What is ISO/IEC TR 27016:2014?
Information security professionals often need to justify investment in information security controls. But there’s still no universal way of assessing the economic impact of information security decisions. ISO/IEC TR 27016:2014 aims to solve this. ISO 27016 helps organisations decide how much to invest in protecting their information. Both information security professionals and general managers can use and understand ISO 27016. The report will help you:
- Discuss your information security management initiatives
- Predict the financial outcomes of your information security decisions
ISO 27016 helps you think about how economic factors interact with other resources, including:
You should also note that ISO 27016 is a technical report, not a standard. An ISO technical report gives guidance on a subject using information obtained from other sources. These sources include:
- Other reports
- Generally available information
What’s the history of ISO/IEC TR 27016:2014?
The International Organisation for Standardisation (ISO) published ISO 27016 in 2014. ISO created ISO 27016 to give guidance to both information security professionals and general managers, helping them:
- Understand where to invest their information security budget
- Discuss the financial outcomes of their information security choices
How does ISO 27016 relate to other standards?
ISO 27016 supports other ISO 27k standards. The Technical Report gives you guidance on the economics of information security, showing you how to apply economic or financial models to your infosec decisions. It gives descriptions and examples, including:
- Cost-benefit statements
- Business cases
- Suggested financial metrics
Economic considerations must inform all of your infosec management decisions. Thinking through the financials is particularly important when deciding how you’ll:
- Manage risk (as laid out in ISO/IEC 27005)
- How secure your information is
- How well your Information Security Management System (ISMS) is working (as laid out in ISO/IEC 27004)
Who can implement ISO 27016?
Any kind or size of organisation can implement ISO/IEC TR 27016:2014. The technical report will be particularly helpful if you’re a senior manager responsible for infosec decisions.
It’s aimed at:
- Chief Executive Officers (CEOs)
- Chief Information Officers (CIOs)
- Chief Information Security Officers (CISOs)
- Information Security Managers (ISM)
You’ll find ISO 27016 useful when you’re:
- Defining your information security management strategy
- Implementing your information security policies
- Keeping your information assets secure
Why should we implement ISO 27016?
ISO 27016 will help you introduce financial considerations into the infosec decision making process, creating a unique business case to justify infosec investment.
Your organisation will understand that it should treat information security policies as valuable assets in themselves.
To help you understand and explain the financial impact of infosec decisions, the document includes:
- A general starting point framework
- Sample text for you to adapt and use
Information security policies need a wide range of controls to be effective. Your organisation will have to invest in those controls. ISO 27016 will help you make a clear financial case for each control. You’ll show that each of them creates a clearly-defined return on investment.
How much does information security cost?
Asking ‘how much does infosec cost?’ is like asking ‘how long is a piece of string?’. The cost of securing your information will depend on your organisation’s type and scale. To set your infosec budget, you’ll need to think through:
- How much your organisation turns over
- How costly an infosec breach could be
ISO 27016 will help you understand how much your organisation can and should spend on information security.
What are the benefits of ISO 27016?
ISO 27016 helps you decide how much you want to invest to safeguard your information assets. The report will help you justify your infosec budget and make infosec investment recommendations.
The report encourages you to make broad economic arguments and set wide-ranging goals. It might ask you to consider setting up an ISO 27k information security management system (ISMS), or exploring the potential political, social and legal impacts of your infosec choices.
The report will also guide you through the fine detail of its infosec recommendations. For example, it will help you
- Spend the right amount on your ISMS, not too little or too much
- Choose between investing in information risk management and security controls
- Assess the value of your information assets and the potential costs of threats to them
What are the requirements for ISO 27016?
ISO 27016 has eight clauses and four annexes. Clauses 1 to 5 establish the standard’s context and references. Clause 6 defines economic factors to consider when implementing your information security controls. You’ll need to think through:
- Management Decisions
- Business Cases
- Stakeholder Interests
- Economic Decision Review
Clause 7 tells you which economic objectives your organisation should consider and how to estimate the value of your information assets. Clause 8 asks you to balance the costs of information security with its potential benefits. The report ends with four Annexes that help you think through the bigger economic, social and political picture.
Here’s the full list of everything ISO 27016 includes:
ISO/IEC TR 27016:2014 clauses
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Abbreviated terms
Clause 5: Structure of the document
Clause 6: Information security economic factors
Clause 7: Economic objectives
Clause 8: Balancing information security economics for ISM
- 8.1 Introduction
- 8.2 Economic Benefits
- 8.3 Economic Costs
- 8.4 Applying Economic Calculations to ISM
- 8.4.1 Overview
- 8.4.2 Guidance
- 8.4.3 A Business Case Based on an Organization-Wide Approach(Category A)
- 8.4.4 A Business Case Based on a Part of the Organization (Category B)
ISO/IEC TR 27016:2014 annex clauses
Annex A: Identification of stakeholders and objectives for setting values
- A.1 Overview
- A.2 Critical Public or Private Sectors
- A.3 Public Health and Safety
- A.4 Societal and Community
- A.5 Personal Information
- A.6 Environmental
- A.7 Competition
Annex B: Economic decisions and key decision factors
Annex C: Economic models appropriate for information security
- C.1 General information
- C.2 Basic Value Model (BVM)
- C.3 Negative to Positive Model
- C.4 Generic Balance Investment for Protection Cost vs. Value Theory
- C.5 Generic Investment Calculation — Cost Benefit Calculation
Annex D: Business cases calculation examples
- D.1 Organizational Business Case Calculation Example (Ref. A)
- D.2 Partial Organizational Business Case Calculation Example (Ref. B)
- D.3 Asset/Control Case Example (Ref. B)