Common pitfalls to avoid when getting ISO 27001 certification

As an organisation, implementing ISO 27001 provides you with several benefits including easier compliance with legal requirements, better security for data, and improved stakeholder confidence. The catch: successful implementation of the standard can be a major challenge to organisations doing it for the first time.  

Since the ISO 27001 standard is designed to be customisable to your organisation, there are several instances where businesses could go wrong in their implementation process. Based on our extensive experience of working with varied clients, we’ve compiled a list of the most common pitfalls businesses face when implementing the standard along with advice on what you can do to avoid them.

Not defining the right scope

Finding the right scope for implementing your organisation’s ISMS can be tricky. Organisations often set over-ambitious goals for the implementation of their ISMS, leading to the adoption of several redundant and unneeded controls and processes.

This can lead to resource wastage, increased cost of information security, and demotivated employees chasing unachievable targets. On the other hand, an organisation may define their scope too narrowly, and the needed controls may not be adopted. This could lead to noncompliance with the ISO 27001 standard and can make it appear that your organisation is not in control of its ISMS during the certification audit.

Lack of management

Commitment In many organisations, implementing the ISO 27001 is considered to be an IT exercise and the responsibility of the IT department of the business. In reality, it is a management standard for information security. The upper management in an organisation may not see the value the implementation of ISO 27001 adds to the business and they may be hesitant to fully commit to its implementation.

Too few resources

Often, the implementation of the ISO 27001 falls to a particular individual or team within the organisation. This type of approach can create information security silos where only very few individuals are aware of the controls and procedures around the ISMS and other aspects of the standard. The loss of such individuals could cause the collapse of the entire ISMS.

Find out which two other pitfalls are common for all businesses and how you can prevent these pitfalls from happening in our free guide about the most common pitfalls during ISO 27001 Certification.

How long does it take to get ISO 27001 certified?

Usually, the process can take 6 to 12 months, depending on business size and complexity. The use of designated solutions like the DataGuard platform, can fasten the process to as little as 3 months (also depending on a business’ properties).

This phase is called the ramp-up phase, where the main chunk of work is done. You carry out a gap analysis that aims to close up to 50% of your company's most significant risks in as little as 8 weeks.

Getting through the process involves:

• Defining your scope
• Building your Information Security Management System (ISMS)
• Identifying and managing risks
• Protecting your information assets
• Passing your ISO 27001 audit
• Maintaining your ISMS, keeping your certificate

Also, if you're in the mindset of scaling, we definitely recommend getting started sooner rather than later. Scaling your ISMS alongside your company growth is easier.

Does the ISO 27001 certification expire?

The ISO 27001 certification needs to be renewed every 3 years. Yet, it’s recommended to remain compliant to protect your company’s assets and ensure your information remain safe. Furthermore, companies must pass the annual surveillance audit to verify compliance and to avoid expiry of the certification before the three years cycle.

“If an organization does not pass the surveillance audit conducted by the external auditor, their ISO 27001 certification could potentially expire before the full 3-year term is completed. The surveillance audits are typically conducted annually to ensure ongoing compliance with the ISO 27001 standard. If compliance is not maintained, the certification might not be renewed for the full 3-year period.”
Larissa Bruns, Associate Consultant Tech Practice Professional Services

How do I transition to ISO 27001:2022?

If you already comply with the ISO 27001:2013 certification you don’t necessarily need a separate audit to transition to the new revision. You can either undergo a standalone transition audit or you can opt for a transition audit at the time of annual surveillance or re-certification. This depends on where you are in the certification lifecycle.

Here is an overview of a typical transition roadmap:

When it comes to the transitioning timeline, the 2022 revision was issued in October last year and the transitioning timeline has officially begun. By October 2023, UKAs plans to have transitioned all certification bodies to the new standard.

