ISO 27001 is an information security management system (ISMS) standard that has attracted considerable attention in recent years, yet in practice there is still little research on its benefits. To fill this research gap, this study adopts the event study method as its primary methodology and uses financial indicators to examine whether the event of obtaining ISO 27001 certification leads to abnormal returns. From 456 organizations certified in Taiwan, we screened out 23 publicly listed companies and used statistical methods to test their stock price and return on assets (ROA) performance over both the short term and the long term. The results show that ISO 27001 certification does not bring any abnormal financial performance. We therefore suggest that organizations re-evaluate the necessity of adopting the certification in order to identify more efficient approaches to information security management, and we recommend that future research look more closely at the benefits of ISO 27001 for internal process improvement and extend the scope of study to indicators in other dimensions.
ISO 27001 is a popular certification for Information Security Management Systems (ISMS). However, there are very few empirical studies investigating the market impact of ISO 27001. In this research, we employed the event study method to analyze the financial impact on organizations after obtaining ISO 27001 certification in Taiwan. Among 456 certified organizations, we selected 23 public firms as samples and tested their stock price as well as their ROA performance in both the short term and the long term. The results indicate that ISO 27001 certification did not lead to significant abnormal performance. Hence, we argue that the necessity of certification should be reconsidered, and future research can pay more attention to the value of ISO 27001 certification in other dimensions and its contribution to internal improvement.