Sunday, 24 November 2013

Benefits of ISO 27001:2013

My team was recently asked to produce a case for actually implementing ISO 27001:2013 or other standards. One of the problems with information assurance / cyber security is the discussion of when to stop. It is very easy to spend money on cyber security; however, how do you know that what you are spending is worthwhile or correctly targeted?

While we were researching this problem we looked into the benefits of ISO 27001:2013 as a way of deciding how much cost we could justify, and how that would benefit top-level stakeholders. Part of the way we did this was by breaking down a document by the BSI on the benefits of ISO 27001 to give us the benefits, and linking these to core actions within the standard itself to see how each part of the standard gave value rather than increased security. The map that we produced is currently available for free on StratNav.

The top-level benefits of ISO 27001:2013 are partially what you'd expect:
  • Better protection of information
  • Enhanced business reputation
  • Better understanding of threats to the business
  • Clearer alignment of IS procedures to business objectives
What is more interesting is the way that these are achieved. Clearer alignment comes from a better understanding of what the business is using information to achieve, coupled with better-focused spending on IS. Enhanced business reputation is, of course, fewer incidents; however, it is also better-focused and more efficient operations, allowing you to win and maintain more business.

I'd argue that a strong benefits focus is needed to ensure that IS spending and policy are focused on supporting the business use of information, rather than the traditional model of IS telling the business how to "safely" use information. Getting IT and IS to agree that they should enable rather than protect could be a challenge in some organisations; however, it is a challenge well worth taking on.

Thursday, 21 November 2013

Interesting uses of Benefits Realisation

One of the things often said about Government is that when there is plenty of money it pays to achieve things, and when there is no money it writes policy.  This is all well and good, but of course how do those tasked with implementing a mass of policy make sense of it?

The company Reachal has been working with PSN in Cabinet Office on a possible solution for this. That solution takes the form of an application called StratNav. This application is a free demonstration of how benefits mapping can take multiple complex strategies, break them down into what needs to be done, what that gives, and how it achieves goals. More than this, though, the Gov ICT collection allows users to visualise the links between individual strategies and follow them between and through strategies.

We think it is a far better way of consuming strategies and understanding them in a much more realistic way than simply trying to read hundreds of pages of text.  Give it a try, and let Reachal know if you agree!