• DocumentCode
    1922635
  • Title
    Cost-Benefit Trade-Off Analysis of an ISMS Based on ISO 27001
  • Author
    Boehmer, Wolfgang

  • Author_Institution
    Tech. Univ. Darmstadt, Darmstadt
  • fYear
    2009
  • fDate
    16-19 March 2009
  • Firstpage
    392
  • Lastpage
    399
  • Abstract
    If companies wish to safeguard their value chain, they should invest with the singular goal of securing revenues by taking adequate risk countermeasures. However, the investment in a risk countermeasure must be reflected in an adequate safeguarding of the value chain. In other words, the investment in the safeguard, e.g., the implementation of an ISMS based on ISO/IEC 27001:2005, must be comparable to the benefit of the value chain. As a direct analysis is difficult, a suitable alternative must be found. In this paper, we propose using Key Performance Indicators (KPIs) as a suitable alternative that captures both the effectiveness and the economic efficiency of an ISMS. However, the KPIs for effectiveness and efficiency are contradictory and constitute a trade-off. In order to minimize the reduction in turnover, we propose using combinatorial optimization. Such an optimization should weigh the benefit of a policy, in terms of risk, for each control against the cost of that control, in terms of avoiding, mitigating or transferring the risk, up to some predetermined investment limit.
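    The following Python script is an added illustration of the combinatorial optimization the abstract describes (the keywords name it a knapsack problem); it is example code written for this record, not code from the paper or its author. It selects the subset of controls that maximises avoided loss under an investment limit and compares the result with a greedy selection that maximises the efficiency KPI directly, which makes the effectiveness-versus-efficiency trade-off visible. The control names and every cost and benefit figure are constructed assumptions; the paper's own model, KPI definitions and data are not reproduced here.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    """One candidate safeguard with its one-off cost and the expected loss it avoids."""
    name: str
    cost: int     # investment needed to implement the control (kEUR, constructed figure)
    benefit: int  # expected annual loss avoided, i.e. risk reduction (kEUR, constructed figure)


# Constructed, illustrative control portfolio. The names only loosely echo ISO/IEC 27001
# Annex A themes; the cost and benefit figures are made up for this example.
CONTROLS: List[Control] = [
    Control("multi-factor authentication", cost=40, benefit=90),
    Control("backup and restore", cost=30, benefit=70),
    Control("malware protection", cost=25, benefit=45),
    Control("network segmentation", cost=60, benefit=100),
    Control("incident management", cost=35, benefit=50),
    Control("disaster recovery site", cost=120, benefit=130),
]


def select_controls(controls: List[Control], budget: int) -> List[Control]:
    """0/1 knapsack: choose the subset of controls that maximises avoided loss
    without exceeding the investment limit. Each control is taken at most once."""
    n = len(controls)
    # best[i][b] = maximal benefit using only the first i controls with budget b
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        c = controls[i - 1]
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]            # option 1: skip control i
            if c.cost <= b:                        # option 2: take it, if affordable
                with_c = best[i - 1][b - c.cost] + c.benefit
                if with_c > best[i][b]:
                    best[i][b] = with_c
    # Walk the table backwards to recover which controls were taken.
    chosen: List[Control] = []
    b = budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(controls[i - 1])
            b -= controls[i - 1].cost
    chosen.reverse()
    return chosen


def greedy_by_efficiency(controls: List[Control], budget: int) -> List[Control]:
    """Heuristic that optimises the efficiency KPI directly: take controls in order of
    benefit per unit cost until no further control fits into the remaining budget."""
    chosen: List[Control] = []
    remaining = budget
    for c in sorted(controls, key=lambda c: c.benefit / c.cost, reverse=True):
        if c.cost <= remaining:
            chosen.append(c)
            remaining -= c.cost
    return chosen


def kpis(chosen: List[Control], portfolio: List[Control]) -> Tuple[int, int, float, float]:
    """Return (total cost, total benefit, effectiveness, efficiency).
    effectiveness = share of the portfolio's total avoidable loss that is covered;
    efficiency    = avoided loss per unit of investment."""
    cost = sum(c.cost for c in chosen)
    benefit = sum(c.benefit for c in chosen)
    effectiveness = benefit / sum(c.benefit for c in portfolio)
    efficiency = benefit / cost if cost else 0.0
    return cost, benefit, effectiveness, efficiency


if __name__ == "__main__":
    BUDGET = 150  # constructed investment limit, kEUR
    for label, picker in (("knapsack", select_controls), ("greedy", greedy_by_efficiency)):
        picked = picker(CONTROLS, BUDGET)
        cost, benefit, eff, effic = kpis(picked, CONTROLS)
        print(f"{label:9s} cost={cost:4d} benefit={benefit:4d} "
              f"effectiveness={eff:.2f} efficiency={effic:.2f} "
              f"controls={[c.name for c in picked]}")
```

    With the constructed figures and a limit of 150, the knapsack solution spends the whole budget and avoids more loss (higher effectiveness), while the greedy selection leaves budget unused but achieves a higher benefit per unit cost (higher efficiency); neither KPI can be maximised without giving up the other, which is the trade-off the abstract refers to.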
  • Keywords
    IEC standards; ISO standards; cost-benefit analysis; economic indicators; investment; risk management; security of data; ISMS; ISO 27001; ISO/IEC 27001:2005; Key Performance Indicators; combinatorial optimization; cost-benefit trade-off analysis; economic efficiency; information security management system; investment limit; risk countermeasures; value chain; Availability; Companies; IEC standards; ISO standards; Information management; Information security; Investments; NIST; Risk management; Telephony; ISMS; ISO/IEC 27001; effectiveness; efficiency; knapsack problem;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Availability, Reliability and Security, 2009. ARES '09. International Conference on
  • Conference_Location
    Fukuoka
  • Print_ISBN
    978-1-4244-3572-2
  • Electronic_ISBN
    978-0-7695-3564-7
  • Type
    conf

  • DOI
    10.1109/ARES.2009.128
  • Filename
    5066500