About the Authors and This Research
This paper was co-authored by Petri Helo and Mikko Suorsa and presented at the IEEE CITSM 2023 international conference, with the full text available on the arXiv academic platform. Petri Helo brings extensive interdisciplinary expertise spanning information security management and industrial engineering within the Finnish academic community. Mikko Suorsa specializes in empirical research on information security compliance and regulatory adherence mechanisms. The research has been cited twice since its publication—a modest but meaningful indicator for a highly applied, practitioner-oriented study published in 2023.
The study's most significant methodological contribution lies in its application of Root Cause Analysis to a regulatory dataset. The research team systematically collected and analyzed all 81 GDPR penalty cases issued under Article 32 ("Security of Processing") during the calendar year 2020, mapping each violation's root cause to specific ISO/IEC 27001:2022 control identifiers. This produced two distinct, actionable ranked lists: the top 10 most frequently failing controls, and the top 10 controls associated with the highest penalty amounts.
Core Findings: What 81 GDPR Penalty Cases Reveal About ISO/IEC 27001:2022 Control Failures
The most powerful insight from this research is that information security failures are not random—they cluster predictably around a small set of control weaknesses. For enterprise risk managers and compliance officers, this concentration means that targeted investment in the highest-risk controls delivers disproportionate risk reduction.
Finding 1: High-Frequency Failures Expose Foundational Gaps in Basic Security Hygiene
The "most frequent failures" ranking is dominated by controls related to access management, cryptographic controls, and technical safeguards for personal data processing. These recurring failures reveal a systemic pattern: many organizations obtain ISO/IEC 27001 certification but subsequently underinvest in the ongoing maintenance, monitoring, and validation of their controls. Certification becomes a point-in-time achievement rather than a sustained operational posture. This finding directly mirrors Taiwan's judicial practice: both the Kaohsiung High Administrative Court and the Taipei High Administrative Court have upheld regulatory penalties against enterprises on the grounds that their security measures "did not meet prevailing technological standards and industry norms"—precisely the same benchmark that ISO/IEC 27001:2022 controls are designed to establish.
Finding 2: Highest-Penalty Failures Reflect Systemic Governance Deficiencies
The "highest penalty amount" ranking reveals a different profile: the controls associated with the most expensive violations tend to involve systemic governance failures rather than isolated technical gaps. These include information security policy design and implementation, supplier and third-party risk management, and incident response processes. Critically, the study also illustrates significant correlations between control failures—high-frequency failures and high-penalty failures share substantial overlap, confirming that information security weaknesses are rarely isolated. This correlation finding has direct implications for Data Protection Impact Assessment (DPIA) methodology: organizations must assess control failures as interconnected systems, not independent checkboxes. IBM research corroborates this systemic view, reporting that the average cost of a data breach reaches USD 3.92 million, with a pronounced long-tail effect extending two to three years beyond the initial incident.
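As an added illustration (not code from the paper or from Winners Consulting), the following Python sketch reproduces the shape of the two rankings the study describes and the overlap noted in Finding 2, run over constructed sample cases. The control numbers are real ISO/IEC 27001:2022 Annex A identifiers, but the cases, fine amounts and root-cause mappings are invented, and the rule of attributing a case's full fine to every control mapped to it is an assumption, not the study's method.

```python
from collections import Counter, defaultdict

# Real ISO/IEC 27001:2022 Annex A control numbers and titles used in the sample.
CONTROL_NAMES = {
    "5.1": "Policies for information security",
    "5.15": "Access control",
    "5.19": "Information security in supplier relationships",
    "5.24": "Information security incident management planning and preparation",
    "8.8": "Management of technical vulnerabilities",
    "8.24": "Use of cryptography",
}

# Constructed sample penalty cases (NOT the study's 81 real cases). Each case is
# mapped, as the study describes, to the control(s) whose failure was the root cause.
SAMPLE_CASES = [
    {"case": "C-01", "fine_eur": 20_000, "controls": ["5.15"]},
    {"case": "C-02", "fine_eur": 15_000, "controls": ["5.15", "8.24"]},
    {"case": "C-03", "fine_eur": 400_000, "controls": ["5.1", "5.19"]},
    {"case": "C-04", "fine_eur": 8_000, "controls": ["8.24"]},
    {"case": "C-05", "fine_eur": 250_000, "controls": ["5.24", "5.15"]},
    {"case": "C-06", "fine_eur": 12_000, "controls": ["8.8"]},
    {"case": "C-07", "fine_eur": 30_000, "controls": ["5.15"]},
    {"case": "C-08", "fine_eur": 600_000, "controls": ["5.1"]},
]


def aggregate(cases):
    """Return (failure count per control, total fine per control).

    Assumption: a case with several root-cause controls counts once for each of
    them, and its whole fine is attributed to each (the paper's exact attribution
    rule is not reproduced here).
    """
    freq = Counter()
    total = defaultdict(int)
    for case in cases:
        for control in set(case["controls"]):
            freq[control] += 1
            total[control] += case["fine_eur"]
    return freq, dict(total)


def rank_by_frequency(cases, top=10):
    """Controls ordered by how often they fail; ties broken by fine total, then id."""
    freq, total = aggregate(cases)
    ordered = sorted(freq, key=lambda c: (-freq[c], -total[c], c))
    return [(c, freq[c]) for c in ordered[:top]]


def rank_by_penalty(cases, top=10):
    """Controls ordered by the fines attributed to them; ties broken by count, then id."""
    freq, total = aggregate(cases)
    ordered = sorted(total, key=lambda c: (-total[c], -freq[c], c))
    return [(c, total[c]) for c in ordered[:top]]


def overlap(cases, top=10):
    """Controls that appear in BOTH top lists: the 'shared overlap' of Finding 2."""
    by_freq = {c for c, _ in rank_by_frequency(cases, top)}
    by_fine = {c for c, _ in rank_by_penalty(cases, top)}
    return sorted(by_freq & by_fine)


if __name__ == "__main__":
    print("Most frequent failures:")
    for control, count in rank_by_frequency(SAMPLE_CASES):
        print(f"  {control:>5}  {count} cases  {CONTROL_NAMES[control]}")
    print("Highest attributed penalties:")
    for control, fine in rank_by_penalty(SAMPLE_CASES):
        print(f"  {control:>5}  EUR {fine:>9,}  {CONTROL_NAMES[control]}")
    print("In both top-3 lists:", overlap(SAMPLE_CASES, top=3))
```

On the constructed sample, the access-control and policy controls land in both top-3 lists, which is the kind of overlap the study reports; on a real dataset the mapping step (deciding which control a penalty decision's root cause corresponds to) is the analyst's judgement call and is where most of the work sits.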
Implications for Taiwan Enterprises: PIMS, GDPR, and the Personal Data Protection Act
This research carries three layers of direct practical implication for Taiwan enterprises currently evaluating or advancing toward ISO 27701 certification.
First, from the perspective of Taiwan's Personal Data Protection Act (PDPA): Article 27 of the PDPA requires enterprises to implement "appropriate security maintenance measures" for personal data. The critical legal question—as established by Taiwan's administrative courts in multiple penalty cases, including a NTD 2 million fine upheld against an e-commerce platform—is whether the measures adopted meet "prevailing technological standards and industry norms." The ISO/IEC 27001:2022 controls identified by this study as the most frequent failure points provide a concrete, internationally recognized reference for what those norms require.
Second, from the perspective of GDPR cross-border compliance: Taiwan enterprises with data flows involving EU customers or partners face direct extraterritorial application of GDPR Article 32's "Security of Processing" requirements. The study's ranked lists of control failures, drawn from 81 penalty cases, provide a quantifiable risk prioritization tool, directly addressing the enterprise decision-making challenge of "which controls deserve the most urgent investment."
Third, from the perspective of ISO 27701 and DPIA integration: ISO 27701 functions as a privacy extension to ISO 27001, and its control framework is highly dependent on the precision of underlying risk assessments. The data-driven rankings from this study can serve directly as a risk identification reference within DPIA processes—ensuring that impact assessments address the controls most empirically associated with regulatory penalties, rather than relying solely on theoretical risk frameworks. This approach aligns with the principles of systematic literature review methodology, which prioritizes evidence-based decision-making over assumption-driven analysis.
The broader international enforcement context is also relevant: analysis of GDPR's three-year implementation record (CSIS) confirms that the European Commission's enforcement intensity has continued to increase, with penalty amounts trending upward. Taiwan enterprises with EU exposure should treat this research's control rankings as a dynamic compliance tool requiring annual review, not a one-time reference.
How Winners Consulting Services Co. Ltd. Translates These Findings into Executable Action
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwan enterprises in implementing ISO 27701, establishing personal data protection mechanisms compliant with both GDPR and Taiwan's Personal Data Protection Act, and conducting DPIA (Data Protection Impact Assessment). Based on the core findings of this research, Winners recommends the following three-phase action framework:
- Months 1–3: Data-Driven Control Inventory and Gap Analysis. Map the enterprise's existing ISO/IEC 27001:2022 controls against the study's "Top 10 Most Frequent Failure" list. Conduct targeted gap analysis focusing on access control management, cryptographic controls, and third-party risk management—the highest-frequency failure categories. Simultaneously initiate a preliminary ISO 27701 gap assessment to establish the integration baseline between the existing ISMS and the target PIMS framework.
- Months 4–8: Systemic Governance Strengthening and DPIA Execution. Prioritize remediation of controls associated with the "highest penalty amount" ranking, including comprehensive information security policy updates, supplier contract security clause reinforcement, and incident response procedure simulation exercises. Execute DPIA using this study's risk rankings as a primary risk identification reference, ensuring assessment outputs meet the requirements of GDPR Article 35 and Taiwan PDPA Article 27.
- Months 9–12: ISO 27701 Certification Preparation and Continuous Monitoring Establishment. Complete ISO 27701 management system documentation, internal audit, and certification application. Establish KPI-based continuous monitoring mechanisms tracking the execution status of high-risk controls identified by this study. The objective is to ensure the enterprise can provide concrete evidence of "due diligence as a prudent manager" in the event of regulatory inspection or administrative litigation—the standard explicitly required by Taiwan's administrative courts.
Winners Consulting Services Co. Ltd. offers a complimentary PIMS Mechanism Diagnostic, helping Taiwan enterprises establish ISO 27701-compliant management systems within 7 to 12 months, effectively addressing both Taiwan PDPA Article 27 and GDPR Article 32 compliance requirements.
Frequently Asked Questions
- How do the study's "Top 10 Most Frequent ISO/IEC 27001:2022 Control Failures" directly relate to Taiwan PDPA enforcement?
- Taiwan's Personal Data Protection Act Article 27 requires enterprises to implement "appropriate security maintenance measures." Taiwan's administrative courts assess whether measures are "appropriate" against the standard of prevailing technological norms and industry practice—the same benchmark that ISO/IEC 27001:2022 controls are designed to codify. This study systematically identified the controls most frequently failing in 81 GDPR Article 32 penalty cases, including access control, cryptographic mechanisms, and third-party risk management. Multiple Taiwan court rulings have upheld NTD 2 million or higher penalties against enterprises deemed not to meet industry norms. Enterprises can use this study's ranked list as a self-assessment tool to identify and remediate their highest-risk control gaps before a regulatory incident occurs.
- What are the most common compliance challenges Taiwan enterprises face when implementing ISO 27701?
- Three core challenges consistently emerge in ISO 27701 implementation for Taiwan enterprises. First, integration complexity between existing ISO 27001 ISMS controls and the additional ISO 27701 PIMS requirements—many enterprises find overlapping but misaligned control structures. Second, insufficient capability to execute DPIA as required by GDPR Article 35, due to a lack of systematic risk identification tools; this study's ranked control failure list directly addresses this gap. Third, dual-track compliance burden: Taiwan PDPA Article 27's "appropriate measures" requirement must be met alongside GDPR Article 32's "Security of Processing" requirements simultaneously, but the two frameworks have meaningful differences in their detailed specifications. A data-driven prioritization approach—as enabled by this research—helps enterprises focus limited resources on the controls with the highest combined regulatory risk.
- What are ISO 27701's core requirements, and how should Taiwan enterprises structure their implementation timeline?
- ISO 27701 is a privacy extension to ISO 27001, with core requirements including: establishment of a Privacy Information Management System (PIMS), fulfillment of both data controller and data processor responsibilities, execution of DPIA, and implementation of mechanisms to fulfill data subject rights. Winners recommends a three-phase 7-to-12-month implementation: Months 1–3 focus on current-state diagnosis and ISO 27001 gap assessment alongside initial PIMS architecture design; Months 4–8 involve systematic control strengthening, DPIA execution, and staff training; Months 9–12 cover ISO 27701 management documentation completion, internal audit, and certification application. Throughout all phases, the high-risk controls identified by Helo and Suorsa's research should serve as tracking benchmarks to verify ongoing control effectiveness.
- How should enterprises evaluate the cost and expected benefits of ISO 27701 implementation?
- Several concrete reference figures inform this evaluation. IBM research reports an average data breach cost of USD 3.92 million with a long-tail effect extending 2–3 years post-incident. Taiwan's administrative court cases demonstrate that a single personal data breach can result in NTD 2 million in administrative penalties, with subsequent litigation costs and reputational damage often exceeding the penalty itself. By contrast, ISO 27701 implementation costs—including consulting, training, and certification fees—are typically a fraction of a single incident's total cost. From a benefit perspective, certification provides: measurable reduction in regulatory penalty risk; enhanced client and partner trust (particularly for EU-facing operations under GDPR); and documented evidence of due diligence that has direct legal weight in Taiwan's administrative court proceedings.
- Why should Taiwan enterprises choose Winners Consulting Services Co. Ltd. for PIMS-related advisory?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) brings deep practical expertise in information security and privacy compliance within Taiwan, with specialized focus on building integrated management systems compliant with ISO 27701, GDPR, and Taiwan's Personal Data Protection Act. Our distinctive capability is translating academic research findings—such as Helo and Suorsa's ranked control failure analysis—into immediately executable enterprise action frameworks, with clear 7-to-12-month implementation roadmaps and measurable compliance milestones. We also possess integrated dual-track compliance advisory capability, enabling enterprises to simultaneously satisfy Taiwan PDPA and GDPR requirements within a single management framework—reducing complexity and total compliance cost. We invite you to request a complimentary PIMS Mechanism Diagnostic to begin your compliance journey.
Japanese Version
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), as a specialist in Privacy Information Management Systems (PIMS) in Taiwan, draws attention to a study that analyzed all 81 GDPR penalty cases from 2020 and identified the ISO/IEC 27001:2022 controls that fail most frequently. This data-driven prioritization gives Taiwan enterprises pursuing ISO 27701 certification an actionable roadmap for making the most of limited resources.
Paper source: Information Security Failures Measured and ISO/IEC 27001:2022 Controls Ranked by General Data Protection Regulation Penalty Analysis (Helo, Petri; Suorsa, Mikko; arXiv, 2023)
Original link: https://doi.org/10.1109/citsm60085.2023.10455413
Source Paper
Information Security Failures Measured and ISO/IEC 27001:2022 Controls Ranked by General Data Protection Regulation Penalty Analysis (Helo, Petri; Suorsa, Mikko; arXiv, 2023)