What is the ROI from Information Security Management?
For those who take the topic seriously, the RoI from better information security and privacy can be very attractive too, but it takes a strategic approach to the subject. Whether that is a real return on the bottom line, future cost avoidance or better risk management is something this paper can help you consider.
We have set out to help determine the RoI and included the following aspects which you can build on for your own organisation’s business case:
- What an ISMS is and how the combination of people and technology that deliver it are crucial for achieving an optimal RoI. The people and technology can come from internal sources or be complemented by external resources too.
- Why you should have an ISMS. If you or your leadership don’t already believe, then this will help you determine where the benefits can materialise, including:
  - Financial and reputational threats, areas for future cost avoidance.
  - Opportunities for growth and material gain.
- Who the stakeholders are and what their expectations might include. That will help form your ISMS scope and consider how far to go with the solution, ranging from basic GDPR, into cyber hygiene, through to more comprehensive standards-based methodologies like ISO 27001:2013.
- To build or to buy, and whether to use your own people, complement them with external resources, and how to evaluate the technology component of the ISMS.
The equation for RoI from an ISMS is simply as follows:

RoI = (Forces driving for change + powerful stakeholder expectations + benefits from the ISMS)
      divided by
      (Resisting forces + costs of people & technology for the ISMS during implementation and ongoing management)

As with any business case analysis, increasing the numerator is great, and decreasing the denominator is also likely to be of value in reducing risk, cost and time to get work done.
Depending on your value at risk and the size of the opportunity or threat, the document may lead towards an immediate decision to do something, or perhaps involve much more planning and analysis before decisions are taken.
Whatever the size of the enterprise, the return will almost certainly outweigh the investment of people and technology, assuming the resisting forces can be addressed.
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
The key considerations when building the business case for an ISMS:
- Building the business case for an ISMS
- The Challenge is Growing
- Three Reasons Why Nothing Happens
- Planning the business case for an ISMS
- A Point on People
- In Considering The Technology
- What is an ISMS?
- Understanding the Components of an ISMS
- The People Involved in the ISMS
- Why Do Organisations Need An ISMS?
- Is Your Organisation Leadership Ready to Support an ISMS?
- Developing the Business Case for an ISMS
- Achieving Returns from the Threats and Opportunities
- Stakeholder Expectations for the ISMS given their Relative Power and Interest
- Scoping the ISMS to Satisfy Stakeholder Interests
- GDPR Focused Work
- The Return on Investment from Information Security Management
- Doing Other Work for Broader Security Confidence & Assurance with Higher RoI
- Build or Buy – Considering the Best Way to Achieve ISMS Success
- The characteristics of a good technology solution for your ISMS
- Whether to Build or Buy the Technology Part of the ISMS
- The Core Competences of the Organisation, Costs and Opportunity Costs
- Evaluating The Threats
- Identifying The Opportunities
- Work To Get Done for ISO 27001
- In Conclusion