While we were researching this problem we looked into the benefits of ISO 27001:2013 as a way of deciding how much cost we could justify, and how that spend would benefit top-level stakeholders. Part of the way we did this was by breaking down a document by the BSI on the benefits of ISO 27001 to extract the benefits, and linking these to core actions within the standard itself to see how each part of the standard gave business value rather than simply increasing security. The map that we produced is currently available for free on StratNav.
The top-level benefits of ISO 27001:2013 are partially what you'd expect:
- Better protection of information
- Enhanced business reputation
- Better understanding of threats to the business
- Clearer alignment of IS procedures to business objectives
I'd argue that a strong benefits focus is needed to ensure that IS spending and policy are focused on supporting the business's use of information, rather than the traditional model in which IS tells the business how to "safely" use information. Getting IT and IS to agree that they should enable rather than protect could be a challenge in some organisations; however, it is a challenge well worth taking on.