
Graduate student: Lee, Ming-Hsiang (李銘祥)
Thesis title: A Case Study on the Adoption of Information Security Management Systems by Enterprises Through the Lens of Institutional Theory (Chinese title: 以制度理論探討企業導入資訊安全管理系統之個案研究)
Advisor: Chang, Yu-Yu (張佑宇)
Degree: Master
Department: College of Management, Executive Master of Business Administration (EMBA)
Year of publication: 2025
Academic year of graduation: 113 (ROC calendar)
Language: Chinese
Pages: 86
Keywords: Information Security, Information Security Management System, ISMS, ISO27001:2022, Institutional Theory (the Chinese keyword list contains the same five terms)
Usage: 36 views, 2 downloads
  • Abstract (translated from the Chinese): Against the backdrop of accelerating global digitalization, information security has become a key foundation of corporate competitiveness and sustainable development. With increasingly stringent regulatory requirements, mounting customer audit pressure, and frequent information security incidents, enterprises face the serious challenge of protecting their information assets while keeping operations stable. This study takes a Taiwanese company in the aerospace and Apple supply chains as its case and, within the framework of institutional theory, examines the background and motivation for its adoption of an ISO/IEC 27001 information security management system (ISMS) in response to economic, social and political pressures, and then explores the adoption process and its outcomes.
    The study uses qualitative research methods, combining a literature review, in-depth interviews and document analysis, to analyze in depth the strategies and measures the company used to design and implement the ISMS when responding to coercive, normative and mimetic pressures. The results show that the company successfully built an information security management system conforming to the ISO/IEC 27001 standard, which not only improved regulatory compliance, risk control capability and market competitiveness, but also produced significant gains in internal process optimization, employee awareness and the strengthening of its technical foundation. Key success factors during adoption included top-management support, cross-departmental collaboration, employee training and regular audits, while the main challenges centered on insufficient resource allocation, the difficulty of cultural transformation, and the pressure of continual improvement.
    Beyond a detailed analysis of the adoption process, the study offers managerial and theoretical implications. The results indicate that adopting ISO/IEC 27001 helps enterprises improve resilience and market trust in a turbulent economic and geopolitical environment, while also promoting the modernization of internal governance. The study also proposes responses to the challenges encountered during adoption and provides insights for other enterprises and future research, serving as a practical and theoretical reference for implementing information security management systems in similar contexts.

    Abstract (English, as provided): In the context of increasing global digitalization and growing challenges in information security, the adoption of an Information Security Management System has become a critical measure for businesses to enhance competitiveness and ensure business continuity. This study focuses on a Taiwanese aerospace and Apple supply chain company, exploring the background, motivations, implementation process, and outcomes of its ISO/IEC 27001 adoption in response to regulatory compliance, client audits, information security threats, and geopolitical pressures.
    The findings reveal that the company successfully established an ISO/IEC 27001-compliant information security framework, improving regulatory compliance, risk management capabilities, and market trust. Furthermore, it achieved significant enhancements in internal process optimization and employee security awareness. The study also identifies challenges, success factors, and improvement recommendations during the implementation process, offering valuable insights for other organizations.

    Table of contents (with page numbers):
    Chinese abstract i; Acknowledgements v; Contents vi; List of tables viii; List of figures ix
    Chapter 1 Introduction 1
        Section 1 Research background and motivation 1
        Section 2 Research purpose and questions 5
        Section 3 Research content and process 6
    Chapter 2 Literature review 8
        Section 1 Information security 8
        Section 2 ISO/IEC 27001:2022, the international standard for information security management 11
        Section 3 Institutional theory 22
    Chapter 3 Research methods 25
        Section 1 Qualitative research methods 25
        Section 2 Case study method 29
        Section 3 Data collection 31
        Section 4 Data analysis 35
    Chapter 4 Case analysis 38
        Section 1 Overview of the case company's development 38
        Section 2 Adoption of the information security management system 41
        Section 3 Case analysis and discussion 63
    Chapter 5 Conclusions and recommendations 69
        Section 1 Research discussion 69
        Section 2 Managerial implications 69
        Section 3 Theoretical implications 70
        Section 4 Research limitations and suggestions for future directions 70
    References 72

    Full-text access: on campus, immediately open; off campus, immediately open.