You are here

What are the common pitfalls during an ISO 27001 implementation?

White Papers & Publications
28 February 2019

Fourth chapter of our ISO 27001 story written by our experts. Discover the common pitfalls you could encounter during an ISO 27001 implementation.


The right scope: too ambitious or not enough

Defining the right scope for implementing an ISMS (Information Security Management System) can be tricky. On one hand, some large and complex organizations could over-estimate the planning and adopt a 'too-ambitious' approach including a lot of non-required tasks, activities, and resources.  As a result, the risk to squander resources, not reaching the target and demotivate the team will likely increase. On the other hand, organizations squeezing their scope to much (exemple: by excluding some controls from the Statement of Applicability or neglecting some of their interfaces wen defining the boundaries of their scope) will likely encounter non-conformities during the certification audit as they were not able to demonstrate that they are fully in control of their information security management system. The recommended approach for a realistic  ISMS implementation plan across the organization is to execute  pragmatic risks assessment blended with the implementation of missing best practices. The result is a company well-adopted Statement of Applicability (SoA) and planning. The auditors will be then confident with the ISMS implementation. ISO 27001 is based upon continuous improvement, therefore its implementation doens’t need to be a ‘big bang’  and does not require all elements in place to bring benefits.


Lack or poor roles and responsibilities definition

A typical pitfall is to consider an ISO 27001 implementation project is as an IT project and the involving resources from that department only. In many cases, the CISO (Chief Information Security Officer) is also still reporting to the IT manager and, as a result, only technical measures are considered. An ISMS (information security management system) is in fact a transversal project impacting holistically the whole organization and its departments, executives, staffs as well as partners. Sponsors as well as the project leader shall be mandated from the executive level. That implies that all project actors shall be clearly identified, and their roles and responsibilities stated and communicated across the organization.


Lack or poor buy-in from the executive level

In certain organizations, the Executive level does not see what the added values of an ISMS for their businesses are. Some organizations (local as well as international) perceive their cyber footprint as insignificant and still cannot imagine that they can be a target for cyber criminal such as disclosure of confidential or privacy data, malware attack, cyber blackmail, etc. In this case, the executive level don’t consider that an ISMS implementation is a real added value for their organization, customers and employees. Few years ago, during the first major ransomware attack wave, many organizations have stopped their activities once there are crypto-locked for the following reasons: no security policies implicate no backup, no awareness campaign, no recovery plan, etc.


ISMS? Not for us, we spend widely in technical security measures.

Information security can be considered as a strong 4-link chain in the overall security posture of an organization will be as strong as its weakest link. Administrative measures (the first link) regroup policies, awareness, controls, sanctions, processes, etc. and are used for formalizing how we need to act when we live and work together for an organization. Technical measures (the second link) are IT-related security measures such as encryption of laptops, deployment of antimalware to all workstations and servers, installation of firewalls, etc. Physical measures (the third link) describe all security measures used and deployed for securing buildings, entrances, offices and premises, energies, telecommunications, etc. Environmental measures (the fourth link) are used for mainly avoiding natural damages (flooding, earthquakes, hurricanes, ...) when an organization is deploying new infrastructures like new data centres, buildings, etc. In order to obtain a strong security and a well-defined ISMS, those 4 security domains shall be considered together as an indivisible entity.


From pitfalls to success

  1. Take some time to well define your scope and always ask yourself: will I convince the auditor?
  2. Prepare a change management plan: identify obstacles, build your team, consider the whole organization, and prepare your communication plan. 
  3. In this plan, please ensure you can translate ISO 27001 into word that talk to your team (“what’s in it for me”)
  4. Focus on quick wins and low hanging fruits
  5. Do not focus underestimate the 4-link chain


This article has been written by André Staquet,  Approach Community Partner.

Share this publication