
Common ISO 27001 Challenges

(And How to Overcome Them)

Most organisations run into the same handful of problems when they start an ISO 27001 project. Left alone, these can slow everything down, burn people out, and make ISO feel like “that impossible thing we’ll do one day”.

This article walks through the common ISO 27001 implementation challenges I see most often – and some practical ways to deal with them.

Written by Alan Parker – ISO 27001 Consultant

Let’s take them one by one.


Lack of Management Support

Challenge

Without visible support from top management, ISO 27001 projects tend to stall. You see:

  • Not enough time and people allocated
  • Conflicting priorities
  • Security being treated as “IT’s hobby” rather than a business objective

I’ve seen this more than once: someone in the organisation (IT, I’m looking at you) becomes evangelical about ISO 27001, but the senior team haven’t really bought in.

Enthusiasm is mistaken for progress – but without the authority to change things, very little actually happens.

Solution

You need a senior sponsor, or you will be dead in the water. So, go find one.

1. Educate leadership in their language

Build a short, focused briefing for the senior team that answers three questions:

  • What could go wrong if we don’t do this? (breaches, fines, lost deals, reputational damage)
  • What could go right if we do? (new customers, smoother procurement, fewer firefights)
  • What does the journey actually look like? (high-level steps, rough timelines, their role)

Use real-world examples and, bluntly, “hit them where it hurts or helps” – revenue, reputation, and risk.

2. Tie it to business outcomes

Link ISO 27001 to things they already care about:

  • Winning bigger or more regulated customers
  • Meeting regulatory expectations
  • Improving resilience and reducing chaos when things go wrong

Most organisations I work with are chasing ISO 27001 because it unblocks deals or keeps them in the running for larger contracts. Make that connection explicit.

3. Keep them engaged

Once they’re on board, don’t let them disappear.

  • Schedule regular, short updates (monthly or quarterly) on progress, issues, and decisions needed
  • Use a simple dashboard or status slide so they can see at a glance where things stand
  • Build management review into the calendar, not as a last-minute scramble

The aim is to move leadership from “We agreed this was a good idea” to “We’re actively sponsoring and protecting this work”.


Insufficient Resources

Challenge

ISO 27001 needs time, people and money. If you can’t get access to the people who understand your processes and systems, the project will grind to a halt.

Resource issues are often a symptom of weak senior support, but they also come from unrealistic planning – trying to do everything at once, or assuming people can do a full-time job plus ISO on the side. That said, 27001 shouldn’t be a massive burden in terms of either cost or effort.

Solution

1. Do an honest gap analysis and resource plan

Right at the start:

Be honest. If you pretend people have more time than they do, the plan will look great on paper and fail in reality.

2. Prioritise using risk

Avoid trying to “do everything” in one big wave.

  • Focus first on high-risk areas – things that could seriously hurt the business if they go wrong
  • Accept that some lower-risk items will be dealt with later
  • Be clear about your risk appetite – what you’re prepared to live with for now

You must address all relevant Annex A controls in your Statement of Applicability, but how deeply you implement each one is driven by risk, context and common sense.

3. Bring in external help (sensibly)

If you don’t have in-house experience:

  • Consider short-term consultancy or a part-time specialist to:
    • Help structure the project
    • Run risk assessments
    • Draft or review key documents
    • Prepare you for certification

This doesn’t need to be a huge, open-ended engagement. A few well-targeted days or weeks of expertise can save months of wheel-spinning.

I’ve written more about some of the likely costs here.


Employee Resistance to Change

Challenge

New policies and processes often feel like extra admin. If people see ISO 27001 as “more hoops to jump through”, you’ll get:

  • Workarounds and shortcuts
  • Grumbling and passive resistance
  • Policies that exist on paper but not in practice

If your IT team, in particular, feel ISO 27001 is something being done to them, instead of something they help shape, you’re in trouble.

Solution

1. Make awareness training relevant

Avoid generic, one-off “be secure” presentations.

  • Tailor content by role:
    • Front-line staff – phishing, passwords, reporting incidents, handling data
    • Managers – approvals, access, handling issues in their teams
    • Technical teams – change control, logging, secure configuration, backups
  • Use interactive formats – workshops, short e-learning, quizzes, simulated phishing

Don’t bury people in legal detail they can’t act on. Show them how this affects their day job and why it matters.

2. Involve people in shaping controls

Form small, cross-functional working groups to help design how key policies and processes will work in practice. Include:

  • Supporters (your natural allies)
  • Sceptics or “difficult” stakeholders (bring them into the tent early)

When people feel they’ve had a say, they’re far more likely to support the outcome – and they’ll often spot practical issues you’d have missed. In fact, if I sense any resistance to change, I’ll seek out the most vocal person and have them join the team. They can turn into your most vocal advocate – if they feel involved and able to influence the outcome.

3. Keep communication two-way

Plan an internal communication drip:

  • Short updates in existing channels (Slack/Teams, town halls, newsletters)
  • Clear explanations of what’s changing and why
  • A place for questions and feedback

And then actually respond to that feedback. Even when the answer is “we can’t change that because…”, people appreciate being heard.


Complexity of Documentation

Challenge

ISO 27001 has a reputation for generating mountains of paperwork. Left unchecked, you end up with:

  • Long, unreadable policies
  • Duplicated documents
  • Nobody quite sure which version is current

Humans naturally overcomplicate this. The standard does not say “write 50-page procedures for everything”.

Solution

1. Decide your documentation “depth” up front

ISO 27001 and ISO/IEC 27002:2022 expect you to:

  • Document what’s necessary for your ISMS to be effective
  • Control that documentation (approve, update, and make it accessible)
  • Provide enough detail that people can actually follow it

That does not automatically mean highly detailed documents for every activity. For some organisations, a one-page process summary plus a checklist is enough. For others, a detailed procedure might be justified.

Let risk, complexity and audience drive the level of detail – not habit.

2. Create a simple documentation structure

Make it easy to find things:

  • A single, central repository (e.g. SharePoint, Google Drive)
  • A clean folder structure (e.g. Policies / Procedures / Registers / Records)
  • Clear naming and version control
  • One master index, so you can quickly see what exists and who owns it

Your future self will thank you when the auditor says, “May I see your current [policy/procedure/register]?”

3. Use tools to capture “how-to” steps

For step-by-step “how we do this” documentation, tools like Scribe (and similar) can record processes as people perform them. That can save a lot of time and keep documentation closer to reality.


Setting the Scope Too Wide

Challenge

Scope is one of the most important – and most misunderstood – parts of ISO 27001.

  • Too narrow, and you leave important things out, or end up with a certificate customers don’t trust.
  • Too wide, and the implementation becomes unmanageable before you’ve really started.

It’s a bit like redecorating: you can rip out and redo the entire house at once, but most people are better off tackling one room at a time.

Solution

1. Start small and meaningful

Begin with a clear, manageable scope that:

  • Aligns with your most critical services, systems or customer commitments
  • Makes sense to your customers (and potential customers)
  • You can realistically support and evidence

You can absolutely expand later once the initial ISMS is bedded in.

2. Think in phases

Treat your scope as a roadmap:

  • Phase 1 – core product/service and key supporting functions
  • Later phases – additional offices, services, or internal functions

Each expansion should be a deliberate decision, driven by risk, opportunity and capacity – not a slow, accidental sprawl.


Maintaining Compliance Over Time

Challenge

Once the certificate is on the wall, something predictable happens…

  • People drift back to day jobs
  • ISO tasks slip down the list
  • Documentation stops being updated
  • Internal audits become a last-minute panic

The result is a desperate scramble before surveillance audits, with missing evidence and a lot of stress.

Solution

1. Shift from “project” to “rhythm”

Treat certification as the start of Phase 2, not the finish line.

Build a simple annual rhythm around:

  • Quarterly (or at least annual) management reviews
  • A realistic internal audit plan spread across the year
  • Regular risk and SoA reviews
  • Ongoing training and awareness

Book these into diaries like any other recurring business activity.

2. Keep it “little and often”

It’s far better to:

  • Review a handful of controls or processes each month
  • Keep logs and records up to date as you go
  • Fix small issues quickly

…than to do nothing for 10 months and then try to re-create everything from memory before an external audit.

3. Give reviews some “bite”

Management reviews and internal audits shouldn’t be polite talking shops.

  • Track actions with owners and due dates
  • Ask, “Did we actually do the things we said we would?”
  • Use corrective actions properly – fix the root cause, not just the symptom

Accountability is what keeps the ISMS alive when nobody from the certification body is watching.


Lack of Expertise

Challenge

Not every organisation has someone who has implemented ISO 27001 before. That can lead to:

  • Over-reliance on one person who “knows a bit”
  • Being guided more by tools or software than by the standard
  • Overcomplication, or missing key requirements altogether

Solution

1. Build basic knowledge in-house

Don’t leave ISO 27001 in the head of one person.

  • Send a couple of key people on introductory or implementer training
  • Run short internal sessions to explain the basics to managers and team leads
  • Make sure people understand how risk assessment and treatment work in your context

You don’t need a team of ISO gurus, but you do need more than one person who understands the framework.

2. Use specialists strategically

Bringing in an experienced ISO 27001 consultant or ISMS manager can:

  • Accelerate your design and documentation
  • Help you avoid common dead ends and over-engineering
  • Give you a realistic view of what auditors expect for an organisation your size

This doesn’t have to be forever – a coach or guide for key phases can be enough, especially if they mentor your internal team along the way.


3. Encourage knowledge sharing

Set up simple ways for people to learn from each other:

  • Internal wiki or knowledge base for ISO 27001 artefacts and FAQs
  • “Lunch and learn” sessions on specific topics (risk, incidents, access control, etc.)
  • Sharing notes after audits, incidents or major changes – “what we learned and what we’re changing”

The more normal ISO 27001 is in everyday conversation, the less intimidating it becomes.

My training course can help – if you grab a licence for others, then they can also get up to speed with not just the standard itself, but what the organisational change looks like.


Common ISO 27001 Challenges – Wrap Up

Implementing ISO 27001 is a strategic move, but it’s also a very human one. Most of the real challenges aren’t about clauses and controls – they’re about:

  • Getting leaders to care and stay engaged
  • Giving people enough time and help to do the work
  • Changing habits and behaviours without grinding the business to a halt
  • Keeping the whole thing alive once the certificate arrives

The good news is that none of these challenges is insurmountable.

If you:

  • Tackle the obstacles openly
  • Plan realistically
  • Use risk and common sense to guide your decisions
  • And treat information security as a shared responsibility, not just an IT project

…you can make ISO 27001 not just achievable, but genuinely valuable.