ISO 27016

What’s the history of ISO/IEC TR 27016:2014?

The International Organisation for Standardisation (ISO) published ISO 27016 in 2014. ISO created ISO 27016 to give guidance to both information security professionals and general managers, helping them:

• Understand where to invest their information security budget
• Discuss the financial outcomes of their information security choices

How does ISO 27016 relate to other standards?

ISO 27016 supports other ISO 27k standards. The Technical Report gives you guidance on the economics of information security, showing you how to apply economic or financial models to your infosec decisions. It gives descriptions and examples, including:

• Cost-benefit statements
• Business cases
• Suggested financial metrics

Economic considerations must inform all of your infosec management decisions. Thinking through the financials is particularly important when deciding how you’ll:

• Manage risk (as laid out in ISO/IEC 27005)
• Measure:
  • How secure your information is
  • How well your Information Security Management System (ISMS) is working as laid out in ISO/IEC 27004

Who can implement ISO 27016?

Any kind or size of organisation can implement ISO/IEC TR 27016:2014. The technical report will be particularly helpful if you’re a senior manager responsible for infosec decisions.

It’s aimed at:

• Chief Executive Officers (CEOs)
• Chief Information Officers (CIOs)
• Chief Information Security Officers (CISOs)
• Information Security Managers (ISM)

You’ll find ISO 27016 useful when you’re:

• Defining your information security management strategy
• Implementing your information security policies
• Keeping your information assets secure

Why should we implement ISO 27016?

ISO 27016 will help you introduce financial considerations into the infosec decision making process, creating a unique business case to justify infosec investment.

Your organisation will understand that it should treat information security policies as valuable assets in themselves.

To help you understand and explain the financial impact of infosec decisions, the document includes:

• A general starting point framework
• Sample text for you to adapt and use

Information security policies need a wide range of controls to be effective. Your organisation will have to invest in those controls. ISO 27016 will help you make a clear financial case for each control. You’ll show that each of them creates a clearly-defined return on investment.

How much does information security cost?

Asking ‘how much does infosec cost?’ is like asking ‘how long is a piece of string?’. The cost of securing your information will depend on your organisation’s type and scale. To set your infosec budget, you’ll need to think through:

• How much your organisation turns over
• How costly an infosec breach could be

ISO 27016 will help you understand how much your organisation can and should spend on information security.

What are the benefits of ISO 27016?

ISO 27016 helps you decide how much you want to invest to safeguard your information assets. The report will help you justify your infosec budget and make infosec investment recommendations.

The report encourages you to make broad economic arguments and set wide-ranging goals. It might ask you to consider setting up an ISO 27k information security management system (ISMS), or exploring the potential political, social and legal impacts of your infosec choices.

The report will also guide you through the fine detail of its infosec recommendations. For example, it will help you:

• Spend the right amount on your ISMS, not too little or too much
• Choose between investing in information risk management and security controls
• Assess the value of your information assets and the potential costs of threats to them

What are the requirements for ISO 27016?

ISO 27016 has eight clauses and four annexes. Clauses 1 to 5 establish the standard’s context and references. Clause 6 defines economic factors to consider when implementing your information security controls. You’ll need to think through:

• Management Decisions
• Business Cases
• Stakeholder Interests
• Economic Decision Review

Clause 7 tells you which economic objectives your organisation should consider and how to estimate the value of your information assets. Clause 8 asks you to balance the costs of information security with its potential benefits. The report ends with four Annexes that help you think through the bigger economic, social and political picture.

Here’s the full list of everything ISO 27016 includes: