Mistakes to Avoid with ISO 27001

With any project as complex as the implementation of ISO 27001 there are some things to avoid.   Here are two quick things you shouldn’t do.


Don’t focus on information security.  Although it sounds counter-intuitive, it is only the “content” of ISO 27001 that is about information security.  What’s more, if you focus instead on the ISO 27001 process, that process will ensure that information security is taken care of properly in your organization.

ISO 27001 is a management system standard.  It is a standard that describes requirements for a system for managing information security.  It does not include information security itself – merely the processes through which you will manage information security.  If you put the processes in place effectively, they (and you) will effectively manage your information security.

The management system processes fall into two categories.  The “primary” processes in the standard are the processes to understand your current information security position, quantify the risk to your organization and plan actions to accept the risk or reduce it to an acceptable level.  It is implicit that senior management will be involved: they either accept poor security… or pay to lower the risk.  There is no requirement in the standard that the risk has to be addressed or lowered, merely that management acknowledge it and accept it.  Other primary processes include a process to react to security incidents (or near incidents), contingency planning covering information security and a process for maintaining access to information security contacts and to information security legal requirements.

In addition to the primary processes, “support” processes include document control, records management, training, internal auditing, management and corrective and preventive action.

All of these processes must be formally defined in written procedures that describe a coherent and comprehensive system of processes that help understand and control information security.

It has to be said that although ISO 27001 is not “about” information security, it does make specific reference to information security technologies.  In an appendix it lists a number of general categories including physical access, human resources, communications, operations, etc.  These categories are expanded in some detail in ISO 27002, and ISO 27001 requires that these controls are considered when reviewing risks in the organization and that the non-applicability of any control is formally justified in a “statement of applicability”.  Thus the pair of standards does actually require and cover information security, but as mentioned earlier none of the controls is mandatory.  Further, certification is about having a formal management system that ensures information security is consistently and continually addressed, so that it is and remains effective.  If you focus only on the security issues you are not contributing towards ISO 27001 certification and you are not assuring the consistency and sustainability of information security management.  Don’t ignore the security issues, but deliberately address the management system issues.  That is the long term solution.


Don’t over-complicate your risk assessment method.  Risk is a calculation derived from probability and consequence.  To make it objective it needs to be quantified as a numeric value so that it can be compared to what management says it will accept.  This can be quite complex.  Ultimately, risk usually includes subjective assessments of what the probability is and what value the consequence might affect.  There is a tendency to attempt to formalize each step, and even to break steps into multiple stages, so that the subjectivity can be limited.  However, the truth is that when you add all the stages together the subjectivity still exists.  Keep the risk assessment methodology simple.  What is the maximum value of the information asset that may be compromised?  How serious is the threat?  How serious is the vulnerability?  Avoid breaking it down further than that, and when assigning numbers try a 1-5 scale rather than 1-10.

The key factor in a good risk assessment is identifying the risks.  Most people in your organization will understand what a risk means when the risk and its consequence are described, and they will know how serious it is.  So long as you do a good job of identifying risks, the numbers assigned and the range they fall within are less important.

If this is your first attempt at a risk assessment then keep it simple.  You can always make it more complex next time around.
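The simple method above, written out as a small risk register.  This is an added illustration, not code from the article or from Cavendish Scott; it assumes a multiplicative score (asset value × threat × vulnerability, each 1-5) and a constructed acceptance threshold standing in for what management has said it will accept.

```python
"""Minimal risk register using the simple three-question method.

Assumptions (not from the article): risk = asset_value * threat * vulnerability,
each scored on a 1-5 scale, and management's acceptance threshold is a
constructed number used only for illustration.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1-5, as the article recommends (not 1-10)


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: int    # max value of the information asset that may be compromised
    threat: int         # how serious the threat is
    vulnerability: int  # how serious the vulnerability is

    def score(self) -> int:
        # Reject scores outside the agreed scale so the register stays comparable.
        for v in (self.asset_value, self.threat, self.vulnerability):
            if v not in SCALE:
                raise ValueError(f"{self.name}: scores must be 1-5, got {v}")
        return self.asset_value * self.threat * self.vulnerability


def assess(register, acceptance_threshold):
    """Return (name, score, decision) tuples, highest score first.

    Risks at or below the threshold management has stated it will accept are
    recorded as 'accept' (management still has to acknowledge them); the rest
    need a plan to reduce them ('treat').
    """
    rows = []
    for r in register:
        s = r.score()
        rows.append((r.name, s, "accept" if s <= acceptance_threshold else "treat"))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (illustrative names and values only).
REGISTER = [
    Risk("Customer database exposed via unpatched web server", 5, 4, 4),
    Risk("Laptop holding encrypted HR records lost", 4, 3, 1),
    Risk("Phishing of finance staff", 3, 5, 3),
    Risk("Public marketing site defaced", 1, 4, 3),
]
ACCEPTANCE_THRESHOLD = 20  # constructed stand-in for management's stated appetite

if __name__ == "__main__":
    for name, score, decision in assess(REGISTER, ACCEPTANCE_THRESHOLD):
        print(f"{score:3d}  {decision:6s}  {name}")
```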

Cavendish Scott, Inc. is experienced at implementing ISO 27001 management systems.  We guarantee successful ISO certification and design and implement practical and easy to maintain systems.  We also provide ISO 27001 training and conduct ISO 27001 audits including gap assessments.