Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021
  • (0)
    ISO-27001-ISO-22301-blog

    ISO 27001 & ISO 22301 Blog

    How to make your investment in ISO 27001 profitable

    Nothing motivates executives more than profits; so, if you’re proposing your ISO 27001 project to your top management, you should figure out how this project can increase the profit of your company. “But how?” you may be wondering. “Profit cannot be created with this kind of a project; there are only costs!”

    Actually, you’re wrong – ISO 27001 can have a positive financial impact on your company. Here’s how.

    How is information security related to profits?

    Profit can be created in two ways: (1) by increasing revenues, and (2) by decreasing costs. Let’s examine both of these from an ISO 27001 perspective.

    Many companies are going for ISO 27001 certification because they need this certificate to get a new client through a tender, or because they want to convince their potential customers that they will safeguard their data in the best possible way. So, the point is – in many cases a company wouldn’t get new clients if they didn’t implement ISO 27001. Since every new client brings in additional revenue, the only question is whether this additional margin is higher than the investment in ISO 27001 – and it very often is.

    Further, the whole philosophy of ISO 27001 is preventive: the main idea is to prevent incidents from happening, or if they do happen, to decrease their impact to a minimum level. In other words, this means that the costs incurred because of incidents won’t happen at all, or they will happen in a much smaller amount. Again, the question is whether this savings is bigger than the investment in ISO 27001 – and again, the answer is mainly yes.

    Of course, this doesn’t mean you can afford to invest huge amounts of money in information security – you have to make sure you keep the ISO 27001 costs down, because otherwise it won’t create the financial impact you wanted it to. See also: 5 ways to avoid overhead with ISO 27001 (and keep the costs down).


    It’s all about risk management

    When I mentioned the preventive philosophy of ISO 27001, I actually meant the risk management: to prevent bad things from happening, first you have to find out which bad things (i.e., incidents) could happen – this is called risk assessment. Once you have a list of potential incidents (i.e., risks), you can start thinking about how to mitigate them, or in ISO 27001 words – how to treat the risks using various information security safeguards. All this together is nothing more than risk management. (To learn more about this concept, read The basic logic of ISO 27001: How does information security work?

    The concept of risk management has existed in companies for a very long time – executives throughout the world insure their buildings, vehicles, and other higher-value assets against different threats (i.e., they transfer the risks to an insurance company), but they also tend to diversify their products and their markets because they don’t want to put all their eggs in the same basket – i.e., they want to reduce the risk of relying on a single product or a single market.

    In smaller companies this risk management is informal, and in larger companies it is more explicit and formal, but the point is – managers are used to managing risks, and this kind of thinking is something they do understand.

    It is true that executives normally do not view information security from this perspective of risk management, so if you want to succeed when speaking to them, then you need to treat your information security as just another way of managing risks. It is a rather novel way to present a security project, but it is also the most effective, because instead of firewalls and disaster recovery sites, now you can start speaking about money – and this is the language they do understand.

    Which concrete steps are required?

    So, knowing all this, what should you do? Basically, the following steps would be advisable:

    Would you agree with these steps? What do you see as the biggest obstacles in getting the support from your top management?

    Check out this free PowerPoint presentation  Project proposal for ISO 27001 implementation that will help show you which items would be the best to present to your top management.

    Here you can also learn how to prioritize your security investment through risk quantification.

    Advisera Dejan Kosutic
    Author
    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.