The Hidden Cracks - Potential Problems You Could Encounter with the ISO 27001 Certification Process

If this is your first time climbing the mountain known as ISO 27001 Certification, it can feel like a daunting task when you don't know the route. Thankfully, with correct guidance and the right equipment in hand, it should be a much smoother ascent up the rock face. That doesn't mean you shouldn't be looking out for potential cracks along your route, though. Put your foot or hand in the wrong spot and you risk losing all that upward momentum to one or more mistakes. If you know what to look out for, you can navigate your way through with significantly less hardship.
That's what we'll cover today: some potential issues we've seen in our experience. Along the way, we'll present you with some questions to ask yourself if you encounter such issues during your quest to reach the summit of ISO 27001 certification.
Problem #1 - Inadequate Risk Assessments
In our travels, we've seen a handful of organizations going for ISO 27001 Certification, some on a much tighter timeline than others. A tight timeline can cause problems both at the onset and down the road. One place where it can hurt your process is the risk assessment (ISO 27001 Clauses 6 and 8). Risk assessments play a vital part in the process because they give you a full view of the context of your organization: which parts of it need to be assessed and treated for your certification, and which risks fall within your risk appetite and can be accepted.
One thing you need to be aware of, however, is that getting a full picture of your organization takes time and a considerable amount of effort. Rushing this crucial step can leave your data exposed if non-conformities or vulnerabilities are missed, and an auditor will notice a risk register that doesn't match the organization in front of them.
Some questions to ask yourself when it comes to your own risk assessments:
Are there current plans in place to research, document, and remediate/accept current risks in the organization? If so, what are they?
How do our current risk assessments align with industry standards and practices?
Is executive leadership aware of these risks and how they can affect the organization? If so, how are they informed? If not, why?
Problem #2 - Little-to-no Management Buy-in
To make sure that everyone is on board with your organization's cybersecurity and compliance goals, the certification process needs commitment from executive leadership on down.
However, some individuals in leadership look only at the short-term cost of the audit and the work of complying with it, and consider certification "unnecessary" or a "waste of time/resources". Having them on board with the process and what it entails is vital to the security of your data, the trust of your customers, and the success of the organization; without their support, the people doing the work won't get the budget, time, or authority they need.
Some questions to ask yourself:
What is management's role in ISO 27001 Certification?
If they are not committed to it, what are potential issues that could happen?
How do you foster that kind of buy-in and support?
How do you demonstrate the benefits of having an improved compliance and security posture?
Problem #3 - Processes and Policies are not Well-Defined or Followed
For ISO 27001, documented procedures covering people, processes, and technologies are necessary. During the Stage 1 Certification Audit, your auditor will ask during interviews what your processes are. While verbally describing your processes is a good start, physical proof in the form of documented policies, procedures, document version control, records, and so on is worth its weight in gold to your Stage 2 auditor. It shows them that there is a system in place and that it is actually followed.
It can be a daunting task to make sure the documentation for everything in an organization is up-to-date and accurate. In some cases, we've seen organizations that do have a documented process in place, but only for the sake of the compliance audit; they don't actually follow through with the new process because of the scale of the task. They create a documented process to pass the audit and ignore it after the fact. This creates a huge discrepancy between your documentation and the actual state of your organization, and it could slow down or even halt the audit process altogether in subsequent years. Without documentation and the records that show a process being followed, to some auditors there might as well be no evidence of compliance at all.
Questions to ask yourself:
Why is documentation in ISO 27001 so important?
What should be included in documentation to be considered "compliant"?
What documentation are we missing required by ISO 27001? What processes should have documentation?
Problem #4 - Lack of Continual Improvement
Picture this hypothetical situation: You’ve passed your ISO 27001 audit. Congrats! Now you can finally relax, right?
Not so fast.
One key component of ISO 27001 is the concept of "continual improvement". This means that you're always striving to make your controls, policies, and procedures better. If you think about it from a threat perspective, your controls only address the threats that were known the last time they were reviewed. It is vital that your controls are regularly reviewed and updated as needed so that you'll be prepared not only for today's threats, but tomorrow's as well.
Questions to ask yourself:
Why are complacency and stagnation such a big problem in some industries today?
Does your current organization embrace continual improvement practices? Why or why not?
How are continual improvement practices documented? Where are they located?
Problem #5 - Stakeholders/Interested Parties Not Involved in the Process
It might be obvious that the relevant internal parties in your organization want to know how you're trying to improve your security posture, since it could affect their day-to-day operations. But there are other groups ("interested parties") who should also be involved in the process. These are the people, groups, or entities that receive your products or services, that may be affected by them, or that have a significant interest in your organization: suppliers, investors, trade unions, government agencies, and so on. Every organization defines who these parties are differently, according to its own operational needs.
Identifying and involving these parties is not only important for your certification, but it can also help you gain further insight into the context of your organization and what systems are in place to further its interests. Without their outside input or guidance, your organization could just be operating within an echo chamber.
Questions to ask yourself:
What are your organization's interested parties/stakeholders?
How will you engage them in the certification process?
Problem #6 - The Difficulty of Information Security Management System (ISMS) Creation
Real talk for a second:
Creating a functional ISMS is difficult and can be very expensive if you’re not careful.
People going for certification sometimes underestimate the steps involved in becoming ISO 27001 certified. On top of collecting all of your evidence, you also need to factor in the resources and costs involved in each step. There's the readiness assessment, the implementation of new controls and policies, the internal audit itself, the certification audit, the surveillance audits, the annual internal audit to check on continual improvement, keeping up with the ever-evolving threat landscape through your technical controls... you get the idea.
If your executive leadership only looks at the cost of the internal audit and thinks that's all they need to pay, the total cost can easily balloon out of control if it isn't correctly budgeted (and, ideally, risk assessed). Thankfully, we created a step-by-step guide to the process from beginning to end, with some best practices to make it a little easier:

As organizations navigate the potential pitfalls on their path to ISO 27001 certification, it is crucial to address these challenges head-on. By recognizing the importance of thorough risk assessments, fostering management commitment, improving documentation practices, involving interested parties, and embracing continual improvement, organizations can improve their chances of achieving a successful and sustainable ISO 27001 certification. The journey may seem daunting at first, but with the right help, you too will be able to overcome these hurdles and strengthen your information security practices in an ever-evolving digital landscape.