    ISO 27001 & ISO 22301 Blog

    4 crucial techniques for convincing your top management about ISO 27001 implementation

    Don’t expect your management to understand on their own why ISO 27001 is good for their company – you have to work very hard to convince them. Essentially, you need to have two elements to be successful in that process: (1) prepare a list of business benefits that are really applicable to your company, and (2) communicate those benefits in a manner that is understandable to your executives.

    I have covered the topic of business benefits in this article: Four key benefits of ISO 27001 implementation, and in the article you’re reading I’ll write about the best ways to communicate them.

    Unfortunately, one presentation to your top management is not going to be enough, no matter how nice your PowerPoint presentation looks. The truth is, much more is needed than a simple presentation, and it will take time for your management to understand all the key points.

    Here are a few techniques you can use for presenting your case in a more effective way:

    Elevator speech

    Chances are you’ll achieve much more on informal occasions than in formal meetings – e.g., when you happen to run into your CEO in the cafeteria, in an elevator, or somewhere similar. If you are not prepared for such an occasion, you’ll probably get flustered – therefore, you have to prepare a so-called elevator speech, a 30- to 60-second speech in which you vividly present your case. When you rehearse it well, you will sound confident and convincing. For example, my elevator speech (as a consultant trying to sell my services) is: The investment in ISO 27001 will pay off if you prevent only one medium-sized incident, not to mention large incidents.

    Find an ally

    You need to find people who are close to your CEO and who would naturally be interested in what you are doing – for example, your Chief Financial Officer might see information security as a way to decrease the financial risk to the company, so she may choose to support your effort; the Chief Compliance Officer could see your project as a way to relieve him of part of the workload, while the marketing guys might see this as an additional key selling point. In any case, do your homework and research who would be interested in information security benefits.

    These people will not only give you additional insight into how information security will help the company; they will also make it easier to get onto the top management’s agenda more quickly.

    30-20-10 rule for presentations

    When you do make your PowerPoint presentation, forget about all those fancy statistics you’ve found, and hundreds of slides you prepared. Instead, go for the 30-20-10 rule: use fonts size 30, maximum 20 minutes, up to 10 slides. And focus on benefits – this is the main message you need to deliver.

    And try to be short – your presentation should last a maximum of 10 minutes, plus 10 minutes for questions and answers. Here you’ll find a free PowerPoint presentation Project proposal for ISO 27001 implementation which includes all the elements that need to be presented to your top management.

    Be careful with words

    Remember, your target group is managers who don’t understand or don’t like your geeky expressions. For example:

    Instead of:                                             | Use this:
    ------------------------------------------------------- | -------------------------------------------------------------------------
    Backup, fire-suppression systems (and other safeguards) | Prevention (We will prevent…)
    Cost                                                    | Investment (By investing in …, we will save xyz dollars…)
    Probability                                             | Risk (We will decrease the risk of…)
    Incident                                                | Damage (We will decrease the damage by implementing…)
    Disaster                                                | Loss/downtime (We will lose xyz dollars; our expected downtime will last…)

    This way, your executives will perceive you as someone who understands the business perspective of information security – in other words, you will build your credibility in their eyes.

    Prepare for the long run

    And here comes the bad news – to be successful, you need all the qualities of a good salesman: you need to be patient, persistent, and persuasive. I know that you probably didn’t want to become one, but this is what successful CISOs do.

    After a while, you will surely start to notice some progress – maybe not in the first couple of days or even couple of months, but don’t let that discourage you.

    This article is an excerpt from the book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own. Click here to see what’s included in the book…

    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.