The ISO/IEC 27001 standard provides organizations with guidelines to help them evaluate, document, and improve their information security processes. In practice, however, the generality of the standard can create a conflict between its requirements and the adopters’ expectations. To better understand how an organization manages such conflicts, we conduct a case study in a Finnish corporation during the standard’s implementation in one of its units. Two critical conflicts emerged: Conflict I reflects a tension between the standard requirement for disciplinary measures vis-à-vis the organization’s punishment-averse culture. Conflict II reflects a tension between the organization’s aspiration for concrete code reviewing instructions vis-à-vis the lack thereof in the standard. Our findings reveal that whereas the conflict resolution process was similar in managing both conflicts, their content was radically different. Specifically, whereas conflict I’s resolution was paradoxical, conflict II’s resolution was dialectical. We discuss the theoretical and practical implications of our findings
