What is this published document about?
It supplements the ISO/IEC 27000 family of standards by overlaying an economic perspective on protecting an organization’s information assets in the context of the wider societal environment in which an organization operates.
Who is this published document for?
Anyone making information security investment decisions will find this document useful, specifically:
- Executive management of any organization with delegated responsibility for strategy and policy
- Those responsible for preparing business cases for information security investment
Why should you use this published document?
This document provides information that will enable top management to make economic decisions concerning information security management. It complements the risk management approach of ISO/IEC 27001 and ISO/IEC 27005 in enabling organizations to perform effective information security management.