Certifying to ISO 27001: Key Tips for Success and Common Pitfalls to Avoid

Wayne Armstrong | Senior Information Security Consultant and Consultant Manager at URM | Published on 06 May 2026
SUMMARY

In this blog, we explore practical tips for implementing ISO 27001 effectively while highlighting common pitfalls that often lead to unnecessary delays or audit challenges. We discuss the importance of leadership engagement from the earliest stages, making use of existing management systems, and tailoring the Standard to fit business-as-usual activities. We also examine frequent mistakes encountered during audits, from scoping and risk management issues to internal auditing and evidence gathering, and explain how a realistic, risk-based approach supports continual improvement rather than perfection.

ISO 27001, the International Standard for information security management systems (ISMSs), is one of the fastest growing and most popular management system standards in the world. It is widely recognised as the ideal tool to help organisations become risk-aware and proactively identify and address weaknesses. And, for those organisations looking to assure both internal and external stakeholders that they take information security seriously, certification to ISO 27001 remains the ultimate goal. When supporting organisations’ implementation of the Standard, we have identified a number of key tips that support a smooth and seamless journey to certification. However, we often see organisations make some common, and largely avoidable, mistakes. These can create unnecessary challenges and, in some cases, even lead to nonconformances further down the line.

This blog is based on a How to Achieve ISO 27001 Certification webinar, which was delivered by URM and BSI in April 2026, with Lisa Dargan (Director at URM) hosting the event.

Wayne Armstrong (Senior Information Security Consultant and Consultant Manager at URM) and Thomas Harrison (Partnership Manager at BSI) shared their experiences of common pitfalls with organisations seeking certification to the Standard, as well as top tips for a successful implementation. Thomas provided the assessor’s perspective, representing BSI, the UK’s national standards body and a leading certification body, whilst Wayne provided the consultant’s perspective, representing URM, one of the UK’s leading ISO 27001 consultancy organisations.

Tips for Implementation

Engage leadership early

Leadership buy-in is a critical component of the Standard, with Clause 5.1 (Leadership and commitment) addressing the importance of senior management supporting information security, both visibly and materially. But beyond being necessary for conformance, engaged leadership can be the decisive factor between a seamless and successful ISO 27001 implementation and one fraught with difficulties. As such, you should ensure leadership understand the Standard’s requirements, what will be expected of them, and what they can do to support the implementation in other areas. Resourcing will, of course, be critical, but you also need to ensure they are aware that ISO 27001 is a continual process, not a one-off exercise.

To learn more about the Standard’s requirements around senior management and how to meet them, read our blog ISO 27001 Clause 5.1: Leadership and Commitment Explained.

Don’t reinvent the wheel

ISO 27001 is written in the ‘Harmonized Structure’ shared by many other management system standards, such as ISO 9001, ISO 14001, ISO 45001, ISO 22301, and more. This essentially means that these standards all include the mandatory Clauses 4-10 seen in ISO 27001 and, while there is some variation within these clauses between different standards, the processes they require you to implement and maintain are similar. As such, you should always check whether your organisation is conformant or certified to any of these other standards. If it is, you will likely be able to leverage processes already in place to meet ISO 27001 requirements. For example, each of the standards written in the Harmonized Structure contains a requirement for document control, and you can use the same document control system for information security documentation as is used for quality, health and safety, etc. While some processes may need to be modified slightly to fit the specific requirements of ISO 27001, you will often be able to adapt and extend what you already have rather than building from scratch.

Make the Standard work for you

ISO 27001 is written in the style of a framework. So, instead of a highly prescriptive list of specific actions you need to take, it asks you to create systems that will work for you. This flexibility allows you to take stock of what’s already in place within your organisation and use that to meet the Standard’s requirements. For example, ISO 27001 requires you to conduct regular management reviews of the ISMS. This does not mean you necessarily need to create a specific meeting titled ‘ISO 27001 management review’. If you already have a forum in place where information security will be discussed, or where senior management will already all be in the same room, adapt and use this existing structure to meet the Standard’s management review requirements. Ultimately, ISO 27001 needs to fit into your business as usual, rather than being bolted on as an afterthought or treated as a standalone activity.

Pitfalls to Avoid – Preparing For the Audit

Not having read the Standard

This may seem like an obvious prerequisite for a successful certification, but it is not uncommon for organisations to embark on a certification project without having read the Standard. Sometimes, individuals will be tasked with achieving ISO 27001 certification as quickly as possible, and will attempt to do so without a comprehensive understanding of what needs to be in place. As such, it is strongly advised that you purchase and read a copy of ISO 27001, as well as a copy of the supporting standard, ISO 27002, which contains a lot of extremely useful information that will help you implement the controls.

Defining an unattainable scope

It’s important to ensure the scope of your certification is applicable and relevant to your business objectives.  If you have specific deadlines in place for when you need to achieve certification, a smaller scope is going to be quicker, and will have a shorter assessment duration than a larger scope that covers multiple locations and multiple countries, for example.  If necessary, it is perfectly acceptable to start smaller, perhaps with a particular location or key function, and expand your scope over time as you become familiar with the way your ISMS works.

Not having audit dates booked

Often, having a date for your audit in the diary will help to provide you with the necessary buy-in to achieve certification.  Presenting the relevant members of your organisation with a list of what they will need to do before the audit and a deadline by which they need to do it is a significant help in preventing slippage in the project.  All certification bodies will also have a lead time between assessments being booked and conducted.  Without audit dates booked in advance, there may be a substantial gap between your ISMS being ready for audit and the audit itself.  This can lead to slippage and a drop in focus.

Waiting for perfection

An ISO 27001 audit is an assessment of your organisation’s ISMS, not of your organisation itself. A common issue is that an organisation which has identified one or more nonconformities during its internal audit assumes that it is not ready for certification. This is not the case; while the maturity of your ISMS is developing, you would expect to identify a number of nonconformities and opportunities for improvement. An external assessor will be expecting to find an internal audit record that features nonconformities, as this demonstrates that your auditors are competent, capable, and spending sufficient time evaluating the system. When you identify a nonconformity, this provides you and your assessor with an excellent opportunity to explore it, address any issues and, in the process, achieve one of the goals of any ISMS: to continually improve.

Pitfalls to Avoid – The Management System in Operation

Predominant focus on IT

It’s important to remember that ISO 27001 is focused on information security, not information technology. We often see the management of information security delegated to the IT Department and, whilst most of the risks to information security you identify will likely relate to IT, there are many other elements which need to be considered, not least the human component, often referred to as the weakest link in any management system. Individuals sending emails and files to the wrong people, leaving documents in public places, etc., represent a significant risk to most organisations. Making sure you consider physical security is also vital. For example, the Standard’s access control requirements cover not only IT access, but also access into buildings and whether access is necessary for every individual who has been granted it. For more information on physical security in the Standard, read our blog on ISO 27001:2022 Annex A Physical Controls.

Risk management

Risk management is at the absolute heart of ISO 27001, and it is key that you ensure the risks you focus on are realistic and appropriate. There is no need to include every risk you can think of in the risk management process; instead, focus on those risks which are applicable to your organisation. You should also look at what will be covered by the scope of your ISMS to make sure you have fully considered the in-scope risks. Our blog on Information Security Risk Assessment and Treatment: Understanding Relevant Risks provides more detail on the fundamentals of risk management and on ensuring your risk management is prioritised and meaningful.

You may decide to document your risks within a spreadsheet and, whilst this is an option, you may eventually reach a stage where you document more risks than you are able to manage within a spreadsheet.  If you get to this point and feel you would benefit from exploring alternatives, there are a number of IT-based tools and applications available that come preconfigured with linked asset types, threats and controls and will enable you to share the ownership of risk across your organisation.

Aspirational policies and processes

Sometimes, organisations will come up with a set of information security policies and processes that are extremely robust and detailed; however, individuals working day-to-day in the organisation then come up with their own set of processes, workarounds, and ‘hacks’ to get things done more quickly and practically. In this situation, it is good to agree with the operational team what the documented process should be, so that it is both workable and maintains security. It’s important to ensure the ISMS reflects the reality of what your organisation is doing, and that you don’t make policy statements or develop processes that you are not able to meet, as this will likely result in nonconforming audit findings when your assessment takes place.

