So you’ve decided that it’s in your organisation’s best interest to adopt ISO 27001, the international standard for information security. Good decision. Now you just need to convince the board to give you the financial backing and resources to implement the Standard.
That’s not as hard as it once was, given how highly publicised data breaches now are. But you might still struggle to persuade senior personnel that there is no quick fix, and that effective, long-term information security requires a serious, ongoing commitment rather than a one-off project.
In this blog, we explain the three biggest challenges you’re likely to face when securing board-level buy-in for ISO 27001 and how to overcome them.
1. Convincing the board that information security is an essential business issue
The most common reason that ISO 27001 proposals fail is that they don’t properly explain the benefits of implementation.
An ISO 27001-compliant ISMS (information security management system) isn’t something you implement on the off-chance that your organisation faces a cyber attack. Rather, information security risks are ever-present, and if a breach is significant enough, it can have crippling effects.
Your first task when proposing ISO 27001 is to make the board realise that the Standard provides essential solutions for critical issues. It is worth pointing out that the Standard itself requires top management to demonstrate leadership and commitment to the ISMS (clause 5.1), so an ISMS that the board merely tolerates does not meet the Standard’s own requirements.
You should be as specific as possible when explaining this. Lay out real examples of information security risks and the damage they cause, and explain how implementing ISO 27001 mitigates them. Because the Standard requires controls to be selected on the basis of a documented risk assessment and risk treatment plan, you can tie each proposed measure to a specific risk. This includes technical controls, like malware protection and access control, as well as more general benefits, like an improved company culture in which employees take greater responsibility for information security.
2. Getting the necessary budget
It’s no surprise that money is usually near the top of management’s priorities. They are ultimately responsible for ensuring the organisation makes a profit, so they will understandably want to cut back on spending wherever possible.
When proposing a budget for ISO 27001 implementation, it’s essential that you explain exactly how the money will be spent. Break the figure down into its components, for example the gap analysis, staff time, consultancy, training, any tooling, and the certification audit fees, and say which items are one-off and which recur. This will help the board understand that you’ve not simply plucked your budget requirements out of thin air, and it will make them less likely to attempt to scale back the amount of money they allocate to the project.
3. Gaining HR support to initiate a project team
You can’t implement ISO 27001 alone; you’ll need a team of colleagues to help you, and probably also outside help in the form of consultants and auditors. Note that the Standard requires internal audits (clause 9.2), which you can outsource, and that certification is a separate audit carried out by an independent certification body.
Your proposal should include a list of resources you need to complete the implementation process, as this will need to be approved by the board and put into motion by HR.
If you’re taking colleagues away from their day jobs to help with the implementation project, you might run into resistance from management, who will rightly be concerned about the organisation’s productivity in this period.
It’s your job to explain whose help you need and how their work will be integrated into the everyday running of the organisation.
Want help planning for ISO 27001 implementation?
If you’re looking for advice on where to start with ISO 27001, you should consider taking our self-assessment questionnaire.
This five-minute survey helps you identify your biggest information security priorities and discover ways to save time, effort and costs when implementing the Standard.