4 crucial techniques for convincing your top management about ISO 27001 implementation

Don’t expect your management to understand on their own why ISO 27001 is good for their company – you have to work very hard to convince them. Essentially, you need to have two elements to be successful in that process: (1) prepare a list of business benefits that are really applicable to your company, and (2) communicate those benefits in a manner that is understandable to your executives.

I have covered the topic of business benefits in this article: Four key benefits of ISO 27001 implementation, and in the article you’re reading I’ll write about the best ways to communicate them.

Unfortunately, one presentation to your top management is not going to be enough, no matter how nice your PowerPoint presentation looks. The truth is, much more is needed than a simple presentation, and it will take time for your management to understand all the key points.

Here are a few techniques you can use for presenting your case in a more effective way:

Elevator speech

Chances are you’ll achieve much more in informal occasions than in formal meetings – e.g., when you accidentally stumble into your CEO in a cafeteria, in an elevator, or similar. If you are not prepared for such an occasion, you’ll probably get confused – therefore, you have to prepare a so-called elevator speech, a 30- to 60-second speech where you vividly present your case. When you rehearse it well, you will sound confident and convincing. For example, my elevator speech (as a consultant trying to sell my services) is: The investment in ISO 27001 will pay off if you prevent only one medium-sized incident, not to mention large incidents.


Find an ally

You need to find people who are close to your CEO and who would naturally be interested in what you are doing – for example, your Chief Financial Officer might see information security as a way to decrease the financial risk to the company, so she may choose to support your effort; the Chief Compliance Officer could see your project as a way to relieve him of part of the workload, while the marketing guys might see this as an additional key selling point. In any case, do your homework and research who would be interested in information security benefits.

These people will not only give you additional insight into how information security will help the company, they will also make it easier to get to the top management agenda more quickly.

30-20-10 rule for presentations

When you do make your PowerPoint presentation, forget about all those fancy statistics you’ve found, and hundreds of slides you prepared. Instead, go for the 30-20-10 rule: use fonts size 30, maximum 20 minutes, up to 10 slides. And focus on benefits – this is the main message you need to deliver.

And try to be short – your presentation should last a maximum of 10 minutes, plus 10 minutes for questions and answers. Here you’ll find a free PowerPoint presentation Project proposal for ISO 27001 implementation which includes all the elements that need to be presented to your top management.

Be careful with words

Remember, your target group is managers who don’t understand or don’t like your geeky expressions. For example:

Instead of: Use this:
Backup, fire-suppression systems (and other safeguards) Prevention (We will prevent…)
Cost Investment (By investing in …, we will save xyz dollars…)
Probability Risk (We will decrease the risk of…)
Incident Damage (We will decrease the damage by implementing…)
Disaster Loss/downtime (We will lose xyz dollars; our expected downtime will last…)

This way, your executives will perceive you as someone who understands the business perspective of information security – in other words, you will build your credibility in their eyes.

Prepare for the long run

And here comes the bad news – to be successful, you need all the qualities of a good salesman: you need to be patient, persistent, and persuasive. I know that you probably didn’t want to become one, but this is what successful CISOs do.

After a while, you will surely start to notice some progress – maybe not in the first couple of days or even couple of months, but don’t let that discourage you.

This article is an excerpt from the book  Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own. Click here to see what’s included in the book…

Advisera Dejan Kosutic
Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.