Take the ISO 27001 course exam and get the EU GDPR course exam for free
  • (0)

    ISO 27001 & ISO 22301 Blog

    Management’s view of information security

    If you think your management doesn’t have a clue what information security is all about, keep in mind that misunderstanding usually goes both ways: management often thinks you have no idea about what is appropriate for the business.

    So before suggesting to your management to start implementing your information security / ISO 27001 project, you should learn about your management’s way of thinking. Here are the five main concerns your management will have when you approach them:

    Is it really necessary? You have to be prepared to present the main benefits of information security, because otherwise the management won’t understand its purpose. In most cases you can choose among the following benefits: (1) Compliance with various legislation and contractual requirements etc., (2) Achieving competitive advantage in the marketplace, (3) Lowering expenses by decreasing the number of incidents, and (4) Optimizing your business operations by clearly defining tasks and responsibilities. Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

    Does it fit into our company strategy? Strategic fit is very important for your top management – one of your management’s primary concerns is how to keep your company competitive for a longer time period. Therefore, you have to do your homework – find out how information security can underpin certain elements of your company’s corporate strategy.

    How to decrease the costs? One of the most misunderstood aspects of information security is that most of the problems (i.e. incidents) happen not because of technology, but because of human behavior. Therefore, most of the investments needed will be in defining new policies and procedures, and training and awareness programs which will prevent such incidents from happening – such investments are usually far cheaper than new technology.

    Sometimes, investment in technology will also be needed – in such cases you can try to calculate the Return on Security Investment. For instance, you might try to calculate the damage that would be caused by a fire, and calculate the investment needed to prevent such damage. Just be sure not to exaggerate here, because you’ll lose your management’s confidence.

    How to make sure we’ve achieved what we wanted? First of all, you need to help your management set very clear objectives – usually, those objectives will derive from the four benefits mentioned above. The second step is to set up a measurement system which will define how to measure whether the company achieved the set objectives; that system must involve clear responsibilities of who will make the reports, in which form, and who is going to read them and interpret them. Finally, a system must be in place to correct all the deviations from the objectives (be sure that such deviations will certainly happen).

    What risks are involved? Management usually wants to know what is the likelihood of failure of the investment they have made. Here you need to explain to them the balance between the risks you will identify during the risk assessment and the security measures your company will invest in – the higher the investment, the smaller the chances that something will go wrong. Of course, overinvesting is not a solution, and this is why you need to leave the decision about acceptable risks to the management – your role is to present them the risks and potential security measures in an objective manner. The decision what to do with those risks is up to the management.

    The point here is – the problem is not that management doesn’t want to invest in information security, but that it is either uninformed about it, or that you cannot speak the same language with your management.

    By understanding the five basic issues your management is concerned with and by establishing appropriate communication with them, you’ll dramatically increase your chances for your information security project.

    This free webinar can also help you: ISO 27001 benefits: How to obtain management support.

    Advisera Dejan Kosutic
    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.