5 top tips for convincing senior management to implement an ISMS

Working in the information security industry, you understand how important it is to have a structured system for implementing cyber security best practice. Proving this to senior management is another kettle of fish.

Here are our five top tips for convincing senior management that implementing an ISMS is right for your business:

1. Focus on the benefits, not the features 

Most technology proposals fail because they focus on the features of the ISMS rather than its benefits. A ‘feature’ is an attribute or characteristic of a product or service: something it has or does. A ‘benefit’ is a description of the value of a specific feature to its user. For example:

 ‘This anti-malware solution has hourly updates (feature), which means that we are protected from zero-day attacks (benefit).’

2. Avoid ‘tech-speak’

Although it may roll off the tongue for you, tech-speak is a language the board doesn’t understand. Security layers, protocols, OSes, petabytes, virtualisation and TLAs are all gobbledegook to those not in the know. If you’re going to have a conversation with the board, you have to speak their language and focus on the issues that preoccupy them, e.g.

  • Top-line revenue
  • Gross margin
  • The bottom line
  • Return on investment
  • Product/service quality
  • Risk management
  • Competition
  • Legal and/or contractual compliance
  • Measurement and KPIs
  • Resources

3. Get your work spellchecked

While this may seem like an obvious point, senior management expect to see written communications that are syntactically and grammatically correct. Your written proposal represents your thoughts and ideas. If written well, it will establish you as a credible contributor to corporate life. If there are lots of mistakes, your proposal will likely be put straight in the bin.

4. Develop an ally

Do you know how the decision-making process works in your organisation? Who’s the influencer and who’s the decider? Talk to your colleagues about their experience with proposals, who succeeded, who didn’t and why.

Then seek out an ally on the board, preferably someone who has similar views of information security issues. Developing the relationship takes time, but it will be worthwhile. They will be able to give you an insight into the decision-making process and, more importantly, they’ll champion your cause to the board.

5. Use regulatory compliance to your advantage

Identify a relevant law or regulation that has IT-related compliance requirements (the GDPR, DPA, HIPAA, GLBA, PIPEDA, etc.). Identify the gaps between your current practice and what the law requires you to do and focus on the areas of non-compliance that are likely to cause bigger problems. You can then link this to the outcomes of failing to comply: fines, reputational damage, executive careers, as well as an impact on the corporate bottom line.
Senior management will, of course, want to know how much implementing an ISMS will cost. You will need to list what you need in order to reduce your organisation’s risks to an acceptable level and work out the cost, in both capital and revenue terms. The costs will be below the likely level of a penalty, plus damages, plus brand diminution.

You need to find the tools to help your organisation implement an ISMS at a suitable budget. The No 3 ISO 27001 ISMS Comprehensive Toolkit contains many of the resources you need to implement ISO 27001, including:

  • Official ISO 27000 standards
  • Industry-leading implementation guidance
  • Pre-written documentation
  • Expert risk assessment software

Support your ISMS implementation with the expert guidance in this comprehensive bundle.

Extracts from this post were taken from Alan Calder’s Selling Information Security to the Board. For more guidance on this subject, you may find the ISO 27001 Expertise Bundle helpful.