Implementing ISO 27001 provides your organisation with several benefits: compliance with legal requirements, better security for data, and improved stakeholder confidence. What’s the catch? Getting ISO 27001 certified successfully is challenging if your organisation is doing it for the first time.
Since the ISO 27001 standard is designed to be customisable to your organisation, there are several instances where businesses could go wrong in their implementation process.
Based on our extensive experience of working with varied clients, we’ve compiled a list of the most common pitfalls businesses face when implementing the standard, along with advice on what you can do to avoid them.
Questions that we answer in this article:
1. Not defining the right scope
Finding the right scope for your organisation’s ISMS can be tricky. Organisations often set over-ambitious goals for implementing their ISMS, which leads them to adopt redundant and unnecessary controls and processes. The result is wasted resources, a higher cost of information security and demotivated employees chasing unachievable targets.
On the other hand, an organisation may define its scope too narrowly, so that controls it actually needs are never adopted. This can lead to non-compliance with the ISO 27001 standard and make it appear during the certification audit that your organisation is not in control of its ISMS.
How can you avoid it?
To define the right scope for your organisation, first identify the gaps in your organisation’s information security through risk assessment and then prioritise implementing the missing best practices.
Since implementing ISO 27001 is a continuous process, it is essential not to aim for perfect information security by trying to get everything done immediately. A good start to your ISO 27001 implementation is to identify what you can implement now to close critical information security gaps, while also planning the steps you can take later to reduce the risk further.
2. Lack of management commitment
In many organisations, implementing ISO 27001 is considered an IT exercise and the responsibility of the IT department. In reality, it is a management standard for information security. The upper management in an organisation may not see the value the implementation of ISO 27001 adds to the business, and they may be hesitant to commit to its full implementation.
How can you avoid it?
Educating your upper management on the evolving risks organisations face in the modern business context, such as data breaches and malware, could help you communicate the value of information security. Try translating ISO 27001 compliance into the value it adds to your business when talking to your executives. Gaining top-down support would enable your whole organisation to embrace compliance as part of its day-to-day operations.
3. Under-resourced projects
Often, the implementation of ISO 27001 falls to a single individual or team within the organisation. This approach can create information security silos in which only a very few people are aware of the controls and procedures around the ISMS and the other aspects of the standard. Losing those individuals could cause the collapse of the entire ISMS.
How can you avoid it?
An ISMS is a holistic project affecting the entire organisation and should be treated as such. Spreading the responsibility across the business will help you avoid disruptions in implementing the standard and will also help employees understand the risks. Recruiting information security experts, hiring consultants and using information security management software are all options you can explore, individually or in combination, according to your organisational needs.
4. Technical feasibility issues
When organisations consider information security as solely implementing technical measures, they can overspend by adding layers of defensive technology without considering the unique threats the business may face on other fronts. This approach can increase the cost of information security while leaving the organisation vulnerable to other threats.
How can you avoid it?
Consider a comprehensive approach to information security by including all the domains that make up your organisation's security posture. Administrative measures such as controls, sanctions, processes, and awareness ensure the organisation systematically implements the standard. Technical measures increase the business’s resilience against cyber threats, while physical and environmental measures improve the physical security of information.
5. Over-reliance on tools
While software tools and document checklists make implementing ISO 27001 significantly easier for your organisation, relying on them entirely to become compliant can leave you exposed to risks.
How can you avoid it?
Use software to streamline your ISO 27001 implementation, but make sure you tailor it to fit your organisation. Continually review and improve your ISMS, integrate those changes into your software tool, and keep a human element in place to monitor the system.
Get help on your ISO 27001 certification journey
Implementing the ISO 27001 standard may feel daunting at first. However, it’s important to remember that the goal isn’t to achieve ‘100% security’ but to handle your organisation’s risks according to your risk appetite.
By prioritising the most critical risks first, focusing on continuous improvement and staying on top of your ISMS, you can successfully implement and maintain the ISO 27001 standard.
If you feel overwhelmed by the complexity and the practical issues of implementing the standard, talk to one of our certification experts. We speak your language and can help you with every step of your certification journey.