How to make your investment in ISO 27001 profitable

Nothing motivates executives more than profits; so, if you’re proposing your ISO 27001 project to your top management, you should figure out how this project can increase the profit of your company. “But how?” you may be wondering. “Profit cannot be created with this kind of project; there are only costs!”

Actually, you’re wrong – ISO 27001 can have a positive financial impact on your company. Here’s how.

How is information security related to profits?

Profit can be created in two ways: (1) by increasing revenues, and (2) by decreasing costs. Let’s examine both of these from an ISO 27001 perspective.

Many companies are going for ISO 27001 certification because they need this certificate to get a new client through a tender, or because they want to convince their potential customers that they will safeguard their data in the best possible way. So, the point is – in many cases a company wouldn’t get new clients if they didn’t implement ISO 27001. Since every new client brings in additional revenue, the only question is whether this additional margin is higher than the investment in ISO 27001 – and it very often is.

Further, the whole philosophy of ISO 27001 is preventive: the main idea is to prevent incidents from happening, or, if they do happen, to reduce their impact to a minimum. In other words, the costs incurred because of incidents either won’t occur at all or will be much smaller. Again, the question is whether these savings are bigger than the investment in ISO 27001 – and again, the answer is usually yes.

Of course, this doesn’t mean you can afford to invest huge amounts of money in information security – you have to make sure you keep the ISO 27001 costs down, because otherwise it won’t create the financial impact you wanted it to. See also: 5 ways to avoid overhead with ISO 27001 (and keep the costs down).


It’s all about risk management

When I mentioned the preventive philosophy of ISO 27001, I actually meant risk management: to prevent bad things from happening, first you have to find out which bad things (i.e., incidents) could happen – this is called risk assessment. Once you have a list of potential incidents (i.e., risks), you can start thinking about how to mitigate them, or, in ISO 27001 terms, how to treat the risks using various information security safeguards. All this together is nothing more than risk management. (To learn more about this concept, read The basic logic of ISO 27001: How does information security work?)

The concept of risk management has existed in companies for a very long time – executives throughout the world insure their buildings, vehicles, and other higher-value assets against different threats (i.e., they transfer the risks to an insurance company), but they also tend to diversify their products and their markets because they don’t want to put all their eggs in the same basket – i.e., they want to reduce the risk of relying on a single product or a single market.

In smaller companies this risk management is informal, and in larger companies it is more explicit and formal, but the point is – managers are used to managing risks, and this kind of thinking is something they do understand.

It is true that executives normally do not view information security from this perspective of risk management, so if you want to succeed when speaking to them, then you need to treat your information security as just another way of managing risks. It is a rather novel way to present a security project, but it is also the most effective, because instead of firewalls and disaster recovery sites, now you can start speaking about money – and this is the language they do understand.

Which concrete steps are required?

So, knowing all this, what should you do? Basically, the following steps would be advisable:

Would you agree with these steps? What do you see as the biggest obstacles in getting the support from your top management?

Check out this free PowerPoint presentation, Project proposal for ISO 27001 implementation, which will help show you which items would be the best to present to your top management.

Here you can also learn how to prioritize your security investment through risk quantification.

Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.