ISO/IEC TR 27016 — IT Security — Security techniques — Information security management – Organizational economics [DRAFT]
Introduction
An Australian contribution to the New Work Item Proposal for this standard noted:
“Information security professionals, whether working as specialist consultants or working as employees of organisations, commonly report difficulty justifying the expenditure of money on information security controls to managers with a primary focus on financial matters concerning the core business of that organization. In many cases, this problem arises because there is no agreed way to relate matters concerning economics and information security. The proposed standard will reduce such problems.
The objective of the proposed standard is to present guidelines based on commonly accepted good practice that can be used and understood by both information security professionals and general managers to discuss information security programme initiatives and alternatives in terms of the financial outcomes that are expected.”
Scope and purpose of the standard
The technical report is intended to:
- Help management appreciate and understand the financial impacts of information security in the context of an ISO27k ISMS, along with political, social, compliance and other potential impacts on the organization that collectively influence how much it needs to invest in protecting its information assets;
- Support the CISO or ISM in proposing corporate investment in an ISMS to senior management, and justifying the budget;
- Cover the valuation of information assets plus the corresponding information security risks and information security controls, and hence help management determine the appropriate level of resources needed to implement and operate an ISMS. The aim is to invest just the right amount in the ISMS, neither too little nor too much;
- Extend to the level of determining appropriate investment in various parts or elements of an ISMS, for example how much to invest in information security risk assessment activities versus information security controls;
- Supplement other ISO27k standards by providing the financial perspective, providing guidance on the fundamentals of economics in this field and showing how to apply useful economic or financial models to information security through descriptions and examples, perhaps including a cost-benefit statement or business case and suggesting financial metrics;
- Be generic: each user organisation will have to develop its own customised business case for the ISMS investment, reflecting its particular circumstances and needs. Each organization is unique. However, the standard may provide a general framework or structure as a starting point, along with some ‘donor text’ that might be quoted or adapted by users where applicable, for example laying out the fundamentals and suggesting common ways to value and justify an ISMS.
Risks relating to the standard
While it is early in the development process, the technical report will hopefully address risks such as:
- Management under-valuing and hence under-appreciating information security and deprioritizing it relative to other business initiatives and imperatives;
- Management over-valuing information security and perhaps over-spending on the controls, diverting funds unnecessarily from other projects and operations;
- Information security investments or budgets being determined on potentially inappropriate bases (such as allocating a certain percentage of total IT expenditure, a specific increase or decrease on last year’s budget, or some notional ‘industry benchmark’ that fails to take due account of the organization’s specific situation and needs);
- Information security investments and expenditure being constrained or determined inappropriately by external bodies (such as head office in a typical group structure) lacking sufficient visibility of the organization’s true needs;
- Application of inappropriate or inaccurate economic models and/or investment appraisal techniques (including those commonly used to assess conventional investments in facilities, plant and machinery), giving misleading results when applied in this risk management field;
- Failing to take full account of frequent changes in the information security risk environment and necessary controls, such as novel threats, newly-recognized vulnerabilities, changes in the way the organization uses and depends on information, and changes to external compliance obligations (such as new privacy laws and regulations); and
- Setting inappropriate management expectations regarding the projected costs and benefits arising from the ISMS.
Status of the standard
Wider national body involvement is helping to progress the project. This is a developing field of study so the final product may be a Technical Report rather than a full International Standard.
Publication is anticipated by the end of 2013 (roughly).
The 4th WD is available to SC27 for comment. Gradually the rather academic and generic approach from the field of economics is being interpreted for application to the development of business cases for investments in information security. Some of the draft text may be more appropriate in the ISO27k overview sections of 27000.