ISO/IEC TR 27016
ISO/IEC TR 27016:2014 — Information technology — Security techniques — Information security management — Organisational economics
(first edition)
Abstract
“ISO/IEC TR 27016:2014 provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. ISO/IEC TR 27016:2014 is applicable to all types and sizes of organisations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.”
[Source: ISO/IEC TR 27016:2014]
Introduction
There are substantial economic, financial and resourcing aspects to the management of information risks and security controls.
Scope
The ISO catalogue page says this standard “provides guidelines on how an organisation can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.”
Structure
Main sections:
6: Information security economic factors
7: Economic objectives
8: Balancing information security economics for information security management
Annex A: Idenitifcation of stakeholders and objectives for setting values
Annex B: Economic decisions and key cost decision factors
Annex C: Economic models appropriate for information security
Annex D: Business cases calculation examples
Status
The current first edition was published in 2014 as a Technical Report since this was deemed a developing field of study.
Evidently the field has not developed significantly (and the first edition did such a good job) since work on a second edition ground to a halt due to lack of inputs from committee members.
Commentary
Some of the more generic parts of the text may be more appropriate in the ISO27k overview sections of ISO/IEC 27000.