ISMS Business Case Builder - The Return on Investment from Information Security Management
What is the ROI from Information Security Management?
For those who take the topic seriously, the RoI from better information security and privacy can be very attractive, but it takes a strategic approach to the subject. Whether that return is a real improvement on the bottom line, future cost avoidance or better risk management is something this paper can help you consider.
We have set out to help determine the RoI and included the following aspects which you can build on for your own organisation’s business case:
- What an ISMS is and how the combination of people and technology that deliver it are crucial for achieving an optimal RoI. The people and technology can come from internal sources or be complemented by external resources too.
- Why you should have an ISMS. If you or your leadership don’t already believe, this will help you determine where the benefits can materialise, including:
  - Financial and reputational threats, and areas for future cost avoidance.
  - Opportunities for growth and material gain.
- Who the stakeholders are and what their expectations might include. That will help form your ISMS scope and help you consider how far to go with the solution, ranging from basic GDPR compliance, through cyber hygiene, to more comprehensive standards-based methodologies like ISO 27001:2013.
- Whether to build or to buy: whether to use your own people or complement them with external resources, and how to evaluate the technology component of the ISMS.
The equation for RoI from an ISMS is simply as follows:

RoI = (Forces driving for change + powerful stakeholder expectations + benefits from the ISMS) / (Resisting forces + costs of people & technology for the ISMS during implementation and ongoing management)
As with any business case analysis, increasing the numerator is great, and decreasing the denominator is also likely to be of value, reducing risk, cost and the time it takes to get work done.
Depending on your value at risk and the size of the opportunity or threat, the document may lead towards an immediate decision to do something, or perhaps involve much more planning and analysis before decisions are taken.
Whatever the size of the enterprise, the return will almost certainly outweigh the investment in people and technology, assuming the resisting forces can be addressed.
You can download the paper now to share with colleagues, or work through the considerations online using the index below.
What are the key considerations when building the business case for an ISMS?
- A growing challenge
- Three reasons why nothing happens
- The return on investment from information security management
- A point on people
- In considering the technology
- What is an ISMS?
- What are the components of an ISMS?
- Why do organisations need an ISMS?
- Is your organisation leadership ready to support an ISMS?
- Developing the business case for an ISMS
- Benefits to realise - Achieving returns from the threats and opportunities
- Evaluating the threats
- Identifying the opportunities
- Stakeholder expectations for the ISMS given their relative power and interest
- Scoping the ISMS to satisfy stakeholder interests
- GDPR focused work
- Doing other work for broader security confidence and assurance with higher RoI
- Work to get done for ISO 27001:2013/17
- Build or buy - Considering the best way to achieve ISMS success
- Understanding the components of an ISMS solution
- The people involved in the ISMS
- The characteristics of a good technology solution for your ISMS
- Whether to build or buy the technology part of the ISMS
- The core competences of the organisation, costs and opportunity costs
- In conclusion