National information security policy and its implementation: A case study in Taiwan

Cheng-Yuan Ku, Yi Wen Chang, David C. Yen*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

28 Scopus citations


Cyberspace is no longer safe. From business organizations to countries, the requirements of information security and assurance have become one of the most important functions to ensure continued operations. The goal of this study is twofold. First, we introduce the information security policy of the Taiwanese government and its current status. Then we present a successful example of governmental institute that self-adopted the information security management system (ISMS), British Standard 7799 (ISO27001). The results of this research indicate that past successful experiences, availability of documents, cost constraints, organization learning and organizational culture are important motivations of self-implementation of ISMS. Past experience of other standards, level of documentation and standardization, degree of understanding the clauses, procedures of risk management, top management support, culture of organization, existing auditing infrastructure, awareness of information security, education and compatibility with the existing procedures are the key factors of successful self-implementation of ISMS.

Original languageEnglish
Pages (from-to)371-384
Number of pages14
JournalTelecommunications Policy
Issue number7
StatePublished - 1 Aug 2009


  • BS7799
  • Information security
  • Information security management system (ISMS)
  • ISO27001
  • National information security policy


Dive into the research topics of 'National information security policy and its implementation: A case study in Taiwan'. Together they form a unique fingerprint.

Cite this