Expert Advice Community


Question on Creating a Business Case for ISMS ISO 27001:2013

Guest user | Created: Jun 17, 2022 | Last commented: Jun 17, 2022


1. Is the creation of an ISO 27001 ISMS Implementation Business Case document mandatory?

2. What components should the business case contain?

3. When is the Business Case document created? Before starting the ISMS planning phase? After the gap analysis, after the risk analysis, etc.?

4. As in the initial phase of an ISO 27001 ISMS implementation project the cost and/or the investments required for the implementation of the controls for the treatment of risks are not yet known, how is the financial budget of an ISO 27001 ISMS project to be added to the Business Case?

Rhand Leal Jun 17, 2022

1. Is the creation of an ISO 27001 ISMS Implementation Business Case document mandatory?

ISO 27001 does not require the development of a business case for ISMS implementation, although elaborating such material can be very useful to help you identify business objectives related to information security, gain top management support for this project, and define top-level objectives for the ISMS (which are mandatory for the standard).

These articles will provide you with a further explanation about getting top management support:

These materials will also help you with top management support:

2. What components should the business case contain?

Basically, you need to cover why an ISO 27001 ISMS is needed and what benefits the organization can achieve with its implementation.

Generally speaking, an ISO 27001 business case would cover these four benefits: assured compliance, enhanced marketing edge, decreased expenses, and improved organizational structure. You can see more detailed information in this article: Four key benefits of ISO 27001 implementation

In our free materials, you can find these two templates that present a general framework to organize the information needed to present a business case:

3. When is the Business Case document created? Before starting the ISMS planning phase? After the gap analysis, after the risk analysis, etc.?

Generally, the business case is developed to get authorization for starting an ISMS project, i.e., even before the planning phase.

4. As in the initial phase of an ISO 27001 ISMS implementation project the cost and/or the investments required for the implementation of the controls for the treatment of risks are not yet known, how is the financial budget of an ISO 27001 ISMS project to be added to the Business Case?

Since the budget for controls implementation is not yet known at the beginning of the project, in the business case you need to state this issue and that, after the risk assessment and treatment process is concluded, financial information about the controls can be presented.

Please note that ISO 27001 does not require all controls to be implemented, and that business context, together with risks and legal requirements, are inputs for deciding which controls to implement, so you can adjust your implementation plan according to the available budget and acceptable risks.

This article will provide you with further explanation:
