Have you ever tried to convince your management to fund the implementation of information security? If you have, you probably know how it feels - they will ask you how much it costs, and if it sounds too expensive they will say no.

Actually, you shouldn't blame them - after all, their ultimate responsibility is the profitability of the company. That means their every decision is based on the balance between investment and benefit, or, to put it in management's language, ROI (return on investment).

This means you have to do your homework first before trying to propose such an investment - think carefully about how to present the benefits, using language the management will understand and endorse.

I'll try to help you - the benefits of information security, especially the implementation of ISO 27001, are numerous. But in my experience, the following four are the most important:

1. Compliance

It might seem odd to list this as the first benefit, but it often shows the quickest "return on investment" - if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology that enables you to do it in the most efficient way.

2. Marketing edge

In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could indeed be a unique selling point, especially if you handle clients' sensitive information.

3. Lowering the expenses

Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.

The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management's attention.

4. Putting your business in order

This one is probably the most underrated - if you are a company which has been growing sharply for the last few years, you might experience problems like: who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems, etc.

ISO 27001 is particularly good at sorting these things out - it will force you to define very precisely both the responsibilities and the duties, and therefore strengthen your internal organization.

To conclude - ISO 27001 could bring in many benefits besides being just another certificate on your wall. In most cases, if you present those benefits in a clear way, the management will start listening to you.