Why is management support non-negotiable for an ISMS?
Without management buy-in there is no budget, no authority, and no priority — and security work without those three is dead on arrival.
The blunt phrasing: "Ohne Management-Support geht gar nichts!" Three concrete failure modes follow:
- Keine Ressourcen — no time, no money, no people to do the work.
- Keine Kompetenzen — security has no power to give orders or enforce changes.
- Keine Priorität — security loses every conflict against revenue-driving projects.
And the punchline: management owns the risk and decides on the resources to mitigate it. Security professionals can advise on residual risk, but the call to accept or treat it is a management decision — by ISO and by law.
Why this is also a legal issue: Under most jurisdictions (Swiss OR Art. 717, German AktG §93, etc.) board members have a duty of care that includes IT/cyber risk. An ISMS gives them the evidence trail that they exercised that duty.
Tip: If you're a CISO drafting an ISMS policy, the first signature page should be the CEO or board chair. Anything signed only by IT is treated as an IT preference, not a corporate rule.