Page 1: How to obtain management support - Advisera · ISO 27001 Benefits: How To Obtain Management Support? Presenter: Dejan Kosutic

ISO 27001 Benefits: How To Obtain Management

Support?

Presenter: Dejan Kosutic

Page 2

©2015 27001Academy www.advisera.com/27001academy

GoToWebinar Control Panel

• Open and close your Panel

• View, Select, and Test your audio

• Submit text questions – they will be addressed throughout the session

• Raise your hand

Page 3

How to increase chances for successful ISO 27001 implementation by bringing in the management.

You are in charge of ISO 27001 implementation…

…Without management support your project will probably fail!

Page 4

Present your ISO 27001 project like a business case, and you’ll make your management much more interested!

Page 5

Agenda

• Management mindset

• What is really ISO 27001

• Four main benefits of ISO 27001

• Return on investment

• Elevator speech

• Using right words

• Why is it difficult to obtain management support?

Page 6

Management mindset

• Return on investment (ROI)

• Market

• Compliance

• Strategic direction

• Short time to present the case

• Management is under great pressure!

• Persuading the management takes time

Page 7

What is really ISO 27001

• A management standard, not a technical one: an Information Security Management System

• The purpose is to manage and control (example: a BYOD policy)

• Only 50% of controls from Annex A are IT related

Page 8

Four main benefits

• Compliance

• Marketing edge

• Lowering the expenses

• Optimizing business processes

Page 9

Return on investment (ROI)

• Asset: server

• Threat: fire

• Single Loss Expectancy (SLE) = $5000

• Annualized Rate of Occurrence (ARO) = 10%

• Annualized Loss Expectancy (ALE) = SLE × ARO = $500

• Conclusion: any investment in security < $500 annually is profitable
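The arithmetic behind this slide, as an added example that is not part of the webinar: it computes ALE from SLE and ARO using the slide's server/fire figures, and goes one step further than the slide by scoring a safeguard with Return on Security Investment (ROSI); the safeguard's cost and residual risk are constructed assumptions.

```python
# Added example, not from the webinar: quantitative risk arithmetic behind the
# ROI slide. The server/fire figures are the slide's; the safeguard figures
# used in main() are constructed assumptions, not measured data.


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def max_profitable_spend(sle: float, aro: float) -> float:
    """Break-even annual spend: a safeguard that fully removes the risk is
    worth buying if it costs less than the ALE it eliminates (the slide's conclusion)."""
    return ale(sle, aro)


def rosi(sle: float, aro: float, residual_sle: float, residual_aro: float,
         annual_cost: float) -> float:
    """Return on Security Investment as a ratio: (ALE reduction - cost) / cost.
    Positive means the safeguard pays for itself; negative means it does not."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    reduction = ale(sle, aro) - ale(residual_sle, residual_aro)
    return (reduction - annual_cost) / annual_cost


if __name__ == "__main__":
    # Slide figures: asset = server, threat = fire.
    SLE, ARO = 5000.0, 0.10
    print(f"ALE = ${ale(SLE, ARO):,.0f} per year")
    print(f"Any safeguard under ${max_profitable_spend(SLE, ARO):,.0f}/year is profitable")
    # Constructed assumption: a $300/year fire-suppression contract cuts ARO to 2%
    # and halves the loss per event.
    print(f"ROSI of the assumed safeguard: {rosi(SLE, ARO, 2500.0, 0.02, 300.0):.2f}")
```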

Page 10

Elevator speech

• A short speech you should use to influence your executives to support ISO 27001

• Not more than 45 seconds

• Use a vivid example!

Page 11

Using the right words

INSTEAD OF:        USE:
Backup/firewall    Prevention
Cost               Investment
Probability        Risk
Incident           Damage
Disaster           Loss/downtime

Page 12

Why is it difficult to obtain management support?

• They cannot fund it and want you to handle it without additional funding

• They do not see a business case for additional funding since it doesn’t generate revenue

• IT security specialists are not always good at "politics"

• Management is always busy with other projects

• They don't see any value in having the certification and see it as a tick box exercise

Page 13

Conclusions

ISO 27001 will pay off if it prevents only one medium incident, not to mention large ones

Use this key message and convince your management!

Page 14

Q & A

Dejan Kosutic

Page 15

http://advisera.com/27001academy/webinars/

Thank you!