You are here

What are the typical roadblocks to launch an ISO 27001 certification project?

White Papers & Publications
21 February 2019

Third chapter written by our ISO 27001 experts. Have a look at the typical roadblocks you can encounter during an ISO 27001 certification project.


In this fast-growing market and in a competitive industry, organizations that take data security and data privacy seriously are more trustworthy than those who don't. Therefore, being ISO 27001 certified would ideally boosts your opportunities, enhances your processes with security mindset and brings confidence to customer and partners. Although being certified brings a lot of benefits (see chapter 2 - 14 February), organizations are often reluctant to implement this international standard, but why?

Organization priorities

Organizations are mainly focused on their business, their objectives and their growth. Implementing a standard like ISO 27001 is seen as a burden, with all those potential new processes that have to be implemented like Risk Management, Vulnerability Management, Asset Management, and all those controls that have to be carried out regularly. 
Who will do this within an organization where resources are limited, where there is no internal knowledge and where there will be a need to invest in tools? Moreover, norms seems to be complex and, most of the time, not easy to understand if your business uses information security systems only as supporting asset rather than a service like hosting.


Initial investment

The initial investment can also be a reluctant factor, depending on how mature your organization is (are risk management, asset management, access management already part of your processes?). The ISO 27001 may represent an huge additional effort, because without a strong management commitment, the implementation could turn into a nightmare.

Let’s take two examples:  

  • Vulnerability Management: Implementing a vulnerability management process represents an investment that every organization should take into consideration. This process needs to be supported typically by a tool (commonly a vulnerability scanner). Before deciding if you want to use an opensource tool or a licensed version think twice: an opensource is obviously free but will not offer you the full range of functionalities (like flagging false positives) that a commercial product will propose. 

Tip: First, you can start with a monthly scanning. Rapidly you will figure out that a scanner should run day and night and that alerts should be scripted to inform the teams, because you’ll realize that cybercriminals never sleep.

  • Change Management: an organization needs to demonstrate that ‘Security’, typically the CISO, is and should be involved in all changes (i.e. software, infrastructure, development, services, location…) simply because those changes could have an impact on the security. Often, people tend to face resistance to change, because organizations have the perception that the workload and cost will increase, and so there is reluctance to admit the shortcomings or simply misunderstanding what is required and why it is useful. 

Tip: Implementing a change management can easily be started by identifying the quick wins, go for the low hanging fruits, by using and/or deriving existing tools (like ticketing system). Also, awareness is a key factor to success and to ensure that everybody is onboard.  


Human factor

Another factor that could endanger an ISO 27001 implementation is the human factor, you all know the valley of despair when it comes to ‘changes'. Changing mindset, bad habits, feeling resistance to new processes can slow down any implementation. But believe us, once the organization is certified, no one wants to step back to the ‘good old days’ where everything was possible, but at what price and what risks? 

Hopefully, some partners exist to support companies facing those roadblocks.

This article has been written by Marc Degembes, Principal Consultant.

Share this publication