Common mistakes in an ISO 27001 implementation

An ISO 27001 implementation does not have to be complex, yet we see organizations fall into the same pitfalls again and again. That is a shame, because with a good information security plan, a clear risk analysis focused on information security and effective maintenance, you can actually make it easier for yourself. Below are the common, recurring errors we encounter when implementing ISO 27001 with our customers, and how to prevent them.

This article was last updated on 24.03.2026. Written by Mathijs Oppelaar, Operational Manager & Partner.

1. Copying templates indiscriminately

It seems efficient: you copy a template verbatim so that your documentation is in order. But this is exactly how the problem ISO 27001 is meant to prevent arises. You end up with a pile of documentation that does not match the way you actually work. It becomes a paper tiger, and an auditor will call you out on it during an information security audit or ISO 27001 audit.

ISO does not ask for a folder full of documents; it asks for policies that you actually implement. Say what you do and do what you say, in the context of your own organization. Nothing more.

2. Looking too much at the standard and not thinking enough for yourself

ISO 27001 is not a rigid law. The standard deliberately leaves room to set up a system in a way that suits your organization. Yet we often see teams get stuck because they read the standard too literally. Information security under ISO 27001 is about making choices: what works for your processes, people and risks?

For example: a team wants to comply properly with ISO 27001 and reads the standard as if it were a strict manual. They see that security incidents must be registered and build an enormous, tightly defined Excel process that, in theory, is perfect. In practice, nobody reports anything anymore, because it takes too much time.

As soon as they go back to the basics, a quick and easy overview of incidents, a simple report form in the existing ticket system turns out to be sufficient. Well within the room the standard allows, and far more effective for their own processes and risks.

Hiring a Security Officer (or an Information Security Advisor) can help find that balance between freedom and structure.

3. Thinking that ISO 27001 prescribes which measures to take

The standard does not require you to use specific tools, badges, controls or systems. You decide that yourself, based on your risks. But if you do write down that you use badges, you should actually use them. It is about being able to rely on what you claim, not about ticking a checklist.

Imagine: you work in an office where there is hardly any sensitive data around. You simply have a clear key plan and everyone can work from home effortlessly. Then a badge system is not a logical step, no matter how often teams think "that's what ISO wants". The standard does not require you to work with badges at all; it only asks that you design physical security based on your own situation. In an organization with a thousand employees that context looks different. There you want to know exactly who came in and when, and an electronic access system is better suited to your risks and scale.

4. Treating ISO as an afterthought

Handing the ISO 27001 implementation to whoever happens to have some spare time is a recipe for delay. Information security needs priority, in all parts of your organization, not just IT. Otherwise the work stalls, there is too little support, and awareness among employees never gets off the ground. When the audit approaches, everyone suddenly starts running. That causes stress, but above all it reveals a low level of management involvement, and that is immediately visible during an audit.

5. Wanting to do everything perfectly

Many organizations think their ISMS must be perfect all at once before an auditor visits. That is really not necessary. ISO 27001 works with continuous improvement: you can start at a pass mark (a six out of ten) and build on it every year. In fact, an auditor who never sees opportunities for improvement is not doing their job properly. An organization is constantly changing, so your information security must change with it. Areas for improvement are normal, not a crime.

6. Letting the ISMS gather dust after certification

Achieving certification feels like a finish line, but it is only the starting point. Without maintenance, learning and improvement cycles and regular internal audits, the effectiveness of your system drops quickly. That is why periodic maintenance matters, whether you have your own Security Officer or temporarily bring in an Information Security Advisor to keep the system up to date.

7. Thinking that ISO 27001 is just IT

Information security affects the entire organization. HR, purchasing, legal, privacy, leadership, physical security and facility management all play a role. If employees think it is "nonsense", awareness is lacking and the risk of human error increases. And that is exactly where most security incidents start.

Parking ISO 27001 entirely with IT simply goes wrong. You need someone who takes ownership of all parts of information security: a Security Officer who does not do everything alone, but involves management and the other people responsible. It is not surprising that this person often comes from IT, but the work goes far beyond technology.

8. Underestimating the risk assessment

The risk assessment is the heart of ISO 27001, but this step is often skipped or rushed. Teams start on control measures right away and tick them off one by one. That is not how it works. An effective ISO 27001 risk analysis determines which measures are relevant to your organization. Only then can you make conscious choices and clearly explain why you do what you do during an NIS2 audit, ISO audit or internal audit.

9. No plan for the burden of proof

ISO is about demonstrability. That means you have to think beforehand about how you are going to collect evidence. Reconstructing the burden of proof afterwards almost always leaves holes in your system. So for every measure, objective and measurement and monitoring activity, decide immediately: how do we demonstrate this?

Preferably build on what is already in place. Take a critical look at your existing processes and gather the evidence and controls you need there, where you do not already have them. This keeps the system useful for your own organization and prevents you from inventing extra controls "for the ISO" just to tick a box somewhere.

10. A poorly defined scope

An unclear scope causes confusion. Which processes are covered exactly? Which systems? Which locations? Without a clear definition it becomes difficult to set up a consistent system, and you can run into unpleasant surprises in the audit.

No checklist

Implementing ISO 27001 is not a checklist exercise or an IT party. It is an organization-wide process that starts with a good information security plan, a thorough risk analysis and consistent maintenance. With the right guidance, you can avoid the pitfalls that sideline many organizations.

A checklist can still help, though, because the standard requires a few fixed components, such as the management review and the internal audit. Our checklist simply ensures that you do not overlook those mandatory points. You can download that checklist here.

Want to know more about how we can help you? Schedule an informal and free consultation below.

