ISO 27001 certification has grown steadily over the past five years in the Middle East, but resistance to information security from executive teams is still a concern for those managing an ISO 27001 project, according to the ISO 27001 Global Report.
The challenge is getting – and keeping – the board’s attention.
The success of your ISMS (information security management system) depends on genuine commitment and support from top management.
Without this, your project will lack the financial and human resources needed, and the ISMS will not be aligned with the organisation’s strategic goals.
Challenges when securing board buy-in for ISO 27001
The ISO 27001 Global Report found that 51% of respondents experienced “problems either convincing the board about the importance of information security or securing the necessary budget and resources to implement ISO 27001”.
The report also highlighted the following top three challenges:
- Securing sufficient budget allowance to implement an ISMS (21%)
The past decade has seen a rapid growth in cyber attacks worldwide, placing cyber security risks as a top priority on board agendas.
Despite this, organisations’ cyber security budgets have not risen accordingly, leading to a growing shortfall in investment.
It is essential that you can articulate the value of the information security programme when attempting to justify the security budget.
Compiling a business case is a critical step in influencing decision makers, particularly if you require budget approval for deeper information security investment.
The business case should identify internal and external resources required, as well as any training, software and tools you will need for the project.
It should also weigh up the costs of implementation against the financial and reputational damage associated with a data breach.
- Convincing the board that information security is a critical business issue (20%)
Most ISO 27001 proposals fail because they don’t focus on the benefits of implementing an ISMS.
Increasing public awareness of cyber risk is driving the issue onto the board’s agenda.
When the board finally understands it needs to act against these threats, it becomes very interested in hearing from information security specialists.
The business case for ISO 27001 should focus on the value of specific features to your organisation, e.g. “This anti-malware solution has hourly updates (feature), which means that we are protected from zero-day attacks (benefit).”
- Gaining permission to employ sufficient human resources to deliver the project (11%)
An ISO 27001 project requires contributions from many people across the organisation, and from different levels within it.
External consultants may be needed for guidance or as additional resources to execute the project plan.
You should identify your resource requirements in the business case so that, once the board has signed off on the project, you can rely on having access to those resources.
Resources to help gain buy-in for your ISO 27001 project
Making a convincing business case for an ISO 27001 implementation project is not an easy task, so it is essential that security teams understand how to convince the board to invest.
July’s book of the month bundle, The ISO 27001 Expertise Bundle, provides you with the essential resources and skills you need to convince the board to invest, along with the first steps to take once you have gained approval.
This cost-effective bundle includes:
- A must-have guide for presenting the compelling business case for ISO 27001 investment;
- A pocket guide to understanding the possible breach scenarios your organisation could face, and the true costs involved;
- An indispensable guide to equip you with the sales skills you need to persuade the board to invest in information security; and
- An expert guide to help you get to grips with the Standard and make your ISO 27001 implementation project a success.