"SMEs, Information Risk Management, and ROI"
Abstract
Recent research in the area of standards accreditation has shown that the rate of take-up of ISO27001 (Information Security Management) by organisations has been disappointing in many Western countries, compared to the picture emerging in Asia and to the rollout of previous international standards relating to information management, such as ISO9001.
In this paper, a researcher and a practitioner from the UK investigate possible reasons for the lesser interest in pursuing certification of organisational Information Security Management Systems (ISMS) across Western countries. They also share their perceptions and concerns that the current attitudes of UK small businesses towards complying with standards and legislation mean that they may be taking unnecessary risks with their corporate and personal data, under the possibly misguided notion that other priorities are more important during the current recessionary times.
The authors use an economics-based approach in proposing a solution to the problem. On the one hand, they review the research that has provided methods for putting a figure on the value of corporate and personal data in larger organisations, and for applying the principles of managing information risk as appropriate to SMEs. On the other hand, they look at economics-related issues such as market pressure, insurance, outsourcing, and the legal and regulatory matters regarding the privacy of personal data. The result provides a case for showing SMEs that, apart from the moral matter of being “good for the business”, there are very sound economic reasons for an SME to develop an ISMS and get ISO27001 certified.