Four key benefits of ISO 27001:2022 implementation

29.06.23 02:36 PM - By Frederik

Have you ever tried to convince your management to fund the implementation of information security? If you have, you probably know how it feels – they will ask you how much it costs, and if it sounds too expensive, they will say no.

Actually, you shouldn’t blame them – after all, their ultimate responsibility is the profitability of the company. That means their every decision is based on the balance between investment and benefit, or to put it in management’s language – ROI (return on investment).

This means you have to do your homework before proposing such an investment – think carefully about how to present the benefits, using language that management will understand and endorse.

I’ll help you – the benefits of information security, especially the implementation of ISO 27001:2022, are numerous. But in my experience, the following four are the most important:

1) Compliance

It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if a company must comply with various regulations regarding data protection, privacy, and IT governance (particularly if it is a financial, health, or government organization), then ISO 27001 can bring in the methodology that enables it to do so in the most efficient way.

Even more important, if an existing customer asks you to comply with ISO 27001, then you need to comply with the standard to keep the client.

2) Marketing edge

In a market that is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of potential customers. ISO 27001 could be a unique selling point that can set you apart from your competitors, especially if new clients want their data to be treated with great care.

3) Lowering expenses

Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.

To be honest, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.

4) Bringing order to your business

This one is probably the most underrated – if your company has been growing rapidly for the last few years, you might experience problems such as: who decides what, who is responsible for certain information assets, who authorizes access to information systems, and so on. ISO 27001 is particularly good at sorting these things out – it will force you to define roles and responsibilities very precisely, and therefore strengthen your internal organization.

To conclude – ISO 27001 could bring in many benefits besides being just another certificate on your wall. In most cases, if you present those benefits in a clear way, the management will start listening to you.

Frederik