ISO 27001 Implementation Challenges – And How to Overcome Them

Given the current state of the information security industry, there shouldn’t be any doubt that organizations must prioritize effective defence measures. According to one report, there were more than 1,000 publicly disclosed security incidents last year, while the average cost of a data breach hit $4.35 million.

One of the most effective ways of mitigating data protection risks is by implementing ISO 27001. It’s the international standard that contains a best-practice framework for information security and is used by organizations across the globe.

Despite the appeal of ISO 27001 and the need to address cybersecurity, senior management are often reluctant to invest. In a 2022 study published by Encore, 54% of surveyed CISOs said their board didn’t provide ample funding for information security.

This is no doubt frustrating, because ISO 27001 implementation needn’t be expensive. In fact, small organizations can often certify to the Standard for less than $20,000.

The key challenge when implementing ISO 27001 isn’t cost. Rather, the challenge is persuading the board that the project itself is necessary.

Martin Webster, author of the Leadership Thoughts blog, states that most projects tend to fail due to poor project planning, a weak business case, and ineffective top management involvement.

But with a new iteration of ISO 27001 released last year, there has never been a better time to convince boards that information security management is essential.

Top challenges when securing board buy-in for ISO 27001

The difficulty that CISOs face when trying to persuade boards about information security management isn’t, as you might think, because of a lack of communication.

In fact, there have been substantial improvements in this regard in recent years, with Encore’s study finding that 96% of executives discussed information security with the board of directors.

The problem is turning that conversation  the most significant challenge they face is persuading the board that these concerns should be a top priority. According to the study, over 60% of respondents reported not feeling supported by the board when it came to mitigating cyber risk.

If the organization is to bolster its information security practices, the CISO must be able to convince the board to their way of thinking. This can be broken down into three separate conversations.

1. Convincing the board that information security is a critical business issue

Most technology proposals fail because they don’t focus on the benefits of implementing an ISMS.

Ongoing press and public attention regarding cyber risk is driving the issue onto board agendas, and when boards finally understand they need to act against information security threats, they become very interested in hearing from information security specialists.

Your business case should focus on the value of a specific feature to the organization, e.g. “This anti-malware solution has hourly updates (feature), which means that we are protected from zero-day attacks (benefit).”

2. Securing sufficient budget allowance to implement an ISMS

The risk of cyberattacks has grown exponentially in recent years, which means threat prevention must be a top priority.

It is essential that a security team can articulate the value of its information security program when attempting to justify the security budget.

Compiling a business case is critical in influencing decision makers, particularly if you need budget approval for deeper information security investment.

Your business case should address the budget by identifying required resources, both internal and external, as well as the training, software, and tools that you will need for the project.

It should also weigh up costs of implementation against the financial and reputational damage associated with a data breach.

3. Gaining permission to employ sufficient human resources to deliver the project

Many people across the organization, and from different levels within it, will need to contribute to the ISO 27001 project.

You may also want to bring in external consultants, whether for guidance or for additional resource to execute the project plan.

It’s useful to identify your resource requirements so that once the board has signed off on the project, you can rely on having access to those resources.

ISO 27001: Nine steps to success

You can learn more about ISO 27001 and arm yourself with the knowledge you need to develop an implementation project with our guide – Nine Steps to Success: An ISO 27001 Implementation Overview.

Written by IT Governance’s founder and chief executive, Alan Calder, this book is essential for anyone tackling ISO 27001 for the first time.

The North American edition of this guide places a special focus on how US organizations can tackle ISO 27001 implementation.

It covers the process from the inception of the project to certification, explaining your requirements in simple, non-technical language.


A version of this article was originally published on March 6, 2018.