{"id":10196,"date":"2016-09-12T16:07:50","date_gmt":"2016-09-12T16:07:50","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/016\/09\/12\/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation\/"},"modified":"2025-03-07T15:14:31","modified_gmt":"2025-03-07T15:14:31","slug":"4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/09\/12\/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation\/","title":{"rendered":"4 crucial techniques for convincing your top management about ISO 27001 implementation"},"content":{"rendered":"<p>Don\u2019t expect your management to understand on their own why <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0is good for their company \u2013 you have to work very hard to convince them. Essentially, you need to have two elements to be successful in that process: (1) prepare a list of business benefits that are really applicable to your company, and (2) communicate those benefits in a manner that is understandable to your executives.<\/p>\n<p>I have covered the topic of business benefits in this article: <a href=\"\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a>, and in the article you\u2019re reading I\u2019ll write about the best ways to communicate them.<\/p>\n<p>Unfortunately, one presentation to your top management is not going to be enough, no matter how nice your PowerPoint presentation looks. 
The truth is, much more is needed than a simple presentation, and it will take time for your management to understand all the key points.<\/p>\n<p>Here are a few techniques you can use for presenting your case in a more effective way:<\/p>\n<h2>Elevator speech<\/h2>\n<p>Chances are you&#8217;ll achieve much more in informal occasions than in formal meetings \u2013 e.g., when you accidentally stumble into your CEO\u00a0in a cafeteria, in an elevator, or similar. If you are not prepared for such an occasion, you&#8217;ll probably get confused \u2013 therefore, you have to prepare a so-called elevator speech, a 30- to 60-second speech where you vividly present your case. When you rehearse it well, you will sound confident and convincing. For example, my elevator speech (as a consultant\u00a0trying to sell my services) is: <em>The investment in ISO 27001 will pay off if you prevent only one medium-sized <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=information-security-controls&amp;doc=incident-log\" target=\"_blank\" rel=\"noopener\">incident<\/a>, not to mention large incidents<\/em>.<\/p>\n<h2>Find an ally<\/h2>\n<p>You need to find people who are close to your CEO\u00a0and who would naturally be interested in what you are doing \u2013 for example, your Chief Financial Officer\u00a0might see information security as a way to decrease the financial <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=risk-management&amp;doc=risk-assessment-table\" target=\"_blank\" rel=\"noopener\">risk<\/a>\u00a0to the company, so she may choose to support your effort; the Chief Compliance Officer\u00a0could see your project as a way to relieve him of part of the workload, while the 
marketing guys might see this as an additional key selling point. In any case, do your homework and research who would be interested in information security benefits.<\/p>\n<p>These people will not only give you additional insight into how information security will help the company, they will also make it easier to get onto the top management\u00a0agenda more quickly.<\/p>\n<h2>30-20-10 rule for presentations<\/h2>\n<p>When you do make your PowerPoint presentation, forget about all those fancy statistics you&#8217;ve found, and the hundreds of slides you prepared. Instead, go for the 30-20-10 rule: use font size 30, a maximum of 20 minutes, and up to 10 slides. And focus on benefits\u00a0\u2013 this is the main message you need to deliver.<\/p>\n<p>And try to be short \u2013 your presentation should last a maximum of 10 minutes, plus 10 minutes for questions and answers. Here you\u2019ll find a free PowerPoint presentation <a href=\"https:\/\/staging.advisera.com\/27001academy\/free-downloads\/#project-proposal-for-iso-27001-implementation-power-point\" target=\"_blank\" rel=\"noopener noreferrer\">Project proposal for ISO 27001 implementation<\/a>\u00a0which includes all the elements that need to be presented to your top management.<\/p>\n<h2>Be careful with words<\/h2>\n<p>Remember, your target group is managers who don&#8217;t understand or don&#8217;t like your geeky expressions. 
For example:<\/p>\n<table border=\"1\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; background-color: #e6e6e6;\" width=\"50%\"><strong>Instead of:<\/strong><\/td>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; background-color: #e6e6e6;\" width=\"50%\"><strong>Use this:<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\"><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=information-security-controls&amp;doc=backup-policy\" target=\"_blank\" rel=\"noopener\">Backup<\/a>, fire-suppression systems (and other safeguards)<\/td>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Prevention (<em>We will prevent&#8230;<\/em>)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Cost<\/td>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Investment (<em>By investing in &#8230;, we will save xyz dollars&#8230;<\/em>)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Probability<\/td>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Risk (<em>We will decrease the risk of&#8230;<\/em>)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Incident<\/td>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Damage (<em>We will decrease the damage by implementing&#8230;<\/em>)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 
10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Disaster<\/td>\n<td style=\"padding-left: 10px; padding-bottom: 5px; padding-top: 5px; vertical-align: text-top;\" width=\"50%\">Loss\/downtime (<em>We will lose xyz dollars; our expected downtime will last&#8230;<\/em>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"padding-top: 5px;\">This way, your executives will perceive you as someone who understands the business perspective of information security \u2013 in other words, you will build your credibility in their eyes.<\/p>\n<h2>Prepare for the long run<\/h2>\n<p>And here comes the bad news \u2013 to be successful, you need all the qualities of a good salesman: you need to be patient, persistent, and persuasive. I know that you probably didn\u2019t want to become one, but this is what successful CISOs do.<\/p>\n<p>After a while, you will surely start to notice some progress \u2013 maybe not in the first couple of days or even couple of months, but don\u2019t let that discourage you.<\/p>\n<p><em>Check out this free online training\u00a0<\/em><a href=\"https:\/\/advisera.com\/training\/iso-27001-foundations-course\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 Foundations Course<\/a><em>\u00a0that explains every step in ISO 27001 implementation.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Don\u2019t expect your management to understand on their own why ISO 27001\u00a0is good for their company \u2013 you have to work very hard to convince them. 
Essentially, you need to have two elements to be successful in that process: (1) prepare a list of business benefits that are really applicable to your company, and (2) &#8230;<\/p>\n","protected":false},"author":26,"featured_media":10197,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[815,1470,1471],"class_list":["post-10196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-top-management","tag-iso-27001-benefits","tag-iso-27001-implementation"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=10196"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10196\/revisions"}],"predecessor-version":[{"id":103742,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10196\/revisions\/103742"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/10197"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=10196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=10196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=10196"}],"curies":[{"name"
:"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}