A Socio-Technical approach to address the Information security: Using the 27001 Manager Artefact

In general, the customer/supplier perspective that organizations follow for information security management is based mainly on management controls drawn from standards such as ISO/IEC 27001:2015. This results in the production of primarily technical analysis reports rather than a socio-technical approach, and leads the customer to perceive the delivery of a product instead of a service. The product in question is reduced to a set of prescriptions, sometimes unrelated, which materialize in a descriptive and static view of the client's security management. As a result, the client can hardly use the product continuously as the organization changes, and therefore hardly recognizes value in what the supplier provides. Using the Service Dominant Logic paradigm (LDS) in the development of an information security management service helps shift the focus from tangible resources to intangible assets. The tangible aspects, materialized in a document that describes the client's vulnerabilities and attack vectors, are relegated to a secondary level, given the importance of the intangible aspects, such as the interaction established between the customer's and the supplier's specialists. In this article we propose to analyze, from the perspective of a socio-technical theory, Activity Theory, the service provided by an artifact called 27001 Manager, designed to assist the entire cycle of analysis, development and maintenance of an information security management system (ISMS). The analysis aims to observe the interaction that exists between customer and supplier, considering that the service is inherently dynamic and inter-subjective, i.e. the result of a compromise between the customer and the supplier.


💡 Research Summary

The paper critiques the prevailing product‑oriented approach to information security management, which relies heavily on ISO/IEC 27001:2015 controls and delivers static technical reports that customers perceive as one‑off deliverables. This model fails to accommodate the dynamic nature of organizational change, resulting in low perceived value and limited continuous use. To address this gap, the authors adopt Service‑Dominant Logic (SDL) and frame security management as a service that emphasizes intangible assets—knowledge exchange, co‑creation, and ongoing interaction—rather than merely tangible artifacts.

A socio‑technical lens is provided by Activity Theory, which models a work system through six interrelated components: subject, tool, object, rules, community, and division of labor. Within this framework, the “27001 Manager” artifact is examined not just as a risk‑assessment and control‑implementation tool, but as a mediating instrument that orchestrates collaboration between client and supplier throughout the entire ISMS lifecycle (risk identification, control design, implementation, monitoring, and continual improvement).

The 27001 Manager embeds a service contract mechanism that allows both parties to jointly define objectives, expectations, and performance metrics, and to share real‑time progress updates. This shifts the relationship from a post‑audit, deliver‑once paradigm to a continuous service flow where adjustments can be made promptly in response to emerging threats or business changes.

Through a case‑study comparison of pre‑ and post‑implementation environments, the authors identify several contradictions that arise during service co‑creation: (1) tension between rule‑based, compliance‑driven procedures and the emergent, collaborative practices encouraged by the tool; (2) ambiguity in role allocation between security specialists and IT operations staff; and (3) misalignment between the supplier’s standardized methodology and the client’s need for customization. By applying Activity Theory’s expansive learning cycle, these contradictions are systematically resolved, enabling the organization to transform its security management from a static product into a dynamic, service‑centric system.

Key findings include: (i) the 27001 Manager functions primarily as a platform for knowledge flow and relationship building rather than as a repository of documents; (ii) clients can continuously leverage the platform to adapt their security posture to evolving business contexts; (iii) suppliers benefit from value‑based contracts that foster long‑term partnerships and allow reuse of insights across multiple clients; and (iv) Activity Theory proves effective for surfacing structural and cultural tensions in service design, guiding systematic improvement.

In conclusion, the study demonstrates that information security management should be reconceptualized as a service characterized by ongoing client‑supplier interaction, co‑creation of value, and adaptability. The 27001 Manager artifact, when embedded within an SDL and Activity Theory‑informed framework, offers a practical roadmap for organizations seeking to maintain and enhance security while remaining responsive to change. Future research is recommended to broaden empirical validation across diverse industries and to develop quantitative metrics for assessing service value in security management.
