ISO27001: Getting The Staff On Board

Ever watched a presentation that’s left you with the feeling that it was an hour of your life you’ll never get back? Ever sat in a room full of people who are just two PowerPoint slides away from screaming “None of this matters!” before defenestrating themselves? Have you ever had to present to a room full of people like that? People who have so little interest in you, or your subject, that they’ve had to resort to stabbing their own leg with a biro just to stay awake?

I might be going out on a limb here, but I’m pretty sure that most people reading this will have been subjected to “Death by PowerPoint” at some time in their lives, and that most of us have previously resorted to any excuse short of actually faking our own death not to be subjected to it again. The simple fact is that it’s hard to keep your attention focussed on anything you’ve already decided you don’t care about. It doesn’t matter how often someone extols the virtues of something to you; if you can’t see how it matters to you, you’re unlikely to care.

It is this facet of human nature that is usually the downfall of ISO27001 awareness campaigns. Regardless of the number of information security posters, emails or presentations you put in front of them, staff that don’t see how an ISO27001 project relates to them will, at best, pay it polite lip service.

So how do we get them to care? Well, for a start I would focus on the objectives of the standard, not the standard itself. Tell someone you’re putting a bunch of policies in place because the standard says so, and they’ll more than likely nod and smile. Tell them you’re putting in policies to try to make sure they still have a job in six months and they might take more of an interest. Such a statement – that ISO27001 will protect jobs – can seem a bit outlandish, but in most cases it’s true. Information Security is now a part of most major tenders: any organisation that’s chasing work from government, defence or the majority of the corporate sector will be required to demonstrate a strong commitment to Information Security. If these tenders aren’t won, then the work isn’t there to be done, and so the workers aren’t required to do it.

The effect of compliance with the standard goes deeper than that, however. ISO27001 can, and does, make working life easier for a lot of staff. Because the standard concerns itself with the integrity and availability of information, as well as its confidentiality, any successful ISO27001 project will result in an improvement in the accessibility and accuracy of the information staff need to do their work. This is the aspect of compliance you should focus on when educating staff, highlighting the standard as a tool with which they can improve their own working lives. If you get stuck, I would recommend this book on the subject: The Case for ISO 27001.

However you decide to communicate your ISO27001 project to staff, always remember to demonstrate how it will benefit them directly. Having an opening PowerPoint slide that reads “Information Security: Keeping your job secure” will get the attention of most people. Keep the message simple, keep it relevant, and keep it positive.

If you need help with educating your staff, or with any other aspect of Information Security, you can always give us a call on +44 (0) 845 070 1750 or find out about our consultancy services.
