
The financial implications of implementing ISO/IEC 27001 & 27002: a generic cost-benefit model

Gary Hinson, IsecT Ltd., 15th January 2008

Executive summary
Introduction
Organizations intending to adopt ISO/IEC 27002 (the international standard code of practice for information security management) and ISO/IEC 27001 (the information security management system certification standard) usually organize the associated work as an implementation project. The generic financial model outlined in this paper explains the financial implications of implementing ISO/IEC 27001 & 27002 as a set of typical benefit and cost categories. The model may be used both as the basis for a business case to justify the project to senior management, and as a framework for measuring and optimising the net value of the investment over the long term.
Copyright © 2008 IsecT Ltd. Page 1 of 4
Benefits
  Reduces information security risks
    Reduces probability and impacts of infosec incidents
  Certification to an international standard
    Marketing advantages etc.
  Structured, coherent approach
    Comprehensive risk assessment
    Focuses infosec spend to greatest advantage
    Demonstrable governance
Costs
  Project management, project resources
  Organizational change requires organizational resources
  Design, development, testing, implementation
  Certification & surveillance visits
  Ongoing operation & maintenance
Benefits
Reduces information security risks
Strengthens existing information security control environment by (re-)emphasizing business information security control requirements, upgrading current information security policies, controls etc. & providing stimulus to review & update information security controls periodically → risk reduction
Comprehensiveness reduces probability of unrecognized information security threats or vulnerabilities → risk reduction
Professional, standardized & rational risk management approach gives consistency across multiple (all!) systems over time, & addresses information security risks consistently (risk based approach focuses on highest risk areas) → risk reduction
Increases ability to transfer risks selectively to insurer, and enables negotiation to reduce insurance premiums as controls are implemented → cost saving
Managers & staff will become increasingly familiar with information security terms & controls → risk reduction
Benefits of standardization
Provides a "common denominator": a strong basis on which to build system-specific additional controls as appropriate without having to constantly revisit the basic controls → cost saving
Avoids need to separately specify, implement & review common baseline control requirements & controls on each system → cost saving
Is generally applicable & therefore directly re-usable across multiple departments, functions & organizations without change → cost saving
Allows organization to concentrate its effort & resources on identifying & satisfying supra-baseline control requirements → cost saving
Generally accepted & well established (BS 7799, ISO/IEC 17799, ISO/IEC 27002) with increasing awareness & uptake world-wide
Recognized embodiment of accepted good information security practice – why re-invent? → cost saving
Saves time & money by directly adopting good practice → cost saving
Provides common terminology to discuss, specify, develop & assess information security requirements & controls
May even allow some controls to be relaxed → cost saving
Benefits of having a structured approach
ISO/IEC 27002 is a logical framework for disparate information security controls, and forms a rational basis for assessing risks & implementing appropriate controls. It is internally consistent and reasonably comprehensive, without being overly prescriptive (especially if users focus on the broader control objectives). It is customizable and forms a good basis on which to build organization/industry-specific extensions as required → general benefits
Provides the impetus to review systems, data and information flows with potential to reduce overhead of duplicated & other unnecessary systems/data/processes and improve the quality of information (business process re-engineering) → cost saving
Provides a mechanism for measuring performance and incrementally raising the information security baseline → long term benefits
Having implemented ISO/IEC 27001 and 27002, the organization will have a comprehensive set of formally-approved information security policies & procedures which are easier for staff & managers to follow consistently → long term benefits
Benefits of certification
Will satisfy requests from partners/suppliers to substantiate information security controls without having to service individual enquiries or provide confidential information → cost saving & risk reduction
Provides a rational & independent information security standard against which to assess quality of controls at partners/suppliers → cost saving & risk reduction
Potentially offers a marketing advantage for early adopters ("badge of honor" similar to ISO 9000 quality standard) → marketing/sales benefit
Reluctance to demonstrate ISO/IEC 27001/2 compliance may be taken as a sign of vulnerability. Certified compliance can promote the company image as a secure business partner → competitive advantage
Helps assure stakeholders, auditors, industry regulators etc. that the organization is actively minimizing information security risks by demonstrating organizational commitment to information security (a corporate governance or due diligence issue given the potential for information security exposures) → cost saving & risk reduction
Cost avoidance
Organization may be forced down this route eventually in any event by market pressures, especially if third parties start demanding ISO/IEC 27002 compliance or ISO/IEC 27001 certificates as a prerequisite to eCommerce links etc. By implementing it to their own timescales, organizations can choose the most cost-effective sequence of actions → cost avoidance
Governments & industry regulators may insist on ISO/IEC 27002 compliance as a rule. It may be required to demonstrate compliance with data protection/privacy and similar legislation – legal/regulatory requirement to avoid penalties
Potentially reduces or narrows 3rd party claims in case of information security failures → cost saving & risk reduction
Costs
Costs relating to organizational change
Need to raise organizational (staff & management) awareness
Adaptation/rationalization of existing information security standards, procedures, practices etc.
May need to "let certain staff go" for not complying with policies etc.
Design & development costs
Review/update of existing information security standards, guidelines, procedures etc.
Preparation of (some) new information security standards, guidelines, procedures etc.
(Re-)design of controls architecture
Implementation costs
One-off costs to upgrade and/or supplement various existing controls to meet the standard
Awareness & training costs
Certification costs
Initial pre-certification & certification visits by accredited ISO/IEC 27001 certification body (a few £k)
0is" of failing to achie*e certification at first application (any items that caused failure !ould
themsel*es represent unaccepta(le information security ris"s > delayed certification more li"ely
than complete failure)
Staff/management time e&pended during annual sur*eillance *isits
%ri5annual re5certification (more thorough re*ie! ' hence !ider impact) (ut still relati*ely minor)
:ll these costs !ill all (e minimized if !e achie*e high 4uality implementation through our o!n
efforts
Ongoing maintenance costs
:nnual re*ie!/maintenance of information security policies) guidelines) procedures etc$ to
maintain compliance !ith standard
1inor costs to maintain registration (a fe! D") > may perhaps (e reduced (y com(ining ISO/IEC
2700 !ith ISO =000 certification
Conclusion
You are very welcome to use this generic paper as a basis for your own business case, using hard data and realistic estimates from your organization to firm up the numbers. By all means contact the author (Gary@isect.com) or visit www.ISO27001security.com for more information and advice from other ISO/IEC 27001/2 implementers. Good luck!
Copyright
This work is copyright © 2008, IsecT Ltd., some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to IsecT Ltd., and (c) derivative works are shared under the same terms as this.
