The Business case

A business case for using a Information security management system within a Small Business

The business

As a small business you should be aware of what information you hold, this can come in various forms of media.
If you are not sure of what information is it can be described as:  
Data that (1) has been verified to be accurate and timely, (2) is specific and organized for a purpose, (3) is presented within a context that gives it meaning and relevance, and (4) that can lead to an increase in understanding and decrease in uncertainty.

It can come in various forms eg, printed, written, oral, and visual and electronic. So as a business no matter type you are dealing with. It is all information. 

So then a problem come when classifying it and this can cause confusion examples of classifications are as follows:
Public – no effect on business operations or image
Sensitive – will have minor effect on business and brand
Private – will have personal effect
Confidential – can have a severe effect on business and brand.

As your business runs it deals with all forms of information and therefore you need to consider some form of management and also the legal requirements on the information you hold and how you use it.


Business manager goes to conference and take company laptop. Looses it on flight and has the only file of a new product the company plan to release.
The laptop has no passwords on it and no other security on it. Later that month a competitor releases new product which is what you had planned.

Business now goes under.
The company has now formal security policy or management system.

So what happens next?

Company decides to adopt an information security management system and this can be easily carried out with the right information and attitude.

Although this is a short but extreme scenario it can happen and prevention is better than the cure.


·         It reduces the risk of losing information
·         Minimizes the financial impact on company of security breaches
·         Increases efficiency by setting a security standard
·         Making the information more reliable


Organizational costs

·         Need to raise awareness for both staff and management
·         Adoption or adaption or a security policy.
·         Possibly having to release staff for none compliance

Design & development costs

·         Carrying out review of security
·         Preparation of policies guidelines and procedures.
·         Redesign of controls

Minimizing costs and time

It can take time to implement the changes needs and the knowledge required can mean a large outlay for training own staff to do this.

As a small business it can take a lot time that could be spent on business development so can be offset by using a information security consultant as they have the knowledge and can spend the time on the implementation and can take staff on awareness training minimizing the time lost by having several members of staff out of production at the same time.

The drafting of policies and procedures can take time as well but the consultant will have the knowledge to draft and with some consultation can draft specific policies for certain procedures within company.

The hardware side can be dealt with by the consultant too as they will have knowledge of certain products suitable for the role required.