All 2013 certificates will expire on the 31st October 2025, this is the deadline to transition. Your will have to undergo a transitioning audit before this date, so ensure your company has allocated enough time for this transition. Yet you can still certify against the 2013 standard until April 2024, if you wish to do so.

Complying with the new 2022 standard is bound to save your organisation resources and frustrations. This is why we recommend transitioning sooner rather than later. You can gain detailed insights on transitioning in DataGuard's expert insights on the ISO 27001:2022 update.

What are the benefits of getting ISO 27001 certified?

The benefits of implementing ISO 27001 are plenty — both for your business and external parties and stakeholders. Here's an overview of the most important ones:

The benefits of achieving ISO 27001 certification:

• Your company or organisation can avoid significant financial losses caused by ransomware attacks.
• Win more deals; having a certified information security system can set you apart from the competition and win trust among potential customers.
• You may be able to secure investment more easily; investors are becoming more and more aware of the threats ransomware attacks have.
• By getting certified, you can experience increased customer trust because, nowadays, tech-savvy customers want to know how you handle data safely.
• Promising to keep your customer's data safe can become your brand's unique selling point.
• Reduced risk of data breaches: By having the proper measures in place — you can avoid the risk of a breach before it even happens.
• Setting up processes and procedures when it comes to how you handle data can also mean increased operational efficiency. Because now you have a standard process instead of different methods.
• Enhanced brand reputation: Customers want to know how you handle their information, and getting ISO 27001 certified is the ultimate promise that you take information security seriously.

Is ISO 27001 compliance sufficient?

If you’re looking to establish an information security management system — ISO 27001 is the ultimate baseline that will cover most businesses' compliance and information security needs.

What your customers and suppliers require will depend on where your business operates. ISO 27001 is an internationally recognised standard known as the gold standard, regardless of geographic location or industry. It should be sufficient for every use case, but if you are unsure — having an initial consult with an information security expert makes sense.

Getting ISO 27001 certified

Accredited vs. non-accredited certification

As we have learned so far, ISO 27001 certification is not mandatory for businesses. However, it’s recommended to be compliant with the standard at least. But what’s the difference between being certified and being compliant? In general, you must understand the three ways of communicating the implementation of ISO 27001:

• ISO 27001 compliant
• ISO 27001 certified
• ISO 27001 certified by an officially accredited certification body

The difference is that an independent third certification body validates an accredited certification. A non-accredited certification means you have implemented the ISO standards but have not undergone an external audit, nor have you been issued a certificate for an external certified body.

In the United Kingdom, numerous accredited certification bodies for ISO 27001 exist. These bodies have undergone scrutiny and accreditation by UKAS, the country's national accreditation authority. UKAS guarantees organisational competence and adherence to the highest standards, utilising a thorough audit process to ensure compliance.

Often, certain contractual agreements require an official accredited certification. Apart from this, achieving an accredited certification is highly recommended — you can use it in your communications towards customers and have an external assess your information security to ensure your ISMS is in check.

You can find a list of currently accredited bodies here.

We strongly recommend seeking certification exclusively through accredited bodies. Business partners often do not acknowledge certifications lacking confirmation from an international accreditation body. In fact, most contracts mandating ISO 27001 certification implicitly refer to certification by an accredited body. Read more about accredited bodies here.

Conducting a risk assessment

Conducting a risk assessment is not as straightforward as one might think. First of all, there are many different approaches to risk assessments. It’s not necessarily common practice, but scenario-based is the most effective way to access risk. This means considering past occurrences and analysing risky scenarios that may cause an issue.

The risk assessment consists of the following:

1. Identify & assess risk
2. Treat risks - you decide here how you want to address the risks. E.g., Accept, Avoid, Transfer, Mitigate.
3. Review residual risks.

A platform like DataGuard can help move you through risk assessment in an efficient way with a tested and proven process. Check out the full article on Conducting ISO 27001 risk assessment in 7 steps here.

