
Expert Advice Community


Security Compromised because of Cost to Company

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016


My company uses Skype for communication and Dropbox to share large documents, and some of the projects should have access to social networking sites, such as Facebook and Twitter, because their business demands it.
DejanK Jan 12, 2016

Skype and Dropbox are mainly to reduce the cost to the company. Being a small-sized IT firm, the management is not in a position to buy licensed communication software. This may be one such instance, but I feel we are compromising on security in many aspects.

How should I handle this situation? The management is planning to go for external ISO 27001 certification. How should my controls support both the security and cost aspects?

Many companies use exactly the same tools, and yet they pass the ISO 27001 certification.

The selection of controls must be based on the assessment of your risks, so basically you can use less costly controls if they cover the risks - see also this article: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

Skype is generally considered to be pretty secure for communication; Dropbox is probably fine if you upload less confidential documents, while if you have highly confidential documents it would probably be better to use some other service that encrypts the files before sending them to the cloud. So the point is: you should select your controls based on the assessed risks.

Of course, all the software you are using must be licensed.
