LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

Why is management support non-negotiable for an ISMS?

Without management buy-in there is no budget, no authority, and no priority — and security work without those three is dead on arrival.

The blunt phrasing: "Ohne Management-Support geht gar nichts!" Three concrete failure modes follow:

  • Keine Ressourcen — no time, no money, no people to do the work.
  • Keine Kompetenzen — security has no power to give orders or enforce changes.
  • Keine Priorität — security loses every conflict against revenue-driving projects.

And the punchline: management owns the risk and decides on the resources to mitigate it. Security professionals can advise on residual risk, but the call to accept or treat it is a management decision — by ISO and by law.

Why this is also a legal issue: Under most jurisdictions (Swiss OR Art. 717, German AktG §93, etc.) board members have a duty of care that includes IT/cyber risk. An ISMS gives them the evidence trail that they exercised that duty.

Tip: If you're a CISO drafting an ISMS policy, the first signature page should be the CEO or board chair. Anything signed only by IT is treated as an IT preference, not a corporate rule.

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: May 31, 2026