Not the budget. Not the tools. But leadership.
Two companies, similar in size, with the same goal: to implement ISO 27001
and get certified.

Company 1️⃣
Goal: “Get certified in 5 months!”
Tone: “We just have to do it.”
Typical phrases:
→ “ISO requires it!”
→ “It has to be this way—because of ISO!”
No real management commitment. Constantly shifting priorities. Operational chaos instead of clear direction.

Company 2️⃣
Management at the all-hands meeting:
“We’re doing this because we want to grow through it.”
Clear message:
→ Part of day-to-day operations
→ Focus on benefits, not on certification
→ Prioritization driven from the top

… 14 months later

Company 1️⃣
❌ Escalations
❌ Procrastination
❌ Excuses

Company 2️⃣
✅ Certified for 4 months
✅ Relaxed teams
✅ Real added value in everyday work

The employees? Engaged rather than overwhelmed.
The real insight: ISO 27001 doesn’t fail because of the standard.
It fails because of leadership and communication.

Those who try to force information security through by brute force will fail. Those who lead by example and explain it will succeed.

How do you lead—with pressure or with direction?

Tags

Share post

More articles

Recently at an NIS 2 workshop with a client’s management team.Topic: Reporting requirements for IT security incidents. The central BSI portal for reporting security incidents has recently been launched – which is good and right....
A study by G DATA, Statista and brand eins confirms that IT security in the DACH region is in a poor state. Many organizations still believe that attackers are not interested in them. The organizations...
Many organisations trust that their own systems and applications “will be secure somehow”. Especially when third parties such as IT service providers or cloud services are used, the trust in IT security is great. Our...