but directly determine the structure of the analysis and the resulting model.
The article uses a conceptual research framework due to the high fragmentation and isolation of the main constructs—ISMS, security culture and digital transformation. Previous studies have rarely addressed their connection, focusing mainly on the technical area of ISMS or on the socio-behavioral aspects of security culture in the organization. Current research looks at these concepts statically, but in today’s era of frequent change it is important to view them from a dynamic perspective. This has created a gap concerning the functioning of security culture as both an outcome and a formative element of security management.
Through the PDCA cycle based on ISO (2022), it is possible to integrate process logic with strategy, culture and organizational security behavior of employees. Thanks to it, causal mechanisms between the organization’s management, security and employees are explained in a structured way.
The model therefore represents a theoretical framework that can serve as a starting point for future empirical research, for quantitative studies testing its individual variables, as well as for qualitative research aimed at verifying its applicability in different organizational contexts.
The main limitation of this study is its conceptual nature, which does not provide empirical data to verify the proposed model in practice. As a result, it is not possible to directly test the causal relationships between security culture, ISMS, and digital resilience of the organization, nor to generalize the findings to specific types of organizations.

4. Results

The Information Security Management System (ISMS) model can be illustrated as a PDCA cycle (Figure 3), with the individual steps and activities included and performed in it divided into quadrants of this cycle. The PDCA cycle is a strategic tool that helps organizations set goals, align strategies, and continuously improve, and is consistent with the CIA triad—confidentiality, integrity, and availability (Velasco et al., 2018; Z. Sun et al., 2020; Realyvásquez-Vargas et al., 2018; Naughton et al., 2024).
The PLAN phase of an information security management system represents the strategic foundation for implementation, which determines the direction, scope, and requirements of the entire framework. The primary output of this phase is the definition of the system boundaries, the identification of stakeholders, and the establishment of the legislative, regulatory, and organizational requirements that determine the structure of security management. As stated by Uchendu et al. (2021), a clear definition of the scope of the ISMS is a key prerequisite for the effective integration of security into the processes of the organization, as it eliminates ambiguities in responsibilities and asset identification. A critical element of the PLAN phase is systematic risk management, which includes the identification of information assets, the analysis of threats and vulnerabilities, and the assessment of the impact and probability of their occurrence. This procedure reflects the approaches recommended in the ISO/IEC 27005 and NIST SP 800-30 standards. The result is a classification of risks into acceptable, mitigable, or intolerable categories, with intolerable risks requiring immediate intervention (Brezavšček & Baggia, 2025). The planning phase also includes the formulation of an information security policy and the setting of objectives, which must be formalized as documented information available to all relevant actors. At the end of the PLAN phase, control measures are selected from Annex A of the ISO/IEC 27001:2022 standard; their application must be contextualized according to the needs of the organization and supplemented with additional measures where specific threats or regulatory requirements require it (Ahmad et al., 2019). The first phase of the PDCA cycle is linked to research questions RQ1 and RQ2: it is the planning phase in which security objectives and strategies are defined, risk management is planned, and the importance of security culture is examined.
In addition, digital transformation also increases the need for clearly defined security objectives in advance, i.e., why it is necessary to strengthen security culture in organizations. Among the measurable indicators within this part of the PDCA cycle, it is possible to propose, for example: the presence of security objectives in the organizational strategy, a documented ISMS policy available to all employees, or the number of identified and classified risks according to ISO/IEC 27005.
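As an added example (not code from the article), the following Python script carries the PLAN-phase risk management described above through a constructed register: assets with threat and vulnerability pairs are scored on assumed 1 to 5 likelihood and impact scales, classified as acceptable, mitigable or intolerable against assumed risk-appetite thresholds, counted per category (the "number of identified and classified risks" indicator), and queued for treatment with intolerable risks first. The asset list, the scales, the thresholds and the candidate Annex A control references attached to each risk are illustrative assumptions, not values from the article or from the standards.

```python
"""PLAN-phase risk register: identify assets, score threat/vulnerability pairs,
and classify risks as acceptable, mitigable or intolerable.

Constructed example; the 1..5 scales, the thresholds and the asset list are
assumptions for illustration, not values from the article or ISO/IEC 27005.
"""
from dataclasses import dataclass

# Assumed risk appetite: score = likelihood x impact, both on a 1..5 scale.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTABLE_MAX = 4      # score <= 4 is accepted without further treatment
INTOLERABLE_MIN = 15    # score >= 15 requires immediate intervention


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    # Illustrative Annex A (ISO/IEC 27001:2022) references chosen for this
    # example; a real selection is contextualized per organization.
    candidate_controls: tuple = ()

    def score(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject scores outside the agreed scale before they enter the register."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.asset}: {name}={value} outside {SCALE_MIN}..{SCALE_MAX}")


def classify(risk: Risk) -> str:
    """Map a score to the three categories used in the PLAN phase."""
    score = risk.score()
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    if score >= INTOLERABLE_MIN:
        return "intolerable"
    return "mitigable"


def build_register(risks):
    """Validate, score and classify every risk; highest score first."""
    rows = []
    for risk in risks:
        validate(risk)
        rows.append({"asset": risk.asset, "threat": risk.threat,
                     "score": risk.score(), "category": classify(risk),
                     "controls": risk.candidate_controls})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def summarize(register):
    """PLAN-phase indicator: number of identified risks per category."""
    counts = {"acceptable": 0, "mitigable": 0, "intolerable": 0}
    for row in register:
        counts[row["category"]] += 1
    return counts


def treatment_queue(register):
    """Assets that need a treatment decision, intolerable risks first."""
    return [r["asset"] for r in register if r["category"] != "acceptable"]


# Constructed sample register for a small organization (values are made up).
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "unpatched database server", 4, 5,
         ("A.8.7 Protection against malware", "A.8.13 Information backup")),
    Risk("staff mailboxes", "phishing", "low security awareness", 5, 3,
         ("A.6.3 Information security awareness, education and training",)),
    Risk("public website", "defacement", "weak administrator password", 3, 3,
         ("A.8.5 Secure authentication",)),
    Risk("company laptops", "theft", "no full-disk encryption", 2, 4,
         ("A.8.24 Use of cryptography",)),
    Risk("internal wiki", "accidental disclosure", "over-broad sharing", 2, 2),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for row in register:
        print(f'{row["score"]:>2}  {row["category"]:<11} {row["asset"]}: {row["threat"]}')
    print("classified risks:", summarize(register))
    print("treatment queue:", treatment_queue(register))
```

Running the script lists the five constructed risks from highest to lowest score, reports one acceptable, two mitigable and two intolerable risks, and places the two intolerable ones at the head of the treatment queue; the thresholds are the part an organization adjusts to its own risk appetite.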
The DO phase represents the implementation level of the ISMS, within which the organizational and technical measures defined in the planning phase are implemented and transformed into the operational processes of the organization. Implementation of controls is a continuous process that reflects changes in the environment, technologies, and organizational risks, which is in line with the principle of adaptive security management (Ahmad et al., 2019). Controls can take the form of technical mechanisms (e.g., authentication, encryption) or organizational measures (e.g., access policies, segregation of duties), while their selection and scope must be in line with the identified risks and strategic goals of the organization (Vroom & Solms, 2004). The implementation of controls is also related to the creation of ISMS documentation, which includes security guidelines, procedural rules, and operational standards. Documented policies represent the basis of formal security management, ensure consistency of practice, and enable auditability of the system (Uchendu et al., 2021; Bell et al., 2025). A critical element of the phase is also increasing security awareness and training of employees, which is a basic mechanism for forming a security culture and preventing socio-technical incidents. Research shows that the success of an ISMS is determined by the degree to which employees internalize security behaviors, not just technical measures (Hillman et al., 2023; R. F. Ali et al., 2021). Effective approaches include training, behavioral interventions, and simulated attacks, such as phishing campaigns, that allow testing of human factor vulnerabilities in real-world conditions (Colabianchi et al., 2025). The Do phase is therefore a key element in linking ISMS to security culture, with organizational behavior playing a key role in transforming strategic security goals into everyday practice. 
The DO phase is linked to research questions RQ1 and RQ3, because within this phase the organization focuses on implementing various measures, such as training, controls, or changes and innovations in organizational processes. The actual behavior of employees within security procedures is monitored and analyzed. Digital technologies influence the creation and implementation of security measures in organizations and place emphasis on strengthening security culture. Within the DO phase, the following measurable indicators can be defined: the number and frequency of training sessions and simulated attacks (e.g., phishing), the percentage of employees who successfully completed security awareness tests, or the number of technical and organizational controls implemented in accordance with the plan (Alheadary, 2023).
The CHECK phase represents the control and evaluation layer of the information security management system, the aim of which is to monitor the performance of implemented measures, verify compliance with standards, and identify deviations that may reduce the effectiveness of the system. A key element is the systematic monitoring of security events and incidents, which must be recorded, analyzed, and retrospectively evaluated to identify the causes of failure and propose preventive measures. The incident response process thus takes on the character of an organizational learning mechanism, which is also confirmed by L. Sun et al. (2021), who point out the importance of incident data in the iterative improvement of security policies. The phase also includes the definition and ongoing evaluation of key performance indicators (KPIs) and metrics that allow an objective assessment of the effectiveness of controls and the overall maturity of the ISMS. Performance quantification is the basis of evidence-based security management, with properly defined indicators making it possible to assess the effectiveness not only of technical measures, but also of user behavior (Bernik & Prislan, 2016; Prislan et al., 2020). An important element of the CHECK phase is the audit—both internal and external—which verifies the system’s compliance with the requirements of ISO/IEC 27001 and related legislative frameworks. The audit must be planned and performed at regular intervals, and the results must be documented, including identified non-conformities and recommendations for corrective actions. For example, a gap analysis can be used to assess compliance; it identifies differences between the current state and the requirements of the standard. The audit outputs form the input for the next phase of the cycle (ACT) and enable iterative improvement of the system (Antunes et al., 2024).
An important part of the phase is also the ongoing reassessment of risks, as their severity and probability change depending on technological changes, threats, and the strategic situation of the organization. Risk reassessment ensures that measures remain relevant and appropriate to the current environment. If the assessment shows that the implemented measures are ineffective or outdated, they must be modified or replaced with more appropriate ones. Regular feedback thus serves as a mechanism for continuous improvement, which is essential for an adaptive security culture (Shojaie et al., 2014; Monev, 2020). The third phase of the cycle is again linked to RQ1 and RQ3, as the effectiveness of measures is assessed, incidents are monitored, and KPIs are set and tracked within the ISMS. This phase determines how the security measures support the operation of the ISMS and how they affect the organization’s adaptation to new threats in cyberspace. Measurable indicators include: the number of internal and external audits and identified deficiencies, KPIs for the effectiveness of technical measures and employee behavior, and the frequency and consequences of security incidents.
The ACT phase represents the adaptive and transformative component of the PDCA cycle, within which the organization implements corrective actions, revises policies and updates security mechanisms based on the results of monitoring, auditing, and incidents. The main objective of this phase is to ensure that the ISMS does not remain static, but reflects changing risks, technologies, and organizational priorities, thereby supporting the long-term strategic sustainability of security (Meglaras et al., 2020). The first step is to reassess existing measures and adapt them according to the findings of the previous phases. Implemented measures must be either confirmed, modified, or removed if they prove to be ineffective. Reviewing controls is crucial, especially in a rapidly changing cyber threat environment, where static measures lose their effectiveness (Cheimonidis & Rantos, 2023). An important part of the Act phase is also the review of the information security policy, which must reflect new knowledge about risks, regulatory changes, organizational priorities, and audit results. The policy, as a management document, represents the basic governance framework and its regular updating is essential to maintain consistency between the strategic direction of the organization and the implemented security practice. Part of the adaptation system is also the formal management of security incidents, where measures are taken to prevent recurrence. Incident response is transformed from a reactive process into a strategic element of organizational learning in this phase, thereby supporting the maturity of the security culture (Patterson et al., 2023). The final element of the Act phase is the systematic incorporation of feedback from all phases of the cycle, which allows for a closed loop of iterative improvement. 
Feedback is not just an operational input, but an organizational adaptation mechanism that allows the ISMS to evolve in line with the evolution of the digital environment. The last phase of Act is helpful in answering questions RQ2 and RQ3. This phase ensures that the ISMS is prepared for new threats in cyberspace, also updates the security policy and leads to continuous process improvement. The need for a flexible culture that regulates employee behavior is also emphasized here. Measurable indicators for the last phase of the PDCA cycle are the number of ISMS policy revisions and corrective actions implemented, the success of introducing new technologies without security incidents, or the improvement of audit results and KPIs compared to previous periods.
When an information security management system goes through the entire PDCA cycle, all the steps are repeated in the next iteration. This repetition gives the organization the opportunity to continuously improve its information security management system (de la Paz et al., 2023; Mohamad et al., 2024; Jankal, 2014).
Among the key findings is that a well-established information security management system strengthens the trust not only of customers in the organization, but also of all other stakeholders. If an organization has a well-established information security management system, it sends a signal that all data that enters the organization will be protected and will not be misused or altered (Arredondo-Soto et al., 2021).
If an organization gradually goes through all the steps of this model, it can increase its compliance with the ISO (2022) standard and thus meet its requirements more and more. Thanks to this, it will be able to obtain certification to this standard and maintain it over the years. It is also possible to assume that an organization that has a properly set up information security management system may be more open to trying new things and adopting new innovations. If it manages information security correctly, it has a greater chance of implementing new technologies without any security incidents. Similarly, a properly set up ISMS supports digital transformation and helps in the implementation of new technologies (Qusef et al., 2018).
It is important to emphasize that the entire information security management system is not just a management tool, but it is a strategic part of the entire organization. Thanks to proper information security management, the organization can meet its goals and also align them with the requirements of stakeholders. Also, thanks to the proper ISMS, the organization can respond quickly and accurately to changes that come and not jeopardize the integrity of the entire system.
The culture of the organization is very important. From the perspective of information security, we are talking about a security culture that must exist in an organization if it wants to address its information security well enough. If the security culture is well-established, it supports innovation in the organization, as employees know the principles and rules, understand them and are sufficiently motivated to comply with them, and thus improve the entire information security management system. It also allows the organization to try new things and introduce new technologies, such as artificial intelligence, as there is no risk of dangerous manipulation of these technologies. Finally, it certainly reduces the risk of human error. Thanks to education, employees can detect fraudulent emails or prevent behavior that is dangerous from an information security perspective (Da Veiga et al., 2020; AlHogail, 2015; Dornheim & Zarnekow, 2024).
Recommendations for practice and for organizational management also emerge from the analysis. The first is certainly the introduction of the ISMS itself into the strategic management of the organization. As mentioned, it must be involved in the entire strategic management and planning of the organization. It is also about building a security culture from the top down. Management must set an example for employees; if management is not willing to operate in a way that meets the requirements of the information security management system, employees will not be willing either. Another recommendation is to link the ISMS with digital transformation and thus ensure that new technologies introduced into the organization are subsequently evaluated from an information security perspective. This will prevent security incidents and support the digital transformation of the organization itself. A further recommendation, based on the information security management system model, is that since the individual quadrants contain activities such as audits and the determination of KPIs, it is appropriate to measure the maturity of the entire information security management system. Thanks to this, the organization will know what state its security is in and what it needs to improve (Brezavšček & Baggia, 2025; Domínguez et al., 2023; Magnusson et al., 2025; Schmitz et al., 2021).
Implementing an ISMS in an organization also transforms its processes, people, and technologies. For processes, this mainly means introducing standardized procedures for planning, for supporting the implementation of new technologies, for checking compliance with requirements, and for improving the whole system. For people, it mainly means education and raising awareness of information security; adequately educated staff are key to a functioning ISMS. Regular training, complemented by exercises such as simulated attacks (for example phishing simulations), raises awareness and strengthens trust. For technologies, it mainly concerns new technologies such as artificial intelligence, cloud services, or IoT devices, which become part of the ISMS so that, with a functioning system, their deployment and use remain controlled and their risks managed (Parsons et al., 2017; Kitsios et al., 2023; Nurbojatmiko et al., 2025; Kamil et al., 2023).
The maturity of the ISMS is directly related to the success of digital transformation in the organization. An organization with a mature ISMS is better able to manage and adopt change and innovation and to manage the associated risks; the higher the maturity level, the stronger this ability. Such organizations can also adopt new technologies faster and respond more quickly to security risks and incidents. A mature ISMS can likewise help ensure that digital transformation is sustainable and in line with legal and ethical standards.
The following section presents the causal effects assumed by the model in relation to RQ1 to RQ3. The causal relationships between management and employee engagement, ISMS policies, security culture, and innovation are depicted in Figure 3, which builds on current models of organizational culture and ISMS.
The model assumes that management engagement is the primary factor determining the quality and consistency of the ISMS policies and processes implemented in the organization (PDCA plan phase). ISMS policies and processes are then translated into security measures in the form of rules of conduct for the organization's employees (PDCA do phase). Raising employee awareness contributes to compliance with the organization's general security rules and reduces the number of security incidents (PDCA check phase). Security culture is shaped by managerial decisions, by the formal ISMS rules, and by employee behavior. Conversely, a strong security culture supports the functioning of the ISMS and the adoption of change, including the introduction of new technologies (PDCA act phase).
The result is an increase in the organization's innovation potential, stronger security awareness among employees, and a willingness to implement new digital technologies and to see them as an opportunity rather than a threat.
The research shows that an ISMS based on the PDCA cycle is a functional framework that links an organization's strategy, employee behavior, and security culture with continuous improvement, and so enables continuous development. It also confirms that information security management cannot be viewed solely as technical security or as compliance with the requirements of a standard; it depends on involving people and on their understanding of why information security matters for the functioning of the organization. The individual phases of the PDCA cycle each play a role. Plan stands for clearly defined objectives and systematic risk management. Do reflects the fact that people are the decisive factor in the functioning of the ISMS. Check means that regular monitoring of risks and security incidents serves not only prevention but also learning. Act means that documents such as policies and plans are living documents that must be maintained continuously. Overall, the research shows that a mature ISMS has a positive effect on stakeholder confidence in the organization and strengthens its competitiveness; it also increases digital resilience and supports the integration of new technologies. Finally, security culture and employee understanding are shown to be key to a functioning ISMS.

5. Discussion

The research confirms that an information security management system according to ISO (2022) cannot be understood only as a technical-process framework; it must also be understood as a strategic management tool. An ISMS contributes to strengthening trust between stakeholders, supports transparency, and creates the conditions for the safe introduction of innovations (Mirtsch et al., 2021; Cho & Cho, 2025). At the same time, a properly set up ISMS increases resilience to threats in the digital economy and allows organizations to systematically identify, assess, and manage the risks associated with technologies, data use, and operational processes (Aftabi et al., 2025; Gschwandtner et al., 2019).
Compliance with regulatory and legislative requirements, as well as with the expectations of customers or partners, increases the competitiveness of the organization in the market and at the same time strengthens its reputation (Brunner et al., 2020; Kanaan et al., 2025; Cho & Cho, 2025). From this perspective, ISMS represents a strategic management element that affects the overall performance of the organization and its ability to function effectively in the digital environment (Horne et al., 2017; Wang et al., 2025).
Security culture represents the human and behavioral dimension of an information security management system. For an ISMS to function successfully, it is essential that security principles and behaviors are integrated into the organization’s daily operations. Although standards define processes, documents, and technical measures, their actual effect depends on user behavior, level of responsibility, and employee willingness to participate in protecting information assets (Paek & Lee, 2025; Nurse et al., 2025).
A strong security culture leads to a reduction in human error, supports incident reporting, and increases the organization’s ability to respond to threats. Research by Da Veiga et al. (2020) and Hassan et al. (2025) shows that organizations with a developed security culture exhibit higher ISMS performance and higher information resilience. Culture is thus a prerequisite for a functioning ISMS because it allows processes to be linked to the human factor.
This directly answers RQ1, as it confirms that culture is a fundamental determinant of system effectiveness and has a decisive impact on ISMS implementation.
Digital transformation fundamentally changes the way organizations operate by introducing new technologies, such as artificial intelligence, cloud services, and IoT devices. The rapid introduction of these technologies introduces new security risks and often outpaces organizational readiness to manage them. In this context, security culture serves as a stabilizing element that ensures that innovations do not compromise security and that the organization can handle changes without fundamentally disrupting the integrity of systems (Stewart, 2023; Vasiel’ev et al., 2018; Jin et al., 2025).
Digital transformation also increases the need for risk communication, an emphasis on testing new solutions, and the adoption of security principles in the early stages of technology projects. According to Saeed et al. (2020) and Susanto et al. (2018), culture connects agility with security and differentiates organizations that successfully implement innovations from those that fail to respond to cyber threats.
This answers RQ2, as digital transformation not only increases the need for building culture, but also shapes its character as a dynamic, adaptive element of organizational management.
Research confirms that a security culture is a prerequisite for the successful implementation and operation of ISMS in organizations undergoing digital transformation. A strong culture reduces the number of incidents, accelerates the response to emerging threats, and supports cross-functional collaboration, creating an environment in which security measures support innovation rather than hinder it (Azmi et al., 2021; Astakhova, 2020).
As Dornheim and Zarnekow (2024) state, a security culture acts as a catalyst for innovation, as it allows technologies to be implemented in a way that is consistent with risk management principles. Organizations with developed cultures show higher digital maturity, as well as a higher ability to use ISMS as a strategic management tool (Bagaryakov & Nikulina, 2012).
The above also answers RQ3, as it confirms the functional dependence between cultural maturity and ISMS performance.

6. Conclusions

Research confirms that an information security management system according to ISO (2022) is a strategic management tool for an organization, not just a technical and process framework. ISMS supports building stakeholder trust, increases resilience to security threats, enables controlled innovation, and contributes to transparent and systematic risk management. Organizations that integrate ISMS into their corporate strategy show higher levels of compliance with legislative and regulatory requirements, higher reputation, and better ability to adapt to technological changes.
RQ1: Security culture is a critical factor in the functionality of an ISMS, as it ensures that security measures are implemented and lived in everyday practice. A strong culture reduces the number of incidents, supports proactive employee behavior, and is a fundamental prerequisite for information resilience.
RQ2: Digital transformation increases the importance of security culture and at the same time changes its character to a dynamic element of organizational management. When introducing new technologies, culture is a stabilizing mechanism that reduces the risk of both technical and human failures.
RQ3: A developed security culture is a prerequisite for the successful functioning of an ISMS in digitally transformed organizations. Organizations with a higher level of culture show higher digital maturity, faster responses to incidents, and more effectively link strategic goals with security practices.
Overall, the findings confirm that information security in a digital transformation environment functions as a strategic pillar of organizational resilience and long-term competitiveness.
Organizations can make use of an ISMS by aligning its objectives with their own objectives and making it part of management. They can use the PDCA cycle for continuous improvement, with activities such as audits and reviews of measures. They can also use the ISMS in digital transformation as a framework for the safe implementation and deployment of new technologies. An ISMS further improves the organization's competitiveness and reputation in the eyes of stakeholders, whose trust increases when they know that their data is well protected. Finally, it creates a safe environment for innovation, in which the organization can manage and reduce its risks rather than merely suppress them (Hohan et al., 2015).
We list several managerial implications that can help organizations implement an ISMS successfully. The proposed recommendations are based on best practices from other organizations and on case studies (Barton et al., 2016; Willie, 2023; Kö et al., 2023; Guzmán et al., 2025; Rusu & Mantulescu, 2025; IteraSec, 2025). They also follow from the results of this article, which show that an ISMS implemented according to the requirements of ISO (2022) should be integrated into the organization's strategy:
Organizations should treat the ISMS as a strategic tool rather than a technical framework. This means integrating the ISMS into the strategic management of the organization and linking it with the organization's goals, so that it is perceived as a strategic element of management and not as a technical-process mechanism.
Risks must also be managed systematically as part of strategic management. Organizations whose ISMS is based on a relevant and detailed risk analysis are much better able to identify, monitor, and mitigate the risks arising from the digital environment.
Building a security culture should be one of the priorities of managers, since it is managers who should motivate employees and set the example of how to comply with security regulations, act in line with the security culture, and report problems. The research clearly confirms that security culture is a key factor in the successful implementation of an ISMS.
Strategic human resource management with an emphasis on security behavior is also important: organizations should invest in education and in raising information security awareness, because people are the key factor in building a security culture and in the functioning of the entire ISMS.
Finally, continuous improvement should be treated as a management imperative, because the connection of people, technologies, and processes is key to the success of the whole ISMS and of the implemented measures. The depiction of the ISMS process as a PDCA cycle itself implies continuous improvement: risks should be reassessed regularly, internal audits should be carried out with the aim of improvement (not merely control), and activities that adapt security measures to new threats should be supported.
The maturity of the ISMS and of the security culture should be measured regularly, using tools such as audits and KPIs, so that the organization knows what stage its system has reached.
To support the managerial implications in practice, a simple assessment tool can be proposed that can be used without specialized analytical tools. The model consists of five levels. At the ad hoc level, the ISMS is only formal or partially implemented: security policies exist but are not communicated to employees, who behave reactively. At the second level, defined, security policies are documented and implemented, and employees receive regular but largely formal training; the security policy is applied as a set of strict rules. At the third level, driven, the ISMS is integrated into the organization's strategic goals, security initiatives are actively supported by management, and employee security behavior is tracked through KPIs. At the fourth level, integrated, the organization supports digital transformation and innovation, the security culture is part of its values and goals, and employees adapt their behavior so that their use of technology contributes to the security and resilience of the organization. The fifth and highest level, adaptive, describes organizations with a dynamic and proactive ISMS that can respond flexibly to a changing environment, including new threats, which is also the result of a comprehensive security culture.
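As an added example, not code from the article, the five levels above, together with the recommendation to measure maturity with audits and KPIs, can be turned into a small staged self-assessment. The yes/no criteria are paraphrased from the level descriptions and the staged rule (a level is reached only when every criterion of that level and of all lower levels is met) is a common maturity-model convention assumed here; neither the question set nor the rule is specified by the article, and the sample answers are constructed.

```python
"""Staged self-assessment for the five ISMS/security-culture maturity levels.

Added illustration, not code from the article. The yes/no criteria are
paraphrased from the level descriptions; the staged rule (a level is
reached only when every criterion of that level and of all lower levels is
met) is an assumed convention borrowed from staged maturity models.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ["ad hoc", "defined", "driven", "integrated", "adaptive"]

# Criteria an organization must satisfy to reach each level above "ad hoc".
# The wording is assumed; replace it with the organization's own audit evidence.
CRITERIA: Dict[str, List[str]] = {
    "defined": [
        "policies_documented",
        "policies_communicated_to_employees",
        "training_held_regularly",
    ],
    "driven": [
        "isms_in_strategic_goals",
        "initiatives_supported_by_management",
        "security_behaviour_tracked_by_kpis",
    ],
    "integrated": [
        "security_embedded_in_transformation_projects",
        "security_culture_in_values_and_goals",
        "employees_adapt_behaviour_to_new_technology",
    ],
    "adaptive": [
        "threat_landscape_reviewed_continuously",
        "controls_adjusted_proactively",
        "incident_lessons_fed_back_into_isms",
    ],
}


@dataclass
class Assessment:
    level: str                                   # name of the level reached
    level_index: int                             # 1 = ad hoc ... 5 = adaptive
    gaps: Dict[str, List[str]] = field(default_factory=dict)  # unmet per level


def unmet_criteria(level: str, answers: Dict[str, bool]) -> List[str]:
    """Criteria of one level that the answers do not satisfy (missing = no)."""
    return [c for c in CRITERIA[level] if not answers.get(c, False)]


def assess(answers: Dict[str, bool]) -> Assessment:
    """Return the highest level whose criteria, and all lower ones, are met."""
    reached = 1  # "ad hoc" is the baseline and has no criteria
    gaps: Dict[str, List[str]] = {}
    for idx, level in enumerate(LEVELS[1:], start=2):
        unmet = unmet_criteria(level, answers)
        if unmet:
            gaps[level] = unmet
        elif idx == reached + 1:
            reached = idx  # advance only while no lower level is still open
    return Assessment(LEVELS[reached - 1], reached, gaps)


def next_steps(result: Assessment) -> List[str]:
    """The criteria to close in order to reach the next level."""
    if result.level_index == len(LEVELS):
        return []
    return result.gaps.get(LEVELS[result.level_index], [])


# Constructed sample: policies are documented, communicated and trained,
# behaviour is already tracked with KPIs, but management does not sponsor
# security initiatives and the ISMS is absent from the strategic goals.
SAMPLE_ANSWERS: Dict[str, bool] = {
    "policies_documented": True,
    "policies_communicated_to_employees": True,
    "training_held_regularly": True,
    "security_behaviour_tracked_by_kpis": True,
    "controls_adjusted_proactively": True,
}

if __name__ == "__main__":
    result = assess(SAMPLE_ANSWERS)
    print(f"Level {result.level_index}: {result.level}")
    print("To reach the next level:", ", ".join(next_steps(result)))
```

The staged rule is what makes the tool useful as a gap analysis rather than a checklist: an organization that already tracks security behavior with KPIs but never communicated its policies still scores as ad hoc, and the reported next steps point at the communication gap rather than at the higher-level items it happens to satisfy.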
The research results are subject to several limitations that affect their generalizability. First, this is the conceptual and theoretical nature of the research, which is mainly based on the analysis of literature, standards, and theoretical models. The absence of empirical data means that the conclusions are not supported by quantitative measurements of organizational behavior or comparisons of real case studies.
The originality of the article lies in the extensive knowledge gathered about the process of implementing an ISMS in an organization, and in its use of the ISO (2022) standard, which among other things addresses security culture in organizations. Part of the theoretical background focuses on the procedural and normative dimension of the ISMS, i.e., on the system following the standard so that organizations carry out risk management and audits. Another part of the literature is devoted to security culture as a separate socio-behavioral phenomenon. The greatest contribution is therefore the combination of these two previously separate perspectives, connecting the management of the ISMS through the PDCA cycle with security culture. The article conceptualizes a framework for examining the causal relationships between the ISMS and the organization's security culture; in this framing, security culture is not merely a supporting factor but an active mechanism.
The article has set three research questions:
RQ1: What is the importance of security culture in the implementation of an information security management system (ISMS) according to the ISO/IEC 27001 standard?
The discussion of RQ1 focused on the possibilities of quantifying and analyzing security culture in the individual phases of digital transformation. Earlier studies have mostly taken a static view of security culture; the model in this article links security culture to the logic of the PDCA cycle, so that its development can be tracked over time and in response to technological and organizational change. This fills a gap in the literature and can make the article more attractive to a wider readership.
RQ2: How does digital transformation affect the need to build and develop a security culture in organizations?
RQ2 clarifies the role of organizational strategy in the context of security culture. Current studies address the importance of managers' commitment but rarely explain how their decisions influence employees' security-related behavior.
RQ3: To what extent is building a strong security culture a prerequisite for the successful functioning of ISMS in digitally transformed organizations?
RQ3 investigated the relationship between ISMS performance and security culture, namely whether culture is a prerequisite or an outcome. The model in the article answers this by treating security culture as a bidirectional element: an input to the Do and Check phases and an output of the Act phase.
Another limitation is the variability of the organizational contexts in which ISMS is implemented. Factors such as the size of the organization, the sector, legislative requirements, or the level of technological maturity can significantly influence how the security culture is formed and how it affects the resulting performance of the ISMS. Future research should focus on empirical verification of the relationship between culture and ISMS performance, e.g., through quantitative models or statistical methods; case studies of organizations in different stages of digital transformation; the development of metrics to measure security culture and ISMS maturity; supplementing the model with economic indicators, e.g., incident costs and return on security investments; and the verification of the proposed theoretical model in practice.
These research directions can develop knowledge about how security culture influences the strategic functioning of ISMS and what factors determine its effectiveness in digitally transformed organizations.

Author Contributions

Conceptualization, N.S. and M.K.; methodology, N.S. and D.D.; validation, D.D.; formal analysis, N.S.; investigation, M.K. and N.S.; resources, N.S. and D.D.; data curation, D.D.; writing—original draft preparation, N.S., D.D. and M.K.; writing—review and editing, D.D. and N.S.; visualization, N.S. and D.D.; project administration, N.S.; funding acquisition, N.S. and M.K. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the European Union NextGenerationEU through the Recovery and Resilience Plan for Slovakia under the project No.17R05-04-V01-00005.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created in this manuscript; all data used are available in the article.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Aftabi, N., Moradi, N., Mahroo, F., & Kianfar, F. (2025). SD-ABM-ISM: An integrated system dynamics and agent-based modeling framework for information security management in complex information systems with multi-actor threat dynamics. Expert Systems with Applications, 263, 125681. [Google Scholar] [CrossRef]
  2. Ahmad, A., Maynard, S. B., & Park, S. (2019). Information security strategies for digital transformation: The role of ISMS. Journal of Information Security and Applications, 48, 102345. [Google Scholar] [CrossRef]
  3. Alheadary, W. G. (2023). Towards development of a security risk assessment model for Saudi Arabian business environment based on the ISO/IEC 27005 ISRM standard. Journal of Information Security, 14(3), 195–211. [Google Scholar] [CrossRef]
  4. AlHogail, A. (2015). Design and validation of information security culture framework. Computers in Human Behavior, 49, 567–575. [Google Scholar] [CrossRef]
  5. Ali, R. F., Dominic, P. D. D., Ali, S. E. A., Rehman, M., & Sohail, A. (2021). Information security behavior and information security policy compliance: A systematic literature review for identifying the transformation process from noncompliance to compliance. Applied Sciences, 11(8), 3383. [Google Scholar] [CrossRef]
  6. Ali, S. E. A., Lai, F. W., Hassan, R., & Shad, M. K. (2021). The long-run impact of information security breach announcements on investors’ confidence: The context of efficient market hypothesis. Sustainability, 13(3), 1066. [Google Scholar] [CrossRef]
  7. Alzahrani, L., & Seth, K. P. (2021). The impact of organizational practices on the information security management performance. Information, 12(10), 398. [Google Scholar] [CrossRef]
  8. Antunes, M., Maximiano, M., & Gomes, R. (2024). A client-centered information security and cybersecurity auditing framework. Applied Sciences, 12(9), 4102. [Google Scholar] [CrossRef]
  9. Arredondo-Soto, K. C., Blanco-Fernandez, J., Miranda-Ackerman, M. A., Solis-Quinteros, M. M., Realyvasquez-Vargas, A., & Garcia-Alcaraz, J. L. (2021). A plan-do-check-act based process improvement intervention for quality improvement. IEEE Access, 9, 1. [Google Scholar] [CrossRef]
  10. Astakhova, L. V. (2020). A corporate employee as a subject of corporate information security management. Scientific and Technical Information Processing, 47(2), 113–118. [Google Scholar] [CrossRef]
  11. Azmi, N. A. A. M., Teoh, A. P., Vafaei-Zadeh, A., & Hanifah, H. (2021). Predicting information security culture among employees of telecommunication companies in an emerging market. Information and Computer Security, 29(5), 866–882. [Google Scholar] [CrossRef]
  12. Bagaryakov, A. V., & Nikulina, N. L. (2012). Investigation of economic security in terms of relations “innovation security—Innovation culture”. Ekonomika Regiona-Economy of Region, 4, 179–515. [Google Scholar] [CrossRef]
  13. Barton, K. A., Tejay, G., Lane, M., & Terrell, S. (2016). Information system security commitment: A study of external influences on senior management. Computers & Security, 59, 9–25. [Google Scholar] [CrossRef]
  14. Bell, J., Cooper, L., Nelson, A., & Qureshi, K. (2025). Human-centered cybersecurity: Building a culture of data protection in the digital era. Available online: https://www.researchgate.net/publication/396774678_Human-Centered_Cybersecurity_Building_a_Culture_of_Data_Protection_in_the_Digital_Era (accessed on 9 September 2025).
  15. Bernik, I., & Prislan, K. (2016). Measuring information security performance with 10 by 10 model for holistic state evaluation. PLoS ONE, 11(9), e0163050. [Google Scholar] [CrossRef] [PubMed]
  16. Blasková, M., Tumová, D., & Miciak, M. (2022). Taxonomy of factors involved in decision-making to sustain organization members’ creativity. Administrative Sciences, 12(1), 39. [Google Scholar] [CrossRef]
  17. Brezavšček, A., & Baggia, A. (2025). Recent trends in information and cyber security maturity assessment: A systematic literature review. Systems, 13(1), 52. [Google Scholar] [CrossRef]
  18. Brunner, M., Sauerwein, C., Felderer, M., & Breu, R. (2020). Risk management practices in information security: Exploring the status quo in the DACH region. Computers & Security, 92(1), 101776. [Google Scholar] [CrossRef]
  19. Cheimonidis, P., & Rantos, K. (2023). Dynamic risk assessment in cybersecurity: A systematic literature review. Future Internet, 15(10), 324. [Google Scholar] [CrossRef]
  20. Cho, H., & Cho, K. (2025). Impact of security management activities on corporate performance. Systems, 13(8), 633. [Google Scholar] [CrossRef]
  21. Colabianchi, S., Costantino, F., Nonino, F., & Palombi, G. (2025). Transforming threats into opportunities: The role of human factors in enhancing cybersecurity. Journal of Innovation & Knowledge, 10(3), 100695. [Google Scholar] [CrossRef]
  22. Creative Solution. (2025). ISMS|CeMS|Slovník pojmov. Cems.sk. Available online: https://www.cems.sk/clanok/796-isms (accessed on 28 August 2025).
  23. Creswell, J. W., & Plano Clark, V. L. (2018). Designing and conducting mixed methods research (3rd ed.). SAGE Publications. ISBN 9781483344379. Available online: https://bayanbox.ir/view/236051966444369258/9781483344379-Designing-and-Conducting-Mixed-Methods-Research-3e.pdf (accessed on 28 August 2025).
  24. Da Veiga, A., Astakhova, L. V., Botha, A., & Herselman, M. E. (2020). Defining organisational information security culture—Perspectives from academia and industry. Computers & Security, 92, 101713. [Google Scholar] [CrossRef]
  25. de la Paz, J. V. B., Picón, L. A. R., Rocha, V. M., & Argüelles, S. V. T. (2023). A Systematic review of risk management methodologies for complex organizations in industry 4.0 and 5.0. Systems, 11(5), 218. [Google Scholar] [CrossRef]
  26. Domínguez, R. D., Flores, O. A., & Sánchez-Valdez, J. A. (2023). Exploratory analysis of a measurement scale of an information security management system. arXiv. [Google Scholar] [CrossRef]
  27. Dornheim, P., & Zarnekow, R. (2024). Determining cybersecurity culture maturity and deriving verifiable improvement measures. Information and Computer Security, 32(2), 179–196. [Google Scholar] [CrossRef]
  28. Duc, A. N., & Chirumamilla, A. (2019, September 18–20). Identifying security risks of digital transformation—An engineering perspective [Lecture notes in computer science]. Conference on e-Business, e-Services and e-Society, Trondheim, Norway. [Google Scholar] [CrossRef]
  29. Ford, A., Al-Nemrat, A., Ghorashi, S. A., & Davidson, J. J. (2022, March 17–18). Impact of CISO appointment announcements on the market value of firms. International Conference on Cyber Warfare and Security, Albany, NY, USA. [Google Scholar] [CrossRef]
  30. Green, J. (2024). Information security management principles (4th ed.). O’Reilly. ISBN 9781780176932. [Google Scholar]
  31. Gschwandtner, M., Demetz, L., Gander, M., & Maier, R. (2019, August 27–30). Integrating threat intelligence to enhance an organization’s information security management. 13th International Conference on Availability, Reliability and Security (Ares 2018), Hamburg, Germany. [Google Scholar] [CrossRef]
  32. Guzmán, G. K. V., Chiquito-Penaranda, D. A., Vilche, A. E. A., Lozano, E. W. E., & Ferrer, S. J. C. (2025). Sustainable technological strategies for document management: Case study at the business technological university of Guayaquil. Revista Universidad Y Sociedad, 17(3), 1–10. [Google Scholar]
  33. Harris, J. D. (2011). Preparing to be the chief information officer. Journal of Leadership, Accountability, and Ethics, 8(5), 56–62. [Google Scholar]
  34. Hassan, Y., Ghazal, T. M., Yasir, S., Al-Adwan, A. S., Younes, S. S., Albahar, M. A., Ahmad, M., & Ikram, A. (2025). Exploring the mediating role of information security culture in enhancing sustainable practices through integrated systems infrastructure. Sustainability, 17(2), 687. [Google Scholar] [CrossRef]
  35. Haufe, K., Colomo-Palacios, R., Dzombeta, S., Brandis, K., & Stantchev, V. (2016). ISMS core processes: A study. Procedia Computer Science, 100, 339–346. [Google Scholar] [CrossRef]
  36. Hillman, D., Harel, Y., & Toch, E. (2023). Evaluating organizational phishing awareness training on an enterprise scale. Computer & Security, 132, 103364. [Google Scholar] [CrossRef]
  37. Hohan, A. I., Olaru, M., & Pirnea, I. C. (2015). Assessment and continuous improvement of information security based on TQM and business excellence principles. Procedia Economics and Finance, 32, 352–359. [Google Scholar] [CrossRef]
  38. Horne, C. A., Maynard, S. B., & Ahmad, A. (2017). Organisational information security strategy: Review, discussion and future research. Australasian Journal of Information Systems, 21. [Google Scholar] [CrossRef]
  39. ISO. (2022). Information security, cybersecurity and privacy protection—Information security management systems—Requirements (ISO/IEC Standard No. 27001:2022). ISO.
  40. IteraSec. (2025). ISO 27001 implementation: Comprehensive guide. Available online: https://iterasec.com/blog/iso-27001-implementation-guide-for-it-companies/ (accessed on 26 August 2025).
  41. Jankal, R. (2014). Software support of quality management in the service sector. Lumen 2014—From Theory to Inquiry in Social Sciences, 149, 443–448. [Google Scholar] [CrossRef]
  42. Jawaharrani, K., Lekshmi, R. S., Nirmala, G., & Dheenadhayalan, K. (2023, May 25–26). Role of CISO—Cyber security & risk management. 2023 International Conference on Advances in Computing, Communication and Applied Informatics (ACCAI), Chennai, India.
  43. Jin, X. L., Cui, H. Z., Liu, F. W., Hu, Z. Q., & Cai, Y. H. (2025). Does cybersecurity regulation promote digital transformation? Evidence from the cyber security law in China. Finance Research Letters, 76, 1–9.
  44. Kamil, Y., Lund, S., & Islam, M. S. (2023). Information security objectives and the output legitimacy of ISO/IEC 27001: Stakeholders’ perspective on expectations in private organizations in Sweden. Information Systems and E-Business Management, 21, 107041.
  45. Kanaan, A., Mtair AL-Hawamleh, A., Aloun, M., Alorfi, A., & Abdalwahab Alrawashdeh, M. (2025). Fortifying organizational cyber resilience: An integrated framework for business continuity and growth amidst escalating threat landscapes. International Journal of Computing and Digital Systems, 17(1), 1–14.
  46. Kankanhalli, A., Teo, H. H., Tan, B. C., & Wei, K. K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139–154.
  47. Karlsson, M., Karlsson, F., Åström, J., & Denk, T. (2022). The effect of perceived organizational culture on employees’ information security policy compliance. Information and Computer Security, 30(3), 382–401.
  48. Kitsios, F., Chatzidimitriou, E., & Kamariotou, M. (2023). The ISO/IEC 27001 information security management standard: How to extract value from data in the IT sector. Sustainability, 15(7), 5828.
  49. Koman, G., Toman, D., Jankal, R., & Borsos, P. (2023). Risk management in a human resource information system. Entrepreneurship and Sustainability Issues, 11(1), 331–352.
  50. Kö, A., Tarján, G., & Mitev, A. Z. (2023). Information security awareness maturity: Conceptual and practical aspects in Hungarian organizations. Information Technology & People, 36(8), 174–195.
  51. Krúpová, S., Koman, G., Soviar, J., & Holubcík, M. (2025). The role of business models in smart-city waste management: A framework for sustainable decision-making. Systems, 13(7), 556.
  52. Linkov, I., Trump, B. D., & Keisler, J. (2013). Resilience metrics for cyber systems. Environment Systems and Decisions, 33(4), 471–476.
  53. Magnusson, L., Iqbal, S., Elm, P., & Dalipi, F. (2025). Information security governance in the public sector: Investigations, approaches, measures, and trends. International Journal of Information Security, 24(4), 177.
  54. Maglaras, L., Drivas, G., Chouliaras, N., Boiten, E., Lambrinoudakis, C., & Ioannidis, S. (2020, November 27–29). Cybersecurity in the era of digital transformation: The case of Greece. 2020 International Conference on Internet of Things and Intelligent Applications (ITIA), Zhenjiang, China.
  55. Mirtsch, M., Blind, K., Koch, C., & Dudek, G. (2021). Information security management in ICT and non-ICT sector companies: A preventive innovation perspective. Computers & Security, 109, 102383.
  56. Mohamad, M., Steghöfer, J.-P., Knauss, E., & Scandariato, R. (2024). Managing security evidence in safety-critical organizations. Journal of Systems and Software, 214, 112082.
  57. Monev, V. (2020, September 17–18). Organisational information security maturity assessment based on ISO 27001 and ISO 27002. 2020 International Conference on Information Technologies (InfoTech), Varna, Bulgaria.
  58. Namuduri, K., & Varanasi, M. R. (2011, March 23–25). The chief security officer problem. Annual Conference on Information Sciences and Systems, Baltimore, MD, USA.
  59. Naughton, E., Moran, R., Kharub, M., Sa, J. C., & McDermott, O. (2024). A structured model for continuous improvement methodology deployment and sustainment: A case study. Heliyon, 10(21), e40034.
  60. NIST. (2020). Security and privacy controls for information systems and organizations (NIST Special Publication 800-53, Revision 5). National Institute of Standards and Technology. Available online: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf (accessed on 9 September 2025).
  61. NIST. (2021). Framework for improving critical infrastructure cybersecurity. National Institute of Standards and Technology. Available online: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (accessed on 9 September 2025).
  62. Nurbojatmiko, N., Karimiyah, M. S. K., Asnadi, N. M., & Anisyah, R. (2025). ISO 27001 as information security solution in the Society 5.0 era: Systematic literature review. SinkrOn, 9(1), 484–492.
  63. Nurse, J. R. C., Milward, J., & Alashe, O. (2025, June 22–27). From security awareness and training to human risk management in cybersecurity. HCI for Cybersecurity, Privacy and Trust (HCI-CPT 2025), Part I (Vol. 15814, pp. 86–104), Gothenburg, Sweden.
  64. Paek, S. Y., & Lee, J. L. (2025). Promoting employees’ information security vigilance by enhancing awareness: The roles of organizational climate and deterrence measures. Security Journal, 38(1), 12.
  65. Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T. (2017). The human aspects of information security questionnaire (HAIS-Q): Two further validation studies. Computers & Security, 66, 40–51.
  66. Patterson, C. M., Nurse, J. R. C., & Franqueira, V. N. L. (2023). Learning from cyber security incidents: A systematic review and future research agenda. Computers & Security, 132, 103309.
  67. Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management (312 pp.). Auerbach Publications. ISBN 9780429114717.
  68. Prislan, K., Mihelič, A., & Bernik, I. (2020). A real-world information security performance assessment using a multidimensional socio-technical approach. PLoS ONE, 15(9), e0238739.
  69. Qusef, A., Arafat, M., & Al-Taher, S. (2018, June 26–27). Organizational management role in information security management system. 2nd International Conference on Future Networks and Distributed Systems, Amman, Jordan.
  70. Radanliev, P., Roure, D. D., Nurse, J. R. C., Nicolescu, R., Huth, M., Cannady, S., & Montalvo, R. M. (2019). Cyber risk impact assessment—Assessing the RISC from the IoT to the digital economy. Future developments in standardisation of cyber risk in the Internet of Things (IoT). SN Applied Sciences, 169, 1–6.
  71. Realyvásquez-Vargas, A., Arredondo-Soto, K., Carrillo-Gutiérrez, T., & Ravelo, G. (2018). Applying the plan-do-check-act (PDCA) cycle to reduce the defects in the manufacturing industry: A case study. Applied Sciences, 8(11), 2181.
  72. Rogers, E. M. (2003). Diffusion of innovations (5th ed.). Free Press. Available online: https://teddykw2.wordpress.com/wp-content/uploads/2012/07/everett-m-rogers-diffusion-of-innovations.pdf (accessed on 29 August 2025).
  73. Rusu, D., & Mantulescu, M. (2025). Development of an application-based framework for information security management in SMEs. Sustainability, 17(18), 8314.
  74. Saeed, S., Altamimi, S. A., Alkayyal, N. A., Alshehri, E., & Alabbad, D. A. (2020). Digital transformation and cybersecurity challenges for businesses resilience: Issues and recommendations. Sensors, 23(15), 6666.
  75. Saeidi, P., Sofian, S., Rasid, S., & Saeid, S. P. (2012). The role of chief risk officer in adoption and implementation of enterprise risk management—A literature review. International Research Journal of Finance and Economics, 88, 18–123.
  76. Schein, E. H. (2010). Organizational culture and leadership (4th ed., 457 pp.). Jossey-Bass, a Wiley imprint. ISBN 978-0-470-18586-5.
  77. Schmitz, C., Schmid, M., Harborth, D., & Pape, S. (2021). Maturity level assessments of information security controls: An empirical analysis of practitioners’ assessment capabilities. Computers & Security, 108, 102306.
  78. Shojaie, B., Federrath, H., & Saberi, I. (2014, September 8–12). Evaluating the effectiveness of ISO 27001:2013 based on Annex A. 2014 Ninth International Conference on Availability, Reliability and Security, Fribourg, Switzerland.
  79. Solomon, G., & Brown, I. (2021). The influence of organisational culture and information security culture on employee compliance behaviour. Journal of Enterprise Information Management, 34(4), 1203–1228.
  80. Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215–225.
  81. Stewart, H. (2023). Digital transformation security challenges. Journal of Computer Information Systems, 63(4), 919–936.
  82. Sun, L., Zhang, H., & Fang, C. (2021). Data security governance in the era of big data: Status, challenges, and prospects. Data Science and Management, 2, 41–44.
  83. Sun, Z., Zhang, J., Yang, H., & Li, J. (2020, June 12–14). Research on the effectiveness analysis of information security controls. 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), Chongqing, China.
  84. Susanto, H., Almunawar, M. N., & Tuan, Y. C. (2018). Information security challenges in digital transformation: A review. Journal of Computer Science, 14(3), 360–370.
  85. Tolah, A., Sas, A., & Furnell, S. (2021). An empirical analysis of the information security culture key factors framework. Computers & Security, 108, 102354.
  86. Tornatzky, L., & Fleischer, M. (1990). The processes of technological innovation. Lexington Books. Available online: https://www.scribd.com/document/852057567/The-Processes-of-Technological-Innovation (accessed on 1 September 2025).
  87. Tu, C. Z., Yuan, Y., Archer, N., & Connelly, C. E. (2018). Strategic value alignment for information security management: A critical success factor analysis. Information and Computer Security, 26(2), 150–170.
  88. Uchendu, B., Nurse, J. R. C., Bada, M., & Furnell, S. (2021). Developing a cyber security culture: Current practices and future needs. Computers & Security, 109, 102387.
  89. Varmus, M., Koman, G., & Holubcík, M. (2016). Globalization aspects of creating cooperation in sport environment with support of big data. In Globalization and its socio-economic consequences: 16th international scientific conference proceedings, Parts I–V (pp. 2307–2314). University of Žilina, Faculty of Operation and Economics of Transport and Communications, Department of Economics; GEORG, Žilina, Slovakia.
  90. Vasil’ev, Y. S., Zegzhda, D. P., & Poltavtseva, M. A. (2018). Problems of security in digital production and its resistance to cyber threats. Automatic Control and Computer Sciences, 52(8), 1090–1100.
  91. Velasco, J., Ullauri, R., Pilicita, L., Jácome, B., Saa, P., & Moscoso-Zea, O. (2018, November 13–15). Benefits of implementing an ISMS according to the ISO 27001 standard in the Ecuadorian manufacturing industry. 2018 International Conference on Information Systems and Computer Science (INCISCOS), Quito, Ecuador.
  92. von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102.
  93. von Solms, R., & von Solms, B. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371–376.
  94. Vroom, C., & von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23(3), 191–198.
  95. Wang, Z. Y., Wang, N. X., & Ge, S. L. (2025). Cloud computing data security management strategy based on incremental update of data value. Journal of Enterprise Information Management, 38(5), 1579–1598.
  96. Whitman, M. E., & Mattord, H. J. (2017). Principles of information security (6th ed., 750 pp.). Kennesaw State University. ISBN 978-1-337-10206-3.
  97. Willie, M. M. (2023). The role of organizational culture in cybersecurity: Building a security-first culture. Social Science Research Network, 2, 179–198.
  98. Yin, R. K. (2018). Case study research and applications (6th ed.). SAGE Publications. ISBN 9781506336169. Available online: https://books.google.sk/books/about/Case_Study_Research_and_Applications.html?id=6DwmDwAAQBAJ&redir_esc=y (accessed on 3 November 2025).
Figure 1. ISMS and cultural security reference model.
Figure 2. Conceptual model linked to research questions.
Figure 3. ISMS captured in the form of a PDCA cycle. Source: own processing according to (ISO, 2022).
Staffenova, N.; Dupakova, D.; Kubina, M. Integration of ISMS into the Organization’s Strategy and Its Impact on Security Culture in the Digital Environment. Adm. Sci. 2026, 16, 26. https://doi.org/10.3390/admsci16010026