ISO 27001 & 22301 / ROSI - interpreting calculated value
Hi, I wonder how I should think when I calculate my ROSI value. If I receive a positive value I should invest in that security correction, and if I receive a negative value I should not invest. Have I understood it right?
First, it is important to note that the interpretation will depend on how the formula considers the incident costs and the security control costs.
For example, in the formula:
ROSI = cost of a realized incident - the cost of needed security controls
the results can be interpreted as you said (i.e., a positive result means that the implementation of the security controls is worthwhile, and a negative result means the implementation is not worthwhile).
If the formula is:
ROSI = cost of needed security controls - the cost of a realized incident
the interpretation of the results would be the inverse.
These articles will provide you with a further explanation about ROSI:
This material can also help you:
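The following is an added worked example, not part of the original question or answer, showing how the sign convention changes the reading of the same numbers. It builds the "cost of a realized incident" from an annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence, scaled by the fraction of loss the control is expected to prevent), then evaluates both difference forms from the answer above plus the ratio form (ALE x mitigation ratio - control cost) / control cost, which is the common ENISA-style ROSI and is included here as an assumption, not something the answer states. All figures and scenario names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One incident scenario and the control proposed for it.
    Constructed sample values for illustration, not real figures."""
    name: str
    sle: float               # single loss expectancy: cost of one realized incident
    aro: float               # annualized rate of occurrence (incidents per year)
    mitigation_ratio: float  # fraction of the loss the control is expected to prevent (0..1)
    control_cost: float      # annual cost of the security control


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return s.sle * s.aro


def avoided_loss(s: Scenario) -> float:
    """Annual incident cost the control is expected to prevent."""
    return ale(s) * s.mitigation_ratio


def rosi_incident_minus_control(s: Scenario) -> float:
    """First form in the answer: incident cost - control cost.
    Positive means the control pays for itself."""
    return avoided_loss(s) - s.control_cost


def rosi_control_minus_incident(s: Scenario) -> float:
    """Second form in the answer: control cost - incident cost.
    Same magnitude, inverted sign, so NEGATIVE means invest."""
    return s.control_cost - avoided_loss(s)


def rosi_ratio(s: Scenario) -> float:
    """Ratio form (assumption: common ENISA-style ROSI), expressed as a
    fraction of the control cost. Positive means invest; 0.6 means the
    control returns 60% more than it costs per year."""
    if s.control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (avoided_loss(s) - s.control_cost) / s.control_cost


def should_invest(value: float, convention: str) -> bool:
    """Turn a ROSI value into a decision under the stated sign convention."""
    if convention == "incident_minus_control":
        return value > 0
    if convention == "control_minus_incident":
        return value < 0
    if convention == "ratio":
        return value > 0
    raise ValueError(f"unknown convention: {convention}")


def evaluate(s: Scenario) -> dict:
    """Compute all three forms and show that they agree on the decision
    once each one is read with its own sign convention."""
    forms = {
        "incident_minus_control": rosi_incident_minus_control(s),
        "control_minus_incident": rosi_control_minus_incident(s),
        "ratio": rosi_ratio(s),
    }
    decisions = {k: should_invest(v, k) for k, v in forms.items()}
    # All conventions must reach the same conclusion for the same inputs.
    assert len(set(decisions.values())) == 1, "sign conventions disagree"
    return {"scenario": s.name, "ale": ale(s), "values": forms,
            "invest": decisions["incident_minus_control"]}


# Constructed sample scenarios (hypothetical figures).
RANSOMWARE_BACKUPS = Scenario("offline backups vs ransomware", sle=200_000,
                              aro=0.5, mitigation_ratio=0.8, control_cost=50_000)
KIOSK_HARDENING = Scenario("hardening a low-value kiosk", sle=10_000,
                           aro=0.2, mitigation_ratio=0.9, control_cost=5_000)

if __name__ == "__main__":
    for scenario in (RANSOMWARE_BACKUPS, KIOSK_HARDENING):
        print(evaluate(scenario))
```

Reading the output: the backup control shows +30,000 in the first form, -30,000 in the inverted form and a ratio of 0.6, all of which mean "invest"; the kiosk control shows -3,200 / +3,200 / -0.64, all of which mean "do not invest". The lesson from the answer holds: check which way the formula subtracts before reading the sign.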