Common Pitfalls Identified in Organisations Seeking ISO 27001 Certification

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
9 May

ISO 27001, the International Standard for information security management systems (ISMSs), is one of the fastest growing and most popular management system standards in the world. Following an update to the Standard in 2022, to reflect the ever-changing and rising cyber threat landscape, ISO 27001 is widely recognised as the ideal tool to help organisations become risk-aware and proactively identify and address weaknesses. And for those organisations looking to provide assurance to both internal and external stakeholders that they take the security of information seriously, certification to ISO 27001 remains the ultimate goal.

This blog is based on an ISO 27001 implementation and certification webinar, which was delivered by URM and BSI in April 2024 with Lisa Dargan (Director at URM) hosting the event.

Wayne Armstrong (Senior Information Security Consultant and Consultant Manager at URM) and Thomas Harrison (Partnership Manager at BSI) shared their experiences of the pitfalls commonly seen in organisations seeking certification to the Standard. At the webinar, Tom provided the assessor’s perspective, representing BSI, the UK’s national standards body and a leading certification body, whilst Wayne provided the consultant’s perspective, representing URM, one of the UK’s leading ISO 27001 consultancy organisations, having been involved in over 400 successful certifications and no failures.

Implementing the ISMS

Not having read the Standard

This may seem like an obvious prerequisite for a successful certification, but it is not uncommon for organisations to have not read the Standard before embarking on a certification project. Sometimes, individuals will be tasked with achieving ISO 27001 certification as quickly as possible, and will attempt to do so without a comprehensive understanding of what needs to be in place. As such, it is strongly advised that you purchase and read a copy of ISO 27001, as well as a copy of the supporting standard, ISO 27002, as the latter contains implementation guidance for each of the Annex A controls that will help you put them in place.

Defining an unattainable scope

It’s important to ensure the scope of your certification is applicable and relevant to your business objectives.  If you have specific deadlines in place for when you need to achieve certification, a smaller scope is going to be quicker, and will have a shorter assessment duration than a larger scope that covers multiple locations and multiple countries, for example. If necessary, it is perfectly acceptable to start smaller, perhaps with a particular location or key function, and expand your scope over time as you become familiar with the way your ISMS works.

Predominant focus on IT

It’s important to remember that ISO 27001 is focused on information security, not information technology. We often see the management of information security delegated to the IT Department and, whilst most of the risks to information security that will be identified will relate to IT, there are many other elements which will need to be considered, not least of which is the human component, often referred to as the weakest link in any management system. Individuals sending emails and files to the wrong people, leaving documents in public places, etc. represent a significant risk to most organisations. Making sure you consider physical security is also vital, and there is an increased emphasis on this aspect of security in ISO 27001:2022. For example, the access control requirements not only consider IT access, but also access into buildings and whether access is necessary for every individual who has been provided with it. For more information on the changes to ISO 27001 in the latest version of the Standard, see our blog on Transitioning to ISO 27001:2022.

Risk management

Risk management is at the absolute heart of ISO 27001 and it is key that you ensure the risks you focus on are realistic and appropriate.  There is no need to include every risk you can think of in the risk management process; instead, focus on those risks which are applicable to your organisation.  You should also look at what will be covered by the scope of your ISMS to make sure you have fully considered the in-scope risks.  

You may decide to document your risks within a spreadsheet and, whilst this is an option, you may eventually reach a stage where you document more risks than you are able to manage within a spreadsheet.  If you get to this point and feel you would benefit from exploring alternatives, there are a number of IT-based tools and applications available that come preconfigured with linked asset types, threats and controls and will enable you to share the ownership of risk across your organisation.
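As an added illustration of what a risk register with linked assets, threats and controls can do beyond a flat spreadsheet, the following Python example (not code from the original post or from URM's Abriska tool) keeps each risk tied to an in-scope asset, a threat, an owner and the controls that treat it, and then runs the checks an internal auditor would make: unowned risks, risks above appetite with no treatment, entries outside the ISMS scope, and duplicate identifiers. The 5x5 likelihood/impact scale, the risk appetite threshold and the sample risks are assumptions; ISO 27001 does not prescribe a scoring method, and the control references are illustrative and should be checked against your own copy of the Standard.

```python
"""Minimal risk register with linked assets, threats, owners and controls.

Added example. The scoring scale, risk appetite and sample data below are
assumptions for illustration, not anything ISO 27001 prescribes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Control:
    ref: str    # illustrative Annex A style reference (assumed, check your copy)
    title: str


@dataclass
class Risk:
    rid: str
    asset: str                 # the in-scope asset the risk is recorded against
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    owner: Optional[str] = None
    in_scope: bool = True      # False: outside the ISMS scope, should not be managed here
    controls: List[Control] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


RISK_APPETITE = 8   # assumed: anything scoring above this must be treated


def needs_treatment(risk: Risk) -> bool:
    """A risk needs a treatment plan if it is in scope and above appetite."""
    return risk.in_scope and risk.score > RISK_APPETITE


def review_register(register: List[Risk]) -> Dict[str, List[str]]:
    """Return the findings an internal auditor would raise on the register."""
    findings: Dict[str, List[str]] = {
        "unowned": [],        # nobody is accountable for the risk
        "untreated": [],      # above appetite but no controls linked
        "out_of_scope": [],   # recorded, but not covered by the ISMS scope
        "duplicate_ids": [],  # same identifier used twice
    }
    seen = set()
    for risk in register:
        if risk.rid in seen:
            findings["duplicate_ids"].append(risk.rid)
        seen.add(risk.rid)
        if not risk.in_scope:
            findings["out_of_scope"].append(risk.rid)
            continue
        if risk.owner is None:
            findings["unowned"].append(risk.rid)
        if needs_treatment(risk) and not risk.controls:
            findings["untreated"].append(risk.rid)
    return findings


def ownership_summary(register: List[Risk]) -> Dict[str, List[str]]:
    """Which in-scope risks each owner is accountable for (shared ownership view)."""
    summary: Dict[str, List[str]] = {}
    for risk in register:
        if risk.in_scope and risk.owner is not None:
            summary.setdefault(risk.owner, []).append(risk.rid)
    return summary


# Constructed sample register, not real organisational data.
SAMPLE_REGISTER = [
    Risk("R1", "Payroll file share", "Email sent to the wrong recipient", 4, 3,
         owner="HR Manager",
         controls=[Control("A.5.10", "Acceptable use of information")]),
    Risk("R2", "Server room", "Unauthorised physical entry", 2, 5,
         owner="Facilities Manager",
         controls=[Control("A.7.2", "Physical entry")]),
    Risk("R3", "Customer database", "Credential phishing of administrators", 4, 5,
         owner=None),                         # nobody owns it and nothing treats it
    Risk("R4", "Retail shop Wi-Fi", "Eavesdropping", 3, 3,
         owner="IT Manager", in_scope=False),  # outside the certification scope
]

if __name__ == "__main__":
    for category, rids in review_register(SAMPLE_REGISTER).items():
        print(f"{category}: {rids}")
    print(ownership_summary(SAMPLE_REGISTER))
```

Running the block reports R3 as both unowned and untreated (score 20, above the assumed appetite of 8, with no controls linked) and R4 as out of scope, while R1 and R2 pass because they are owned and linked to a control. The same checks scale to a register that a spreadsheet can no longer hold, and the ownership summary is what lets risk ownership be shared across the organisation rather than left with one person.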

Aspirational policies and processes

Sometimes, we will find that organisations come up with a set of information security management policies and processes that are extremely robust and detailed, but the individuals working day-to-day in the organisation then come up with their own set of processes, workarounds and ‘hacks’ to get things done more quickly and practically. In this situation, it is good to agree with the operational team what the documented process should be, so that it is both workable and still maintains security. It’s important to ensure the ISMS reflects the reality of what your organisation is doing, and that you don’t make policy statements or develop processes that you are not able to meet, as this will likely result in nonconforming audit findings when your assessment takes place.

Conflict of interests when auditing

One of the requirements of an internal auditor is that they need to be impartial, meaning that they cannot audit work they are responsible for or have been involved in developing. If you are an IT manager, for example, who has been assigned the internal audit as a project, you would be able to audit the HR and facilities functions, but auditing the IT team would most likely result in a conflict of interest. Here, you would need to appoint another individual from elsewhere in the organisation to complete this aspect of the audit, or engage an appropriately skilled and experienced auditor who is external to your organisation.

Avoiding a conflict of interest is naturally more difficult for micro organisations and, in particular, for one person organisations.  In these cases, you may be able to ask any other organisations you have links with to conduct your internal audit, or outsource the internal audit requirements.
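The impartiality rule above is easy to state and easy to break once an audit programme covers a dozen areas and two or three part-time auditors. The following Python example, added here and not part of the original post, plans an internal audit programme by giving each area to the least-loaded auditor who is not responsible for that area, and marks an area for external audit when no impartial auditor exists, which is the one-person organisation case. The auditor roster and areas are constructed sample data, and the assignment rule (least loaded, ties broken by name) is an assumption rather than anything the Standard requires.

```python
"""Plan internal audits so that nobody audits their own work.

Added example with constructed sample data; the assignment rule is an
assumption, not a requirement of ISO 27001.
"""
from __future__ import annotations

from typing import Dict, List, Set

# Marker for areas nobody in the organisation can audit impartially.
EXTERNAL = "EXTERNAL (outsource, or borrow an auditor from a linked organisation)"


def impartial_auditors(area: str, auditors: Dict[str, Set[str]]) -> List[str]:
    """Auditors who are neither responsible for nor helped build the area."""
    return [name for name, owned in auditors.items() if area not in owned]


def plan_audits(areas: List[str], auditors: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map each ISMS area to an impartial auditor, or to EXTERNAL.

    auditors maps an auditor's name to the set of areas they are
    responsible for or have been involved in developing.  Each area is
    given to the impartial auditor with the fewest assignments so far,
    with ties broken alphabetically so the plan is deterministic.
    """
    load = {name: 0 for name in auditors}
    plan: Dict[str, str] = {}
    for area in areas:
        candidates = impartial_auditors(area, auditors)
        if not candidates:
            plan[area] = EXTERNAL   # e.g. a one-person organisation
            continue
        pick = min(candidates, key=lambda name: (load[name], name))
        load[pick] += 1
        plan[area] = pick
    return plan


def conflicts(plan: Dict[str, str], auditors: Dict[str, Set[str]]) -> List[str]:
    """Check an existing (perhaps hand-made) plan for conflicts of interest."""
    return [area for area, who in plan.items()
            if who in auditors and area in auditors[who]]


# Constructed roster: the IT Manager built the IT and access control processes,
# the HR Manager owns HR; neither should audit their own area.
SAMPLE_AUDITORS = {
    "IT Manager": {"IT", "Access control"},
    "HR Manager": {"HR"},
}
SAMPLE_AREAS = ["IT", "HR", "Facilities", "Access control"]

# Constructed one-person organisation: the owner is responsible for everything.
SOLE_TRADER = {"Owner": {"IT", "HR"}}

if __name__ == "__main__":
    for area, who in plan_audits(SAMPLE_AREAS, SAMPLE_AUDITORS).items():
        print(f"{area:15} -> {who}")
    print(plan_audits(["IT", "HR"], SOLE_TRADER))
    # A hand-made plan where the IT Manager audits IT is flagged.
    print(conflicts({"IT": "IT Manager", "HR": "IT Manager"}, SAMPLE_AUDITORS))
```

With the sample roster the IT area goes to the HR Manager, HR goes to the IT Manager, Facilities goes to whichever of the two is least loaded, and Access control can only go to the HR Manager; for the sole trader both areas come back as EXTERNAL, matching the advice above to outsource or borrow an auditor. The `conflicts` check is the one to run over a plan somebody drew up by hand before the first audit is scheduled.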

Seeing auditors as adversaries

It should always be remembered that undergoing an audit is, ultimately, a voluntary business improvement exercise.  The auditor should be seen as someone who is there to help your organisation with its implementation of the Standard, and while they may ask probing and possibly uncomfortable questions, they should always be fair and objective.  It is much easier to handle information security questions from an auditor than it is to manage an information security incident that may occur due to an ineffective policy, process or system.  As such, it’s advisable to approach the audit as an opportunity for learning and improvement, and your auditor as a facilitator of this learning.  Internal audits can also set the tone for external audits, and vice versa.  So, if your internal audit is constructive and collaborative, this will most likely make the external audit much more straightforward.

Lack of legal compliance with overseas jurisdictions

If you are undergoing a multi-location certification, it’s important to ensure you take into consideration the compliance requirements of all the jurisdictions in which you operate. This is particularly important if your organisation processes the personal data of individuals in the EU as well as in the UK, as you will then be within the remit of the EU General Data Protection Regulation (GDPR) as well as the UK GDPR, and the two regimes are enforced separately.

Focussing on corrective, but not preventative actions

Often, when incidents occur, individuals will put all their energies into fixing the issue or problem without fully understanding the root causes. For example, if an internal audit has been missed, organisations may try to quickly schedule and conduct another audit, but won’t investigate whether they are under-resourced, under-staffed, or whether there is any other reason which may have led to the audit not being performed in line with the established audit schedule. A full root cause analysis when errors or incidents arise will allow you to understand the reasons behind the problems, implement holistic solutions and help you achieve the goal of continual improvement.

Gathering documented evidence

If your ISMS references documents, states that particular records will be kept, or defines specific locations where information will be stored, your auditor will ask to see this.   As such, it is vital that you have the necessary documentation available and are able to provide evidence of this to your auditor.  Failure to do so will generally result in a nonconformity which could otherwise have been easily avoided.

Scheduling and Preparing for the External Certification Audit

Not having audit dates booked

Often, having a date for your audit in the diary will help to provide you with the necessary buy-in to achieve certification.  Presenting the relevant members of your organisation with a list of what they will need to do before the audit and a deadline by which they need to do it is a significant help in preventing slippage in the project.  All certification bodies will also have a lead time between assessments being booked and conducted, so, without having dates booked in advance, you may be left with a substantial period of time between your ISMS being ready for audit and the audit itself, which can also potentially lead to slippage and a lack of focus.

Waiting for perfection

An ISO 27001 audit is an assessment of your organisation’s ISMS, not of your organisation itself. A common issue is that an organisation which has identified one or more nonconformities during its internal audit assumes that it is not ready for certification. This is not the case; as the maturity of your ISMS develops, one would expect to identify a number of nonconformities and opportunities for improvement. An external assessor will be expecting to find an internal audit record that features nonconformities, as this will demonstrate to them that your auditors are competent, capable, and spending sufficient time evaluating the system. When you identify a nonconformity, this provides you and your assessor with an excellent opportunity to explore it, address any issues and, in the process, achieve one of the goals of any ISMS: to continually improve.

How URM Can Help

If your organisation is embarking on certification to ISO 27001 for the first time, or recertification against the Standard, URM’s team of experienced ISO 27001 consultants can offer expert advice and practical support to help you avoid all of the common mistakes outlined in this blog, and overcome any other challenges you may face throughout the process. With nearly two decades of experience assisting organisations to achieve and maintain ISO 27001 certification, URM can offer a range of services to help ensure your certification project runs as smoothly and seamlessly as possible. A URM ISO 27001 consultant can conduct a gap analysis of your existing information security practices against the Standard’s requirements to identify any areas for improvement. Using our easy-to-use yet effective risk assessment tool, Abriska 27001, we can assist you to conduct your risk assessment and prioritise your risk treatment activities, always with an aim to make the most of your time, effort and budget. Following the risk assessment, we will work with you to develop and implement appropriate policies, processes and ISMS infrastructure with not only ISO 27001 conformance in mind, but also your organisation’s unique culture, style and needs, thus enabling you to certify against the Standard with minimal interruption to business-as-usual operations.

Once the ISMS is in place, URM can also help you meet the ongoing audit requirements by supporting you to plan and implement an audit programme, and/or by conducting the ISO 27001 internal audit on your behalf.  Meanwhile, if you would like to further educate yourself on ISO 27001 and its requirements, URM regularly delivers a range of ISO 27001 training courses, all of which are delivered by a highly qualified and practicing information security consultant.  With our Introduction to ISO 27001 Course, you will learn about all aspects of information security and the importance of ISO 27001 in helping us protect information.  Meanwhile, to understand the changes in the latest version of the Standard, ISO 27001:2022, our 2-day ISO/IEC 27001:2022 Transition Course will both explain the changes themselves and provide practical guidance on how to transition to this new version of the Standard.

Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).
