Not the budget. Not the tools. But leadership.
Two companies, similar in size, with the same goal: to implement ISO 27001 and get certified.

Company 1️⃣
Goal: “Get certified in 5 months!”
Tone: “We just have to do it.”
Typical phrases:
→ “ISO requires it!”
→ “It has to be this way—because of ISO!”
No real management commitment. Constantly shifting priorities. Operational chaos instead of clear direction.

Company 2️⃣
Management at the all-hands meeting:
“We’re doing this because we want to grow through it.”
Clear message:
→ Part of day-to-day operations
→ Focus on benefits, not on certification
→ Prioritization driven from the top

… 14 months later

Company 1️⃣
❌ Escalations
❌ Procrastination
❌ Excuses

Company 2️⃣
✅ Certified for 4 months
✅ Relaxed teams
✅ Real added value in everyday work

The employees? Engaged rather than overwhelmed.
The real insight: ISO 27001 doesn’t fail because of the standard.
It fails because of leadership and communication.

Those who try to push information security through by brute force will fail. Those who lead by example and explain it will succeed.

How do you lead—with pressure or with direction?