Implementing controls and a risk treatment plan to manage risks

An integral element of your information security program is the risk treatment plan. This plan is all-encompassing and is devised to execute measures to either accept, avoid, transfer, or mitigate the possibility or consequences of risks.

Of utmost importance within a risk treatment plan is the aspect of implementation. Its significance lies in guaranteeing the actual execution of risk treatment procedures.

You can read ISO 27001 risk treatment plan: How to develop the right one here.

Complete your ISMS Documentation

Documentation is the basis of your ISMS and the most important part of getting and maintaining your certification. If it's not documented, it's not relevant.

You need to keep track of many things when it comes to documentation, as there are many things to consider. To give you a complete overview of the documentation required for ISO 27001 certification, along with information on preparing said documentation, we have created a detailed list for the documentation:

Definition of the scope of application of the ISMS (Information Security Management System)

The scope of application of the ISMS is defined in the so-called “Scope Document”. This determines which divisions of your company are subject to the ISMS. Your ISMS doesn’t necessarily need to be rolled out across the entire company - only the relevant departments and divisions. That said, in the case of smaller companies, it will usually cover all departments.

Coordination and documentation of the guideline on information security

The objectives which your company seeks to achieve with your ISMS should be clearly defined in the guideline on information security. This document should also demonstrate why information security is a top priority in your organisation, and that management is responsible for the guideline.

This does not have to be formulated by management themselves but must always be approved by the necessary stakeholders. The ISO standard already specifies the following information security objectives:

• Data confidentiality
• Data availability
• Data integrity

Definition of risk assessment and risk management methods

You will need to identify your company’s risks, assess them individually and define an appropriate methodology for risk management. The assessment should always be carried out by the respective risk owner and should ultimately be approved by management.

In addition, this area should be coordinated within the company, ideally with your ISO, CISO or risk management department. Given that this process must be repeated on a regular basis, it can result in a lot of effort, especially for small and medium-sized enterprises that lack in-house security and risk experts. Repetitions occur when there are new assets in the company that require a risk assessment.

Preparing a declaration of applicability

As part of this step the ISO/CISO shall agree, with the respective specialist departments, which of the 93 controls stated in Appendix A of ISO 27001:2022 must be carried out or which are relevant for the company.

ISO 27001 has specified various areas such as cryptography, HR security or operational security. Companies may exclude some of these areas by providing appropriate justification. For example, if a business does not have a loading zone, it is simply not necessary to draw up rules for loading zones.

Download our free E-Book to learn about all 22 documentation requirements.

If you choose to work with experts such as DataGuard or an external consultant, you may receive documentation templates that will help cut down on your manual work significantly compared to creating them from scratch.

What is an audit, and why is it important?

An audit is basically the process of checking that your ISMS meets the requirements and criteria of a standard. If you are certifying against ISO 27001, it will be the requirements of the ISO 27001 standard.

Audits ensure the success of your ISMS by identifying information security non-conformities and can be either internal or external. Internal audits can be carried out using the organisations’ own resources — whether that’s internal employees of the company or contracted independent consultants (2nd party auditors).

External audits are carried out by a certification body, external partners or customers who want to assess the ISMS on their own terms. The latter is rather the exception than the rule — when referring to an external audit, a certification body is meant in most cases.

Audits are incredibly important not only because they are:

• A concrete requirement of the ISO 27001 standard.
• The only way of verifying whether you comply with the standard.
• Necessary to obtain your ISO 27001 certification.

Conducting internal audits: How to go about it

Internal audits are vital for long-term success in earning and keeping your ISO 27001 certification. They should be carried out on a regular basis by employees within the company, as opposed to external auditors coming into your company to assess your ISMS.

However, independency and qualification are a must for being an internal auditor. Another option is to perform internal audits with external consultants, like the experts at DataGuard, who also offer regular audits. Internal audits are your best bet for catching gaps in your documentation and improving it.

When you are getting certified for the first time, the internal audit ensures you have everything you need in place to pass your certification on the first try.

