17799.Com :: View topic - ROI for security implementation
Joined: Dec 17, 2004 Posts: 22 Location: Ontario, Canada
Posted: Thu Feb 17, 2005 11:48 pm Post subject: Some variables
One of the reasons we pursued it was the fact that a number of our partners wanted to audit us before they "got into bed with us", so to speak. We didn't want them to get access to all our dirty little secrets, nor did we want to go through this process every time we hooked up with a new partner. As such, we decided that by achieving this accreditation, we could provide assurance to our partners of our security processes and practices, and we wouldn't have to allow all those external companies access.
ROI - saves time and effort, provides assurances to partners.
Cheers,
"Paranoia is the only sane approach. In this business, you would be crazy not to be paranoid."
Joined: Aug 05, 2005 Posts: 4 Location: International
Posted: Sat Aug 06, 2005 12:34 am Post subject:
As an auditor/consultant for ISO 17799 I must say that I have never seen a ROI or ROSI (Return on Security Investment) definition that really made sense to me because of the unusually high degree of speculation when calculating the return. The return is usually not even measurable because it may consist in: (a) heightened awareness and therefore faster incident response, (b) less actual damage (e.g. because virus protection was implemented and had not been there before), (c) avoided damage, which is hardly quantifiable.
Just to convince top management, here are two approaches that usually work:
1.) Put the investment cost and a reasonable damage figure opposite each other. Even the most stubborn CFO will usually quickly understand the message.
2.) Make it clear to management that it's THEM who go to prison in case of a violation of compliance, not you.