Fourth chapter of our ISO 27001 story written by our experts. Discover the common pitfalls you could encounter during an ISO 27001 implementation.
The right scope: too ambitious or not ambitious enough
Defining the right scope for implementing an ISMS (Information Security Management System) can be tricky. On one hand, some large and complex organizations over-estimate the plan and adopt a 'too-ambitious' approach that includes many tasks, activities, and resources the standard does not require. As a result, the risk of squandering resources, missing the target, and demotivating the team increases.
On the other hand, organizations that squeeze their scope too much (for example, by excluding controls from the Statement of Applicability without a documented justification, or by neglecting some of their interfaces when defining the boundaries of the scope) will likely encounter non-conformities during the certification audit, because they cannot demonstrate that they are fully in control of their information security management system. The recommended approach for a realistic ISMS implementation plan across the organization is to execute a pragmatic risk assessment blended with the implementation of missing best practices. The result is a Statement of Applicability (SoA) and a plan that the company has genuinely adopted, and the auditors will then be confident in the ISMS implementation. ISO 27001 is based upon continuous improvement, so its implementation does not need to be a 'big bang' and does not require every element to be in place before it brings benefits.
Missing or poorly defined roles and responsibilities
A typical pitfall is to treat an ISO 27001 implementation project as an IT project and to involve resources from that department only. In many cases the CISO (Chief Information Security Officer) still reports to the IT manager and, as a result, only technical measures are considered. An ISMS (information security management system) is in fact a transversal project that impacts the whole organization holistically: its departments, executives, staff, and partners. The sponsors as well as the project leader shall be mandated from the executive level. That implies that all project actors shall be clearly identified, and their roles and responsibilities stated and communicated across the organization.
Missing or weak buy-in from the executive level
In certain organizations, the executive level does not see the added value of an ISMS for their business.
Some organizations believe their cyber footprint is too small to attract cybercriminals. They cannot imagine being targets for attacks such as data disclosure, malware, or cyber blackmail. In these cases, executives often fail to recognize the value of implementing an ISMS for their organization, customers, and employees. During the first ransomware wave, many organizations halted operations after being crypto-locked. They lacked security policies, backups, awareness campaigns, and recovery plans, leaving them unprepared for such attacks.
ISMS? Not for us, we spend heavily on technical security measures.
Information security relies on a strong 4-link chain, where the organization's overall security posture is only as strong as its weakest link. Administrative measures (the first link) formalize how we work and act within an organization through policies, awareness, controls, sanctions, and processes.
Technical measures (the second link) are IT-related security actions, such as encrypting laptops, deploying antimalware across workstations and servers, and installing firewalls.
Physical measures (the third link) secure buildings, entrances, offices, premises, energy systems, and telecommunications through deployed security mechanisms.
Environmental measures (the fourth link) focus on preventing natural damages like flooding, earthquakes, and hurricanes, especially when organizations set up new infrastructures like data centers or buildings.
To achieve robust security and a well-defined ISMS, organizations must treat these four security domains as an indivisible entity.
From ISO 27001 pitfalls to success
- Take the time to define your scope carefully and always ask yourself: will I convince the auditor?
- Prepare a change management plan: identify obstacles, build your team, consider the whole organization, and prepare your communication plan.
- In this plan, make sure you translate ISO 27001 into words that speak to your team ("what's in it for me").
- Focus on quick wins and low-hanging fruit.
- Do not underestimate the 4-link chain.
André Staquet, Approach Community Partner wrote this article.