Information Security Management in a Connected and Evolving Digital Environment

As digital ecosystems expand and supply chains become more interconnected, managing information security has become a structured business discipline rather than a purely technical function. Organizations today operate in environments shaped by cloud adoption, remote access, third-party dependencies, privacy expectations, and emerging technologies. In this context, information security management requires governance, internal capability, and continuous adaptation.

Drawing on findings from DNV’s global ViewPoint survey of nearly 1,000 professionals, it is possible to examine how organizations assess their own information security maturity and where they are focusing improvement efforts. The survey highlights both progress and persistent gaps in how companies build and sustain effective information security management systems.

While many organizations report gradual improvements in maturity, fewer than half consider themselves mature or leading in information security management. Even among those identifying as leaders, the proportion remains relatively limited. This indicates that, despite increased awareness and investment, information security remains an evolving capability for many businesses.

The findings reinforce an important reality: strengthening information security is not a one-time initiative, but an ongoing management process that requires leadership commitment, defined responsibilities, and structured oversight.

A Shift Toward Governance and Internal Capability

A notable change observed in the survey is the growing emphasis on people and governance as foundational elements of information security. Among the most frequently cited initiatives were:

  • Assigning qualified personnel to manage information security
  • Establishing management-approved security policies
  • Providing structured information security training

Compared to earlier patterns that prioritized physical or technical controls, organizations increasingly recognize that effective security depends on informed decision-making, accountability, and clearly defined processes across the organization.

Training and competence development, in particular, play a central role. As digital systems become more integrated into everyday operations, employees across functions interact with data, systems, and external stakeholders. Strengthening awareness and capability reduces reliance on reactive measures and supports more consistent risk management practices.

Responsiveness in Structured Management Systems

Organizations operating certified information security management systems (ISMS) report higher levels of responsiveness to changes in their digital environments. A significant majority indicate they have fully or partially aligned their management systems to address evolving digital risks.

When asked which actions, such as system integration, testing, staff training, or automation, were most relevant in addressing risks linked to digital transformation, training ranked highest among both certified and non-certified organizations. This underscores a consistent theme: structured systems provide a framework, but effective implementation relies on internal competence.

Cloud Adoption and Emerging Security Practices

Cloud migration is now a common component of digital transformation strategies. Among organizations with certified information security management systems, a substantial portion report partially or fully moving infrastructure to cloud environments. While cloud platforms offer scalability and flexibility, they also require reassessment of access controls, shared responsibility models, and monitoring practices.

To address these considerations, many organizations supplement ISO/IEC 27001 frameworks with additional guidance, such as ISO/IEC 27017 for cloud security controls, or other recognized best practices. This layered approach reflects the need to adapt structured management systems to new operating environments while maintaining consistency in governance and oversight.

Evolving Security Models and Expanding Access Points

The Zero Trust security model, based on continuous verification of users, devices, and access requests, is increasingly adopted as organizations reassess traditional perimeter-based approaches. A notable share of organizations with structured management systems report implementing or moving toward Zero Trust principles, reflecting a broader shift toward identity-centric security strategies.

At the same time, the growing use of mobile devices and connected technologies expands the potential attack surface. Smartphones, remote access systems, and connected operational devices increase flexibility but require disciplined access management, monitoring, and lifecycle control.

The continued growth of the Internet of Things (IoT) introduces further complexity. Network-connected devices integrated into operational environments require careful configuration management, firmware oversight, and clear accountability to reduce unintended exposure.

Managing Risk Across the Supply Chain

Information security risks increasingly extend beyond organizational boundaries. Suppliers, service providers, and digital partners can introduce vulnerabilities if security practices are inconsistent or insufficiently aligned.

Survey respondents identified three common approaches to addressing supplier-related information security risks:

  • Document-based qualification processes
  • Verification and testing of purchased goods and services
  • Requiring third-party certifications

Organizations operating certified management systems are more likely to rely on structured third-party certification as part of supplier risk mitigation. This reflects growing recognition that information security is interconnected across supply chains and that customer expectations increasingly include demonstrable security practices.

Business Drivers Behind Information Security Management

When asked about the benefits of implementing a certified information security management system, respondents most frequently cited:

  • Meeting customer expectations
  • Improving information security performance
  • Supporting compliance with legal and regulatory requirements

These were closely followed by improved risk identification and competitive positioning. Together, these findings indicate that organizations increasingly view structured information security management not only as a protective measure, but as a contributor to operational stability, market credibility, and long-term resilience.

Strengthening Resilience Through Structured Management

As organizations navigate cloud adoption, supplier interdependencies, privacy considerations, and emerging technologies, managing information security becomes increasingly complex. Structured management systems provide a framework for identifying risks, defining controls, monitoring performance, and supporting continuous improvement.

Organizations seeking to formalize their approach often begin by evaluating their current maturity and alignment with ISO/IEC 27001 requirements.

While technologies and threat patterns will continue to evolve, the underlying principles of governance, competence, and systematic risk management remain central. Organizations that embed these principles into daily operations are generally better positioned to adapt as digital expectations, customer requirements, and technologies evolve.

Reference:
DNV ViewPoint Survey, How are companies tackling enterprise risk? Information security.

2/9/2026 9:05:00 PM