The ISO-27001 Business Case Meeting
“…But how will it benefit the business?” the CEO asked. A simple yet challenging question, put to the highly passionate chap recently hired to set up the IT Governance function in the organization. Taking a sip of water to buy some time for the most appropriate answer, he mumbled: “We will be ISO-27001 certified!” The CEO smiled, took the final sips of his coffee and said, “All of our clients are already very happy with our services and none of them is asking us to get any certification. Moreover, there is no direct regulatory requirement to have such a standard in place. So why invest in ISO 27001…?” (And the silence continued!)
Can you relate to this conversation?
ISO-27001: The Information Security Management System
ISO-27001, a.k.a. an Information Security Management System (ISMS), provides a systematic approach to planning, implementing, monitoring and improving information security in the organization. Broadly speaking, the standard provides an information security “management system” built on the famous Deming Cycle (Plan, Do, Check, Act) and provides “information security controls” grouped under categories such as physical security, human resources, network security, application security and so on.
In Pakistan, many leading private and public sector organizations have successfully adopted ISMS, including AbacusConsulting, InfoTech, CDC, Allied Bank, and SECP. Most of the private sector pursued their ISMS journey under financial support from the Pakistan Software Export Board (PSEB) a couple of years ago. For the public sector, regulators were the major drivers for implementing ISMS, along with the prevailing security situation in Pakistan and growing concern over targeted cyber-attacks on the information assets of Pakistani public sector organizations. Within the private sector, banks and IT companies took the lead in implementing ISMS standards. However, it must be noted that, being an Information Security Management System, this standard can be implemented in a company with no computers or IT infrastructure as well. Such companies are rare, though, as information processing today depends largely on IT and related technologies.
Developing a Business Case for ISO-27001:
So now I will get directly to one of the questions I am asked most frequently during training sessions and advisory meetings on ISMS: “How do you develop a strong business case for ISO-27001?”
Well, let’s split the process of developing the business case for ISO-27001 into 5 clear steps and talk about each of them in detail:
Step 1: Understand Business Context
Step 2: Evaluate high-level Risks
Step 3: Identify & Evaluate Past Incidents
Step 4: Short-Mid Term Benefits
Step 5: Develop a well-structured Business Case
It’s important to understand who should develop this business case. The rule of thumb is that the business case should be developed by the most senior resource possible. Moreover, IT people should try to involve other departments, including HR, Operations, Business, and Finance, to create “shared ownership” of this business case rather than flying solo.
Step 1: Understand Business Context:
You need to forget your functional role (IT, HR, etc.) while understanding the business context. Understand the organization’s vision, plans, and strategies for the next 3-5 years and take notes of all the points which can help you in developing the ISMS business case. Try to understand the market in which the company provides its products/services and note the overall information security threats in that market. Identify the organization’s competitors and evaluate how ISMS can strengthen your organization’s position. You need to connect with the Business Leadership to get a feel for the organization’s direction, as they are the best source of business-related information. The Business Leadership may not speak with you in technical IT terms (and they don’t need to), but you need to drill down further and find out how IT relates to the overall business and how ISMS will enable IT to support the business effectively, something called IT-Business alignment. Remember that ISMS cannot be conceived (or implemented) in silos; it will affect everyone in the organization directly or indirectly. Moreover, don’t get overwhelmed while evaluating the business context; you just need to get a feel for where the organization is going in the next 3 to 5 years.
Step 2: Evaluate high-level Risks
Once you understand the business context at a high level, the next step is to get a little more specific about information security-related aspects. You need to highlight all of the critical information and all entities which are involved in the information lifecycle, as shown in the following diagram:
The risks to the identified information and related entities are evaluated along the following three dimensions:
1) Confidentiality – How important is the confidentiality of this information?
2) Integrity – What kind of loss can the business expect if the information is not up-to-date?
3) Accessibility – What is the impact of the non-availability of this information?
So for example, if you are working in a bank and evaluating the “Online Banking Service” which processes critical “Customer Account Information”: what is the impact on the business if it gets hacked (loss of confidentiality), shows incomplete account transactions (lack of integrity) or becomes inaccessible? List all of the risks and highlight the critical risks. The critical risks are those that directly affect the core operations of the business (i.e. the value chain of the business). Document these risks, as they will come in handy in the development of the ISO-27001 business case and will become the basis for further work.
Step 3: Identify & Evaluate Past Incidents:
Past information security incidents are probably the best piece of information for your business case. Try to identify all past incidents which affected the Confidentiality, Integrity or Accessibility (CIA) of critical information AND affected the business significantly. Most of the time, such incidents will already be known to Senior Leadership, but you can still quote them in your business case as a basis for future prevention. Moreover, you can also highlight probable incidents which may occur in the future and support your argument with any weaknesses in your information security infrastructure. If you don’t find any incidents, then you can refer to other organization(s) in your industry. Cyber security in Pakistan is facing challenges from global threats; document the most recent incidents which had a significant business impact.
Step 4: Short-Mid Term Benefits:
It’s always good to talk about Vision 2020 but frankly, most of us won’t even make it to 2020!
You need to communicate simple and achievable benefits of implementing ISO-27001 in the near future (along with the long-term benefits). What are the benefits which can be achieved in, let’s say, the next 3 months, and so on? Break the overall goals into smaller, manageable and measurable goals, as the Senior Leadership will be evaluating all of the associated financials and the expected ROI. The ROI of implementing ISO-27001 should be developed with the Senior Leadership’s mindset in view. We all know that after implementing ISO-27001 the organization will get a nice ISO-27001 certificate and that it will bring some commercial value to the business. Following are the 4 high-level ROI points as highlighted by Dejan Kosutic:
1) Compliance i.e. The Certificate!
2) Marketing edge
3) Lowering IT costs
4) Clear roles and responsibilities
Step 5: Develop a well-structured Business Case:
Following are a few rules to follow while compiling the ISO-27001 business case (assuming you are presenting to an internal client, i.e. CEO, CIO, IT Manager, etc.):
• If you are presenting to an external client, include a brief introduction of your company and ideally keep the company profile separate from the core business case
• The business case should be precise and supported by facts and figures
• The business case should have content which can be read/presented in 15 minutes max (Yes, believe it or not, that’s the time the decision-makers can spare for your business case)
• If you are using PowerPoint, think of 5-8 slides maximum; for MS Word, think of 4-5 single-spaced A4 pages
• Provide alternative implementation approaches alongside going for a third-party certification audit, and give Senior Leadership the chance to choose the most feasible option available
Note: Our experts have developed a simple PowerPoint-based “ISO-27001 Business Case Template” which can be downloaded from the Resources section of our portal.
Summing it all up!
Senior leadership needs to see tangible results from the ISO-27001 implementation which can be achieved in the near term with minimum investment (and maximum ROI). You should wait for ISO-27001 business case approval before starting Information Security Awareness activities among your colleagues, peers, and employees.
Best of luck to all of you!