The hardest part of the ISO 27001 process is convincing the management team that an investment in information security makes sense and is something from which they will see a return. A conventional return on investment is hard to calculate for an ISO 27001 implementation because it generates no revenue of its own; what it does produce is avoided losses, and it is by estimating those avoided losses that we can put a figure on the financial benefit.
Firstly you need to think about the cost and damage a single incident could cause. This is complex, and there are many factors to take into account. One factor is the scope of the incident: how many departments and processes would be affected. An incident could take out the systems of the whole organisation, which would cause havoc because people would be unable to work effectively. The organisation may need to buy new equipment or materials to replace what the incident damaged, and employees may need retraining or may have to take time out of their day to help resolve the issue. Lastly there are the legal penalties you may face and the revenue lost from both existing and potential clients. Adding these elements together for one occurrence of a given incident gives you its Single Loss Expectancy (SLE).
Once you have calculated the Single Loss Expectancy, estimate the likelihood that such an incident will occur in a given year (the annualised rate of occurrence) and multiply the two to get the Annual Loss Expectancy (ALE). Implementing the controls does not reduce that likelihood to zero, so the benefit is the difference between the ALE before and after the ISMS is in place; it is not the whole ALE. Subtract from that reduction the amount you would have to pay annually to implement, maintain and keep certifying the ISMS, and you can see in real terms whether the investment is worthwhile. Again there are different elements to the cost: the initial implementation outlay, the internal cost of running the system, and the external cost of audits and maintenance. The underlying trade-off is that the more you invest in the controls, the lower the likelihood of an incident, and so the larger the reduction in ALE.
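As an added illustration, and not part of the original article, the following Python script turns the procedure above into a small calculator: it breaks each incident scenario into the loss components listed earlier, computes SLE and ALE before and after the controls, nets off the annualised ISMS cost, and also reports the break-even likelihood, which is the number to show a sceptical manager instead of defending a single estimate. Every figure, scenario name and cost line in it is a constructed placeholder, not a benchmark from the article or any real organisation.

```python
"""ALE-based business case for an ISO 27001 ISMS.

Added example, not from the original article. All numbers are constructed
placeholders; replace them with your own estimates.
"""
from dataclasses import dataclass


@dataclass
class IncidentScenario:
    """One incident type, with its Single Loss Expectancy broken down by component."""
    name: str
    downtime_loss: float          # staff unable to work while systems are down
    equipment_replacement: float  # damaged or compromised equipment and materials
    recovery_effort: float        # staff time spent resolving the incident, retraining
    legal_penalties: float        # fines and contractual penalties
    lost_revenue: float           # existing and prospective clients lost
    aro_before: float             # annualised rate of occurrence without the ISMS
    likelihood_reduction: float   # fraction by which the controls cut the ARO (0..1)

    def sle(self) -> float:
        """Single Loss Expectancy: total cost of one occurrence."""
        return (self.downtime_loss + self.equipment_replacement + self.recovery_effort
                + self.legal_penalties + self.lost_revenue)

    def ale_before(self) -> float:
        """Annual Loss Expectancy with no controls: SLE x ARO."""
        return self.sle() * self.aro_before

    def ale_after(self) -> float:
        """ALE once the controls have reduced the likelihood (never to zero here)."""
        return self.sle() * self.aro_before * (1 - self.likelihood_reduction)


@dataclass
class IsmsCost:
    """Cost of implementing and running the ISMS, annualised."""
    initial: float            # gap analysis, implementation, first certification audit
    internal_annual: float    # staff time running the ISMS each year
    external_annual: float    # surveillance audits, consultants, tooling
    amortisation_years: int = 3  # assumption: spread the initial outlay over 3 years

    def annual(self) -> float:
        return (self.initial / self.amortisation_years
                + self.internal_annual + self.external_annual)


def net_annual_saving(scenarios: list[IncidentScenario], cost: IsmsCost) -> float:
    """Reduction in ALE across all scenarios minus the annual ISMS cost."""
    reduction = sum(s.ale_before() - s.ale_after() for s in scenarios)
    return reduction - cost.annual()


def break_even_aro(scenario: IncidentScenario, cost: IsmsCost) -> float:
    """Likelihood at which this scenario alone pays for the ISMS.

    Solves cost = SLE * ARO * reduction for ARO. Presenting this threshold
    sidesteps the argument over any single likelihood estimate.
    """
    reduction_per_incident = scenario.sle() * scenario.likelihood_reduction
    if reduction_per_incident <= 0:
        return float("inf")
    return cost.annual() / reduction_per_incident


def example_scenarios() -> list[IncidentScenario]:
    """Constructed placeholder scenarios (currency units are arbitrary)."""
    return [
        IncidentScenario("Site-wide outage", 120_000, 30_000, 40_000, 50_000, 160_000,
                         aro_before=0.25, likelihood_reduction=0.6),
        IncidentScenario("Client data disclosure", 10_000, 0, 25_000, 100_000, 65_000,
                         aro_before=0.1, likelihood_reduction=0.5),
    ]


def example_cost() -> IsmsCost:
    """Constructed placeholder cost figures."""
    return IsmsCost(initial=90_000, internal_annual=20_000, external_annual=15_000)


if __name__ == "__main__":
    scenarios, cost = example_scenarios(), example_cost()
    print(f"{'Scenario':<25}{'SLE':>10}{'ALE before':>12}{'ALE after':>11}{'Break-even ARO':>16}")
    for s in scenarios:
        print(f"{s.name:<25}{s.sle():>10,.0f}{s.ale_before():>12,.0f}"
              f"{s.ale_after():>11,.0f}{break_even_aro(s, cost):>16.3f}")
    print(f"Annual ISMS cost: {cost.annual():,.0f}")
    print(f"Net annual saving: {net_annual_saving(scenarios, cost):,.0f}")
```

With these placeholder figures the outage scenario on its own does not pay for the ISMS (its estimated ARO of 0.25 sits below its break-even ARO of about 0.27), but the two scenarios together do, which is the kind of nuance a flat "ALE minus cost" figure hides.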
You can be sceptical about the final figure ISO 27001 is said to save you; after all, how are you expected to estimate the likelihood of an event happening? The main point, though, is that with these figures you are speaking your management's language. By presenting clear-cut figures you increase your chance of being heard, because you can give them simple numbers that set out the advantages in real profit and loss terms.