a generic cost-benefit model

Gary Hinson, IsecT Ltd., 15th January 2008

Executive summary

Introduction

Organizations intending to adopt ISO/IEC 27002 (the international standard code of practice for information security management) and ISO/IEC 27001 (the information security management system certification standard) usually organize the associated work as an implementation project. The generic financial model outlined in this paper explains the financial implications of implementing ISO/IEC 27001 & 27002 as a set of typical benefit and cost categories. The model may be used both as the basis for a business case to justify the project to senior management, and as a framework for measuring and optimising the net value of the investment over the long term.

Copyright © 2008 IsecT Ltd. Page 1 of 4

[Figure: overview of benefits and costs]
Benefits: reduces information security risks; reduces probability and impacts of infosec incidents; certification to an international standard; marketing advantages etc.; structured, coherent approach; comprehensive risk assessment; focuses infosec spend to greatest advantage; demonstrable governance.
Costs: project management, project resources; organizational change requires organizational resources; design, development, testing, implementation; certification & surveillance visits; ongoing operation & maintenance.

Benefits

Reduces information security risks

- Strengthens existing information security control environment by (re-)emphasizing business information security control requirements, upgrading current information security policies, controls etc. & providing stimulus to review & update information security controls periodically → risk reduction
- Comprehensiveness reduces probability of unrecognized information security threats or vulnerabilities → risk reduction
- Professional, standardized & rational risk management approach gives consistency across multiple (all!) systems over time, & addresses information security risks consistently (risk-based approach focuses on highest risk areas) → risk reduction
- Increases ability to transfer risks selectively to insurer, and enables negotiation to reduce insurance premiums as controls are implemented → cost saving
- Managers & staff will become increasingly familiar with information security terms & controls → risk reduction

Benefits of standardization

- Provides a “common denominator”: a strong basis on which to build system-specific additional controls as appropriate without having to constantly revisit the basic controls → cost saving
- Avoids need to separately specify, implement & review common baseline control requirements & controls on each system → cost saving
- Is generally applicable & therefore directly re-usable across multiple departments, functions & organizations without change → cost saving
- Allows organization to concentrate its effort & resources on identifying & satisfying supra-baseline control requirements → cost saving
- Generally accepted & well established (BS 7799, ISO/IEC 17799, ISO/IEC 27002) with increasing awareness & uptake world-wide
- Recognized embodiment of accepted good information security practice – why re-invent? → cost saving
- Saves time & money by directly adopting good practice → cost saving
- Provides common terminology to discuss, specify, develop & assess information security requirements & controls. May even allow some controls to be relaxed → cost saving

Benefits of having a structured approach

- ISO/IEC 27002 is a logical framework for disparate information security controls, and forms a rational basis for assessing risks & implementing appropriate controls. It is internally consistent and reasonably comprehensive, without being overly prescriptive (especially if users focus on the broader control objectives). It is customizable and forms a good basis on which to build organization/industry-specific extensions as required → general benefits
- Provides the impetus to review systems, data and information flows with potential to reduce overhead of duplicated & other unnecessary systems/data/processes and improve the quality of information (business process re-engineering) → cost saving
- Provides a mechanism for measuring performance and incrementally raising the information security baseline → long term benefits
- Having implemented ISO/IEC 27001 and 27002, the organization will have a comprehensive set of formally-approved information security policies & procedures which are easier for staff & managers to follow consistently → long term benefits

Benefits of certification

- Will satisfy requests to partners/suppliers to substantiate information security controls without having to service individual enquiries or provide confidential information → cost saving & risk reduction
- Provides a rational & independent information security standard against which to assess quality of controls at partners/suppliers → cost saving & risk reduction
- Potentially offers a marketing advantage for early adopters (“badge of honor” similar to ISO 9000 quality standard) → marketing/sales benefit
- Reluctance to demonstrate ISO/IEC 27001/2 compliance may be taken as a sign of vulnerability. Certified compliance can promote the company image as a secure business partner → competitive advantage
- Helps assure stakeholders, auditors, industry regulators etc. that the organization is actively minimizing information security risks by demonstrating organizational commitment to information security (corporate governance or due diligence issue given the potential for information security exposures) → cost saving & risk reduction

Cost avoidance

- Organization may be forced down this route eventually in any event by market pressures, especially if third parties start demanding ISO/IEC 27002 compliance or ISO/IEC 27001 certificates as a prerequisite to eCommerce links etc. By implementing it to their own timescales, organizations can choose the most cost-effective sequence of actions → cost avoidance
- Governments & industry regulators may insist on ISO/IEC 27002 compliance as a rule. It may be required to demonstrate compliance with data protection/privacy and similar legislation → legal/regulatory requirement to avoid penalties
- Potentially reduces or narrows 3rd party claims in case of information security failures → cost saving & risk reduction

Costs

Costs relating to organizational change

- Need to raise organizational (staff & management) awareness
- Adaptation/rationalization of existing information security standards, procedures, practices etc.
- May need to “let certain staff go” for not complying with policies etc.

Design & development costs

- Review/update of existing information security standards, guidelines, procedures etc.
- Preparation of (some) new information security standards, guidelines, procedures etc.
- (Re-)design of controls architecture

Implementation costs

- One-off costs to upgrade and/or supplement various existing controls to meet the standard
- Awareness & training costs

Certification costs

- Initial pre-certification & certification visits by accredited ISO/IEC 27001 certification body (a few £k)
- Risk of failing to achieve certification at first application (any items that caused failure would themselves represent unacceptable information security risks – delayed certification more likely than complete failure)
- Staff/management time expended during annual surveillance visits
- Tri-annual re-certification (more thorough review & hence wider impact, but still relatively minor)
- All these costs will be minimized if we achieve high quality implementation through our own efforts

Ongoing maintenance costs

- Annual review/maintenance of information security policies, guidelines, procedures etc. to maintain compliance with the standard
- Minor costs to maintain registration (a few £k) – may perhaps be reduced by combining ISO/IEC 27001 with ISO 9000 certification

Conclusion

You are very welcome to use this generic paper as a basis for your own business case, using hard data and realistic estimates from your organization to firm up the numbers. By all means contact the author (Gary@isect.com) or visit www.ISO27001security.com for more information and advice from other ISO/IEC 27001/2 implementers. Good luck!

Copyright

This work is copyright © 2008, IsecT Ltd., some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to IsecT Ltd., and (c) derivative works are shared under the same terms as this.
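Worked example, added here and not part of the paper or of IsecT Ltd.'s material: a small Python model that arranges the paper's benefit categories (risk reduction, cost saving, cost avoidance, certification-dependent benefits) and cost categories (one-off project costs, initial certification visits, annual surveillance, tri-annual re-certification, ongoing maintenance) into a year-by-year net-value calculation, so that a business case can be firmed up with an organization's own figures. It also shows the effect of the "delayed certification" outcome the paper mentions, by shifting certification costs and certification-dependent benefits to a later year. All figures in it are constructed placeholders in £k, and the discount-rate NPV is an assumption layered on top of the paper's "net value over the long term", not something the paper defines.

```python
"""Year-by-year net value of an ISO/IEC 27001 & 27002 implementation.

Added example, not from the original paper. Every figure below is a constructed
placeholder (in £k), not an estimate for any real organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Costs:
    """Cost categories from the paper, in £k. Values are placeholders."""
    one_off: float                # organizational change, design & development, implementation, training
    certification_initial: float  # pre-certification and certification visits
    surveillance_annual: float    # annual surveillance visits incl. staff/management time
    recertification: float        # tri-annual re-certification (more thorough than surveillance)
    maintenance_annual: float     # annual review/maintenance of policies and registration


@dataclass(frozen=True)
class Benefits:
    """Benefit categories from the paper, in £k per year. Values are placeholders."""
    risk_reduction_annual: float  # reduction in expected annual loss from incidents
    cost_saving_annual: float     # standardization, adopting good practice, insurance premiums
    cost_avoidance_annual: float  # penalties, forced late compliance, 3rd-party claims
    certification_annual: float   # marketing / partner assurance; accrues only once certified


# Constructed placeholder figures (£k); replace with your organization's estimates.
BASE_COSTS = Costs(one_off=120.0, certification_initial=15.0, surveillance_annual=8.0,
                   recertification=12.0, maintenance_annual=25.0)
BASE_BENEFITS = Benefits(risk_reduction_annual=40.0, cost_saving_annual=20.0,
                         cost_avoidance_annual=10.0, certification_annual=15.0)


def cash_flows(costs, benefits, years=5, certification_year=1):
    """Return [(year, cost, benefit, net), ...] for years 1..years.

    Year 1 is the implementation project. certification_year > 1 models the
    paper's 'delayed certification' outcome: the certification visits move to
    that year and certification-dependent benefits start only then.
    """
    rows = []
    for year in range(1, years + 1):
        cost = costs.one_off if year == 1 else costs.maintenance_annual
        if year == certification_year:
            cost += costs.certification_initial
        elif year > certification_year:
            # every third year after certification is a re-certification visit,
            # the other years carry an annual surveillance visit
            since = year - certification_year
            cost += costs.recertification if since % 3 == 0 else costs.surveillance_annual
        # risk reduction, cost saving and cost avoidance follow the controls,
        # so they are assumed to accrue from the project year onwards
        benefit = (benefits.risk_reduction_annual + benefits.cost_saving_annual
                   + benefits.cost_avoidance_annual)
        if year >= certification_year:
            benefit += benefits.certification_annual
        rows.append((year, cost, benefit, benefit - cost))
    return rows


def cumulative_net(rows):
    """Running total of net value, one entry per year."""
    total, out = 0.0, []
    for _, _, _, net in rows:
        total += net
        out.append(total)
    return out


def payback_year(rows):
    """First year in which cumulative net value is non-negative, or None."""
    for (year, _, _, _), cum in zip(rows, cumulative_net(rows)):
        if cum >= 0:
            return year
    return None


def net_present_value(rows, discount_rate):
    """Discounted sum of yearly net values (year 1 undiscounted).

    Discounting is an assumption added in this example; the paper only speaks
    of the 'net value of the investment over the long term'.
    """
    return sum(net / (1 + discount_rate) ** (year - 1) for year, _, _, net in rows)


if __name__ == "__main__":
    for label, cert_year in (("certified in year 1", 1), ("certification delayed to year 2", 2)):
        rows = cash_flows(BASE_COSTS, BASE_BENEFITS, years=5, certification_year=cert_year)
        print(f"\n{label}")
        for (year, cost, benefit, net), cum in zip(rows, cumulative_net(rows)):
            print(f"  year {year}: cost {cost:6.1f}  benefit {benefit:6.1f}  "
                  f"net {net:6.1f}  cumulative {cum:7.1f}")
        print(f"  payback year: {payback_year(rows)}, "
              f"NPV at 10%: {net_present_value(rows, 0.10):.1f}")
```

With the placeholder figures the project pays back in year 2 when certified at the first attempt and in year 3 when certification slips a year; the difference is entirely the deferred certification-dependent benefits, which is why the paper treats a high-quality first implementation as the main lever for keeping certification costs down.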