ISO 27001 is a pretty great standard for building a system to manage your information security. It’s a good strategic move for companies wanting to protect information appropriately, based on the level of risk associated with that information, and it’s useful for demonstrating your compliance to customers and any other stakeholders or interested parties. However, it can be a head scratcher at times, and if you don’t understand something or if you skip a step, you can find yourself driving straight into that spike trap or hopping that fence only to find a deep pit on the other side.
Obviously, getting derailed by issues can be a frustrating, demoralising and resource-draining experience. Below we’re going to try and cover most of the common pitfalls you may encounter whilst implementing 27001, so you can avoid them!
Without a doubt, the biggest pitfall is management support and engagement. So let’s start there:
1. The Lack of Management Support
Implementing 27001 needs senior management commitment. Adopting these principles can be painful. If employees within the business see senior management not following the principles and not leading by example, they will believe there is no point doing it themselves; it will be a case of them sitting and nodding their heads until you, as the person implementing the system, run out of momentum, and then everything will get shelved and forgotten. Equally, even if your system is already well established and in place, without visible and consistent support from leadership the management system and its processes will lack authority. Without buy-in from management you also face a lack of resources being made available to implement and maintain the system, and it will ultimately lack the strategic alignment needed to keep it going long term.
How you can avoid this
Make sure the business case for having ISO 27001 is established, but also clearly and succinctly communicated to leadership. Know your market: if your senior management are all about brass tacks, then bring it back to money. Having 27001 may cost X, but it opens Y markets and could potentially save you Z in costs from being sued or fined for a data breach.
If you want to go further, demonstrate how it aligns with business goals such as regulatory compliance, customer trust, and operational resilience.
2. Failure to Embed the ISMS in Daily Operations / Resistance to Change
This builds off the first pitfall, lack of support. Failing to embed the ISMS into your daily ops has consequences at the employee/staff level: if people aren’t interacting with the system regularly, they won’t pick it up, use it or potentially even understand it. If people don’t understand why you’ve put the system in place (or if they are just stubborn old mules!), then they are also likely to be resistant to that change; they might view it as an unnecessary extra burden that will just slow down their work during the day for little perceived gain.
Some companies like to treat ISO 27001 as a one-off project that they only need to think about once or twice a year. The result is that security controls aren’t always maintained and compliance degrades fairly quickly (but if you’re lucky you’ll find all those issues during your internal audits a week before your surveillance visit, right?). Again, people can also be resistant to adopting the system if it disrupts their routine and is then ‘only’ used during audits.
How you can avoid this
Daily beatings and public executions! I joke, of course… no, the best way to avoid resistance to change is comprehension: teaching, training and helping people to understand why these processes are being put in place, and then, obviously, maintaining their consistent use. Build information security into the core culture of the business, establish regular reviews, monitor key aspects of the system and provide updates about the system to all staff. Get their buy-in, align it with other business processes, or perhaps even make it one of the metrics used in performance-based reward systems if you have that kind of thing in place.
3. Lack of Awareness and Training
Another pitfall that builds on the other two (you can see a trend amongst the biggest reasons, right?) is lack of awareness and training. People are often one of the biggest risks to information security. If employees aren’t aware of your policies, if they don’t comprehend what counts as information or data they need to protect, or if they don’t know what to do in order to protect it, then even the greatest technical controls in the world will fail.
How you can avoid this
Develop and implement awareness training that is comprehensive and structured. You also need to tailor this to your employees, their roles and responsibilities, and their level of access to specific data; don’t just drop everyone in front of a 3-hour presentation covering your A-Z. A cleaner doesn’t need to know the finer points of secure code writing and peer review, but they do need to know about physical access control and securely destroying physical records (making sure paper records are shredded etc. before just chucking them out), or making sure they don’t unplug the server so they can plug in the vacuum! Believe us, it’s happened before.
4. Underestimating Resource Requirements
An easy mistake to make is underestimating the resource needs. Implementing and then maintaining the ISMS does require time, expertise and financial investment and commitment: learning the standard and how it applies to your business, having people with the correct knowledge, and using their time and your own, etc. If you misjudge the demands it can lead to delays, overworked employees (and yourself) and ultimately subpar results.
How you can avoid this
Take a step back, slow your roll for a minute and try to develop a realistic project plan that covers staffing, training, tools and other stuff. Which, granted, is a lot easier said than done; like really, how do you plan a project if you’ve never done something like it before? Definitely a non-answer answer, right? So personally, I’d say you should opt to use us, your friendly neighbourhood consultants! Asking someone with experience is a fantastic way of helping to gauge resource needs.
5. Neglecting Internal Audits and Continual Improvement
Internal audits are a key requirement of many ISO management systems, not just 27001. But it’s very easy to leave them until the last minute, so they end up rushed or treated as mere checkboxes. Without some genuine internal auditing and follow-up, problems can go unnoticed and your system will stagnate until you get slapped in the face with minor or major non-conformities at your surveillance visits.
How you can avoid this
Super easy: plan ahead and schedule regular internal audits; do this as part of your annual financial and management planning at the start of each year and stick to it. Oh, and make sure you are using trained personnel, ideally ones who are as impartial as they can be to what’s being audited (get someone from team/department A to audit team/department B, etc.). You should then also treat these findings as opportunities for improvement rather than failures; nobody likes being derided for failing. (We can also do internal audits for you instead if you want!)
