News & Commentary on ISO Management System Standards

    Typical errors in implementing ISO 27001



    Securing certification to this Information Security standard requires a collective effort.

    Implementing ISO 27001, the international standard for information security management systems (ISMS), can be complex, and there are several common errors that organizations may need to correct during the implementation process.

    Frequently Encountered Errors when Implementing ISO 27001


    Lack of top management support

    One of the most significant errors is a lack of commitment and support from top management. Solid leadership involvement makes it easier to allocate the necessary resources and to prioritize information security within the organization.

    Insufficient risk assessment

    Organizations may fail to conduct a comprehensive and accurate risk assessment. This includes failure in identifying and assessing risks to the confidentiality, integrity, and availability of information assets. Without a robust risk assessment, establishing appropriate controls and prioritizing security measures effectively isn't easy.

    Misunderstanding the Nature of Annex A

    Annex A is mandatory. That means that if any of the Controls of the Annex can be implemented, it must be implemented. And where the Annex calls for policies and procedures, they must be available as documented evidence.

    The Controls of Annex A must be integrated into your Risk Assessment. The Annex should be used to check the risk assessment to ensure that all the commonly occurring vulnerabilities and threats to information security have been addressed.


    Inadequate documentation

    ISO 27001 requires the development of various documents, such as policies, procedures, guidelines, and records. Many organizations make the mistake of producing excessive or insufficient documentation. Finding the right balance is crucial to ensure the necessary controls are in place while avoiding unnecessary bureaucracy.

    Poor communication and awareness

    Failure to effectively communicate information security policies, procedures, and responsibilities to employees can undermine the success of ISO 27001 implementation. Lack of awareness and understanding among employees can lead to non-compliance and increase the risk of security incidents.

    Inadequate training and competence

    Organizations may overlook the importance of training employees in information security practices and providing them with the necessary skills and knowledge to perform their roles securely. Lack of competence can result in improper handling of sensitive information or failure to follow security protocols. ISO 27001 training is essential for those who will be undertaking internal audits of the ISMS.

    Incomplete asset inventory

    A common mistake is not having a comprehensive inventory of information assets. Organizations may overlook certain assets (especially physical ones, e.g., a perimeter fence) or fail to update the inventory of assets regularly, which can lead to incomplete risk assessments and insufficient protection of critical assets.


    Overreliance on technology

    While technology plays a vital role in information security, relying solely on technological controls without considering human factors and organizational processes is a common mistake. Effective security requires a combination of technical, procedural, and human controls. The root cause of most security breaches is not technical failure but human error. Guarding against phishing attacks is essential.

    Non-compliance with legal and regulatory requirements

    Organizations may neglect to align their information security practices with applicable laws and regulations (e.g., GDPR). Compliance with legal requirements, such as data protection laws, industry-specific regulations, and contractual obligations, is a critical aspect of ISO 27001 implementation.

    Lack of continuous monitoring and improvement

    ISO 27001 is a framework that emphasizes continual improvement of the information security management system. Organizations often make the mistake of considering implementation a one-time project, failing to establish ongoing monitoring, review, and improvement processes.

    To avoid these errors

    Organizations should invest in proper planning, engage all relevant stakeholders, conduct thorough risk assessments, communicate effectively, and ensure ongoing monitoring and improvement of the ISMS. Seeking expert guidance or partnering with experienced consultants can also help successfully implement ISO 27001.


    Related Articles


    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because it is based on independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised). It is a ‘university grade’ standard used globally by schools, colleges, and universities to demonstrate competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems