Sunday 24 November 2013

Benefits of ISO27001:2013

My team was recently asked to produce a case for actually implementing ISO 27001:2013 or other standards. One of the problems with information assurance / cyber security is deciding when to stop. It is very easy to spend money on cyber security, but how do you know that what you are spending is worthwhile or correctly targeted?

While we were researching this problem we looked into the benefits of ISO 27001:2013 as a way of deciding how much cost we could justify, and how that would benefit top-level stakeholders. Part of the way we did this was by breaking down a BSI document on the benefits of ISO 27001 to extract the benefits it claims, and linking each of these to core actions within the standard itself to see how each part of the standard delivers value rather than simply increased security. The map that we produced is currently available for free on StratNav.

The top-level benefits of ISO 27001:2013 are partly what you'd expect:
  • Better protection of information
  • Enhanced business reputation
  • Better understanding of threats to the business
  • Clearer alignment of IS procedures to business objectives
What is more interesting is the way that these are achieved. Clearer alignment comes from a better understanding of what the business is using information to achieve, coupled with better-focused spending on IS. Enhanced business reputation comes, of course, from fewer incidents, but it also comes from better-focused and more efficient operations that allow you to win and retain more business.

I'd argue that a strong benefits focus is needed to ensure that IS spending and policy are focused on supporting the business's use of information, rather than the traditional model in which IS tells the business how to "safely" use information. Getting IT and IS to agree that they should enable rather than protect could be a challenge in some organisations, but it is a challenge well worth taking on.
