Not the budget. Not the tools. But leadership.
Two companies, similar in size, with the same goal: to implement ISO 27001
and get certified.

Company 1️⃣
Goal: “Get certified in 5 months!”
Tone: “We just have to do it.”
Typical phrases:
→ “ISO requires it!”
→ “It has to be this way—because of ISO!”
No real management commitment. Constantly shifting priorities. Operational chaos instead of clear direction.

Company 2️⃣
Management at the all-hands meeting:
“We’re doing this because we want to grow through it.”
Clear message:
→ Part of day-to-day operations
→ Focus on benefits, not on certification
→ Prioritization driven from the top

… 14 months later

Company 1️⃣
❌ Escalations
❌ Procrastination
❌ Excuses

Company 2️⃣
✅ Certified for 4 months
✅ Relaxed teams
✅ Real added value in everyday work

The employees? Engaged rather than overwhelmed.
The real insight: ISO 27001 doesn’t fail because of the standard.
It fails because of leadership and communication.

Those who try to force information security through by brute force will fail. Those who lead by example and explain it will succeed.

How do you lead—with pressure or with direction?

Tags

Share post

More articles

One of the core competences of cloud service providers is the safeguarding of infrastructures with regard to IT security. But what should be taken into account when using the cloud? The cloud has many advantages:...
When looking for tools to help you implement ISO 27001 or SOC 2, you will also come across so-called (compliance) automation platforms that promise to take up to 90% of the work off your hands...
The revision of ISO 27006 brings significant changes for ISMS audits according to ISO 27001—especially for digitized companies. I have looked into this and identified the following key points: New calculation logic for audit days...