According to the ISO 27001 Global Report 2016, resistance from executive teams to information security is still a concern for those managing an ISO 27001 project. The challenge is getting – and keeping – the board’s attention.
Martin Webster, author of the Leadership Thoughts blog, states that most projects tend to fail due to poor project planning, a weak business case, and ineffective top management involvement and support.
A successful information security management system (ISMS) is dependent on genuine commitment and support from top management. With this, your project will get the financial and human resources it needs, and the ISMS will be aligned with the organization’s strategic goals.
Top challenges when securing board buy-in for ISO 27001 – and how to overcome them
The ISO 27001 Global Report 2016 showed that only 36% of respondents said that they had no concerns about securing board buy-in for the ISO 27001 project, and that the board was supportive from the start.
A further 51% of respondents had problems convincing the board, and highlighted the following top three challenges:
- Securing sufficient budget allowance to implement an ISMS (21%)
Over the last ten years the risk of cyber attacks has grown sharply, making cybersecurity a top priority on board agendas. However, despite the increase in threats, organizations are not seeing security budgets rise accordingly, leading to a growing shortfall in investment.
It is essential that a security team can articulate the value of its information security program when attempting to justify the security budget.
Compiling a business case is critical in influencing decision makers, particularly if you need budget approval for deeper information security investment.
Your business case should address the budget by identifying required resources, both internal and external, as well as the training, software, and tools that you will need for the project. It should also weigh up costs of implementation against the financial and reputational damage associated with a data breach.
- Convincing the board that information security is a critical business issue (20%)
Most technology proposals fail because they describe features rather than the benefits to the business; a proposal to implement an ISMS is no different.
Ongoing press and public attention regarding cyber risk is driving the issue onto board agendas, and when boards finally understand they need to act against information security threats, they become very interested in hearing from information security specialists.
Your business case should translate each feature into a concrete benefit for the organization, e.g. “This anti-malware solution receives hourly signature updates (feature), which means that newly identified malware is blocked across the estate within an hour of the vendor publishing a detection (benefit).” Be careful to keep the claimed benefit accurate: signature updates, however frequent, do not protect against genuinely unknown (zero-day) malware, and a board that later discovers an overstated claim will trust the next business case less.
- Gaining permission to employ sufficient human resources to deliver the project (11%)
A number of people across the organization, and from different levels within it, will need to contribute to the ISO 27001 project.
You may also want to bring in external consultants, whether for guidance or for additional resource to execute the project plan.
Identify your resource requirements up front, so that the board’s sign-off on the project explicitly covers them and you can rely on having access to those people once work begins.
Essential resources to help gain buy-in for your ISO 27001 project
Based on the above, it is clear that information security teams often struggle to make a convincing business case for an ISO 27001 ISMS implementation project.
March’s book of the month bundle, The ISO 27001 Expertise Bundle, provides you with the essential resources and skills you need to convince the board to invest in ISO 27001, along with the first steps to take once you have gained approval.
This cost-effective bundle includes:
- A must-have guide for presenting the compelling business case for ISO 27001 investment
- A pocket guide to understand the possible breach scenarios your organization could face, and the true costs involved
- An indispensable guide to equip you with the sales skills you need to persuade the board to invest in information security
- An expert guide to help you get to grips with the Standard and make your ISO 27001 implementation project a success