You don’t have to read much to recognise that data breaches and cyber threats are increasingly prevalent. Implementing robust information security measures is not just a regulatory requirement but a business imperative.
ISO 27001, the international standard for Information Security Management Systems (ISMS), provides a comprehensive framework for organisations to manage their information security risks effectively.
However, the journey toward ISO 27001 certification is fraught with challenges that can hinder progress and dilute the benefits if not addressed proactively.
This article explores the common challenges organisations face when implementing ISO 27001 and offers practical solutions to each.

Lack of Management Support
Challenge
Without strong backing from top management, initiatives to implement ISO 27001 can stall due to insufficient resources, lack of strategic alignment, and low organisational priority.
Sadly, I’ve seen it a few times: someone is evangelical about Information Security and wants ISO 27001, but there’s a lack of support and drive from the senior team.
Enthusiasm is often mistaken for drive or progress, but without the ability to act, influence, or lead, it rarely leads to real results.
Solution
Educate Leadership
Develop tailored presentations that articulate the financial, reputational, and operational risks of not implementing ISO 27001.
Use real-world case studies of data breaches to illustrate the consequences and highlight the competitive advantages of certification, such as improved customer trust and market opportunities. To be blunt, you need to hit them where it hurts: what is it that management fears or desires most that ISO 27001 can help with?
Align with Business Goals
Link ISO 27001 objectives to broader business goals like customer acquisition, regulatory compliance, and operational resilience.
Emphasise how achieving certification can lead to improved operational efficiency, cost savings from risk reduction, and greater stakeholder confidence.
I’ve found that most organisations seeking ISO 27001 are doing it to open doors to customers (i.e. revenue growth). It’s increasingly seen as a prerequisite and a cost of doing business, especially in the regulated, government and financial sectors.
Regular Updates
Once you’ve hooked them in, keep them there with regular updates on progress. This is an ongoing effort, not a fire-and-forget project.
Schedule monthly executive briefings to communicate progress, discuss potential obstacles, and gather support for resource reallocation if necessary.
Use dashboards to visually represent progress, allowing management to understand the current status and areas needing attention.
Insufficient Resources
Challenge
Implementing ISO 27001 requires time, personnel, and financial investment, which can be challenging for organisations with limited resources. If you can’t get access to the people who you need to shape your ISMS, then you aren’t going to get far.
This tends to be linked to the lack of senior support. With robust project management, planning, and good support, you should get access to the right resources.
Solution
Resource Planning
Conduct a detailed gap analysis at the project’s outset to identify all resource requirements.
Develop a resource allocation plan covering immediate and long-term needs, including personnel, technology, and financial investment. Make sure this plan is honest and captures not only the upfront costs of ISO 27001 certification but the ongoing costs as well.
Prioritisation
Take a risk-based approach to prioritise the implementation of controls. Don’t try to do it all at once and ‘boil the ocean’, as they say. You don’t have to address every single risk you identify in your evaluation of threats to the business: determine the company’s risk appetite and draw the line where you say ‘we might adjust this in future, but right now we are happy accepting X level of risk’.
Focus initially on high-risk areas that could cause the most damage if compromised and progressively address lower-risk elements.
This ensures a staged implementation that maximises resource efficiency.
However, make sure you understand what ISO 27001 requires as the minimum for compliance (and potentially what your auditor interprets that to be). A good example is the Annex A controls, which you record in the Statement of Applicability: every control must be considered and either implemented or explicitly justified as not applicable to your business, but the depth to which you implement each one is down to you.
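The two rules above (treat what sits above the appetite line, and account for every Annex A control in the SoA) are easy to state and easy to get wrong in a spreadsheet. The following is an added example, not code from the article, showing how I would encode both as a check: a small risk register scored as likelihood × impact, split at a chosen appetite, and a Statement of Applicability checked for controls that are missing, applicable without an implementation status, or excluded without a justification. The risks, the SoA entries and the five Annex A identifiers are constructed for illustration (the real Annex A in ISO 27001:2022 has 93 controls).

```python
from dataclasses import dataclass

# Constructed subset of ISO 27001:2022 Annex A identifiers for this example.
# A real check would load the full list of 93 controls.
ANNEX_A_SUBSET = ("A.5.15", "A.6.7", "A.7.4", "A.8.7", "A.8.8")


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: tuple   # Annex A controls chosen to treat this risk

    def __post_init__(self):
        # Refuse out-of-range scores rather than silently mis-ranking a risk.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.rid}: {name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritise(risks, appetite):
    """Split the register at the appetite line.

    Risks scoring above `appetite` must be treated, highest score first;
    the rest are accepted for now and still recorded, so the decision is
    visible at the next review.
    """
    order = lambda r: (-r.score, r.rid)
    treat = sorted((r for r in risks if r.score > appetite), key=order)
    accept = sorted((r for r in risks if r.score <= appetite), key=order)
    return treat, accept


def check_soa(soa, annex_a, treated_risks):
    """Return findings where the Statement of Applicability is incomplete.

    Every Annex A control must appear: either applicable with an
    implementation status, or excluded with a written justification.
    A treated risk must not rely on a control the SoA does not apply.
    """
    findings = []
    for cid in annex_a:
        entry = soa.get(cid)
        if entry is None:
            findings.append(f"{cid}: not addressed in the SoA")
        elif entry.get("applicable"):
            if not entry.get("status"):
                findings.append(f"{cid}: applicable but no implementation status")
        elif not entry.get("justification"):
            findings.append(f"{cid}: excluded without a justification")
    for risk in treated_risks:
        for cid in risk.controls:
            entry = soa.get(cid)
            if entry is None or not entry.get("applicable"):
                findings.append(f"{risk.rid}: treated by {cid}, which the SoA does not apply")
    return findings


# Constructed sample register and SoA (not from any real organisation).
RISKS = (
    Risk("R1", "Ransomware on staff laptops", 4, 5, ("A.8.7", "A.8.8")),
    Risk("R2", "Stale access after leavers", 3, 4, ("A.5.15",)),
    Risk("R3", "Home working over unmanaged Wi-Fi", 3, 3, ("A.6.7",)),
    Risk("R4", "Tailgating into a serviced office", 2, 2, ("A.7.4",)),
)
SOA = {
    "A.5.15": {"applicable": True, "status": "implemented"},
    "A.6.7": {"applicable": True},                 # status missing
    "A.7.4": {"applicable": False, "justification": "Fully remote; no premises in scope"},
    "A.8.7": {"applicable": True, "status": "planned"},
    # "A.8.8" deliberately absent
}
APPETITE = 8  # accept anything scoring 8 or below for now

if __name__ == "__main__":
    treat, accept = prioritise(RISKS, APPETITE)
    print("Treat:", [f"{r.rid}={r.score}" for r in treat])
    print("Accept:", [f"{r.rid}={r.score}" for r in accept])
    for finding in check_soa(SOA, ANNEX_A_SUBSET, treat):
        print("Finding:", finding)
```

Run against the sample data, R1, R2 and R3 fall above the line and R4 is accepted, and the SoA check flags A.6.7 (no status), A.8.8 (absent entirely) and R1, whose treatment depends on the absent A.8.8. Note that A.7.4 passes: excluding a control is fine as long as the justification is written down, which is exactly the point about depth being your decision.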
External Expertise
If internal expertise is lacking, hire specialised consultants or contractors to help with specific implementation aspects, such as risk assessment or developing documentation.
Consider part-time or contract engagements to manage costs effectively while benefiting from expert guidance. Like me!
Employee Resistance to Change
Challenge
Employees may resist new policies and procedures, perceiving them as burdensome or unnecessary, which can undermine the ISMS’s effectiveness.
So, if your IT team see this as a change happening to them, rather than something they help to deliver and can influence, you are likely doomed to failure.
Solution
Awareness Training
Create interactive workshops that inform and engage employees in understanding the relevance of ISO 27001. Tailor content to specific roles, showing each employee how compliance impacts their day-to-day responsibilities and the organisation’s safety.
So, don’t train someone in the postroom in depth on GDPR issues, but do make sure your HR team have strong awareness – because it’s relevant to their roles, and therefore they’ll see the relationship and potential dangers and be more supportive.
Inclusive Approach
Form cross-functional working groups that include representatives from various departments. Engage these groups in policy development to ensure practical considerations are addressed, making policies more user-friendly and gaining broad support.
I will often seek the most ‘hostile’ stakeholders and bring them into the fold, giving them a voice and influence over how the project will unfold. They can then become your strongest advocates.
Communication
Develop an internal communication plan that uses multiple channels—emails, posters, webinars, and Q&A sessions—to explain the reasons behind the changes.
Make the communication two-way, encouraging employees to provide feedback or raise concerns and addressing them promptly to foster a culture of openness.
Complexity of Documentation
Challenge
ISO 27001 requires extensive documentation, which can be overwhelming and time-consuming to produce and maintain. Humans tend to overcomplicate things, but ISO offers many ways to tailor, simplify and adapt to your needs.
Solution
Documentation Strategy
ISO 27001 does not specify an exact, fixed depth for how detailed your procedures, policies, or documentation must be (although there are a few mandatory documents). The standard takes a risk-based and context-based approach, meaning the level of documentation depends on your organisation’s needs, risks, and complexity.
However, Clause 7.5 (“Documented information”) gives some general requirements:
- You must document information necessary for the effectiveness of the Information Security Management System (ISMS).
- You need to control that documentation (approve it, update it, make sure it’s available where needed).
- The documented information must be sufficiently detailed to be effective and usable for the people who need it.
ISO 27002:2022, the guidance for implementing the Annex A controls, hints at something similar:
Each control usually recommends that you define and document certain activities, but how detailed they should be is again based on your organisation’s size, complexity, and risk profile.
You don’t have to write 50-page procedures unless that’s what your risks or audience require. If a short, clear document gets the job done and meets your ISMS’s needs, that’s fine!
I’m also going to suggest you take a look at tools like Scribe, which can make documentation a lot easier to conduct and maintain.
Setting the Scope Too Wide
Challenge
Defining the appropriate scope of the ISMS can be challenging, and the result is often either an overly broad or a too-narrow implementation that is ineffective or unsustainable. An overly wide scope can sink an ISO initiative before it really begins.
Would you start decorating every room in your house simultaneously, or would it make more sense to do one room each weekend for a while? Both approaches have merits, but when you have limited time and resources (and, in my case, ability), perhaps focus on one room at a time…
Solution
Start small and build it out over time.
Start with a manageable, clearly defined scope that aligns with your organisation’s highest risks or most critical assets. Think about key departments, systems, or processes where information security is most essential.
Once a strong foundation is built and maintained, you can expand the ISMS in stages, bringing more areas under its protection over time.
This phased approach makes certification more achievable, sustainable, and meaningful. It’ll also save you a lot of early implementation pain.
Maintaining Compliance Over Time
Challenge
Once ISO 27001 certification is achieved, the maturity can unravel as the team go back to their ‘day jobs’ and focus on other priorities. This often leaves organisations in a desperate scramble before their next audit, without sufficient evidence of compliance and record keeping.
Solution
Achieving certification is only the beginning; maintaining compliance requires ongoing effort and continual improvement. It’s not a do-it-and-forget activity.
Little and often is the better way to go. It does and doesn’t surprise me in equal measure when I see an organisation rushing to self-audit in the weeks prior to an external audit.
I suggest booking your management review meetings in at a quarterly cadence at least, and making sure they carry ‘bite’. You need to confirm that the internal clockwork of the ISO 27001 processes and procedures you’ve created is actually turning when the management team isn’t looking, and if not, why not. Don’t allow these sessions to become toothless, pointless reviews. Hold people accountable for delivering what they said they would.
Lack of Expertise
Challenge
Organisations may lack the in-house expertise to navigate the complexities of ISO 27001. They are then easily led by someone who knows a little but not enough, or by an online tool that overcomplicates things.
Solution
Training
Make sure people are trained on ISO 27001, and that it’s more than just one person, or that they are sharing that knowledge. There are lots of options, from in-person training and consultant-led sessions to online training and others. Such as my training below 😉
DIY ISO 27001 – Online Training & Toolkit
Take my online course and learn how to implement 27001
Hire Specialists
Recruit experienced information security managers or consultants who can oversee the implementation.
Consider contracting ISO 27001 specialists temporarily to guide the project and mentor internal staff, building the internal competencies needed for long-term sustainability. While it will cost a bit, most can tailor the engagement to as much or as little support as you need. What they particularly offer is experience: not just how to adapt ISO 27001 to your business’s style and size, but also which auditors and which paths to ISO 27001 certification are most suitable.
Knowledge Sharing
Establish an internal knowledge-sharing platform where employees can access resources, share best practices, and ask questions about ISO 27001. This could include wikis, internal forums, or scheduled lunch-and-learn sessions, creating a collaborative learning culture.
Common ISO 27001 Challenges Wrap Up
Implementing ISO 27001 is a strategic move that can significantly enhance an organisation’s information security posture.
While the challenges are real and varied, they are not insurmountable. By proactively identifying potential obstacles and applying targeted solutions, organisations can streamline their implementation process, achieve certification, and, most importantly, safeguard their critical information assets.
The key lies in commitment, strategic planning, and fostering a culture that values information security as a shared responsibility.
Supporting Articles
ISO 27001 Costs of Certification
How To Write an ISO 27001 Project Plan
ISO 27001 Certification Process Explained
How To Perform an ISO 27001 Gap Analysis