ISO 27001 Myths Busted: 10 Things People Get Wrong

ISO 27001 is widely misunderstood — too big, too expensive, too IT-focused. We bust 10 of the most persistent myths with facts, figures, and plain English.

ISO 27001 has a mythology problem. Over the years a set of persistent misconceptions has taken hold — that it’s only for large enterprises, that it’s a purely technical exercise, that it takes years and costs a fortune, and that once you’ve got the certificate you can forget about it.

Most of these myths have a grain of truth buried somewhere, which is what makes them sticky. But taken at face value, they put organisations off pursuing certification that would genuinely benefit them — or give those that do pursue it a false picture of what they’re signing up for.

Here are ten of the most common, with the reality behind each one.

ISO 27001: 10 Common Myths vs Reality

What people believe — and what the evidence actually shows

1. Myth: "ISO 27001 is only for large organisations"
   Reality: The standard explicitly scales to any size. SMEs are one of the fastest-growing segments. (~97,000 valid certificates worldwide)

2. Myth: "It's purely an IT project"
   Reality: ISO 27001 covers organisational, people, physical, and technical controls. Everyone has a role. (95% of breaches involve human error)

3. Myth: "You must implement all 93 Annex A controls"
   Reality: You implement controls relevant to your risks. The SoA documents which controls apply and why others are excluded.

4. Myth: "Certification means you'll never get hacked"
   Reality: ISO 27001 reduces risk and improves response capability. No framework eliminates breaches entirely.

5. Myth: "It's too expensive for us"
   Reality: Insurance savings alone often offset the ongoing cost. One contract win can cover the Year 1 investment. (£8k–£20k typical Year 1 cost for a small organisation)

6. Myth: "It takes years to implement"
   Reality: A focused small organisation can reach certification in 3–4 months. Most certify within 3–12 months.

7. Myth: "Once certified, you're done"
   Reality: Certification requires annual surveillance audits and a full recertification every three years.

8. Myth: "ISO 27001 makes you GDPR compliant"
   Reality: ISO 27001 addresses GDPR's security requirements (Article 32) but not its legal and rights obligations.

9. Myth: "It's just a documentation exercise"
   Reality: Auditors specifically test whether controls are operational — not just documented. Practice must match policy.

10. Myth: "You need dedicated security staff to maintain it"
    Reality: Most SMEs run their ISMS with a part-time ISMS lead, distributing control ownership across existing roles.

Most of these myths overestimate the complexity and underestimate the flexibility of ISO 27001. The standard is designed to scale — what matters is a proportionate implementation, not a perfect one.

Myth 1: “ISO 27001 is only for large organisations”

Reality: Some of the most successful implementations are in companies with fewer than 20 people.

This is probably the most damaging myth, because it stops smaller organisations from even exploring certification. The truth is that ISO 27001 is explicitly designed to scale. The standard sets requirements, not a minimum headcount. A 15-person SaaS company and a 15,000-person bank are both implementing ISO 27001 — just with very different scope, complexity, and resource commitment.

The growth figures bear this out. The ISO Survey data shows there are now nearly 97,000 valid ISO 27001 certificates worldwide — nearly double the figure from 2023. A significant proportion of those are SMEs, and the SME segment is one of the fastest-growing parts of the market. In the UK alone, over 3,200 organisations currently hold valid ISO 27001 certificates, with the number rising year on year.

The practical implications of being small are that your ISMS can be leaner, your scope narrower, and your certification timeline shorter. A focused 15-person company can reach certification in three to four months. That’s not a smaller version of what a large company does — it’s a proportionate implementation that covers what matters for your specific context.


Myth 2: “ISO 27001 is purely an IT project”

Reality: Most security incidents are caused by people, not technology failures.

This misconception leads organisations to delegate ISO 27001 entirely to their IT team and wonder why it struggles to gain traction. But ISO 27001 is an information security management system — and information security involves everyone in the organisation.

The data makes this stark. Human error is involved in approximately 95% of all data breaches. Phishing, misconfigured systems, shared passwords, documents emailed to the wrong address, sensitive data on lost laptops — the vast majority of incidents involve human behaviour, not technical failure alone.

ISO 27001’s control framework reflects this. The 93 Annex A controls span four categories: organisational controls, people controls, physical controls, and technological controls. People controls cover things like background screening, security awareness training, acceptable use, and responsibilities on termination. Physical controls cover clean desk policies, physical access, and secure disposal. These are not IT problems — they’re operational and cultural ones.

ISO 27001 works best when senior management own the ISMS, when HR is involved in onboarding and offboarding, when line managers enforce acceptable use, and when all staff receive regular awareness training. IT implements and manages the technical controls, but they can’t own the whole thing.

ISO 27001 Is Not Just an IT Project

The standard spans four control categories — three of which have nothing to do with technology.

95% of data breaches involve human error — phishing, misconfiguration, shared passwords, misdirected emails. Technical controls alone cannot address this.

Organisational Controls (37 controls), owned by Senior Management & Operations: information security policies; roles and responsibilities; supplier security requirements; incident management process; business continuity planning; legal and regulatory compliance.

People Controls (8 controls), owned by HR & Line Management: background screening; security awareness training; acceptable use obligations; confidentiality agreements; responsibilities on termination; remote working requirements.

Physical Controls (14 controls), owned by Facilities & Operations: physical access controls; clean desk and screen policy; secure disposal of equipment; physical media handling; secure working areas; environmental protection.

Technological Controls (34 controls), owned by the IT Team: access control and MFA; encryption and key management; vulnerability management; logging and monitoring; backup and recovery; secure configuration.

Who owns what:
Senior Management: owns the ISMS, approves policies, chairs the management review.
HR: people controls (screening, training, offboarding).
Facilities: physical controls (access, clean desk, secure disposal).
IT: technological controls (systems, access, monitoring).

ISO 27001 works best when it is owned across the whole organisation. IT implements and manages the technical controls — but they cannot own the ISMS alone. Delegating ISO 27001 entirely to IT is one of the most common reasons implementations struggle to gain traction.

Myth 3: “You need to implement all 93 Annex A controls”

Reality: You only implement the controls that are relevant to your risks.

The Statement of Applicability (SoA) is one of the most misunderstood documents in ISO 27001. Its purpose is to let you document which of the 93 Annex A controls apply to your organisation, which you’ve implemented, and — critically — which you’ve decided to exclude and why.

Exclusions are legitimate and expected. A small company with no physical office doesn’t need physical access controls for secure server rooms. An organisation that doesn’t develop software doesn’t need secure development controls. What you cannot do is exclude controls without justification, or exclude them solely because implementation feels inconvenient.

In practice, most organisations include the majority of controls in their SoA. But the key point is that this is a considered, documented decision — not a mandatory checklist. The risk-based approach at the heart of ISO 27001 means your controls should be proportionate to your actual risks, not a fixed template applied regardless of context.


Myth 4: “ISO 27001 certification means you’ll never get hacked”

Reality: ISO 27001 reduces risk — it doesn’t eliminate it.

No security framework eliminates the possibility of a breach. ISO 27001 is honest about this: the standard is built around risk management, not risk elimination. The goal is to identify your significant risks, implement proportionate controls, and have a credible incident response capability for when something does go wrong.

What certification does do is significantly reduce the likelihood and impact of incidents. Organisations with mature ISMSs typically have better access controls, faster incident detection, more effective response procedures, and a stronger security culture than those without. That doesn’t make them immune — but it makes a material difference.

The more valuable protection that ISO 27001 provides in the event of a breach is positional. If your organisation is ISO 27001 certified and suffers an incident, you are in a substantially better position with regulators, customers, and insurers than an uncertified organisation facing the same incident. The ICO explicitly considers the security measures an organisation had in place when assessing penalties. Certification is strong evidence that you took your obligations seriously.


Myth 5: “ISO 27001 is too expensive for us”

Reality: For many organisations, the savings in insurance premiums alone can offset the ongoing cost.

The cost of ISO 27001 is real and shouldn’t be minimised. For a small organisation (under 50 people) pursuing a consultant-led implementation, total Year 1 costs — including consultancy, certification body fees, and internal time — typically run to £8,000–£20,000. For mid-sized organisations, the range is higher.

But the ROI case is strong. Organisations with ISO 27001 certification typically see measurable savings in cyber insurance premiums — often £5,000–£15,000 per year for mid-sized firms — because insurers regard certified organisations as lower risk. Security questionnaire burden drops significantly, saving staff time on every enterprise deal. And for organisations with enterprise or public sector clients, certification often becomes a condition for winning or retaining work.

For organisations that certify primarily because a customer requires it, the calculation is particularly direct: one mid-sized contract win that required ISO 27001 frequently covers the entire Year 1 cost of certification.

There’s also a significant cost to not certifying. 43% of cyber attacks target SMEs, and the average cost of a data breach for a smaller organisation can run to tens of thousands — or more when you factor in regulatory response and reputational damage. ISO 27001 implementation is, among other things, a risk management investment.


Myth 6: “ISO 27001 takes years to implement”

Reality: A focused small organisation can reach certification in three to four months.

The timeline varies considerably by organisation size, complexity, and existing security maturity. But the idea that ISO 27001 is a multi-year journey is simply not accurate for most organisations.

Research consistently shows that a 3–12 month timeline covers the vast majority of implementations, with 6–9 months being the typical range for organisations of 50–200 people. For smaller, focused organisations with a defined scope, certification in 3–4 months is achievable with committed internal resource.

The variables that extend the timeline are well understood: a very broad scope, significant security gaps at the outset, limited internal resource, and delays in engaging a certification body. A well-scoped project with clear ownership and adequate resource doesn’t need to take long.

The timeline myth leads some organisations to delay starting — which is exactly the wrong response. Every month without an ISMS is a month of unmanaged risk.


Myth 7: “Once you’re certified, you’re done”

Reality: Certification requires ongoing maintenance and annual surveillance audits.

This misconception tends to emerge in organisations that view ISO 27001 as a project rather than a programme. They get the certificate, declare victory, and quietly let the ISMS gather dust — until the surveillance auditor arrives the following year and finds an ISMS that has clearly not been maintained.

ISO 27001 operates on a three-year certification cycle. After initial certification, you receive annual surveillance audits in years 1 and 2, and a full recertification audit in year 3. Surveillance audits check that the ISMS is being actively maintained — that the risk register is current, incidents are being logged, internal audits are being conducted, and management is reviewing the system.

The deeper point is that the standard’s requirement for continual improvement isn’t window dressing. An ISMS that doesn’t adapt as your organisation changes — new systems, new staff, new suppliers, new threats — will degrade. The value of ISO 27001 is in the ongoing operation of the ISMS, not just the initial certification.


Myth 8: “ISO 27001 certification makes us GDPR compliant”

Reality: ISO 27001 addresses most of GDPR’s security requirements but doesn’t cover its legal obligations.

This myth works in both directions — some organisations assume certification makes them GDPR compliant, others assume that because they’re already GDPR-compliant they don’t need ISO 27001. Both are wrong.

ISO 27001 addresses the security requirements of GDPR Article 32 — encryption, resilience, incident response, regular testing of security measures — comprehensively. If you’ve properly implemented ISO 27001, you’ve done most of the security heavy lifting that GDPR requires.

What ISO 27001 does not cover are GDPR’s legal and rights obligations: documenting your lawful basis for processing, maintaining a Record of Processing Activities, handling data subject requests (access, erasure, portability), publishing privacy notices, or appointing a Data Protection Officer where required. These are GDPR-specific obligations with no ISO 27001 equivalent.

The practical approach for organisations that need both is to implement them together, using the shared foundation — risk assessment, incident response, supplier management, access controls — to serve both frameworks simultaneously, then add the framework-specific requirements on top.


Myth 9: “ISO 27001 is just a documentation exercise”

Reality: Auditors specifically test whether your ISMS is operational, not just documented.

The documentation-only ISMS is perhaps the most common reason organisations fail their first audit or collect nonconformities. They produce beautiful policies, populate a risk register, and write an SoA — but none of it reflects how the organisation actually operates.

Experienced ISO 27001 auditors are very good at identifying this. Their standard approach involves sampling: pulling a list of user accounts to check for ex-employee access, asking a non-IT member of staff what they’d do if they received a suspicious email, reviewing the incident log to see whether it contains real events, and checking system configurations to verify they match policy requirements.

The three questions an auditor is always asking are: does the documentation say the right thing, does practice match the documentation, and is there evidence it actually happened? The first question is the easy one. The second and third are where unprepared organisations come unstuck.

An ISMS that is genuinely operational — where the risk register is used, incidents are logged honestly, training records are current, and access is reviewed regularly — will sail through an audit. A documentation-only ISMS will not.
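As an added illustration of the user-account sample described above (example code written for this article, not from the original page or any auditor's toolkit): it cross-references an identity-provider account export against an HR roster and flags leavers whose accounts are still enabled, enabled accounts with no HR record, and dormant accounts. The CSV layouts, the 90-day dormancy threshold and the sample data are all constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports for this example (not real data). The column
# names are assumptions; adapt them to whatever your IdP and HR system export.
ACCOUNTS_CSV = """username,enabled,last_login
alice,true,2024-05-02
bob,true,2024-03-18
carol,false,2023-11-30
dave,true,2024-01-10
eve,true,2024-05-03
svc-backup,true,2024-05-01
"""

HR_CSV = """username,status,leave_date
alice,active,
bob,left,2024-02-28
carol,left,2023-11-30
dave,active,
"""

# Accounts that legitimately have no HR record; anything else without one is an orphan.
KNOWN_SERVICE_ACCOUNTS = frozenset({"svc-backup"})

DORMANT_AFTER_DAYS = 90  # assumed review threshold; your access policy should state the real one


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def review_access(accounts_csv, hr_csv, as_of, service_accounts=frozenset()):
    """Cross-reference enabled accounts against the HR roster as at `as_of`.

    Returns (severity, username, reason) tuples in account-export order:
      high   - account still enabled after the person's recorded leave date
      medium - enabled account with no HR record that is not a known service account
      low    - enabled account with no login within DORMANT_AFTER_DAYS
    """
    roster = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"]
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account is the expected end state for a leaver
        hr = roster.get(user)
        if hr is None:
            if user not in service_accounts:
                findings.append(("medium", user, "enabled account with no HR record"))
            continue
        leave_date = _parse_date(hr["leave_date"])
        if hr["status"] == "left" and leave_date and leave_date <= as_of:
            days = (as_of - leave_date).days
            findings.append(("high", user, f"still enabled {days} days after leaving"))
            continue
        last_login = _parse_date(row["last_login"])
        if last_login is None or (as_of - last_login).days > DORMANT_AFTER_DAYS:
            findings.append(("low", user, f"no login within {DORMANT_AFTER_DAYS} days"))
    return findings


def sample_findings():
    """Run the review over the constructed sample as at 2024-05-06."""
    return review_access(ACCOUNTS_CSV, HR_CSV, date(2024, 5, 6), KNOWN_SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for severity, user, reason in sample_findings():
        print(f"{severity.upper():6} {user:12} {reason}")
```

Each finding is the kind of evidence gap an auditor would write up; the same comparison run monthly, with the output retained, is the "evidence it actually happened" for the access review control.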


Myth 10: “You need dedicated security staff to maintain ISO 27001”

Reality: Most small and medium-sized organisations run their ISMS without a dedicated security team.

This myth conflates ISO 27001 with enterprise-scale security programmes. While larger organisations may have a CISO, a security operations team, and dedicated compliance staff, smaller organisations typically maintain their ISMS with a nominated ISMS lead — often a technically minded director, operations manager, or IT manager — supported by clear ownership of specific controls across the business.

The ISMS lead doesn’t need to be a security specialist. They need to understand the framework, be organised, have access to senior management, and have the authority to drive the programme across departments. The technical controls are typically managed by whoever manages IT; HR manages the people controls; facilities manages the physical controls; and so on.

External support — a consultant for the initial implementation or an annual readiness review — can fill gaps without creating a permanent overhead. The ongoing maintenance of a well-established ISMS in a small organisation is a part-time responsibility, not a full-time role.


The Common Thread

Most of these myths share an underlying pattern: they’re based on a mental image of ISO 27001 as a large, complex, expensive undertaking suited only to organisations with the resources to match. That mental image is outdated.

ISO 27001 has scaled significantly since its early enterprise-focused days. The 2022 revision streamlined the framework. Toolkits, platforms, and well-structured consultancy programmes have lowered the barrier to entry. And the business case — in won contracts, lower insurance, and managed risk — is now documented and demonstrable across a wide range of organisation types and sizes.

If one of these myths has been the reason your organisation hasn’t pursued certification, it’s worth revisiting the decision with the reality in mind.


Frequently Asked Questions

Q: Can a startup achieve ISO 27001 certification?

Yes — and many do, often as a condition of their first enterprise contract. A startup with a defined scope (typically the product, its infrastructure, and the team that builds and operates it), clean systems, and committed leadership can reach certification in as little as three months. The key advantage startups have is that there are no legacy processes to change — you can build the ISMS the right way from the outset rather than retrofitting it around existing practices. The main challenge is that implementation competes with everything else a startup needs to do. Dedicated ownership and realistic expectations about internal time commitment are the critical success factors.

Q: Does ISO 27001 require a penetration test?

Not mandatorily, but effectively yes in most cases. Control 8.8 (Management of technical vulnerabilities) and Control 5.35 (Independent review of information security) together mean that most organisations will include penetration testing or vulnerability assessment in their ISMS. Auditors will often ask whether technical security testing has been conducted. For organisations with significant technical infrastructure, a penetration test conducted before Stage 2 is good practice and provides strong audit evidence. The frequency, scope, and method should be proportionate to your risk assessment — a small SaaS company might run an annual penetration test; a large financial services firm might run quarterly.

Q: Is ISO 27001 the same as Cyber Essentials?

No — they’re different frameworks with different purposes. Cyber Essentials is a UK government-backed scheme focused specifically on five technical controls (firewalls, secure configuration, access control, malware protection, patch management). It’s a narrower, lower-cost baseline that can be self-assessed (or independently verified for Cyber Essentials Plus). ISO 27001 is a comprehensive management system standard covering the full range of information security risks, with independent third-party certification. Many organisations hold both: Cyber Essentials as a quick baseline and procurement requirement, ISO 27001 for enterprise clients or more demanding security requirements. If you have to choose one, your customer requirements should drive the decision.

Q: Does having ISO 27001 affect our cyber insurance?

Yes, meaningfully. Cyber insurers are increasingly differentiating premiums based on the quality of an organisation’s security posture, and ISO 27001 certification is a significant positive factor. Certified organisations typically receive better premium rates, improved coverage terms, or reduced excess levels compared with uncertified organisations of equivalent size and risk profile. The most reliable way to quantify the impact for your organisation is to ask your broker to quote with and without certification explicitly. Savings of £5,000–£15,000 per year are not unusual for mid-sized organisations, and in some cases the premium reduction alone covers the ongoing maintenance cost of certification.

Q: What’s the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable standard — it defines the requirements for an ISMS and is what you certify against. ISO 27002 is a guidance document — it provides detailed implementation guidance for each of the 93 Annex A controls but is not itself certifiable. Think of ISO 27001 as the what (here are the requirements your ISMS must meet) and ISO 27002 as the how (here is detailed guidance on implementing each control). When organisations “get ISO 27001 certified”, they’re certifying against ISO 27001. ISO 27002 is a reference document for implementing the controls, not a standard you can certify to.



Written by

Alan Parker

Alan Parker is an ISO 27001 consultant who has helped dozens of UK small businesses achieve certification — often without a dedicated security team or a large budget. With over 30 years in IT governance and qualifications including ITIL v3 Expert, ITIL v4 Bridge, and PRINCE2 Practitioner, Alan writes in plain English for busy teams who need to get things done. Named IT Project Expert of the Year (2024, UK).