Management Buy-in for ISO27001 Implementation

Overcome obstacles for Management Buy-In for Information Security

For any security plan to be effective, the co-operation of staff at all levels is essential. Achieving this is easier said than done, with other priorities and lack of communication often proving to be stubborn obstacles.

To ensure staff buy-in, management must be seen to fully support an information security plan and this can be a tough obstacle to overcome. Finding the best way to justify a security plan in the face of objections can be a challenge, but being prepared with the facts about the risks and benefits will be a big advantage.

So how do you get management to recognise Information Security as a priority amongst other commitments such as sales and marketing, finance and operations? The best approach is to make them appreciate that security applies to all areas of a business.

Information security relates to business functions in a number of ways. These are just some examples of possible scenarios and objections.

Sales and Marketing

If a sales person mislays an unencrypted laptop or USB stick which contains sales strategies or incentives, this information could be exploited. A competitor could use this data to gain an advantage in the marketplace, potentially resulting in lost projects and revenue. A security programme will limit the exposure to data breaches of this nature.

A common objection is that a security programme does not drive sales. However, a thorough, sustained security programme will attract new customers who need secure business practices, providing a competitive advantage.

Finance

Company-sensitive information or funds being stolen would directly impact the company's ability to operate as usual. A business that is unable to pay employees and suppliers will founder quickly.

Cost can be an issue for management, but compare the value of a security programme against the cost of losing financial data or funds and there is a clear victor. No-one wants to see their business fail, especially when preventative measures are available.

Operations

For day-to-day operations, intellectual property, including templates and company policies, needs to be protected. The challenge is to balance data confidentiality with accessibility for business processes.

Customer data is also an issue, as it will ordinarily be stored as hard copy, electronically, or both. If this data were lost or stolen, the impact on both customers and the business could be devastating, with loss of customer confidence, possible legal action, investigations and fines.

Information is a valuable corporate asset and must be treated as such. While management might question the benefits of complying with information security standards, the cost of non-compliance could be far greater. The savings in terms of fewer audit findings and ready evidence of good practice are significant.

The potential damage to reputation that data loss could cause is extensive. Should the media become involved, any negative headlines will inevitably affect the public's perception of the company. For example, negative comments on social media can instantly impact a brand before the full details are understood. This alone can be extremely hard to recover from.

Ultimately, company accounts consist of both profits and losses. Whilst a security programme may not always generate additional profits, the reduction in losses can be considerable. Additionally, a security programme provides reassurance that will make it easier for management to sleep at night.