Abstract

The goal of this study is to identify success factors that could influence ISMS self-implementation in the government sector from a qualitative perspective. This study is based on a case study in one of the Malaysian government agencies. Semi-structured interviews involving five key informants were conducted to examine the factors addressed in the conceptual framework. Subsequently, thematic analysis was executed to describe the influence of each factor on the successful implementation of ISMS. The result of this study indicates that management commitment, implementer commitment and implementer competency are part of the success factors for ISMS self-implementation in the Malaysian government sector.

Keywords: ISMS Success Factors, IT Project Management, IS Success, Information Security.

I. INTRODUCTION

The emergence of technology has broadened the information security threats to business organizations. Many information security management models have been developed to help organizations manage their information security practices. The commonly applied practices are COBIT, BS 17799 and ISO/IEC 27001:2005 [1]. Currently, the only auditable information security management system is the International Organization for Standardization (ISO) Information Security Management System (ISMS) standard, which provides adequate information security control for managing business risk [2]. ISMS implementation benefits organizations in many ways. Some of the identified benefits of implementing ISO 27001 based on business risk are fewer incidents and disruptions of services, more effective and faster incident response management, a focus on proactive measures, lower client audit requirements, less time and money spent on damage limitation measures, fewer resources spent on finding new customers and investors, greater productivity, a better understanding of business information processes and a better ability to reassure customers and internal parties [3], [4].
The cognizance in preserving and securing critical and sensitive information, weaknesses in managing secure information, as well as the increasing threat of information gathering and discovery on government websites have driven the Malaysian government to adopt this standard [5]. The implementation of the ISMS standard in the government sector started in 2006 [5]. The National Registration Department (NRD) was certified for ISMS in 2008 [5]. Subsequently, the government directed some public agencies to be engaged in CNII certified ISMS MS ISO/IEC 27001:2007 February 2013, which then led to the effort to self-implement [5]. All agencies were directed to self-implement the ISMS due to budget constraints [6]. One of the motivating factors for ISMS self-implementation is the high cost of appointing a consulting firm [6]. NRD was directed to guide and help the Internal Affairs Agencies to get the certification within the time given. Unfortunately, to the authors' knowledge through the problem background study, none of the agencies were able to be certified as scheduled. It becomes a burden to the government agencies if the implementation takes more time. Therefore, in order to ensure the success of ISMS implementation in government agencies, there is a need to identify the success factors and issues affecting the success of ISMS implementation.

Nurazean Maarop and Rasimah Che Yusoff are senior lecturers at the Universiti Teknologi Malaysia (phone: 603-22031341; e-mail: nurazean.kl@utm.my, rasimah.kl@utm.my). Noorjan Mustaffa is a Senior IT Officer at the Public Service Department of Malaysia (e-mail: janoki02@yahoo.com). Roslina Ibrahim is a senior lecturer at the Universiti Teknologi Malaysia (phone: 603-603-21805215; e-mail: iroslina.kl@utm.my). Norziha Megat Mohd Zainuddin is a senior lecturer at the Universiti Teknologi Malaysia (phone: 603-21805221; e-mail: norziha.kl@utm.my).

II. BACKGROUND

Ku et al.
[7] indicate that the factors that influence ISMS self-implementation are past experience of other standards, level of documentation, understanding the clause, understanding the risk assessment procedure, top management support, culture of the organization, auditing function, awareness and education, and compatibility with existing procedures. The establishment and development of an ISMS in an organization requires an in-depth understanding of the standard clause [7]. Hence, during the development of the ISMS, the ISMS implementer must follow the PDCA cycle, which provides overall guidance in implementing ISMS. The most challenging process is the risk assessment because the process requires a comprehensive understanding and considerable knowledge of information security [8]. Risk assessment is done by the ISMS implementer team because they are the ones facing difficulties in engaging the asset owner in the risk assessment team. The other challenge in ISMS implementation is at the organizational level [9]. ISMS implementation requires managerial awareness and commitment [9], [10]. The management commitment can be shown by providing

Understanding Success Factors of an Information Security Management System Plan Phase Self-Implementation
Nurazean Maarop, Noorjan Mohd Mustapha, Rasimah Yusoff, Roslina Ibrahim, Norziha Megat Mohd Zainuddin
World Academy of Science, Engineering and Technology, International Journal of Computer and Information Engineering, Vol:9, No:3, 2015
scholar.waset.org/1307-6892/10000838