Who should be your project manager for ISO 27001/ISO 22301?

If you’re planning to start an ISO 27001 and/or ISO 22301 project, you are probably wondering who could lead such a complex project: what kind of person do you need, what authority should they have, and should you choose someone in-house or an outsider?

First of all, don’t even think of starting to implement these standards without a project approach: to succeed, you need a project manager, a project sponsor, clearly defined milestones and deadlines, and so on. See also: ISO 27001 project – How to make it work.

Profile of the project manager

Since ISO 27001 and ISO 22301 are closely related to information technology, the project manager should have at least a working knowledge of IT. However, this is not an IT project and should not be treated as one, so avoid having someone from your IT department lead it. See also: 5 greatest myths about ISO 27001.

What you need is someone with a balanced knowledge of IT and of your company’s business processes, because managing information security is, in most cases, a matter of organizational issues (developing policies and procedures, defining responsibilities, managing change) rather than technology.

Since the manager of this kind of project will often run into opposition from colleagues, such a person needs enough authority, either from their position or from the respect of their peers.

Once the project is over, this person is the most likely candidate to become your Chief Information Security Officer (CISO) or business continuity manager. In smaller companies, a single position usually covers both information security and business continuity; in larger companies these functions are separate, although very often in the same department. See also: Chief Information Security Officer (CISO) – where does he belong in an org chart?


Needed skills & availability

Ideally, your project manager would already have experience with ISO 27001/ISO 22301 implementation, but such people are rare.

In most cases, this person will acquire these skills by attending courses; the most useful are the Lead Auditor and Lead Implementer courses. Learn more here: Lead Auditor Course vs. Lead Implementer Course – Which one to go for?

Regarding the time required: in a smaller company the project manager will need to spend about 1 or 2 hours per day on the project, while in a company with a couple of thousand employees the project will occupy this person full time for its entire duration. See also this Implementation Duration Calculator.

In-house or outsource?

There is no doubt about it: the project manager must be someone from inside your company, because an outsider cannot know all the details and cultural issues of your organization. When things get tough (and they certainly will during a project like this), you need someone who knows whom to turn to, which approach other employees will accept, and what to avoid.

Don’t get me wrong: you should get external help to obtain the know-how, but a consultant cannot lead your project. See also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.

Which kind of authority?

This is probably the toughest question. On one hand, the project manager’s job is only temporary; on the other hand, they have to change how things are done in your company. So, theoretically speaking, this person should have formal authority to implement any change necessary as part of the project.

In reality, however, the following two characteristics matter much more than formal authority:

1) How well the project manager gets along with the project sponsor, because whenever the project manager hits a wall, it is the sponsor who provides the means to remove it.

2) The project manager’s “diplomatic” skills, because the project sponsor won’t get involved in every detail, so the project manager will often need to find a way around such walls on their own.

The point is that the project manager is the central figure in your implementation, and the success of your project depends on this person much more than you might think. To succeed, find a capable person, give them the required skills, and give them a good sponsor. The alternative is one of those never-ending projects.

Download this free Project plan template that is applicable for smaller and mid-size companies.

Here you can learn how to become an ISO 27001/ISO 22301 consultant.

Author: Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.