Budgeting is generally a dreaded, stressful management task. Not only do we have to figure out the figures but we typically anticipate a tough battle ahead leading (probably) to a disappointing outcome and yet more problems.
On top of that, 2020 has been an exceptional year thanks to COVID. The business and information security implications of knowledge workers suddenly working from home, en masse, are still playing out now, while the economic impacts of COVID do not bode well for any of next year's budgets except perhaps for the manufacture of vaccines, masks, gloves, sanitiser and respirators.
- The objectives for the Information Security Management System - what it is expected to achieve;
- How broadly or narrowly to scope the ISMS;
- At what pace to implement the standard, and how precisely;
- What resources to assign to the implementation, not least a suitable implementation project manager/consultant and project team;
- Priorities for this work relative to other business activities, objectives and requirements, making adjustments as necessary (both initially and as the project proceeds when stuff comes up - as COVID did, for instance);
- Alignment with other corporate projects and initiatives e.g. exploiting strategic opportunities to update various systems, policies and processes for security and other reasons, at the same time;
- Change management aspects: does the organisation have the capacity and appetite first to adopt and assimilate the ISMS, and secondly to get the most out of it;
- Project risks e.g. the possibility that things probably will not go entirely to plan, hence the need for dynamic responses and contingency funds.