International diffusion of the information security management system standard ISO/IEC 27001: Exploring the role of culture

In the wake of digitalization, organizations are increasingly exposed to risks associated with security breaches and must take measures to preserve the confidentiality, integrity, and availability of information, and to ensure business continuity. The international standard ISO/IEC 27001 assists organizations in setting up, maintaining and continuously improving their information security management systems. However, despite high growth rates, its international diffusion rates are quite heterogeneous. This paper explores why the diffusion of the international management system standard ISO/IEC 27001 differs across countries. We classify the adoption of ISO/IEC 27001 as a 'preventive organizational innovation' and draw from diffusion studies of other management system standards and information security research to develop a set of hypotheses. These relate to the impact of cultural dimensions and national ICT development. We use a negative binomial regression model with panel data covering 57 countries over a 12-year period from 2006 to 2017 to test our hypotheses. We find that the cultural dimensions future orientation, power distance, and institutional collectivism as well as high ICT development are driving factors for the diffusion of ISO/IEC 27001. We derive policy recommendations and avenues for future research.