Common Mistakes and how to solve them
Many companies encounter pitfalls during the implementation process due to misconceptions and misunderstandings about the requirements and objectives of ISO27001. This article explores common mistakes organisations make with ISO27001 and provides key learnings to guide a successful implementation of an Information Security Management System (ISMS).
#1: ISO27001 tests the security of our systems and software
Misconception: Organisations often concentrate heavily on technical controls and IT security measures, neglecting the broader aspects of an ISMS.
Reality: ISO27001 is a comprehensive standard that evaluates the entire management system, not just technical measures. It requires involvement from senior management and integrates policies, procedures, and processes across the organisation. The effectiveness of an ISMS is gauged by how well it is managed and integrated into the organisation's operations and culture.
Guidance: Ensure senior management is actively involved in the ISMS implementation and its ongoing management. Management can show involvement by setting a strategic direction for the company that considers information security, committing budget and resources, recording that commitment in the information security policy, periodically including information security considerations in communication with employees, taking part in the management review, and determining the course of action for control gaps and other non-conformities.
How Tidal helps: Tidal provides real-time visibility into ISMS progress and performance, allowing top management to track and monitor compliance efforts easily. Automated notifications and reporting functionalities keep management informed and engaged throughout the implementation process. We have even set up management's responsibilities as controls, so that management can track and monitor its own compliance with ISO27001.
#2: ISO27001 is going to tell us exactly what we need to do
Misconception: Companies often look for a detailed checklist of actions and controls in the ISO27001 standard, expecting it to prescribe exact measures.
Reality: ISO27001 provides a framework for managing information security, but it does not prescribe exactly what measures should be implemented. Instead, it offers guidelines and a set of controls (Annex A) that organisations can adopt based on their risk assessment and specific needs.
Guidance: Avoid the temptation to treat ISO27001 as a one-size-fits-all checklist. ISO27001 requires organisations to conduct a thorough risk assessment and determine appropriate controls to mitigate the identified risks. You can use this to speed up the process: where there is no (unacceptable) risk, there is also no requirement to implement or demonstrate measures as part of the ISMS. This is an especially important lever for small organisations, which do not have the time or resources to implement enterprise-level security and compliance.
How Tidal helps: Tidal offers customisable templates and frameworks aligned with ISO27001 requirements. It comes with a library of pre-defined controls and risks that organisations can select from based on their specific risks and business needs.
#3: Documentation is just there for the auditor
Misconception: Many organisations see the ISO27001 requirement to define the organisation's context as a requirement to educate the auditor about the organisation. This overlooks the real purpose of the exercise: understanding where your organisation faces information security risk. The misconception often leads to poorly aligned security measures.
Reality: ISO27001 emphasises the importance of understanding the organisation's context to develop a relevant and effective ISMS. This includes identifying internal and external issues, understanding the needs and expectations of interested parties, and determining the scope of the ISMS accordingly.
Guidance: Conduct a thorough analysis of your organisation’s context as an initial step in the ISMS implementation. Identify internal factors such as organisational structure, culture, and existing processes, as well as external factors like regulatory requirements, market conditions, and stakeholder expectations. Use this understanding to scope your ISMS to the information that truly matters.
How Tidal helps: Tidal provides expert guidance during the process to help you understand where information risks lie and how to deal with them. We have experience with scoping the information subject to the ISMS, and with selecting and implementing pragmatic measures appropriate to the size and maturity of the organisation.
#4: More documentation means better compliance
Misconception: Organisations often believe that more documentation equates to better compliance, leading to excessive and overly complex documentation.
Reality: While ISO27001 requires comprehensive documentation to support the ISMS, over-documentation can create unnecessary complexity and hinder effective implementation and maintenance. The goal is to ensure that documentation is clear, concise, and directly relevant to the organisation’s information security practices.
Guidance: Focus on creating clear, relevant, and actionable documentation that supports your ISMS processes. Avoid unnecessary complexity and ensure that your documentation is easily accessible and understandable by all relevant stakeholders. This approach not only facilitates easier compliance and audits but also enhances the practical usability of your ISMS.
How Tidal helps: Tidal simplifies the documentation process by providing templates, version control, and centralised storage. It helps documentation stay concise and relevant by facilitating collaboration among stakeholders and automating document review and approval workflows.
#5: ISO27001 is a folder with documentation that we update annually
Misconception: Some organisations treat ISO27001 certification as a one-time project, neglecting the importance of ongoing evaluation and improvement.
Reality: ISO27001 is built on the principle of continuous improvement, requiring regular monitoring, reviewing, and updating of the ISMS to adapt to changing threats, business needs, and regulatory requirements. This includes monitoring the effectiveness of the technical and organisational measures you have implemented.
Guidance: Implement a cyclical process of Plan-Do-Check-Act (PDCA) to ensure continuous improvement of your ISMS. Regularly review security incidents, conduct internal audits, and gather feedback to identify areas for enhancement. By fostering a culture of continual improvement, your organisation can remain resilient and responsive to new challenges and opportunities.
How Tidal helps: Tidal automates the monitoring and measurement of both technical security measures and ISMS performance. It enables organisations to track key metrics, identify trends, and generate actionable insights through customisable dashboards and reporting capabilities. Automated alerts notify stakeholders of emerging issues or areas for improvement, fostering a proactive approach to enhancement.