Why is implementing ISO 27001 so difficult?

Well, the simple answer is that it really doesn’t have to be. If you’ve looked at implementing it internally, or more likely, you’ve been given the extra responsibility to complete an implementation on top of your day job, it can look a little daunting to begin with.

Of course, I could bleat on about hiring someone to do it (like me) but, that might not be practical. So, I thought I’d jot down a starter for ten to show you how I would go about tackling it.

  1. Buy the standard. I know it’s wordy, and it might not make much sense right now. But, once you have it, it will become a checklist for you a little bit further down the line. It’s not expensive, and if nothing else, it provides excellent bedtime reading if you’re a bit of an insomniac.

  2. Get the boss on board. Now, you’ve probably been handed this dandy little project by your senior in the company. That person may or may not be the person signing the cheques, so let’s make sure everyone is on board this train before we start rolling. It doesn’t hurt to reach out to some certification bodies now, even before you’ve started doing any real work. They can give you an indication of cost, which you can take back to the people holding the purse strings. Pricing is relatively consistent between the different certification bodies, but (with my best Martin Lewis voice), get a few quotes, and you can then decide which one to choose. Some may be cheaper than others, but just make sure you are getting like-for-like quotes. There are certified and non-certified assessment bodies. I’m not going into the difference between each here, as it’s a whole other blog.

  3. If we’re happy with the costs, now is the time to start doing some work. Scope is a word you will hear, and it simply means, ‘What areas are we including in this certificate?’ A misconception is that you have to certify your entire company. This is incorrect; you might want to have a much smaller scope: a specific product you offer, a specific service you sell, a specific team. The options are endless, but it is up to you to decide what this might be. Typically, the smaller the scope, the easier the project. Start small and look to increase your scope a little down the line once you get the hang of things. Scope is essential, and it will drive things later. It’s always good to ask yourself what you are trying to achieve at this point. What do we want our ISMS to provide? What objectives should we set and measure so we know this project is going to head in the right direction?

  4. Once you have your scope defined, go do some hunting about and start pulling together some simple lists of what information you have. Break it down into a couple of areas to make your life a little easier. Think about the hardware first: end user equipment, printers, network devices, app servers, web servers, database servers, blob storage, even filing cabinets.

  5. Once you have this list, write down the type of information you’re storing in these devices: employee data, customer data, company data, source code, absolutely everything. Decide how important that data is, and how much of a pain it would be if it was lost, stolen, or changed in error. Now we have a good list to work from.

  6. Now the fun starts. We’re going to look over that list and try to understand how each of those components could be damaged. That could be malicious intent by someone inside or outside of your company, or it could be simply someone overwriting it by accident. Once we know what those risks are, we are going to try to decide how we can stop those things from happening. This is where we apply controls. Some risks may have one control applied; some may have many (some might have none, if you are happy with the risk just the way it is). It’s up to you and your team to decide which controls you should apply to help you reduce the risk of something terrible happening to a level you are comfortable with. Most people will cast their eye over Annex A at the back of the standard and choose controls from there. Remember, you don’t have to use Annex A if you don’t want to. If this is your first rodeo, though, I probably would. It will make your life easier, and it’ll make life easier for the auditor too. Continue working through each risk in turn, deciding which controls you are going to apply to it. Once you’re done, capture all of those controls together in a separate list. Congratulations on creating the outline of your first ‘Statement of Applicability’.

  7. The most important step now is to give yourself a pat on the back.


There’s more to do, but we’ve made a good start. Come back next time to find out where we go next.
Implementing ISO 27001:2022 might sound like a big task, but it’s worth it in the long run. It’s your ticket to showing your clients and partners that you take their data security seriously. Remember, it’s not about being perfect from day one. It’s about making steady progress and always looking for ways to do better. So, roll up your sleeves and get started on making your business more secure than ever before.