What do you base your decisions on when planning for budget?
What do you base your security decisions on when planning for budget, when you need to set your goals, and outline your priorities? Do you rely on policies, security incidents, audits or ISMS?
Or do you read computer magazines, attend vendors' presentations and decide based on what you hear there?
There is nothing bad about getting informed at vendors' presentations, but we should always think within our own specific context.
And the best source for cybersecurity decision-making is actually our ISMS, as it provides a systemic, risk-based framework integrating insights from incidents and audits for continuous improvement.
Incidents offer reactive lessons on real-world failures, while audits validate control effectiveness.
Policies (including external regulations) have an indirect effect on budgeting because they establish requirements and commitments.
Over time, mature policies (should) lead to sustained investments.
If management decides we must protect clients' data, then any action towards this goal that needs funding should be approved (choosing the most economical risk treatment option where possible). Otherwise we say one thing and do another, which is neither good nor consistent.
ISMS is the primary driver
An effective ISMS (per ISO 27001 Clauses 9 and 10) mandates regular performance evaluations, including internal audits and management reviews, to assess risks, controls, and non-conformities.
It also incorporates learning from incidents (control A.5.27) to update risk treatments and policies, ensuring decisions reflect evolving threats rather than isolated events. This structured Plan-Do-Check-Act cycle outperforms siloed incident reports or periodic audits by linking security to business objectives, much as a balanced scorecard does.
Role of incidents and audits
Incidents fuel tactical decisions via root-cause analysis and lessons learned, triggering control updates (e.g., closing employee training gaps revealed by a phishing incident). Audits provide compliance snapshots and identify procedural weaknesses (in hybrid audits as much as in on-site ones), but they risk becoming backward-looking without ISMS integration.
Comparison of sources
| Source | Strengths | Limitations | Best Use Case |
|---|---|---|---|
| Incidents | Real-time, specific threat insights | Reactive; biased by what happens to occur | Immediate response planning |
| Audits | Objective control validation | Infrequent; snapshot only | Compliance gap identification |
| ISMS | Proactive, integrated risk view | Requires maturity to implement | Strategic prioritization |
The final advice
Prioritize ISMS-driven decisions, feeding audit findings and incident data into the ISMS risk register, so that budgeting is justified and aligned with business interests.
