Information Security Management
My Tips for ISO 27001
Implementing ISO 27001 can feel daunting from the outside. There’s a lot of jargon, a lot of expectations, and usually a lot of people telling you it will take years and cost a fortune.
Over the years, I’ve found a set of strategies that consistently make ISO 27001 implementation smoother and more effective in real organisations, not textbooks.
Here are ten practical ISO 27001 tips that I’ve seen work again and again that can make things a bit easier for you.
1. Understand Your Scope (and Avoid Unnecessary Complexity)
Defining the scope of your Information Security Management System (ISMS) is absolutely critical.
A very common mistake is to aim too broadly right from the start – for example, “the entire global organisation and everything we do”. In complex environments, this almost guarantees:
- Overwhelming complexity
- Scope creep
- Frustration and loss of momentum
Instead, I strongly recommend starting with a focused, manageable scope, such as:
- A specific service or product line
- A particular business unit or location
- A clearly-defined “pilot” scope
This allows you to:
- Learn what works (and what doesn’t)
- Refine your processes on a smaller scale
- Demonstrate early success to leadership and customers
You can then expand the scope in phases, rather than trying to boil the ocean on day one.
Broad vs focused scope (at a glance)
| Scope Type | Pros | Cons |
|---|---|---|
| Broad Scope | Comprehensive coverage | High complexity, increased scope creep, slower progress |
| Focused Scope | Manageable, easier to refine and expand | May require multiple phases to cover all areas |
I’ve written more about how to handle scope here.
2. Engage Stakeholders Early (Don’t Build in a Bubble)
ISO 27001 cannot succeed as an IT-only or “compliance-only” project. If you try to build the ISMS in a corner and present it as a finished product, you’ll usually get resistance – or quiet non-compliance.
From experience, the most effective implementations:
- Involve HR, IT, Legal, Operations, Finance, Sales and other key functions early
- Form a cross-functional steering group with clear roles
- Keep regular communication flowing – not just a big announcement at the end
This early engagement:
- Brings in real-world perspectives on risks and controls
- Leads to more practical, workable solutions
- Reduces pushback later because people feel they’ve been part of the decision-making
A simple steering group that meets regularly can do a lot to keep things on track, ensure transparency, and build trust in the process. You don’t need to invite everyone you can think of – in fact, I suggest you don’t, but do find that small, core team who can help you push change through and maintain momentum.
Other attendees might be optional for certain aspects, such as HR, who probably don’t want to sit through technical reviews of controls but may very well be interested in the People control family and the training & awareness aspects of your project.
3. Secure Visible Top Management Support
Top management support isn’t just a box to tick for the standard – in practice, it really does make or break the implementation. Make sure you have a senior sponsor who has your back and can help you push change through.
Leadership involvement:
- Unlocks policy approval and resource allocation
- Signals to staff that “this matters here”
- Helps make security part of organisational culture, not just a project
To get genuine buy-in, you need to communicate the value of ISO 27001 in business terms, not technical ones:
- Reduced risk of painful incidents and regulatory trouble
- Stronger customer trust and better chances of winning bids
- A more predictable, controlled way of working with information
Make sure senior leaders understand both the obligations and the opportunities that come with certification. When they visibly champion the initiative – ask questions, attend reviews, and mention it in wider communications – it becomes far easier to embed security into everyday behaviour.
For example, if you want to roll out a new security policy and have people adhere to it, you need the management team to say, “This is to be obeyed now.” Without that senior sponsorship, people may resist, or drift and do their own thing.
4. Prioritise Resource Planning (and Be Honest About Capacity)
Even the best implementation plan falls apart if you don’t match it with realistic resources.
I recently spoke to a client who was projecting an 18–24 month ISO 27001 implementation, and the key reason was that they felt they needed to put many software solutions and technologies in place. You don’t, unless you see a major risk to your business in not doing so – 27001 is much more about working with policies, procedures and good governance than about implementing lots of technological controls.
So, when you are planning your project, consider carefully how many additional resources you really need, and be crystal clear about what you do need.
Create a practical project plan that covers:
- Who is doing what (roles and responsibilities)
- How much of their time you realistically have
- Which tools or services you’ll need (e.g. training platforms, documentation, risk tools)
- Dependencies on other projects or teams
Where possible, appoint:
- A named project manager (even if part-time)
- A clearly identified ISMS owner
Review the plan regularly and accept that things will shift – people will go on leave, priorities will move, projects will collide. It helps to:
- Identify skills gaps early (e.g. internal audit, risk assessment)
- Have contingency ideas for when key people are unavailable
- Be honest with leadership when extra time or support is needed
Good resource planning doesn’t guarantee success – but poor resource planning almost guarantees a painful, drawn-out implementation.
5. Take a Pragmatic, Iterative Approach (Not Perfectionism)
ISO 27001 is built on the idea of continual improvement, not getting everything perfect before you start. I talk a lot about ‘minimal viable compliance’, and doing just enough to get certified in year one, but building out from there going forward.
I always encourage teams to:
- Implement policies and controls in small, manageable chunks
- Get them working “well enough”
- Gather feedback, then refine
Think of it as “Ready – Fire – Aim”:
- Get something sensible in place.
- Use it in practice.
- Adjust and improve based on real experience.
This keeps momentum going and avoids the “we’ll roll it out when it’s perfect” trap – which often means it never gets rolled out at all.
Over time, your ISMS becomes more robust and better tailored to your organisation, because it’s informed by real-world usage, not just theoretical design.
