Information technology - Security techniques - Information security management - Organizational economics

ISO/IEC TR 27016:2014 provides guidelines on how an organization can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. ISO/IEC TR 27016:2014 is applicable to all types and sizes of organizations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.

Technologies de l'information — Techniques de sécurité — Management de la sécurité de l'information — Économie organisationnelle

General Information

Status: Published
Publication Date: 19-Feb-2014
Current Stage: 6060 - International Standard published
Start Date: 20-Feb-2014
Due Date: 22-Nov-2013
Completion Date: 22-Nov-2013

Overview

ISO/IEC TR 27016:2014 - "Information technology - Security techniques - Information security management - Organizational economics" provides guidance on incorporating economic reasoning into information security decision‑making. It helps organizations evaluate the costs, benefits and trade‑offs of protecting information assets so top management can allocate limited resources effectively. The report overlays an economic perspective on the ISO/IEC 27000 family and is applicable to all sizes and sectors.

Key Topics

  • Information security economics: Principles for efficient use of limited resources when managing confidentiality, integrity and availability (CIA).
  • Management decision support: Methods for preparing economic justifications and business cases that link security spending to business objectives.
  • Asset valuation concepts: Definitions and metrics such as annualized loss expectancy (ALE), single loss expectancy (SLE), expected value, direct/indirect/extended value, market value, value‑at‑risk (VAR), net present value (NPV) and return on investment (ROI).
  • Economic factors and trade‑offs: Identification of stakeholder interests, opportunity cost, regulatory requirements and non‑economic benefits (e.g., reputation).
  • Balancing benefits and costs: Approaches for comparing economic benefits of security controls against implementation and operating costs.
  • Supportive annexes: Practical material including stakeholder identification (Annex A), cost decision factors (Annex B), suitable economic models (Annex C) and worked business‑case examples (Annex D).

Practical Applications

  • Building economic justifications for security projects so executives can compare security investments with other business priorities.
  • Estimating financial exposure (ALE/VAR) for information assets to inform control selection and budget allocation.
  • Applying NPV/ROI and opportunity‑cost reasoning when planning long‑term security programs.
  • Integrating economic analysis into ISMS (Information Security Management System) planning, procurement decisions and risk treatment.
  • Demonstrating compliance impact and business value to stakeholders - useful for procurement, finance, and board reporting.

Who Uses This Standard

  • Top management and executives (CEOs, CFOs, COOs) responsible for resource allocation.
  • CIOs, CISOs, security managers and ISMS implementers who prepare business cases.
  • Risk and finance teams conducting cost‑benefit and investment appraisal.
  • Organisations of all sizes seeking to align security spending with business strategy.

Related Standards

  • ISO/IEC 27000 (overview and vocabulary)
  • ISO/IEC 27001 (ISMS requirements) - related in practice
  • ISO/IEC 27005 (risk management) and ISO/IEC 27004 (measurements) - economic analysis complements these standards

Keywords: ISO/IEC TR 27016:2014, information security economics, organizational economics, information security management, business case, asset valuation, ALE, ROI, ISMS.

Technical report
ISO/IEC TR 27016:2014 - Information technology — Security techniques — Information security management — Organizational economics
Released: 2/20/2014
English language, 31 pages

Standards Content (Sample)


TECHNICAL REPORT ISO/IEC TR
First edition 2014-03-01
Information technology — Security techniques — Information security management — Organizational economics
Technologies de l’information — Techniques de sécurité — Management de la sécurité de l’information — Économie organisationnelle
Reference number
© ISO/IEC 2014
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved

Contents (page)
Foreword .... iv
Introduction .... v
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 Abbreviated terms .... 3
5 Structure of this Document .... 3
6 Information Security Economic Factors .... 4
6.1 Management Decisions .... 4
6.2 Business Cases .... 4
6.3 Stakeholder Interests .... 7
6.4 Economic Decision Review .... 8
7 Economic Objectives .... 8
7.1 Introduction .... 8
7.2 Information Asset Valuations .... 8
8 Balancing Information Security Economics for ISM .... 10
8.1 Introduction .... 10
8.2 Economic Benefits .... 11
8.3 Economic Costs .... 11
8.4 Applying Economic Calculations to ISM .... 12
Annex A (informative) Identification of Stakeholders and Objectives for Setting Values .... 17
Annex B (informative) Economic Decisions and Key Cost Decision Factors .... 19
Annex C (informative) Economic Models Appropriate for Information Security .... 22
Annex D (informative) Business Cases Calculation Examples .... 26
Bibliography .... 31

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
In exceptional circumstances, when the joint technical committee has collected data of a different kind
from that which is normally published as an International Standard (“state of the art”, for example), it
may decide to publish a Technical Report. A Technical Report is entirely informative in nature and shall
be subject to review every five years in the same manner as an International Standard.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 27016 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

Introduction
This Technical Report provides guidelines on information security economics as a decision making
process concerning the production, distribution, and consumption of limited goods and services. Actions
for the protection of an organization’s information assets require resources, which otherwise could be
allocated to alternative non-information security related uses. The reader of this Technical Report is
primarily intended to be executive management who have delegated responsibility from the governing
body for strategy and policy, e.g. Chief Executive Officers (CEOs), Heads of Government Organizations,
Chief Financial Officers (CFOs), Chief Operating Officers (COOs), Chief Information Officers (CIOs), Chief
Information Security Officers (CISOs) and similar roles.
Information security management is often seen as an information technology only approach using
technical controls (e.g. encryption, access and privilege management, firewalls, and intrusion and
malicious code eradication). However, any application of information security is not effective without
considering a broad range of other controls (e.g. physical controls, human resource controls, policies
and rules, etc.). A decision has to be made to allocate sufficient resources to support a broad range
of controls as part of information security management. This Technical Report supports the broad
objectives of information security as provided in the ISO/IEC 27000 family of standards by introducing
economics as a key component of the decision making process.
Coupled with a risk management approach (ISO/IEC 27005 [5]) and the ability to perform information
security measurements (ISO/IEC 27004 [4]), economic factors need to be considered as part of information
security management when planning, implementing, maintaining and improving the security of the
organization’s information assets. In particular, economic justifications are required to ensure spending
on information security is effective as opposed to using the resources in a less efficient way.
Typically, economic benefits of information security management concern one or more of the following:
a) minimizing any negative impact to the organization’s business objectives;
b) ensuring any financial loss is acceptable;
c) avoiding requirements for additional risk capital and contingency provisioning.
Information security management may also produce benefits that are not driven by financial concerns
alone. While these non-financial benefits are important, they are usually excluded from financial based
economic analysis. Such benefits need to be quantified and included as part of the economic analysis.
Examples include:
a) enabling the business to participate in high-risk endeavours;
b) enabling the business to satisfy legal and regulatory obligations;
c) managing customer expectations of the organization;
d) managing community expectations of the organization;
e) maintaining a trusted organizational reputation;
f) providing assurance of completeness and accuracy of financial reporting.
Negative financial and non-financial economic impacts as a result of a failure by the organization to
provide adequate protection of its information assets are increasingly becoming a business issue. The
value of information security management includes identifying a direct relationship between the cost of
controls to prevent loss, and the cost benefit of avoiding a loss.
Increasing levels of competition are resulting in the need for organizations to focus on the economics of
risk.

This Technical Report supplements the ISO/IEC 27000 family of standards by overlaying an economic
perspective on protecting an organization’s information assets in the context of the wider societal
environment in which an organization operates.

TECHNICAL REPORT ISO/IEC TR 27016:2014(E)
Information technology — Security techniques —
Information security management — Organizational
economics
1 Scope
This Technical Report provides guidelines on how an organization can make decisions to protect
information and understand the economic consequences of these decisions in the context of competing
requirements for resources.
This Technical Report is applicable to all types and sizes of organizations and provides information
to enable economic decisions in information security management by top management who have
responsibility for information security decisions.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
3.1
annualized loss expectancy
ALE
monetary loss (3.13) that can be expected for an asset due to a risk over a one year period
Note 1 to entry: ALE is defined as: ALE = SLE × ARO, where SLE is the Single Loss Expectancy and ARO is the
Annualized Rate of Occurrence.
3.2
direct value
value that can be determined by a value of an identical replacement or substitute in the event of an
information asset or assets being harmed or lost
Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as loss if the event
occurs.
3.3
economic factor
item or information that affects an asset’s value (3.22)
3.4
economic comparison
consideration of competing or alternative cases for the allocation of resource

3.5
economic justification
element of business case designed to enable the allocation of resource
3.6
economic value added
measure that compares net operating profit to total cost of capital
3.7
economics
efficient use of limited resources
3.8
expected value
value estimated as an impact to the business by an information asset being harmed or lost
Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as loss if the event
occurs.
3.9
extended value
expected value times the number of times that value might occur
3.10
indirect value
value that is estimated for the replacement or restoring in the event of an information asset or assets
being harmed or lost
Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as negative if the
event occurs.
3.11
information security economics
efficient use of limited resources for information security management
3.12
information security management
ISM
managing the preservation of confidentiality, integrity and availability of information
3.13
loss
reduction in the value (3.22) of an asset
Note 1 to entry: In terms of information security economics (3.11), a loss may also be used in the context as a
positive value. In this document a cost is always negative unless otherwise stated.
3.14
market value
highest price that a ready, willing and able buyer will pay and the lowest price a seller will accept
3.15
net present value
sum of the present values (3.16) of the individual cash flows of the same entity
3.16
present value
current worth of a future sum of money or stream of cash flows given a specified rate of return
3.17
non economic benefit
benefit for which no payment has been made

3.18
opportunity cost
future estimated cost for a certain information security activity or activities
3.19
opportunity value
future estimated positive value gained from a certain information security activity or activities
3.20
regulatory requirements
mandatory resource demands associated with a specific market
3.21
return on investment
measurement per period rates of return on value invested in an economic entity
3.22
societal value
public distinction between right and wrong
3.23
value
relative worth of an asset to other objects or a defined absolute value
Note 1 to entry: In terms of information security economics (3.11) a value may be positive or negative. In this
document a value is always positive unless otherwise stated.
3.24
value-at-risk
VAR
summarizes the worst loss (3.13) over a target time that will not be exceeded with a given probability
Note 1 to entry: Target time for example could be 1 year and the given probability could also be referred to as
confidence level.
4 Abbreviated terms
BVM Basic Value Model
CIA Confidentiality–Integrity–Availability
ICT Information and Communications Technology
IRP Interest Rate Parity
ISMS Information Security Management System
ROI Return On Investment
5 Structure of this Document
Fundamental to the organizational economics of information security management is the ability to
enable economic values to be presented to management thereby enabling better factual based decisions
regarding the resources to be applied to the protection of the organization’s information assets.
In this Technical Report Clause 6 describes information security economic factors and their relevance in
management decision making. Clause 7 describes the economic objectives in terms of asset evaluations.
Clause 8 describes how to apply an economic balance using information security benefits and costs in
an organizational context in general and using examples depending on the category of a business case.

These clauses are supported by a number of annexes:
— Annex A describes wide context objectives of stakeholders regarding the values of information
security.
— Annex B describes business objectives and related information security organizational cost issues.
— Annex C describes a set of models that can be used for information security organizational economics.
— Annex D describes examples of using models with example figures.
6 Information Security Economic Factors
6.1 Management Decisions
The ISO/IEC 27000 family of standards provides a number of business related objectives guiding
management decisions by which organizations formally and informally assess their need to invest in
information security. These management decisions will be made more effective if a relevant process is
devised to compare the net benefit of an information security investment with competing demands for
resource in other areas of the organization.
The information security decision process needs to include a clear basis in support of management
decision-making, taking into account appropriate factors with respect to the organization’s information
security economics. The economic value of an information security investment should take account of
the organization’s business objectives. With the business objectives directly linked, other factors such
as risks, costs and benefits can now be applied allowing their more effective measurement.
Determining a suitable economic justification for the allocation of resources to preserve the security of
information assets, in a way that allows economic comparison with other ways of using the resources,
needs to be considered by management. One principle is to apply an approach of resource allocation (e.g.
Net Present Value, Return On Investment, Economic Value Added) to an information security management
programme in order to produce results that can be compared for decision-making purposes.
a) Some benefits of an information security management programme may not be economic in nature
because it is difficult to objectively and consistently measure the benefits in economic terms. For
example, if there are regulatory requirements to protect or provide certain information, it may
not be possible to determine the economic value of this benefit. This is also referred to as value of
compliance.
b) Similarly, the societal value of an information security management programme cannot be objectively
determined in economic terms without an effective feedback mechanism from the community. Non-
economic benefits are an important part of the justification of an information security management
programme, however, they cannot be included in any form of financial economic analysis as it is
difficult to apply consistent measurement.
c) Information security can be applied to protect intangible assets such as brand, reputation, etc. The
extent of this protection needs to be calculated and presented in such a way that it relates to the
organization’s evaluation of such intangible assets. The economics applied of the evaluation should
be related to the effect of applying information security to the intangible asset. Economic values
should be sourced from business functions such as financial, risk management, sales and marketing,
etc. Costs for protection should be calculated based on information security.
6.2 Business Cases
An information security investment business case allows an organization to consider whether the
economic benefits outweigh the costs and if so by how much. When information security objectives are
presented to an organization’s management, usually in the form of a business case, economic aspects
should be considered. This should include the consequences resulting from considering the information
security aspects of a business proposition. For example, what will be the economic impact on the
organization’s ability to meet its objectives if an activity is (not) done? A business case should aim to
provide a clear answer to this question.
The business case should present a balanced cost–benefit-risk view so that the organization is aware
of the options and implications of any decision, thus enabling a basis upon which the desirability of
a given security investment can be considered to achieve the best outcomes. These implications and
options could be positive in terms of correct information security investments or negative if inadequate
investments are made.
The business case should be considered in terms of the information security investment costs against
any costs associated with risks. The key fundamental elements of the business case should provide
decision makers with sufficient information to understand:
a) The value of the information asset.
b) The potential risks to the information asset.
c) The known cost of protecting the information asset.
d) The reduction of risk in relation to applying protection.
At some point the protection costs applied to the value of the information asset will reach an optimum
balance point. This optimum point between the protection costs is when the reduction of risk that will
affect the value will be less than the cost of protection (see also model C.4).
Figure 1 symbolizes the need for the business case to include economic factors as part of the business
process.
Figure 1 — Information security organizational economics decision process using 27016
When preparing the business case the organization needs to be mindful that resources are always finite
and that areas of concern need to be considered and prioritised dependent on the organization’s needs.
In this context, information security aspects should be founded on facts and hard data where available
and calculations should be made based on best knowledge and experience, which may include:
e) Calculation with a time-span (maximum, minimum time period, etc.).
f) Cost estimates.
g) Quotations.
h) Predictions of market values.
i) Known or estimated noncompliance fees and penalties.
j) Legal consequences in direct or indirect economic terms.
k) Risk estimates that provide predictions of losses occurring.
l) Opportunity Value.
m) Opportunity Cost.
When making estimates based on a time-span, these could be gathered from statistics, risk assessments,
etc. When defining a time-span it is useful to consult experts from all relevant functions and areas.
Economics related to information security management should cover:
n) Activities and decisions during the whole information security management process.
o) Economic aspects supporting the decision on annual investments for the information security
management process.
p) Ensuring that information security management is undertaken in conformity with ISO/IEC 27001 [1]
(information security management system).
The complexity of a business case for information security management is dependent on scope which
in turn, is based on the context in which information security needs to be applied. In order to be able to
include information security organizational economics as part of a business case, a business rationale
based on a business description needs to be considered in combination with the actual information
security solution. Different economic models can be applied to business cases at different levels of the
organization. These levels could be as simple as using two categories: Category A - Organizational and
Category B - Part of the organization consisting of a process, function, etc. The organizational part can
contain a number of assets. From an information security management perspective, Category B could
also be an application business case for a control or controls.

Table 1 — Categorization of business cases

Business case category A
Type/Scope: Organization wide.
Description of type of business case: High level and more conceptual. This means that the case describes information security applied to the whole or a major part of the organization. It is assumed that ISMS ‘organization wide’ applies to the agreed scope boundaries.
ISM example: A typical case is an ISMS implementation or merger or acquisition of another organization.
Calculation characteristics: High level calculation of opportunity values for the organization and costs for implementing and running the business case. A range is recommended for both values and costs.

Business case category B
Type/Scope: Part of the organization such as process/department/function and/or asset/assets and/or control/controls.
Description of type of business case: A case based on a business activity or an information security activity. The case concerns a change to part of the business and describes information security applied to the change and investment for the organization with multiple effects on information security. The case describes information security applied to a specific asset or set of assets where one or a number of controls should be applied.
ISM example: A typical case is an ICT outsourcing, computer centre and/or such items as secure web, enhanced perimeter protection, computer centre fire protection, IDS deployment, etc.
Calculation characteristics: There could be several calculations and results may need to be aggregated. A calculation of values and costs is generally easy to define but may need to be estimated for complex business cases. A range is recommended for estimates of values but not costs.
Further information about economic decisions and key decision factors are described in Annex B.
6.3 Stakeholder Interests
ISO/IEC 27001 [1] stipulates that the ISMS should be used to further stakeholders’ interests. Furthering
these interests should include consideration of information security economics. Economic factors should
be considered where information security could have a negative impact on stakeholders. As an example
the following values may be used:
a) Societal value, for example, should the total economic value of the defined society be included or
should there be any limitations?
b) Brand value, key business value, etc.
c) Reputation.
d) Customer value.
e) IPR (Intellectual Property Rights).
f) Depending on the business, particular economic values may be needed such as within the health
care sector, transport sector, etc.

Other functions within an organization may have already considered these values for their own
economic calculations and should be encouraged to provide valuable input when information security
is being considered.
Further information on stakeholders and their objectives are found in Annex A.
6.4 Economic Decision Review
The implementation and ongoing management of information security controls to protect information
assets will consume limited organizational resources. They therefore should be treated by an organization
as an item of value with the expectation of returning a favourable future return (e.g. prevention of theft
of sensitive information).
As described in ISO/IEC 27004 [4], an organization needs to continuously evaluate and measure whether
the applied information security has achieved its intended purpose. This measurement process equally
applies to the assessment of the economic investment made by the organization in its limited goods and
services. For example, are the costs of the following activities reasonable:
a) Cost of risk assessing processes and projects.
b) Organizational infrastructure, including the cost of people required to maintain information
security.
c) Information security controls (e.g. cost of user access management solutions, cost of encrypting
backups) providing adequate ongoing protection in accordance with the organization’s risk appetite
(e.g. accepted residual risk).
d) Activities to provide ongoing control testing, process assurance and/or certification to demonstrate
that information security has reached a specific standard.
e) Cultural development, training and awareness leading to a reduction in the number of information
security related incidents.
NOTE Investments in organizational infrastructure and training can have slower but long-term effects on
the organization. Their assessment should therefore be considered over a longer period of time.
7 Economic Objectives
7.1 Introduction
The application of economics to information security management requires appropriate data from the
information security management programme to be used as input factors in any economic decision-
making tools used by the organization. This process is straightforward for financial economic
considerations, but more difficult for non-financial consideration.
Economic decisions involve the prioritization of available limited goods and service resources to optimize
the achievement of organizational objectives. These economic decisions apply equally to information
security management as to other parts of the organization.
Annex B provides examples of information security specific decision factors for consideration when
optimising the achievement of multiple objectives. Each cost decision has the potential to influence the
achievement of information security outcomes. For example, increasing investment in risk mitigation
would allow the organization to operate at lower risk, but may not improve the organization’s
responsiveness to change.
7.2 Information Asset Valuations
Information asset valuations for information security purposes should be performed against the
criteria of Confidentiality, Integrity and Availability (and any additional information security aspects
required by the organization). When establishing a value in monetary terms this value should reflect the
business impact value of the asset if the actual criterion is compromised. For example, if a public website
is compromised in terms of integrity (meaning that the information on that website is misleading), this
may incur a certain business impact which could be expressed in monetary terms. The confidentiality
value in monetary terms on the same website is zero as the information is publicly available. If the same
website becomes unavailable, the business impact will have a different impact in monetary terms due
to external parties not being able to access the information. Thus there exists three different values for
this asset. This guidance should be considered when conducting asset valuations.
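The arithmetic behind the clause 3 definitions (ALE = SLE × ARO, present value, NPV, ROI, VAR), the clause 6.2 balance point between risk reduction and protection cost, and the per-criterion valuation just described can be exercised end to end on the public-website case. The following is an added worked example written for this page; it is not code from ISO/IEC TR 27016 or from any of its annexes, and every monetary figure, rate, control and loss sample in it is constructed.

```python
# Added worked example (not from ISO/IEC TR 27016): business-case arithmetic for a
# single information asset using the clause 3 definitions (ALE = SLE x ARO, present
# value, NPV, ROI, VAR) and the per-criterion valuation of clause 7.2.
# All monetary figures, rates, control names and loss samples are constructed.
from dataclasses import dataclass
from math import ceil
from typing import Iterable


@dataclass(frozen=True)
class Exposure:
    """Business impact of one security criterion (C, I or A) of an asset being compromised."""
    criterion: str
    sle: float  # single loss expectancy: monetary impact of one event
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Annualized loss expectancy, ALE = SLE x ARO (clause 3.1)."""
        return self.sle * self.aro


def ale_by_criterion(exposures: Iterable[Exposure]) -> dict:
    """Clause 7.2: one monetary value per criterion, not a single value per asset."""
    return {e.criterion: e.ale() for e in exposures}


def asset_ale(exposures: Iterable[Exposure]) -> float:
    return sum(e.ale() for e in exposures)


def present_value(amount: float, rate: float, year: int) -> float:
    """Clause 3.16: current worth of a sum received `year` years out at `rate`."""
    return amount / (1.0 + rate) ** year


def npv(cash_flows: list, rate: float) -> float:
    """Clause 3.15: sum of present values; cash_flows[0] is today's (undiscounted) flow."""
    return sum(present_value(cf, rate, t) for t, cf in enumerate(cash_flows))


def control_business_case(before, after, initial_cost, annual_cost, years, rate) -> dict:
    """Compare the risk reduction from a control against its cost over `years` years.

    The yearly benefit is the fall in ALE. The 'justified' flag is the clause 6.2
    balance point: protection stops paying once the risk reduction falls below the
    annualized cost of protection.
    """
    reduction = asset_ale(before) - asset_ale(after)
    flows = [-initial_cost] + [reduction - annual_cost] * years
    total_cost = initial_cost + annual_cost * years
    total_benefit = reduction * years
    return {
        "annual_risk_reduction": reduction,
        "npv": npv(flows, rate),
        "roi": (total_benefit - total_cost) / total_cost,  # clause 3.21, whole period
        "justified": reduction > annual_cost + initial_cost / years,
    }


def value_at_risk(losses: list, confidence: float) -> float:
    """Clause 3.24: worst loss over the target period not exceeded with probability
    `confidence`. Empirical version: that quantile of observed or simulated period losses."""
    ordered = sorted(losses)
    index = max(0, ceil(confidence * len(ordered)) - 1)
    return ordered[index]


# Constructed scenario following the public-website example of clause 7.2: the
# confidentiality value is zero because the content is public; integrity and
# availability carry real business impact.
WEBSITE_BEFORE = [
    Exposure("confidentiality", sle=0.0, aro=1.0),
    Exposure("integrity", sle=50_000.0, aro=0.5),      # misleading content published
    Exposure("availability", sle=20_000.0, aro=2.0),   # outages per year
]
# Hypothetical control set (e.g. integrity monitoring plus DDoS mitigation) lowers the ARO.
WEBSITE_AFTER = [
    Exposure("confidentiality", sle=0.0, aro=1.0),
    Exposure("integrity", sle=50_000.0, aro=0.1),
    Exposure("availability", sle=20_000.0, aro=0.5),
]
# Constructed sample of 20 annual loss figures for the VAR illustration.
SAMPLE_ANNUAL_LOSSES = [0, 0, 0, 1_000, 2_000, 2_500, 3_000, 4_000, 5_000, 5_000,
                        6_000, 8_000, 10_000, 12_000, 15_000, 20_000, 25_000,
                        40_000, 60_000, 250_000]

if __name__ == "__main__":
    print("ALE per criterion:", ale_by_criterion(WEBSITE_BEFORE))
    case = control_business_case(WEBSITE_BEFORE, WEBSITE_AFTER,
                                 initial_cost=60_000, annual_cost=15_000, years=3, rate=0.08)
    print("Business case:", case)
    print("VAR (95 %, 1 year):", value_at_risk(SAMPLE_ANNUAL_LOSSES, 0.95))
```

Running the script shows the three separate values the clause calls for (confidentiality 0, integrity 25 000, availability 40 000 per year), a control set that cuts the asset's ALE from 65 000 to 15 000 per year, and a three-year business case with positive NPV at an 8 % rate; raising the initial cost to 200 000 flips the same case to a negative NPV and fails the balance-point test, which is the comparison clause 6.2 asks decision makers to see. The VAR function returns the 95 % quantile of the constructed loss sample rather than the extreme value, which is the distinction the clause 3.24 note draws between a confidence level and the worst case.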
Since valuation of intangible assets can be difficult, two simple approaches can be adopted: a comparative
scale (e.g. low, medium, high) or a numerical scale (e.g. 1 to 4). This is especially suitable when values
and/or costs are calculated and/or presented as a range of values (min, max).
Economic values that may be used as an economic justification relating to tangible and intangible assets
for information security investment are categorised in Table 2.
Table 2 — Types of Organizational Economic Values
Value type Description
Physical Sum of the tangible assets that comprise an organization
Customer Valuation of the business generated by the portfolio of clients of the organization
Societal Valuation of the perception that society in general has of the organization
Reputational Valuation of the perception that competitors, suppliers, customers, shareholders,
governments and other stakeholder components have of the organization
Intangible / Logical Sum of the intangible assets that comprise an organization. Intangible assets should
also include the information handled by an organization: strategic, business, etc.
Legal and Regulatory Potential sanctions and/or penalties that might result from a breach
The basic value model should be used in conjunction with the balance sheet for evaluating and presenting
conclusions of information security economics and is based on the following characteristics:
Direct values are direct economic values, such as material loss, or direct investments based on an
occurrence that can be passive or active. In this area the values can be precise.
Indirect values are extensions to the direct values and reflect the additional and more intangible values
lost or gained. The indirect values have a greater uncertainty and as such they can be within a range.
These values could include the value of lost output, increased administration, etc.
Extended values are those affected by the direct and indirect values and can be quite substantial. The
extended values have a greater range and have to be evaluated based on the same basis as direct and
indirect values, but will be affected by other factors as well such as impact on the society and/or the
organization as a whole. This could include others such as share price if relevant, etc. Extended values
here are often considered as unquantifiable values such as brand, reputation, etc. (Note extended values
are most likely to be negative but may also be positive.)
An organization should complete its valuation of its information assets by considering the different
stakeholders which include:
a) Tangible assets that comprise an organization.
b) Value of business generated by the portfolio of clients.
c) Intangible assets like information, customer perception, brand value, societal perception.
Table 3 — Types of Economic Asset Values - Principles and examples

Category A
  Value type: Organization
  Description: The parties within scope of the ISMS.
  Asset: The assets defined to be able to run and maintain the business over time.
  Value: The total value could be broken down to business processes related to specific assets such as
  intellectual property rights, databases, ICT resources, etc. to which values could be applied.

Category B
  Value type: 2nd and 3rd Parties
  Description: Individual customers, suppliers.
  Asset: The assets defined to be able to run and maintain the business in relation to a defined party.
  Value: The value defined for the assets involved.

Category C
  Value type: Stakeholders
  Description: Any party interested in the information security aspects of the organization, such as owners.
  Asset: The assets defined to be able to run and maintain the business in relation to a defined party.
  Value: The total value could be broken down to business processes related to specific assets such as
  IPR, databases, ICT resources, etc. to which values could be applied.

Category D
  Value type: Societal
  Description: Community interests.
  Asset: Assets that could compromise the community interest.
  Value: Value of the impact on the community, which is then transferred to the organization.
This valuation can also be graded so as to apply an appropriate combination of the relevant categories.
For example, information assets associated with an entire database of 100,000 customer records
containing personally identifiable information could be much more valuable when all organizational
(category A), stakeholder (category C) and other affected party (category B) interests are aggregated.
Valuations may also be graded based on categories of important assets. For example, a database of
100,000 customer records containing personally identifiable information would be very important to a
government department. Similarly, unpublished final accounts of a major international company would
be very sensitive, with dangers of insider trading and major international economic repercussions.
Organizations can make informed economic decisions by mapping the relationship between cost decisions
and the relative consequences. As each cost decision (e.g. on risk mitigation costs, on certification costs)
can have multiple consequences, it may be possible to represent this relationship in a table.
8 Balancing Information Security Economics for ISM
8.1 Introduction
A well-functioning organization needs an information security management system that ensures its
information assets remain protected from adverse events, while at the same time being available to those
who need to use such information for sustainable organizational delivery of its business objectives. The
common requirements associated with determining benefits and costs to be achieved by an organization
to meet its business objectives are typically associated with:
a) Reduction of losses (often annualized).
b) Minimizing the costs associated with making financial and other provisions for loss events
(incidents).
c) Effectiveness of the information security management programme designed to protect information
assets.
d) Efficiency of the information security programme associated with the cost of planning, designing,
implementing, maintaining and improving the programme.
Information security management can create intangible/non-financial and tangible/financial benefits
with positive values when management maintains an ability to direct and control information security
risks.
Cost and benefit decisions should relate to the expected benefits from achieving a risk reduction by the
deployment of planned controls. Typically risks are mitigated by a number of controls. The deployment
of a particular control may contribute at different levels to risk mitigation, ranging from a minor
contribution through to full risk mitigation.
Information security should support the achievement of business objectives. It should be remembered
that different approaches can be adopted, with different costs and benefits, that will allow the desired
business objectives to be achieved. For example, it may be possible to trade off ‘speed to market’ benefits
(e.g. increased revenue sooner) against increased ‘potential information security loss’ costs (e.g. privacy
of new customer data not protected, and the data accessed by unauthorised persons). In this case potential loss
represents a valuation of the loss that could be incurred in the absence or compromise of the information
asset (customer data). Alternatively, it may be better to accept a higher-cost information security
management programme to realize the benefits that would accompany good customer acceptance of a
product or service.
8.2 Economic Benefits
A reduction in losses can be determined by comparing an anticipated annual loss in the absence and
presence of the Information security management programme under consideration. When performing
this comparison, consideration needs to be given to using a methodology that can be aligned with other
methodologies in use by the organization.
Where different criteria or assessment techniques are used for determining information security risk, the
overall economic results will most likely not be consistent and comparable with other programmes and
initiatives. Similarly, to ensure a consistent and comparable outcome the risk criteria used to determine
economic benefits should be restricted to those that have a financial focus. However, the organization
should also consider how non-financial economic factors could be applied once the financial economic
focus has been completed. Information about management of information security risks can be found in
ISO/IEC 27005 [5].
It is important to note that the selection of the risk criteria relevant to determining financial economic
benefits rarely resides with the information security management function and is often determined by
the Chief Financial Officer or someone with a similar financial role.
Costs associated with minimizing financial loss and other provisions for loss events may be reduced as
a consequence of an Information security management programme. This is an economic benefit that
can be taken into account when evaluating a proposed Information security management programme.
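The valuation model of 7.2 (one monetary value per criterion, built from a precise direct component and indirect and extended components expressed as ranges) and the loss comparison of 8.2 can be put together in a short calculation. The Python below is an added worked example and is not part of the technical report. The website figures, annual rates of occurrence, control names, mitigation fractions and costs are constructed for illustration, and the rule used to combine the partial contributions of several controls (controls treated as independent, so residual risk multiplies) is an assumption of this example; the report only says that a control may contribute anywhere from a minor share to full mitigation.

```python
"""Added worked example (not from ISO/IEC TR 27016): per-criterion asset
valuation with direct/indirect/extended components, and the annual loss
comparison with and without a set of controls.  All figures are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITERIA = ("confidentiality", "integrity", "availability")
Range = Tuple[float, float]  # (min, max)


@dataclass
class ImpactValue:
    """Business impact, in money, if one criterion of an asset is compromised.
    Direct values are treated as precise; indirect and extended as ranges."""
    direct: float = 0.0
    indirect: Range = (0.0, 0.0)
    extended: Range = (0.0, 0.0)

    def total(self) -> Range:
        return (self.direct + self.indirect[0] + self.extended[0],
                self.direct + self.indirect[1] + self.extended[1])


@dataclass
class Asset:
    name: str
    impact: Dict[str, ImpactValue]   # one valuation per criterion
    annual_rate: Dict[str, float]    # anticipated compromises per year, untreated

    def annual_loss(self, mitigation: Optional[Dict[str, float]] = None) -> Range:
        """Anticipated annual loss range; mitigation[c] is the fraction of the
        rate removed for criterion c (0.0 none, 1.0 full mitigation)."""
        lo = hi = 0.0
        for c in CRITERIA:
            value = self.impact.get(c)
            if value is None:
                continue
            residual = 1.0 - (mitigation or {}).get(c, 0.0)
            rate = self.annual_rate.get(c, 0.0) * residual
            vlo, vhi = value.total()
            lo += rate * vlo
            hi += rate * vhi
        return (lo, hi)


@dataclass
class Control:
    name: str
    annual_cost: float
    mitigation: Dict[str, float]     # per-criterion fraction of risk removed


def combined_mitigation(controls: List[Control]) -> Dict[str, float]:
    """Assumed combination rule: controls act independently, so the residual
    risk is the product of each control's residual (the TR leaves this open)."""
    combined = {}
    for c in CRITERIA:
        residual = 1.0
        for ctl in controls:
            residual *= 1.0 - ctl.mitigation.get(c, 0.0)
        combined[c] = 1.0 - residual
    return combined


def programme_benefit(assets: List[Asset], controls: List[Control]) -> Dict[str, object]:
    """Clause 8.2 comparison: anticipated annual loss without and with the
    programme, the resulting reduction, and the net of programme cost."""
    m = combined_mitigation(controls)
    before_lo = before_hi = after_lo = after_hi = 0.0
    for a in assets:
        b_lo, b_hi = a.annual_loss()
        w_lo, w_hi = a.annual_loss(m)
        before_lo += b_lo
        before_hi += b_hi
        after_lo += w_lo
        after_hi += w_hi
    cost = sum(c.annual_cost for c in controls)
    reduction = (before_lo - after_lo, before_hi - after_hi)
    return {
        "loss_before": (before_lo, before_hi),
        "loss_after": (after_lo, after_hi),
        "loss_reduction": reduction,
        "programme_cost": cost,
        "net_benefit": (reduction[0] - cost, reduction[1] - cost),
    }


# Constructed example: the public website of 7.2.  Confidentiality is worth
# zero (the content is public); integrity and availability carry values.
PUBLIC_WEBSITE = Asset(
    name="public website",
    impact={
        "confidentiality": ImpactValue(),
        "integrity": ImpactValue(direct=20000.0, indirect=(5000.0, 15000.0),
                                 extended=(0.0, 50000.0)),  # brand, reputation
        "availability": ImpactValue(direct=10000.0, indirect=(2000.0, 8000.0)),
    },
    annual_rate={"integrity": 0.2, "availability": 0.5},
)

# Constructed controls: names, costs and mitigation fractions are illustrative.
CONTROLS = [
    Control("content integrity monitoring", 6000.0, {"integrity": 0.5}),
    Control("managed hosting with DDoS protection", 4000.0,
            {"integrity": 0.4, "availability": 0.6}),
]

if __name__ == "__main__":
    for key, val in programme_benefit([PUBLIC_WEBSITE], CONTROLS).items():
        print(f"{key}: {val}")
```

With these constructed figures the anticipated annual loss falls from a range of 11 000 to 26 000 to a range of 3 900 to 8 700, a reduction of 7 100 to 17 300 against a programme cost of 10 000. The net benefit range straddles zero, which is exactly the situation in which the report's advice to present values as a (min, max) range, and to agree the risk criteria with the finance function before the comparison is made, matters for the decision.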
8.3 Economic Costs
Costs of an Information security management programme to support particular business objectives
should cover the entire lifecycle of the programme using a risk-based approach. Areas to be covered
may include:
a) Planning.
b) Implementation.
c) Operation.
d) Maintenance.
e) Improvement.
f) Decommissioning.
Reporting and assurance procedures (including any auditing by customers or 3rd parties, internal auditing
or other assurance approaches) should also be included in the costs. Similarly, costs associated with
training and maintaining awareness of people operating or using information security controls should
be included in the costs.
Costs should also cover the entire information security management programme (see ISO/IEC 27001 [1])
and should be associated with a measurement of all the anticipated benefits, not just the economic
benefits (see ISO/IEC 27004 [4]). This approach should be taken as it is often unrealistic to separate costs
into categories associated with economic benefits and other benefits.
Maintaining knowledge about the costs and the effectiveness of the Information security management
programme provides an additional benefit that would enable the organization to convey confidence and
trust to organizational stakeholders.
Key cost areas should be considered when assessing the Information security management programme
as shown in Table 4.
Table 4 — Key cost areas

Cost Area: Risk assessment
  Includes all costs related to risk identification, analysis and evaluation.

Cost Area: Training and awareness
  Includes induction training, company wide programmes, targeted training, training assessment,
  reviews, training material development, presenters, and monitoring tools.

Cost Area: Controls
  Includes direct costs for selecting and implementing controls to reduce risks, operating controls,
  other risk treatment options, and indirect costs related to organizational effectiveness impact
  related to control. Controls may be preventive, detective and/or reactive.

Cost Area: Certification
  Includes costs related to control monitoring and testing, assurance functions, certification testing
  and anything that works towards validating the effectiveness of security controls. Certification
  costs are measured based on staff costs (performing control testing), cost of audits, and cost of
  maintaining cer
...

Frequently Asked Questions
ISO/IEC TR 27016:2014 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.