6. Poorly defined ISMS Scopes
This can be a fairly common mistake, and it can be quite a nuanced skill to write and frame scopes for management systems; we help define scopes all the time for our clients, so I’ve only seen a few of these situations in person. That being said, scoping down too narrowly can miss critical systems or fail to accurately reflect the operations of your business. With accredited certifications you’ll get a certificate with the scope of your management system printed front and centre on it (if you want to know more about accredited certification, we have another blog post here about it).
Equally, if you go too broad then it can become unmanageable and you’ll be auditing for weeks on end, both internally and externally! Basically, an improperly scoped ISMS leads to gaps in your system’s coverage or excessive complexity.
How you can avoid this
Set aside some time to sit and think about what your company’s risks are (what your risk profile is) and what your operational needs are. Consider your legal, contractual and stakeholder requirements, and try to be as specific as possible about which parts of the organisation need to be included within your scope. Write your scope down, leave it for a while, come back and read it again, or fire it around the office and other managers to see what other people think about it. (If you are implementing 27001 for a specific customer contract, it might be worth getting clarity from them around what they are looking for the certificate to cover.)
7. Inadequate Risk Assessment
Risk assessments are a foundational aspect of ISO 27001. However, many companies wind up only doing superficial or generic assessments that don’t accurately reflect their real risks. As a result, your controls may be misaligned or irrelevant.
How you can avoid this
Break down your assessments to look at context-specific aspects of the business. Look specifically at just hardware, or just software, physical, people, etc., then talk them through with people from different teams and roles in the business to see if they associate different risks with those aspects. Use a consistent structure for how you score your risks, tie them back to the Statement of Applicability (SoA) within 27001, and ensure that risks are regularly reviewed and updated (build this into your internal auditing schedule!).
8. Overemphasis on Documentation
Documentation is an important component of ISO 27001; within the standard there are sections that state “‘X’ shall be available as documented information”. However, overemphasising it at the expense of actual implementation is a big pitfall, especially with purchased toolkits (don’t get me started, just ask me about the dark abyss of toolkits if you ever get the chance!). Some companies end up producing extensive and sometimes unnecessary documentation that is never understood or even read by employees. It will weigh your system down and will likely cause you more non-conformities during external audits, because the documents have not been maintained correctly or at all.
How you can avoid this
Focus on meaningful, usable documentation. Policies and procedures should reflect actual practices and be integrated into daily operations. Train your staff on how to apply them. Consultants like ourselves can also help you trim the fat when it comes to documentation if needed. Understanding what’s actually required to be documented versus what isn’t is helpful information to have when doing any of the different ISOs.
9. Poor Change Management
A bit more of a niche issue, change management is an easy one to miss. And IT guys, this doesn’t just mean your change control processes for managing code updates and deployments. This relates to practical business changes: updates to the management system, changes to internal business processes, personnel and technologies. Yeah, it’s cool you’ve found some new software or you’re in the process of moving your entire filing directory to the cloud, but have you actually planned it out and recorded what you are doing? Something perceived as innocuous as moving an employee between departments does have information security implications (permission levels changing in data accessibility, that person’s knowledge of X task, the availability of information they hold, and if they are the only person helping Y customer and they move, who has access to the information needed to continue helping that customer, etc.), and you need to manage that.
How you can avoid this
I know you’re probably busy running the business and doing the changes on the fly, but you should integrate your change management into the lifecycle of the ISMS. Build the system so that changes are reviewed during the management review, or hold monthly informal reviews to flag changes and keep a track record of them; record planned changes and conduct risk assessments for those planned changes.
10. Inadequate Incident Response Planning
Security incidents are the dreaded bane of today’s digital world; however, many companies still find themselves taking the hope-and-pray approach. Emergency response and business continuity planning are great buzz phrases, but it’s very easy for them to end up as only basic top-level plans around how you will respond. Having a weak and untested system can lead to confusion, delayed reactions to issues and ultimately a greater extent of damage during a breach.
How you can avoid this
Develop a response plan AND TEST IT. Run that thing through the wringer! Plans should ideally include specifically defined roles, so people know what they are doing and who to report to, and communication strategies for when you need to contact specific people (including customers). Also make sure you do a proper post-incident analysis: learn from the incident and try to stop it happening again. As I say, test your plan regularly by running simulations and adjust it based on lessons learned. Oh, and make sure you cover different types of incidents, not just the same old easy-to-do scenario.
Conclusion
Hopefully you’ve found this interesting. ISO 27001 implementation is a powerful way to build trust, reduce risk and enhance your operational resilience. But the journey is not without its challenges. By being aware of the common pitfalls and proactively addressing them, we reckon you should be able to avoid costly missteps and create a management system that works for you and that delivers lasting and reliable value.
Successful implementation is less about checking boxes and more about embedding a culture of security throughout the company. With proper planning, commitment and continuous improvement, ISO 27001 can become a cornerstone of your company’s success in managing information security.
If you’d like help with getting your system off the ground, if you’d just like a little guidance or, hell, just some internal audits doing, then hit us up using our contact webform or give us a ring.