Common Pitfalls Identified in Organisations Seeking ISO 27001 Certification

Implementing the ISMS

Not having read the Standard

This may seem like an obvious prerequisite for a successful certification, but it is not uncommon for organisations to have not read the Standard before embarking on a certification project.  Sometimes, individuals will be tasked with achieving ISO 27001 certification as quickly as possible, and will attempt to do so without a comprehensive understanding of what needs to be in place.  As such, it is strongly advised that you purchase and read a copy of ISO 27001, as well as a copy of the supporting standard, ISO 27002, as this contains a lot of extremely useful information that will help you implement the controls.  

Defining an unattainable scope

It’s important to ensure the scope of your certification is applicable and relevant to your business objectives.  If you have specific deadlines in place for when you need to achieve certification, a smaller scope is going to be quicker, and will have a shorter assessment duration than a larger scope that covers multiple locations and multiple countries, for example. If necessary, it is perfectly acceptable to start smaller, perhaps with a particular location or key function, and expand your scope over time as you become familiar with the way your ISMS works.

Predominant focus on IT

It’s important to remember that ISO 27001 is focused on information security, not information technology.  We often see the management of information security delegated to the IT department and, whilst most of the risks to information security that will be identified will relate to IT, there are many other elements which will need to be considered, not least of which will be the human component, often referred to as the weakest link in any management system.  Individuals sending emails and files to the wrong people, leaving documents in public sectors, etc. represent a significant risk to most organisations.  Making sure you consider physical security is also vital, and there is an increased emphasis on this aspect of security in ISO 27001:2022.  For example, the access control requirements not only consider IT access, but also access into buildings and whether access is necessary for every individual who has been provided with it.  For more information on the changes to ISO 27001 in the latest version of the Standard, see our blog on Transitioning to ISO 27001:2022.

Risk management

Risk management is at the absolute heart of ISO 27001 and it is key that you ensure the risks you focus on are realistic and appropriate.  There is no need to include every risk you can think of in the risk management process; instead, focus on those risks which are applicable to your organisation.  You should also look at what will be covered by the scope of your ISMS to make sure you have fully considered the in-scope risks.  

You may decide to document your risks within a spreadsheet and, whilst this is an option, you may eventually reach a stage where you document more risks than you are able to manage within a spreadsheet.  If you get to this point and feel you would benefit from exploring alternatives, there are a number of web-based tools and applications available that come preconfigured with linked asset types, threats and controls and will enable you to share the ownership of risk across your organisation.

Aspirational policies and processes

Sometimes, we will find that organisations will come up with a set of information security management policies and processes that are extremely robust and detailed, however individuals working day-to-day in the organisation then come up with their own set of processes, workarounds, and ‘hacks’ to get things done more quickly and practically. In this situation, it is good to discuss with the operational team what the documented process should be that is both workable but also maintains security etc.  It’s important to ensure the ISMS reflects the reality of what your organisation is doing, and that you don’t make policy statements or develop processes that you are not able to meet, as this will likely result in nonconforming audit findings when your assessment takes place.  

‍

‍

Conflict of interests when auditing

One of the requirements of an internal auditor is that they need to be impartial, meaning that they cannot audit work they are responsible for or have been involved in developing.  If you are an IT manager, for example who has been assigned the internal audit as a project, you would be able to audit the HR and facilities functions, but auditing the IT team would most likely result in a conflict of interest.  Here, you would need to appoint another individual from elsewhere in the organisation to complete this aspect of the audit, or engage an appropriately skilled and experienced auditor who is external to your organisation.  

Avoiding a conflict of interest is naturally more difficult for micro organisations and, in particular, for one person organisations.  In these cases, you may be able to ask any other organisations you have links with to conduct your internal audit, or outsource the internal audit requirements.

Seeing auditors as adversaries

It should always be remembered that undergoing an audit is, ultimately, a voluntary business improvement exercise.  The auditor should be seen as someone who is there to help your organisation with its implementation of the Standard, and while they may ask probing and possibly uncomfortable questions, they should always be fair and objective.  It is much easier to handle information security questions from an auditor than it is to manage an information security incident that may occur due to an ineffective policy, process or system.  As such, it’s advisable to approach the audit as an opportunity for learning and improvement, and your auditor as a facilitator of this learning.  Internal audits can also set the tone for external audits, and vice versa.  So, if your internal audit is constructive and collaborative, this will most likely make the external audit much more straightforward.

Lack of legal compliance with overseas jurisdictions

If you are undergoing a multi-location certification, it’s important to ensure you take into consideration the compliance requirements of all the jurisdictions in which you operate.  This is particularly important if your organisation processes EU citizen data as well as UK citizen data, as you will be under the remit of the EU General Data Protection Regulation (GDPR) as well as the UK GDPR.

Focussing on corrective, but not preventative actions

Often, when incidents occur, individuals will put all their energies into fixing the issue or problem without fully understanding the root causes. For example, if an internal audit has been missed, organisations may try to quickly schedule and conduct another audit but won’t investigate whether they are under resourced, under staffed, or there is any other reason which may have led to the audit not being performed in line with the established audit schedule.  A full root cause analysis when errors or incidents arise will allow you to understand the reasons behind the problems, implement holistic solutions and assist you achieve the goal of continuously improving.

Gathering documented evidence

If your ISMS references documents, states that particular records will be kept, or defines specific locations where information will be stored, your auditor will ask to see this.   As such, it is vital that you have the necessary documentation available and are able to provide evidence of this to your auditor.  Failure to do so will generally result in a nonconformity which could otherwise have been easily avoided.

Scheduling and Preparing for the External Certification Audit

Not having audit dates booked

Often, having a date for your audit in the diary will help to provide you with the necessary buy-in to achieve certification.  Presenting the relevant members of your organisation with a list of what they will need to do before the audit and a deadline by which they need to do it is a significant help in preventing slippage in the project.  All certification bodies will also have a lead time between assessments being booked and conducted, so, without having dates booked in advance, you may be left with a substantial period of time between your ISMS being ready for audit and the audit itself, which can also potentially lead to slippage and a lack of focus.

Waiting for perfection

An ISO 27001 audit is an assessment of your organisation’s ISMS, not your organisation itself.  A common issue often found is that if an organisation has identified one or more nonconformities during their internal audit, it assumes that it is not ready for certification.  This is not the case; as the maturity of your ISMS is developing one would expect to identify a number of nonconformities and opportunities for improvement. An external assessor will be expecting to find an internal audit record that features nonconformities, as this will demonstrate to them that your auditors are competent, capable, and spending sufficient time evaluating the system.  When you identify a nonconformity, this will provide you and your assessor with an excellent opportunity to explore the nonconformity, address any issues and in the process achieve one of the goals of any ISMS…. and that is to continually improve.