The business case for ISO27k

As part of January's awareness module, I'm compiling a generic business case laying out the costs and benefits of implementing the ISO27k standards and seeking an ISO/IEC 27001 certificate.

Well, that was the cunning plan anyway.  

So far, I have a long list of benefits and a small handful of costs - just the obvious ones to do with managing an implementation project, reviewing information risks, improving governance arrangements, writing and updating the documentation such as policies, and contracting with an accredited certification body. There may be additional costs to implement information security controls ... but not necessarily: it all depends on the information risks and decisions arising. 

Patently I'm a big fan of ISO27k but I honestly didn't expect the business case to be so overwhelmingly positive. It's quite a surprise.

If management is willing to accept the organization's current information risk status, there's no need to splash out on additional security, at least not yet, not purely for certification anyway. The situation may change, later, once the ISMS is running sweetly and shortcomings with the risk treatments come to light, perhaps through incidents or a growing appreciation of the evolving information risks ... but that's a way down the track, post-certification. Possible future costs are not part of the business case, nor are possible future benefits.

It's not entirely plain sailing though: the implementation process involves systematically reviewing the infosec controls catalogued in ISO/IEC 27001 Annex A to be sure that nothing important has been neglected, and any control that is excluded has to be justified in the Statement of Applicability. An organization lacking near-universal controls such as identification and authentication, access controls, backups, antivirus and firewalls would be hard-pressed to convince the certification auditors that those controls are inapplicable. It can be done, but it's not easy.

As a consequence, it is clearly vital for third parties that depend on a certified organization's information security arrangements to consider its ISMS scope and Statement of Applicability carefully: the certificate attests only to the ISMS within its declared scope, and controls excluded in the Statement of Applicability are not assessed. That, too, is a matter of information risk. The information risks associated with the supply of commodity goods are lower than for specialist goods and services, especially professional services with a strong information content or with legal and regulatory compliance implications - IT/cloud, finance/accounting/tax, legal and HR services for instance. The stakes are higher and so are the expectations, with implications for the assurance measures, supplier evaluation, contractual clauses and relationship management.

It cuts both ways: suppliers of goods and services with a strong information content should anticipate more thorough evaluation of their information risks by prospective, ongoing or renewing customers. For them, customer requirements may eclipse those in ISO27k, yet the ISO27k ISMS provides a sound governance and management framework to help them do what needs to be done. The costs may be higher but so too are the benefits. Like I said, the business case remains overwhelmingly positive.

UPDATE Jan 3rd: I have just published the business case paper - 18 pages in total with a smattering of quotations from the standards and some graphics from January's awareness module.