Six years ago, I embarked on my first ISO 27001 implementation. Looking back, it feels like a mix of comedy and chaos. At the time, it was anything but funny.
I worked for an organisation that had let its ISO 27001 certification lapse. We needed it reinstated urgently for a contract. None of us had any experience with ISO 27001, but that didn’t stop us from diving headfirst into the deep end.
Here’s the story of how things went spectacularly wrong, the lessons I took from it, and some advice for others on ISO 27001 implementations.
Flying Blind
Our first mistake? We didn’t even have a copy of the ISO 27001 standard. Yes, you read that right.
We spent weeks bumbling around in the dark, trying to piece together what we thought we needed to do. It was like trying to assemble IKEA furniture without the instructions.
Eventually, someone suggested we buy the standard. Surprise, surprise – it helped immensely.
The Magical Online Tool That Wasn’t So Magical
Not long into the project, someone in the team stumbled across an online tool that claimed to walk us through the steps of ISO 27001 implementation. It sounded like the silver bullet we needed, so we bought a license and dove in.
Big mistake.
The tool was too complicated, especially since we didn’t fully understand the standard.
We were swimming in a sea of confusion, and the templates it provided were dense, legalistic, and downright intimidating. We felt obligated to use the templates and text, assuming the creators knew exactly what needed to be included in our policies; they didn’t.
Looking back, I realise we were letting the tool dictate the process rather than tailoring things to fit our organisation’s needs. It was a classic case of the tail wagging the dog.
Rudderless and Aimless
At this point, we were completely lost. We didn’t understand the standard, didn’t have the right tools, and didn’t know where to truly begin, although (paradoxically) we had started.
Our implementation was rudderless, aimless, and a colossal waste of time. After two months of floundering, we finally hit the reset button.
Bringing in the Experts
Recognising we couldn’t do this alone, I brought in an external consultancy to help us. They didn’t just steer the ship; they helped us build it.
They created documentation for us in a few key areas. More importantly, they worked with us to complete the Statement of Applicability in a series of collaborative sessions.
They also provided templates we could adapt, highlighting the mandatory components we needed to address. Suddenly, our project had form, direction, and a sense of purpose.
The Final Push
After four months of hard work, we went to audit. While the auditors identified a few areas that needed remediation, the process went relatively smoothly.
We addressed their findings, and soon after, we were certified. The relief was immense, but so were the lessons I learned.
Key Learnings & Advice on ISO 27001 Implementations
1. Get the Standard
This should be a no-brainer, but clearly, it wasn’t for us at the time. If you’re tackling ISO 27001, start by buying the standard from ISO.
It’s your roadmap and your reference point for everything you need to do.
2. Invest in Training or Expertise
Whether it’s training for yourself or bringing someone on board who understands ISO 27001, having the right knowledge is crucial.
Overcomplicating things in the first year will only lead to delays and frustration. Understand what’s needed as a bare minimum to pass your first audit, and build from there.
3. Use Templates (But Wisely)
Good templates can save you an enormous amount of time. However, not all templates are created equal.
Some are overly complex, while others might miss critical elements. Back when I first started, AI tools weren’t an option, but they’re worth exploring now.
Just remember that AI won’t include key elements like organisational objectives or commitments to continuous improvement unless you guide it carefully.
4. Be Wary of Tools
The online tool we used was more of a hindrance than a help. While tools can be useful, they often come with a steep learning curve and may impose a rigid, linear process that doesn’t suit your organisation’s workflow.
They can also create unnecessary overhead, slowing you down rather than speeding things up.
Final Thoughts
Looking back, my first ISO 27001 implementation was a masterclass in how not to approach certification. But it also taught me invaluable lessons that I carry with me to this day.
If you’re starting your own ISO 27001 journey, learn from my mistakes: get the standard, get the knowledge, and get the right tools and templates.
Most importantly, remember that your ISMS should work for your organisation, not the other way around.