ISO/IEC TR TECHNICAL 27016 REPORT First edition 2014-03-01 Information technology Security techniques - Information security management Organizational economics Technologies de I'information-Techniques de sécurite - Management de la securite de I'information -Economie organisationnelle ISO /IEC TRRe9162um() IEC @IS0/IEC2014 IS0/IECTR27016:2014(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC2014 AHbyghtyraeansedlalestronicotherwipemifiedlanilaitdfiutdisgpplbbicatbpyimgyolbqnsthgintprndticedntnttiaiaet) otineamyisowithoutprior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. SSeostalight officeCH-1211 Geneva 20 Tel. + 4f22749 01 11 Fax + 41 22 749 09 47 Weaw.osh@iso.org Published in Switzerland ii @ IS0/IEC 2014 -All rights reserved IS0/IECTR27016:2014(E) Contents Page Foreword iv Iptroduction. Scope 2 Normative references 1 3 Terms and definitions 1 4 Abbreviatedterms. 3 5 Structure ofthis Document 3 6 InformationSecurityEconomicFactors. 4 6.1 ManagementDecisions 4 6.2 Business Cases 7 Economic Objectives 8 7.1 Introduction 8 7.2 Information AssetValuations 8 8 Balancing Information Security Economics for ISM 10 8.1 10 Introduction 8.2 Economic Benefits 11 8.3 HpplyingcEastsomicCalculations.to.IS.M 11 AnnexA (informative)Identificationof Stakeholders and Objectivesfor SettingValues .17 AnnexB (informative)EconomicDecisions andKeyCostDecisionFactors .19 ..22 AnnexC (informative)EconomicModelsAppropriateforInformation Security .26 AnnexD(informative)BusinessCasesCalculationExamples Bibliography .31 @ IS0/IEC 2014 -All rights reserved ii