Conflicts of interest when auditing

One of the requirements of an internal auditor is that they need to be impartial, meaning that they cannot audit work they are responsible for or have been involved in developing. If you are, for example, an IT manager who has been assigned the internal audit as a project, you would be able to audit the HR and facilities functions, but auditing the IT team would most likely result in a conflict of interest. It is also not appropriate for you to audit an area of the business that is managed by your line manager. In either of these situations, you would need to appoint another individual from elsewhere in the organisation to complete this aspect of the audit, or engage an appropriately skilled and experienced auditor who is external to your organisation.

Avoiding a conflict of interest is naturally more difficult for micro-organisations and in particular for one-person organisations.  In these cases, you may be able to ask any other organisations you have links with to conduct your internal audit, or outsource the internal audit requirements.

Pitfalls to Avoid – Carrying Out the Audit

Seeing auditors as adversaries

It should always be remembered that undergoing an audit is, ultimately, a voluntary business improvement exercise.  The auditor should be seen as someone who is there to help your organisation with its implementation of the Standard, and while they may ask probing and possibly uncomfortable questions, they should always be fair and objective.  It is much easier to handle information security questions from an auditor than it is to manage an information security incident that may occur due to an ineffective policy, process or system.  As such, it’s advisable to approach the audit as an opportunity for learning and improvement, and your auditor as a facilitator of this learning.  Internal audits can also set the tone for external audits, and vice versa.  So, if your internal audit is constructive and collaborative, this will most likely make the external audit much more straightforward.

Lack of legal compliance with overseas jurisdictions

If you are undergoing a multi-location certification, it’s important to ensure you take into consideration the compliance requirements of all the jurisdictions in which you operate.  This is particularly important if your organisation processes EU citizen data as well as UK citizen data, as you will be under the remit of the EU General Data Protection Regulation (GDPR) as well as the UK GDPR.

It is important to note that you are no longer able to simply maintain a list of regulations and legislation that you need to comply with.  Now, you also need to understand what these regulations require of you, as well as evidence to demonstrate that you are compliant.  The assessor will want to see this evidence, such as data protection impact assessments (DPIAs) or a record of processing activities (ROPA) for compliance with the GDPR.

Focusing on corrective, but not preventive, actions

Often, when incidents occur, individuals will put all their energies into fixing the issue or problem without fully understanding the root causes. For example, if an internal audit has been missed, organisations may try to quickly schedule and conduct another audit, but won’t investigate whether they are under-resourced or understaffed, or whether there is any other reason which may have led to the audit not being performed in line with the established audit schedule. A full root cause analysis when errors or incidents arise will allow you to understand the reasons behind the problems, implement holistic solutions and assist you in achieving the goal of continual improvement.

Gathering documented evidence

If your ISMS references documents, states that particular records will be kept, or defines specific locations where information will be stored, your auditor will ask to see this. As such, it is vital that you have the necessary documentation available and are able to provide evidence of it to your auditor. Failure to do so will generally result in a nonconformity which could otherwise have been easily avoided. For a comprehensive breakdown of the requirements for documented information in the Standard, see our blog on ISO 27001 Clause 7.5: Documented Information Explained.

How URM can Help

With 20 years’ experience providing ISO 27001 support to hundreds of organisations, URM is the ideal partner to assist with any aspect of your organisation’s conformance/certification to the Standard.  

We can conduct a gap analysis where we establish your current conformance level, and support your ISO 27001 risk assessment using Abriska 27001, our risk assessment tool.  Our ISO 27001 consultants can also help develop policies, processes and ISMS infrastructure, as well as offering a range of ISO 27001 internal audit services.  These include conducting an internal audit ahead of your external assessment to ensure you are conformant, planning and delivering a full 3-year audit programme, or auditing specific aspects of the ISMS or particular controls.  For ongoing support, we can offer our virtual Chief Information Security Officer (vCISO) service, providing you with senior-level information security leadership supported by a consulting team whose collective expertise spans hundreds of years of practical, hands-on experience.

We also regularly deliver ISO 27001-related training courses; our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information, whilst our Certificate in Information Security Management Principles (CISMP) Training Course will fully prepare you for the BCS-invigilated examination and to gain an industry-recognised information security qualification.

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).
