Management’s view of information security

By Dejan Kosutic on May 16, 2011

If you think your management doesn’t have a clue what information security is all about, keep in mind that misunderstanding usually goes both ways: management often thinks you have no idea about what is appropriate for the business.

So before suggesting to your management that they start an information security / ISO 27001 project, you should learn how your management thinks. Here are the five main concerns your management will have when you approach them:

Is it really necessary? You have to be prepared to present the main benefits of information security, because otherwise management won’t understand its purpose. In most cases you can choose among the following benefits: (1) compliance with various legislation and contractual requirements, (2) achieving competitive advantage in the marketplace, (3) lowering expenses by decreasing the number of incidents, and (4) optimizing your business operations by clearly defining tasks and responsibilities. Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

Does it fit into our company strategy? Strategic fit is very important for your top management – one of your management’s primary concerns is how to keep your company competitive for a longer time period. Therefore, you have to do your homework – find out how information security can underpin certain elements of your company’s corporate strategy.

How can we decrease the costs? One of the most misunderstood aspects of information security is that most problems (i.e., incidents) happen not because of technology, but because of human behavior. Therefore, most of the investment needed will go into defining new policies and procedures, and into training and awareness programs that prevent such incidents from happening; such investments are usually far cheaper than new technology.

Sometimes, investment in technology will also be needed; in such cases you can try to calculate the Return on Security Investment. For instance, you might calculate the damage that would be caused by a fire and the investment needed to prevent such damage. Just be sure not to exaggerate here, because you’ll lose your management’s confidence.

How do we make sure we’ve achieved what we wanted? First of all, you need to help your management set very clear objectives; usually, those objectives will derive from the four benefits mentioned above. The second step is to set up a measurement system that defines how to measure whether the company has achieved the set objectives; that system must assign clear responsibilities for who will produce the reports, in which form, and who is going to read and interpret them. Finally, a system must be in place to correct all deviations from the objectives (be certain that such deviations will happen).

What risks are involved? Management usually wants to know the likelihood that the investment they have made will fail. Here you need to explain to them the balance between the risks you will identify during the risk assessment and the security measures your company will invest in: the higher the investment, the smaller the chance that something will go wrong. Of course, overinvesting is not a solution, and this is why you need to leave the decision about acceptable risks to management; your role is to present the risks and potential security measures to them in an objective manner. The decision about what to do with those risks is up to management.

The point here is that the problem is not that management doesn’t want to invest in information security, but that it is either uninformed about it, or that you and your management do not speak the same language.

By understanding the five basic issues your management is concerned with, and by establishing appropriate communication with them, you’ll dramatically increase the chances that your information security project will succeed.

You can also check out our free webinar ISO 27001 benefits: How to obtain management support.

  • Gary Hinson

    Good post Dejan! Many out-and-out infosec pros are quick to complain that their colleagues don’t understand infosec risks and controls but you’re right to point out that they often don’t understand the business.

    My favourite take on infosec is as a support function that would be conspicuous by its absence. Without infosec, many business activities would be far too risky to undertake. With infosec, the organization can go about its business safe in the knowledge that its information assets are protected.

    Keep up the good work Dejan :-)


  • Dejan Kosutic

    Thanks Gary!

  • David Shaw

    +1 on the comments from Gary, great post Dejan.

    However I have found that ‘management’ is not a homogeneous entity; the concerns to be addressed may vary.

  • Dejan Kosutic

    Hi David,

    I agree with you – different members of the management think differently about information security (some understand it better, some don’t); furthermore, the issues to be addressed vary depending whether it is top management, mid-level management or line management.

    What do you think, which issues vary the most?

  • Asaf

    Hi Dejan,
    Well said, “Misunderstanding goes both ways”. I agree that it’s very important to first understand the business and its strategies and then develop an information security program that is aligned with the business. The critical points have been very well summarised and discussed. I can only add that it’s also important to demonstrate that the IS program will help the business sustain its efforts to achieve its objectives. InfoSec professionals try many approaches, and the best one is the one that works.

  • Harshit Mistry

    Really good and very true article Dejan …

  • Jae Ho Jang

    Good posting, Thanks.

  • Maja Lucin

    Thanks Dejan!
    Keep writing good articles

  • Huberto Garza

    Great article, Dejan. Thank you for your clear, concise insight on such a relevant topic.

  • srini369

    Nice article Dejan!!!!!!!!

  • Gilson Rufino

    Great article, Dejan !!!
    Is there a deeper vision of the “Value Proposition” that could help us when we talk to the leadership team?
    Thanks in advance.

  • Dejan Kosutic

    Gilson, you can use these 4 benefits to convince your leadership – I find them particularly useful when presenting an ISO 27001 project: (1) marketing edge, (2) cost savings, (3) better organization, (4) compliance. You can find a detailed explanation here:

  • sridhar isms la, mod goi

    A deep, practical and experienced insight by Dejan, and it is correct. He expressed the core

  • Helmut Karas

    perfect, thank you for this focused view

  • Dr. Brij Mohan Sharma

    Hello. Good evening. Joining for the first time. I will surely be associated in future. Information security management systems are really essential investments. It would be better if the top management itself took the lead in understanding their significance. Perhaps consultants like us have to offer free training to the top management and explain in a transparent manner the short- and long-term benefits of information security systems. Regards.