ISO 27016

Information security management – Organisational economics

What is ISO/IEC TR 27016:2014?

Information security professionals often need to justify investment in information security controls. But there’s still no universal way of assessing the economic impact of information security decisions. ISO/IEC TR 27016:2014 aims to solve this. ISO 27016 helps organisations decide how much to invest in protecting their information. Both information security professionals and general managers can use and understand ISO 27016. The report will help you:

  • Discuss your information security management initiatives
  • Predict the financial outcomes of your information security decisions

ISO 27016 helps you think about how economic factors interact with other resources, including:

  • People
  • Equipment
  • Facilities
  • Materials
  • Finances

You should also note that ISO 27016 is a technical report, not a standard. An ISO technical report gives guidance on a subject using information obtained from other sources. These sources include:

  • Surveys
  • Other reports
  • Generally available information
See our platform in action

What’s the history of ISO/IEC TR 27016:2014?

The International Organisation for Standardisation (ISO) published ISO 27016 in 2014. ISO created ISO 27016 to give guidance to both information security professionals and general managers, helping them:

  • Understand where to invest their information security budget
  • Discuss the financial outcomes of their information security choices

How does ISO 27016 relate to other standards?

ISO 27016 supports other ISO 27k standards. The Technical Report gives you guidance on the economics of information security, showing you how to apply economic or financial models to your infosec decisions. It gives descriptions and examples, including:

  • Cost-benefit statements
  • Business cases
  • Suggested financial metrics

Economic considerations must inform all of your infosec management decisions. Thinking through the financials is particularly important when deciding how you’ll:

Who can implement ISO 27016?

Any kind or size of organisation can implement ISO/IEC TR 27016:2014. The technical report will be particularly helpful if you’re a senior manager responsible for infosec decisions.

It’s aimed at:

  • Chief Executive Officers (CEOs)
  • Chief Information Officers (CIOs)
  • Chief Information Security Officers (CISOs)
  • Information Security Managers (ISM)

You’ll find ISO 27016 useful when you’re:

  • Defining your information security management strategy
  • Implementing your information security policies
  • Keeping your information assets secure
Find out just how affordable your ISMS could be

Why should we implement ISO 27016?

ISO 27016 will help you introduce financial considerations into the infosec decision making process, creating a unique business case to justify infosec investment.

Your organisation will understand that it should treat information security policies as valuable assets in themselves.

To help you understand and explain the financial impact of infosec decisions, the document includes:

  • A general starting point framework
  • Sample text for you to adapt and use

Information security policies need a wide range of controls to be effective. Your organisation will have to invest in those controls. ISO 27016 will help you make a clear financial case for each control. You’ll show that each of them creates a clearly-defined return on investment.

How much does information security cost?

Asking ‘how much does infosec cost?’ is like asking ‘how long is a piece of string?’. The cost of securing your information will depend on your organisation’s type and scale. To set your infosec budget, you’ll need to think through:

  • How much your organisation turns over
  • How costly an infosec breach could be

ISO 27016 will help you understand how much your organisation can and should spend on information security.

What are the benefits of ISO 27016?

ISO 27016 helps you decide how much you want to invest to safeguard your information assets. The report will help you justify your infosec budget and make infosec investment recommendations.

The report encourages you to make broad economic arguments and set wide-ranging goals. It might ask you to consider setting up an ISO 27k information security management system (ISMS), or exploring the potential political, social and legal impacts of your infosec choices.

The report will also guide you through the fine detail of its infosec recommendations. For example, it will help you

  • Spend the right amount on your ISMS, not too little or too much
  • Choose between investing in information risk management and security controls
  • Assess the value of your information assets and the potential costs of threats to them

What are the requirements for ISO 27016?

ISO 27016 has eight clauses and four annexes. Clauses 1 to 5 establish the standard’s context and references. Clause 6 defines economic factors to consider when implementing your information security controls. You’ll need to think through:

  • Management Decisions
  • Business Cases
  • Stakeholder Interests
  • Economic Decision Review

Clause 7 tells you which economic objectives your organisation should consider and how to estimate the value of your information assets. Clause 8 asks you to balance the costs of information security with its potential benefits. The report ends with four Annexes that help you think through the bigger economic, social and political picture.

Here’s the full list of everything ISO 27016 includes:

ISO/IEC TR 27016:2014 clauses

Clause 1: Scope

Clause 2: Normative references

Clause 3: Terms and definitions

Clause 4: Abbreviated terms

Clause 5: Structure of the document

Clause 6: Information security economic factors

Clause 7: Economic objectives

Clause 8: Balancing information security economics for ISM

  • 8.1 Introduction
  • 8.2 Economic Benefits
  • 8.3 Economic Costs
  • 8.4 Applying Economic Calculations to ISM
    • 8.4.1 Overview
    • 8.4.2 Guidance
    • 8.4.3 A Business Case Based on an Organization-Wide Approach(Category A)
    • 8.4.4 A Business Case Based on a Part of the Organization (Category B)

ISO/IEC TR 27016:2014 annex clauses

Annex A: Identification of stakeholders and objectives for setting values

  • A.1 Overview
  • A.2 Critical Public or Private Sectors
  • A.3 Public Health and Safety
  • A.4 Societal and Community
  • A.5 Personal Information
  • A.6 Environmental
  • A.7 Competition

Annex B: Economic decisions and key decision factors

Annex C: Economic models appropriate for information security

  • C.1 General information
  • C.2 Basic Value Model (BVM)
  • C.3 Negative to Positive Model
  • C.4 Generic Balance Investment for Protection Cost vs. Value Theory
  • C.5 Generic Investment Calculation — Cost Benefit Calculation

Annex D: Business cases calculation examples

  • D.1 Organizational Business Case Calculation Example (Ref. A)
  • D.2 Partial Organizational Business Case Calculation Example (Ref. B)
  • D.3 Asset/Control Case Example (Ref. B)

Explore other standards within the ISO 27k family

  • 1

    The ISO 27000 family

  • 2

    ISO 27002

  • 3

    ISO 27003

  • 4

    ISO 27004

  • 5

    ISO 27005

  • 6

    ISO 27008

  • 7

    ISO 27009

  • 8

    ISO 27010

  • 9

    ISO 27014

  • 11

    ISO 27013

  • 12

    ISO 27016

  • 13

    ISO 27017

  • 14

    ISO 27018

  • 15

    ISO 27019

  • 16

    ISO 27038

  • 17

    ISO 27039

  • 18

    ISO 27040

  • 19

    ISO 27050

  • 20

    ISO 27102