Introduction
ISO 27001, the globally recognised standard for information security management systems (ISMS), offers a robust framework for protecting sensitive data. While the benefits of ISO 27001 certification are undeniable, the implementation process can present significant challenges.
In this article, we will explore three common hurdles that organisations often encounter when embarking on their ISO 27001 journey and provide practical strategies to overcome them.
By understanding and addressing these challenges, you can successfully implement ISO 27001 and reap the rewards of enhanced information security.
Resourcing
The first challenge is that implementing and running ISO 27001 requires trained and experienced people. Organisations rarely have that skill internally, so the most common approaches to this challenge are:
- Use ISO 27001 Toolkits
- Engage Consultants
- Recruit an information security professional
- Train existing staff
Practically, the option you take will be based on your size, your complexity and your budget. In reality, over time you will use a combination of these approaches, but where should you start?
The best place to start is with an ISO 27001 toolkit, as this represents the lowest cost, lowest risk option and provides a foundation upon which you can build. With costs in the hundreds, not thousands, these toolkits provide everything you need to get going. By starting here you can work out what additional help you need and add that help based on need.
The next step would usually be to engage consultants, as they provide the skills and resources you need and can parachute in to solve a particular problem incredibly quickly, if at a significant cost.
The role of the consultant includes the training of existing staff, which should be supplemented with more formal book-based and course-led training.
It is at this point, once you fully know and understand what is required and what you need, that you would seek to recruit an information security professional.
Cultural Resistance
Implementing ISO 27001 in your organisation alongside existing priorities and projects can be a challenge, especially depending on your overall culture. The standard requires a lot of documentation that you will either have to create from scratch or fast track with an ISO 27001 toolkit, and it introduces the concept of process maturity. Process maturity means documenting processes and keeping evidence that those processes are operating.
This can be a massive culture gap in modern organisations and will be an area that will cause you to fail if you don’t go about it the right way.
Overcoming cultural resistance relies on techniques of human psychology: understanding people and meeting their needs.
The usual approach to overcoming cultural resistance is:
- Stakeholder analysis: understanding who the key players are, both internally and externally to the organisation, and directly addressing their needs.
- Leadership buy in: ensuring that you are directly aligned with the business objectives and that you have the buy in of senior leadership, who have committed to help drive the implementation and provide the required resources in time, money and people.
- Communication: communicating at all stages of the implementation with everyone who will be impacted, to show the benefits of what will be done, what will actually be done, what will change and what people's contribution will be.
- Engagement: engaging with the subject matter experts in the organisation and recognising that the standard does not have all of the answers. It does not dictate how to run your business or require changes to business operations; rather, it requires that those business operations take account of information security.
Security Perfection
The concept of information security perfection does not exist in the ISO 27001 standard. ISO 27001 is a risk-based management system that implements controls and security proportionate to risk and based on business need.
Your information security does not have to be perfect. It has to be sufficient to mitigate the risks that you have, or the risk of not having a given control has to be formally accepted.
This is about being pragmatic, not perfect. It is about building a foundation and then continually improving and getting better. Continual improvement is baked into the standard and is a cornerstone of the management system: understanding that, over time, things incrementally improve, and having the processes in place to manage that.
Don’t Hold Back
The time to start your information security journey is now. Every journey starts with a step, and with the right tools and online guidance that step is within reach. There are challenges, but do not let them hold you back. Are these all of the challenges you will face? Most certainly they are not, but they are the most common. Was anything that was ever worth achieving simple and without challenge?