In Taiwan, as of May 2006, 84 organizations had adopted the BS7799 information security management system. Related research in recent years has mostly examined a single industry, an individual domain, or a single case-study company; empirical studies of the effectiveness of BS7799 across organizations in different industries and different domains are still scarce. This study therefore examines the information security management effectiveness achieved once an ISMS (Information Security Management System) has been in place in an organization for some time, that is, the effectiveness of BS7799 in information security management after its adoption. The study surveyed, by questionnaire, the 66 organizations in Taiwan, Republic of China, that had registered with the international ISMS body and obtained BS7799 certification as of the end of December 2005, and analyzed the effectiveness of information security management after BS7799 adoption across different industry sectors and different scopes of adopting departments. The findings are: 1. after adoption, 74% of the organizations saw a reduction in information security incidents; 2. every organization improved in all information security control domains, with the greatest improvement in "Information security policy", "Business continuity management" and "Physical and environmental security", and control A5.1.2 within the "Information security policy" domain showing the best improvement; 3. "Information security incident management" and "Information systems acquisition, development and maintenance" are the domains with comparatively lower improvement, which can serve as a reference for organizations adopting BS7799 in the future.

Eighty-four organizations in Taiwan had implemented the BS 7799 information security management system as of May 2006. Related research in recent years has mostly addressed a single industry field, a specific domain, or a case study; there is a lack of investigation into the effectiveness of implementing an information security management system (ISMS) among organizations in different fields. This paper focuses on the effectiveness achieved after BS 7799 is implemented in organizations. Based on a survey of the sixty-six organizations in Taiwan registered with the international ISMS user group, this paper examines which domains and controls fare better and which fare worse when implementing BS 7799. The findings are as follows: in general, after organizations implemented BS 7799, information security events decreased in seventy-four percent of them, showing that most organizations improved their information security environment. Furthermore, the organizations gained improvement in most control objectives and were remarkably better secured in "Security policy", "Business continuity management" and "Physical and environmental security". Implementing control A5.1.2 was outstandingly effective. Nevertheless, the other outcome shows lower implementation effectiveness in "Information security incident management" and "Information systems acquisition, development and maintenance".