An internal audit checklist will help you keeping an overview of the necessary steps in that process. Here is an overview of the steps in an internal audit:

1. Documentation Review
• All documentation from the management and control system should be reviewed to ensure that it is complete, accurate, and up-to-date.
• A team should be assigned to perform this task.
• The team should be given a clear set of instructions to follow while they are performing the review.
• The documentation should be examined for completeness, accuracy, consistency, and suitability for its intended purpose.
• The auditor will then check to see if you have the required documents and that it complies with the standards.
2. Management Review
• The management review team should go through the documentation again to make sure that all relevant information has been recorded and that there are no omissions or missing information in any of the documents.
• Finally, management needs to look over the report and take the audit results into account. Make sure that any essential changes and corrective measures are put into place.

Get a full breakdown of how to conduct an internal audit.

Undergoing external audits: What to expect

You will be in touch with your auditor before the external audit takes place to agree on an audit that includes resources and timelines for the audit.

In general, there are four types of external audits:

• Stage 1 Audit: This is the documentation review audit, whereby the external auditor analyses if your organisation has all the necessary documentation in place for a fully functioning ISMS. Your documents need to cover the documentation required in the ISO/IEC 27001 standard. The certification body will take the time to gain a sufficient understanding of the ISMS design in the context of your organization, risk assessment and treatment (including the controls determined), information security policy and objectives. A large emphasis will also be put on your company's preparedness for the audit. This allows planning for stage 2.
  
  
• Stage 2 Audit:Based on documented findings in stage 1's audit report, the certification body will develop an audit plan to conduct stage 2 of the audit. In addition to evaluating the effective implementation of the ISMS, the aim of stage 2 is to confirm that your company adheres to its own policies, objectives and procedures.

To do this, the audit will focus on:

• Top management leadership and commitment to information security policy and the information security objectives
• Documentation requirements listed in ISO/IEC 27001
• Assessment of information security-related risks and that the assessments produce consistent, valid and comparable results if repeated
• Determination of control objectives and controls based on the information security risk assessment Risk treatment processes
• Information security performance and the effectiveness of the ISMS, evaluating against the information security objectives
• Correspondence between the determined controls, the Statement of Applicability and the results of the information security risk assessment and risk treatment process and the information security policy and objectives
• Implementation of controls (see Annex A), taking into account the external and internal context
• And related risks, the organization’s monitoring, measurement and analysis of information security
• Processes and controls to determine whether controls are implemented and effective and meet their stated information security objectives
• Programmes, processes, procedures, records, internal audits and reviews of the ISMS effectiveness to ensure that these are traceable to top management decisions and the information security policy and objectives

Once you have completed stage two and passed the audit — you will receive your official certification.

• Surveillance/periodic audits: happen between certification and recertification audits focusing on specific areas of the ISMS. This is done every year.
• Recertification audit: This is necessary to keep your certification and covers all aspects of the standard and must be carried out every 3 years.

How long does it take to get ready for an ISO 27001 external audit?

Depending on the size of your company or organisation, you can be audit-ready in about 8 weeks. If you decide to go the manual route of building your documentation from scratch, it can take at least approximately 4 months.

There are a few main requirements you need to fulfil to obtain your ISO 27001. To help you with it, we’ve compiled a series of checklists which outline everything you’ll need for your certification.

• 1 to 20 employees - Up to 3 months
• 20 to 50 employees – 3 to 5 months
• 50 to 200 employees - 5 to 8 months
• More than 200 employees - 8 to 20 months

It is also important to take into account several other variables that may affect the time it takes for you to obtain the certification.

• The number of individuals on the ISMS implementation project (relative to the size of the business)
• The amount of time individuals are willing to spend on the project
• Engagement / endorsement / support from leadership
• The size of the company and complexity
• Auditor availability to conduct the external audit

When implementing your ISMS, you may experience unforeseen challenges which may delay certification as well.