Approaching management

Answer:

For situations like that you have to explain them that the proper approach would be base for their decision on which controls to use as results of risk assessment and legal requirements (e.g., contracts, laws and regulations). This way you can decrease friction, because you would be working only on risks that people consider relevant, or that they have to treat because they have external enforcement to do that (by means of clauses on service agreements, on customer contracts, or on laws/regulations).

This article will provide you further explanation about selecting security controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

For a better commitment you should convince your top management about the benefits of information security - here's the article that will help you: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

These materials will also help you regarding selecting controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/