Hannah Churchman In the majority of organizations, change is embraced by senior management, but feared by employees. In the case of implementing ISO 27001, a committed senior management team (SMT) can understand clearly the benefits that an Information Security Management System (ISMS) will bring, such as decreased risk of business disruption, enhanced market position, and increased compliance with legal requirements.
But, for employees, the introduction of a new system or working practices can often seem like a chore and an obtrusion on their existing roles. So, with lack of internal buy-in being a key factor in project failure, how can you ensure that you gain internal buy-in from your staff?
This article will explore the key objections you will come up against from your staff, and suggestions, based on experience, for how to overcome them.
What’s in it for me?
In some ways, people are easy to manage. By simply demonstrating the benefits to them, you are more likely to get employees on board with the changes required by implementing an information security system. Benefits that you could communicate are increased organizational stability and decreased likelihood of business disruption.
How you can gain internal buy-in throughout your organization:
- Provide training and awareness sessions explaining the benefits that ISO 27001 will introduce.
- Involve staff in the development of the Information Security Management System controls. Once you have provided awareness training, spend time with each department identifying areas where controls should be applied. These are the people who do their jobs day in and day out, and therefore know them best. You’ll be surprised with what you may have missed!
- Give staff plenty of opportunity to voice any concerns and ask questions (make sure that you answer them, or engagement will decrease). Employees value honesty and transparency in times of change.
- Make it fun! Let’s face it: information security is a dry topic for most. As the implementation lead, you should keep it light when necessary. For example, you could announce a competition for the most information security vulnerabilities reported in a month, or the best department audit score, with a prize up for grabs.
Learn more about the benefits of ISO 27001 implementation in the article Four key benefits of ISO 27001 implementation.
What happens if I don’t participate?
Similar to my point above, it is crucial for employees to understand the consequences if they DON’T participate. This isn’t about scare tactics, but having clearly defined and communicated guidelines and expectations. This is a crucial element for ISO 27001 implementation success.
How you can gain internal buy-in throughout your organization:
- Have a clearly defined disciplinary procedure, ensuring that it links directly to non-compliance with the Information Security Management System processes and procedures.
- Ensure that all guidelines are understood by getting employees to sign off on having read all policies and procedures. This puts the responsibility on them, and will ensure that they take the time to really understand the requirements.
- Ambiguity is the enemy here. Be as clear as you can when communicating what is expected from staff in order to achieve the best results.
Who should be setting an example?
Even though senior management realizes the importance of embedding an Information Security Management System within the organization, it doesn’t mean that they don’t see the day-to-day additions to their roles as a chore (read the article 4 crucial techniques for convincing your top management about ISO 27001 implementation to learn how to achieve their buy-in). Let’s take a clear desk and clear screen policy (security control 11.2.9 – learn more about this control in the article Clear desk and clear screen policy – What does ISO 27001 require?) as an example. Management knows why they need to follow the policy, but may forget or find it to be an inconvenience. It is imperative to implementation success for the SMT to realize the impact of their behavior on the rest of the organization. ISO 27001:2013 Clause 5.1 states that “Top management shall demonstrate leadership and commitment with respect to the information security system.” Ever hear the phrase “lead by example”? Unsurprisingly, it works.
How you can gain internal buy-in throughout your organization:
- Get the senior management team involved in implementation as early as possible. Ensure that you get commitment from the whole team by asking them to sign off on the implementation plan. One member of the team should also commit to being the implementation project sponsor.
- Hold separate training sessions for the senior management team. This meeting should be approached in a completely different way from general staff training, and guidance should be provided on how they can behave and the attitude they should demonstrate in order to encourage system and process adoption.
- Communication is crucial. Ensure that the management team is continuously cascading the importance of the Information Security Management System throughout their teams to maintain momentum.
Overcoming barriers to successful ISO 27001 implementation
I have shared three barriers to successful ISO 27001 implementation above, and ideas you can consider for overcoming them. With the right project planning, senior management commitment, and clearly defined and communicated expectations, the likelihood of gaining internal buy-in from your front-line staff will be greatly increased. As with all organizational changes, taking employees with you on the journey, rather than giving orders, is a much more effective way to ensure that new requirements are embedded throughout the business. Remember, people don’t like change, so the more buy-in you can build, the better your chances of implementing your information security system successfully.
Register for this free online training ISO 27001 Lead Implementer course to gain knowledge about the standard and find the best ways to motivate your employees.
