Recovering an ISMS implementation
Answer:
The main points here are to focus on business benefits, low costs and quick wins.
To resume a poorly implemented ISMS, or to convince management to implement security practices without external enforcement, you should focus on solving problems your areas are currently undergoing (e.g., low performance on KPIs, unplanned downtime, rework, non-compliance fines, missed deadlines, etc.) by means of quick implementation of controls based on solid risk assessments (and less focus on the other elements of the management system).
It may seem odd to start like this, but the point is to try to gain/regain top management commitment and people's trust in information security (few but effective controls will help you with that), and only after achieving that should you try to demonstrate that in the long run the gains can only be maintained with the help of the other elements of the management system (e.g., internal audit, management review).
These articles will provide you further explanation about ISO 27001 benefits:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
Nov 26, 2018