iso27diy-corp/marketing/campaigns/FUD with Certification.md


Fears, Uncertainties, and Doubts with ISO 27001 certification

People who need to implement ISO 27001 within their organization often worry about the following:

  • Am I doing it right?
  • Did I interpret this article correctly?
  • Haven't I forgotten anything?
  • Are we doing enough?
  • How long will this take?
  • How will I get people to cooperate?
  • This will bring a mound of unnecessary paperwork
  • We will need to implement unworkable procedures
  • This will take all flexibility out of our way of working
  • We will become robots
  • We will need to implement all kinds of expensive measures

Themes

The challenges they face can be grouped into several themes, as described below.

Lack of leadership / top management support

  • leadership doesn't fully understand the value of ISO 27001 and sees it as a bureaucratic burden instead of a strategic priority
  • not a priority for middle management because of leadership's stance
  • lack of resource allocation (time, money and people) due to lack of leadership support

Business alignment

  • overly long and confusing policies that are difficult for employees to understand and for auditors to navigate
  • risk of the ISMS becoming isolated from real business processes, especially when internal responsibility lies with people lacking authority or visibility into all business areas
  • integration of management processes, process documentation, and continuous evaluation

Acceptance / buy-in at operational level

  • (cultural) resistance from employees, because ISO 27001 implementation often introduces new policies and processes that can be perceived as burdensome or unnecessary
  • this is aggravated if staff don't understand the benefits and/or aren't properly trained
  • this is aggravated if the ISMS is implemented as, or perceived as, an artificial system for certification rather than an integrated part of the company's culture and operations

Documentation / policy tuning

  • how to create and maintain policies and procedures that are both comprehensive enough to satisfy auditors and practical enough for employees to follow
  • over-engineering of a one-size-fits-all approach from templates, leading to massive, unwieldy documents, instead of tailoring the documentation to the specific needs and size of the organization
  • finding the balance between being thorough and being concise: how much detail or separation is appropriate for policies, procedures, and supporting documentation

On risks

  • how do we properly identify, analyze, and prioritize all relevant risks?
  • fear of missing a critical risk or not prioritizing risks correctly

Passing the audit

  • when is a control implemented "enough" to pass an audit? This comes with a fear of misinterpreting the auditor's expectations, which often stems from the fact that ISO 27001 is a framework, not a prescriptive checklist
  • lack of structured and impartial internal audit processes