---
title: "Security isn't an IT problem, it's a management issue"
language: en
proposition: advisory
series-id: s01
series-title: "Security as an organisational challenge"
series-part: 3
audience:
  - leadership
channels:
  - linkedin
linkedin-account: personal
content-type:
  - post
status: published
publish-dates:
  linkedin: 2026-05-15T17:30:00Z
published-urls:
  linkedin: "https://www.linkedin.com/posts/richardkranendonk_managingsecurity-iso27001-resilience-activity-7461105663067283456-E_-F"
notetype: publication
isotags: []
tags: []
---

`Posted on 15 May 2026 19:30 CEST to LinkedIn personal stream`

# Security isn't an IT problem, it's a management issue.

That was the core of the previous two posts. The question remains: how to embed security in your organization?

Individual measures help, but in an organization that keeps moving, they quickly fall short. People leave, ways of working change, new tools are introduced, laws and regulations evolve.

You need to establish a management process that makes risks visible, assigns ownership, and allows for corrections. ISO 27001 provides a framework for exactly that.

ISO 27001 doesn't have the best reputation: unnecessary bureaucracy, paperwork overload, 14 sign-offs for every change. That's unfair. It's a framework you can tailor to your organization. At its core: managing risks, assigning ownership, and continuous improvement. Robust enough for corporates, flexible enough for smaller organizations. And you can reap the benefits without pursuing certification.

Ask yourself: how has my organization made sure that information security doesn't depend on one person, one moment, or one department?

I'd be curious to hear how that's arranged in your organization. Feel free to send me a message if you'd like to compare notes.

— Security as an organizational challenge — 3/3

\#managingsecurity \#iso27001 \#resilience