ISO 27001 Certification: Common pitfalls

Let us break it down for you. The ISO 27001 certification is not a walk in the park, and unlike riding a bike, it does not get easier once you have learned it. Challenges will arise, and when they do, mistakes will be made. Mistakes, though, are proof that you’re trying. Just make sure you don’t make them twice.

We all make mistakes. That’s no different on the journey towards ISO 27001 certification: the official certification that demonstrates your organisation handles its data securely. We have summed up the common pitfalls that you could encounter during an ISO 27001 implementation. Today, we are going to share those with you.

ISO 27001: Cope with the scope

“Scope [ skohp ] – noun – The extent of the area or subject matter that something deals with or to which it is relevant.” When certifying for ISO 27001, defining the right scope for implementing an ISMS (Information Security Management System) can be tricky. It can easily be either too ambitious or too narrow. Adopting a too ambitious approach could lead to not reaching targets and demotivating the team. On the other hand, organisations that squeeze their scope too much will likely encounter non-conformities during the certification audit, as they cannot demonstrate that they are fully in control of their ISMS.

Lack of roles and responsibilities

Never consider the ISO 27001 implementation project as an IT project involving resources from that department only. ISO 27001 certification is a project impacting the entire organisation and all its stakeholders. Everybody involved should be identified, and their roles and responsibilities should be communicated across the organisation. Also, to help prevent the ISMS from falling apart because of changes in key personnel, we recommend that all companies appoint a designated survivor with a general understanding of the ISMS. Netflix taught us well.

Not knowing the worth of ISO 27001

Unfortunately, some organisations perceive their cyber footprint as insignificant and do not see the added value of ISO 27001 certification. That’s too bad. ISO 27001 guides the implementation of appropriate measures to mitigate privacy and security risks, with recommended technical measures in line with the requirements of the GDPR. It helps you to comply with the GDPR, as it provides an excellent starting point for organisations looking to implement the technical and organisational measures that are necessary to reduce the risk of a data breach.

Failing to be vigilant after certification

It is common for organisations to breathe a sigh of relief when receiving the initial certification. The risk, though, is that they go too far into “relaxation mode” and still fall victim to common ISO 27001 pitfalls. ISO 27001 is an ongoing process that should be in place throughout the year, not just during the audit. Everything must be maintained to prove that the ISMS continues to function.

With a group of bright people, great motivation, and a modest amount of training, you will be able to surprise yourself. Take time to define your scope, identify obstacles, build a strong team, consider the whole organisation and prepare your communication plan. Don’t underestimate the wins of the process. To conclude, you should ensure that the ISMS is a living process that is built into the culture of the organisation, so that it continues to function as designed after certification is received.

The ISO 27001 certification is just like life. Make mistakes, learn from them and stay on track. This track is worth it.