Information security professionals often need to justify investment in information security controls. But there’s still no universal way of assessing the economic impact of information security decisions. ISO/IEC TR 27016:2014 aims to solve this. ISO 27016 helps organisations decide how much to invest in protecting their information. Both information security professionals and general managers can use and understand ISO 27016. The report will help you:
ISO 27016 helps you think about how economic factors interact with other resources, including:
You should also note that ISO 27016 is a technical report, not a standard. An ISO technical report gives guidance on a subject using information obtained from other sources. These sources include:
The International Organisation for Standardisation (ISO) published ISO 27016 in 2014. ISO created ISO 27016 to give guidance to both information security professionals and general managers, helping them:
ISO 27016 supports other ISO 27k standards. The Technical Report gives you guidance on the economics of information security, showing you how to apply economic or financial models to your infosec decisions. It gives descriptions and examples, including:
Economic considerations must inform all of your infosec management decisions. Thinking through the financials is particularly important when deciding how you’ll:
Any kind or size of organisation can implement ISO/IEC TR 27016:2014. The technical report will be particularly helpful if you’re a senior manager responsible for infosec decisions.
It’s aimed at:
You’ll find ISO 27016 useful when you’re:
ISO 27016 will help you introduce financial considerations into the infosec decision making process, creating a unique business case to justify infosec investment.
Your organisation will understand that it should treat information security policies as valuable assets in themselves.
To help you understand and explain the financial impact of infosec decisions, the document includes:
Information security policies need a wide range of controls to be effective. Your organisation will have to invest in those controls. ISO 27016 will help you make a clear financial case for each control. You’ll show that each of them creates a clearly-defined return on investment.
Asking ‘how much does infosec cost?’ is like asking ‘how long is a piece of string?’. The cost of securing your information will depend on your organisation’s type and scale. To set your infosec budget, you’ll need to think through:
ISO 27016 will help you understand how much your organisation can and should spend on information security.
ISO 27016 helps you decide how much you want to invest to safeguard your information assets. The report will help you justify your infosec budget and make infosec investment recommendations.
The report encourages you to make broad economic arguments and set wide-ranging goals. It might ask you to consider setting up an ISO 27k information security management system (ISMS), or exploring the potential political, social and legal impacts of your infosec choices.
The report will also guide you through the fine detail of its infosec recommendations. For example, it will help you:
ISO 27016 has eight clauses and four annexes. Clauses 1 to 5 establish the report’s context and references. Clause 6 defines the economic factors to consider when implementing your information security controls. You’ll need to think through:
Clause 7 tells you which economic objectives your organisation should consider and how to estimate the value of your information assets. Clause 8 asks you to balance the costs of information security with its potential benefits. The report ends with four Annexes that help you think through the bigger economic, social and political picture.
Here’s the full list of everything ISO 27016 includes:
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Abbreviated terms
Clause 5: Structure of the document
Clause 6: Information security economic factors
Clause 7: Economic objectives
Clause 8: Balancing information security economics for ISM
Annex A: Identification of stakeholders and objectives for setting values
Annex B: Economic decisions and key decision factors
Annex C: Economic models appropriate for information security
Annex D: Business cases calculation examples