6. Run Pre-Certification Audits (Rehearse Before the Real Thing)
Before you invite a certification body in, it’s very helpful to run a pre-certification check. I always run through one with my consultancy clients before they go to the audit proper. It might not be at the same level of detail as a full audit, but a quick run-through can reveal missing elements, or things that aren’t readily to hand (e.g. evidence or documents).
So, I’d strongly recommend one of the following:
- A structured internal audit close to the official audit (it’s mandatory to audit internally, but think about timings)
- Or an informal “mock audit” by an external specialist
- Or a pre-assessment service from your chosen certification body
This acts as a dress rehearsal and helps you:
- Identify gaps and non-conformities while there’s still time to fix them
- Get used to being audited – the questions, the evidence, the rhythm
- Build confidence in your readiness before you commit to formal Stage 1 and Stage 2 audits
The feedback from a pre-assessment is often invaluable. It’s usually cheaper and far less stressful to find issues at this stage than during a formal certification audit.
7. Invest in Awareness and Training (People Make or Break It)
You can have excellent policies and technical controls, but if people don’t understand their role, the ISMS won’t work in practice.
Build a simple but consistent approach to awareness and training:
- Start with onboarding for all new staff (what ISO 27001 is, what’s expected of them)
- Provide regular refresher training, not just a one-off campaign
- Tailor content for different audiences:
  - General staff – phishing, passwords, reporting incidents, handling data
  - Managers – their responsibilities, access approvals, handling incidents
  - Technical teams – secure configuration, change control, logging, etc.
Interactive formats generally work best: short workshops, quizzes, simulated phishing campaigns, micro-learning modules. Regular reminders and updates keep awareness alive as threats and your environment evolve.
This should be an ongoing, slow-burning activity that runs in the background and can take many forms. Don’t just dump a huge number of PowerPoint slides on your team and leave them to it. Consider pacing, drip-feeding, and tailoring the messaging to their needs.
The goal is not to terrify people, but to make security understandable and practical.
8. Get Document Control Under Control
ISO 27001 does not require mountains of documentation – but it does require that the documents you do have are current, controlled, and accessible.
Good document control means:
- Clear ownership of key documents
- Version control (who changed what, when, and why)
- A single source of truth – typically a shared repository with appropriate access control
- Out-of-date versions properly archived and clearly marked
This makes life easier for everyone – and massively reduces audit friction when an auditor asks, “Can I see your current [policy/procedure/register]?”
So, have some system – a main index where you can easily find documents and evidence. Yes, you do need document control in 27001, but what I’m really talking about is a sensible, easy-to-manage framework in which things can actually be found.
9. Focus on the Risks That Keep You Up at Night
Risk management is the engine room of ISO 27001. If you treat it as a tick-box exercise, everything else becomes weaker.
It’s easier (and I believe much more effective) to focus on the major risks that really could have a negative impact on your business and its operations, rather than naming every conceivable risk you can think of.
For example, ransomware is something I think every organisation should currently have a plan to minimise and respond to. It’s a growing threat that is destroying businesses, and many don’t know what they would do, or what their exposure is. So, that’s a risk worth addressing.
What’s not worth addressing are things like…
- Inventing separate risk entries for every individual device (“Loss of John’s laptop”, “Loss of Sarah’s laptop”, “Loss of Peter’s laptop”…)
- Overly theoretical scenarios that have no realistic chance of happening in your context
- Minor issues that might be annoying, but wouldn’t materially hurt the business
10. Don’t Get Hoodwinked by Auditors (Know What You Actually Need)
One of the bigger traps I’ve seen is organisations being talked into extra requirements that aren’t actually necessary for their context.
A few examples:
- Being told you “must” have a UKAS-accredited certificate when none of your customers or regulators require it
- Being nudged into tools, processes or documentation far beyond what your risks and scale justify
- Allowing auditors to effectively rewrite your scope to fit their preferences
To be clear: UKAS-accredited certification is the gold standard in the UK and absolutely the right choice for many organisations – especially if your customers explicitly ask for it. But it also tends to be:
- Less flexible
- More time-consuming
- More expensive
If your stakeholders are happy with a reputable, non-UKAS certification body, that may be entirely appropriate.
The key point is this:
Your ISMS should be tailored to your organisation’s risks, obligations, and market – not someone else’s generic idea of “best practice”.
Before agreeing to anything significant, ask:
- “Where in the standard or our contracts is this requirement actually coming from?”
- “Does this make sense given our size, risk profile, and customers?”
A good auditor or consultant will respect those questions and help you navigate sensible, proportionate choices.
Conclusion: Progress Over Perfection
Implementing ISO 27001 is not about creating a flawless system on day one. It’s about making steady, pragmatic improvements to how you manage information risk – and being able to demonstrate that to customers, regulators, and your own leadership.
If you:
- Define a sensible scope
- Engage the right stakeholders early
- Secure visible leadership support
- Plan and resource the work honestly
- Take an iterative, risk-based approach
- And keep PDCA (Plan–Do–Check–Act) and proportionate risk management at the centre
…you’ll be in a strong position to achieve certification and get real value from it.
Each step you take brings benefits: better risk visibility, fewer nasty surprises, more confident customers, and a stronger security culture.
Don’t chase perfection. Aim for a lean, certifiable ISMS that works for your organisation today – and then use continual improvement to grow it over time. Celebrate the small wins as you go; they’re the building blocks of a resilient and secure business.
