When an organisation decides it needs ISO 27001, the first instinct is almost always the same: find the most technical person in the building and hand them the certificate. The one who knows the firewalls, who can read a control like a sentence, who already speaks in acronyms. It feels logical. Security is technical, so a technical person should own it. I have come to think this is one of the more expensive mistakes a company can make at the start, and it took me a while to see why. The person who should own your certification is not your most technical person. It is your best diplomat.
The Triangle You're Standing In
The moment you take on a certification, you are not really standing in front of a documentation problem. You are standing in the middle of a triangle, and you have to keep all three corners happy at once.
The first corner is the management team. They hold the budget, the authority and the time, all of which you will need and none of which they will give away easily. The second corner is the auditor, internal and external, who arrives with a process of their own and a list of things they need to see. The third corner is the people, everyone who actually does the work the controls are meant to protect, and who will quietly decide whether any of this becomes real.
Certification looks like a paperwork exercise from the outside. Spend a month inside one and you realise the paperwork is the easy part. The hard part is that you are constantly negotiating between three groups who want different things, on different timescales, in different languages. You will never please all three perfectly. The skill is keeping all three satisfied enough that the work keeps moving. That is not a technical skill. That is stakeholder management, and it is the capability the whole thing rests on.
What Each Corner Needs
Each corner of the triangle asks something specific of you, and they are not interchangeable.
The management team needs buy-in that is genuine, not performative. There is a version of compliance that exists only because a tender demanded it, and everyone involved can feel the difference. The work goes cold the moment the deal closes. What you actually want is the intrinsic version: a leadership team that understands, in their own terms, why having security in order matters to the organisation regardless of who is asking. Getting there is the real first step. It is the trigger for everything downstream, and nothing lands properly until it exists.
Once you have that commitment, your job flips from convincing them to protecting their time. Leadership does not want to wade through risk methodology. They want clear, pre-chewed decisions. The mechanism that makes this work is the management review, ideally run every quarter, where you bring the few decisions that genuinely need their attention. Each one arrives as a yes or no: here is the problem, here is what I think we should do, here is roughly what it costs. Quantified, decided, done. Do this well and the management review stops being a box to tick and becomes the engine room of the whole programme.
The auditor needs a relationship that surprises most people. The instinct is to treat the auditor as an examiner, someone to survive. The better posture is to treat them as an ally. There is genuinely more administrative weight to an audit than you expect: scheduling, coordination, the records that auditors themselves have to keep so they can show their own accreditation body they are auditing properly. Absorb as much of that planning burden as you can. Then prepare your people, because the part that quietly derails audits is the interview. Staff hear the word audit and imagine an exam they might fail, and they get nervous for no good reason. A short, honest brief on what an interview actually is removes most of that fear. What comes back out of the audit is findings, and findings are not a verdict. They are input. They get documented, turned into plans, decided on with the management team, and then landed with the people. The auditor is one corner to manage, and how you choose one in the first place is a separate question worth its own article.
The people are where all of it has to actually land, and they are the corner most programmes underinvest in. Roughly eighty per cent of risk lives in human behaviour, which means every decision you make and every finding you close is only as real as the behaviour change it produces. This is where you sit down with the groups that matter: HR around joining and leaving, operations around using tools safely, IT as the support layer underneath, and the suppliers and partners who need to understand how you expect them to work. None of this is about watching anyone. It draws only on what an organisation already does and already knows about itself. The difference between landing here and not landing here is mostly tone. You do not want to be the person who walks in and the room thinks, here he is again about passwords. You want people to find it interesting, even enjoyable. That sounds soft. It is the whole game.
The Job That's Left After the Paperwork
For most of the history of this work, something like eighty per cent of the effort went into getting documentation in order. Writing it, formatting it, keeping it current, producing it on demand for an auditor. It was the bulk of the job, and it was the part nobody enjoyed.
That part is now largely automatable, and this is the quiet shift I find genuinely exciting. When the documentation produces itself from what is actually happening, that effort does not disappear. It gets freed. It can go where it was always supposed to go: to the people, and to actually improving how an organisation behaves. This is the direction we are building toward at Askara Solutions, automating the paperwork so the human part can take centre stage rather than fighting for the scraps of time left over at the end of a busy week.
A few small things start to become possible once that time exists. Communication is the first thing to collapse when work gets busy, and it is the most damaging thing to lose, so having AI help draft an update or a report means the thread does not go quiet for a fortnight. Training can stop being an annual event nobody remembers and start happening at the right moments instead: a short microtraining triggered by an after-action review when an incident gets logged, while the lesson is still warm. A business continuity exercise can be run with the whole team as something closer to a light escape room than a fire drill. These are illustrations, not the point. The point is that the time to do them only exists once the paperwork stops eating it.
The Person to Appoint
So when someone asks who should own this, I no longer point at the org chart and look for the most technical name. I look for a profile. Someone who can stand firm enough to be taken seriously by the management team, and talk to them at their level without flinching. Someone who can sit across from an auditor as a partner rather than a suspect, neither intimidated nor defensive. And someone who is genuinely likeable to the people, who can make the unglamorous parts of security feel worth caring about rather than worth avoiding.
That is a diplomat, not an administrator. And it is worth noticing what kind of work this actually is. The paperwork was the part a machine could eventually do. Holding three sets of human interests in balance, reading a room, building real buy-in, making people care, that is the part no machine is going to take from you. It also happens to be the part worth enjoying. The certificate was never the prize. The conversations on the way to it were.