In recent years, advances in the Internet have steadily increased people's dependence on computers and the influence computers have on them. Facing global competition and the progress of information and electronic technology, enterprises have formulated e-business strategies and the security policies needed to respond to information security threats. Many organizations are therefore planning to implement information security systems, but the cost of implementation is large, so enterprises either do not know where to begin or waste considerable resources in the process. This study focuses on domestic enterprises that have obtained ISO 27001 certification and distributes an expert questionnaire to them, with the aim of using the Analytic Hierarchy Process (AHP) to identify the critical success factors of ISO 27001.
Using the expert questionnaire, each enterprise was asked to rate the weights at each level of the hierarchy, and AHP was then applied to identify the critical success factors for implementing ISO 27001. The results show that most respondents regard senior management within the enterprise as the foremost critical success factor for implementing ISO 27001. The participation and cooperation of all employees is also among the more important critical success factor indicators, and the communication and promotion of the information security policy likewise ranks high in influence.
Telecommunications service companies rely more heavily on an information security policy that has sound operational objectives, so this factor shows more strongly in their data than in that of semiconductor companies. Semiconductor companies pay more attention to the institutional side: among the key factors, the rationality and applicability of the system design weighs more strongly than an information security policy aligned with operational objectives. The data and results of this analysis are intended to offer shared experience and suggested directions to organizations that have not yet implemented ISO 27001. Finally, the study discusses the findings and proposes recommendations for follow-up research.