ISO 27016

Information security management – Organisational economics

Book a demo

female,manager,mentor,teach,help,male,intern,trainee,new,employee

What is ISO/IEC TR 27016:2014?

Information security professionals often need to justify investment in information security controls. But there’s still no universal way of assessing the economic impact of information security decisions. ISO/IEC TR 27016:2014 aims to solve this. ISO 27016 helps organisations decide how much to invest in protecting their information. Both information security professionals and general managers can use and understand ISO 27016. The report will help you:

ISO 27016 helps you think about how economic factors interact with other resources, including:

  • People
  • Equipment
  • Facilities
  • Materials
  • Finances

You should also note that ISO 27016 is a technical report, not a standard. An ISO technical report gives guidance on a subject using information obtained from other sources. These sources include:

  • Surveys
  • Other reports
  • Generally available information
See our platform in action

What’s the history of ISO/IEC TR 27016:2014?

The International Organisation for Standardisation (ISO) published ISO 27016 in 2014. ISO created ISO 27016 to give guidance to both information security professionals and general managers, helping them:

  • Understand where to invest their information security budget
  • Discuss the financial outcomes of their information security choices

How does ISO 27016 relate to other standards?

ISO 27016 supports other ISO 27k standards. The Technical Report gives you guidance on the economics of information security, showing you how to apply economic or financial models to your infosec decisions. It gives descriptions and examples, including:

Economic considerations must inform all of your infosec management decisions. Thinking through the financials is particularly important when deciding how you’ll:

Who can implement ISO 27016?

Any kind or size of organisation can implement ISO/IEC TR 27016:2014. The technical report will be particularly helpful if you’re a senior manager responsible for infosec decisions.

It’s aimed at:

  • Chief Executive Officers (CEOs)
  • Chief Information Officers (CIOs)
  • Chief Information Security Officers (CISOs)
  • Information Security Managers (ISM)

You’ll find ISO 27016 useful when you’re:

Find out just how affordable your ISMS could be

Why should we implement ISO 27016?

ISO 27016 will help you introduce financial considerations into the infosec decision making process, creating a unique business case to justify infosec investment.

Your organisation will understand that it should treat information security policies as valuable assets in themselves.

To help you understand and explain the financial impact of infosec decisions, the document includes:

  • A general starting point framework
  • Sample text for you to adapt and use

Information security policies need a wide range of controls to be effective. Your organisation will have to invest in those controls. ISO 27016 will help you make a clear financial case for each control. You’ll show that each of them creates a clearly-defined return on investment.

How much does information security cost?

Asking ‘how much does infosec cost?’ is like asking ‘how long is a piece of string?’. The cost of securing your information will depend on your organisation’s type and scale. To set your infosec budget, you’ll need to think through:

  • How much your organisation turns over
  • How costly an infosec breach could be

ISO 27016 will help you understand how much your organisation can and should spend on information security.

What are the benefits of ISO 27016?

ISO 27016 helps you decide how much you want to invest to safeguard your information assets. The report will help you justify your infosec budget and make infosec investment recommendations.

The report encourages you to make broad economic arguments and set wide-ranging goals. It might ask you to consider setting up an ISO 27k information security management system (ISMS), or exploring the potential political, social and legal impacts of your infosec choices.

The report will also guide you through the fine detail of its infosec recommendations. For example, it will help you:

  • Spend the right amount on your ISMS, not too little or too much
  • Choose between investing in information risk management and security controls
  • Assess the value of your information assets and the potential costs of threats to them

What are the requirements for ISO 27016?

ISO 27016 has eight clauses and four annexes. Clauses 1 to 5 establish the standard’s context and references. Clause 6 defines economic factors to consider when implementing your information security controls. You’ll need to think through:

Clause 7 tells you which economic objectives your organisation should consider and how to estimate the value of your information assets. Clause 8 asks you to balance the costs of information security with its potential benefits. The report ends with four Annexes that help you think through the bigger economic, social and political picture.

Here’s the full list of everything ISO 27016 includes:

See our platform features in action

A tailored hands-on session based on your needs and goals

Book your demo

ISO/IEC TR 27016:2014 clauses

Clause 1: Scope

Clause 2: Normative references

Clause 3: Terms and definitions

Clause 4: Abbreviated terms

Clause 5: Structure of the document

Clause 6: Information security economic factors

Clause 7: Economic objectives

Clause 8: Balancing information security economics for ISM

  • 8.1 Introduction
  • 8.2 Economic Benefits
  • 8.3 Economic Costs
  • 8.4 Applying Economic Calculations to ISM
    • 8.4.1 Overview
    • 8.4.2 Guidance
    • 8.4.3 A Business Case Based on an Organization-Wide Approach(Category A)
    • 8.4.4 A Business Case Based on a Part of the Organization (Category B)

ISO/IEC TR 27016:2014 annex clauses

Annex A: Identification of stakeholders and objectives for setting values

  • A.1 Overview
  • A.2 Critical Public or Private Sectors
  • A.3 Public Health and Safety
  • A.4 Societal and Community
  • A.5 Personal Information
  • A.6 Environmental
  • A.7 Competition

Annex B: Economic decisions and key decision factors

Annex C: Economic models appropriate for information security

  • C.1 General information
  • C.2 Basic Value Model (BVM)
  • C.3 Negative to Positive Model
  • C.4 Generic Balance Investment for Protection Cost vs. Value Theory
  • C.5 Generic Investment Calculation — Cost Benefit Calculation

Annex D: Business cases calculation examples

  • D.1 Organizational Business Case Calculation Example (Ref. A)
  • D.2 Partial Organizational Business Case Calculation Example (Ref. B)
  • D.3 Asset/Control Case Example (Ref. B)

Explore other standards within the ISO 27k family

  • 1The ISO 27000 family
  • 2ISO 27002
  • 3ISO 27003
  • 4ISO 27004
  • 5ISO 27005
  • 6ISO 27008
  • 7ISO 27009
  • 8ISO 27010
  • 9ISO 27014
  • 11ISO 27013
  • 12ISO 27016
  • 13ISO 27017
  • 14ISO 27018
  • 15ISO 27019
  • 16ISO 27038
  • 17ISO 27039
  • 18ISO 27040
  • 19ISO 27050
  • 20ISO 27102
See the ISMS.online platform in action

Explore ISMS.online's platform with a self-guided tour - Start Now