We hear a lot about ROI: is the investment paying off?
It’s what drives most boardroom decisions.
Indeed, to ensure we can judge correctly whether anything is effective, we need to measure performance against a set of key objectives and use that data to inform good decision making.
If you are implementing ISO 27001:2013 and are struggling with the requirements of clause 6.2, consider it in terms of ROI.
Without these important controls you have an ISMS that you have invested heavily in but no way of knowing whether it is effective in reducing the risk of an information security breach (and its related cost!).
You have no defined goals, no system metrics and no data on which to base decisions.
The whole ISO 27001 implementation boils down to two questions: are we meeting our information security objectives, and how do we know we are? Oh, and of course, if we are not, what are we doing about it?
In 6.2, just as with any business process, it’s necessary to:
- Set your information security objectives
- Establish your metrics
- Define your process for evaluation.