Stuck at 60%: Why Your ISO 27001 Project Stalled – And How to Get Moving Again

It's common to see an ISO 27001 project stall at around 60%. Learn how to deal with the stolen attention, lost owners, fuzzy scope and perfectionism that stop it getting over the line.

If you feel like your ISO 27001 project has stalled – it's mostly done but never quite gets over the line – you're in very good company. I regularly hear some variation of:

“We’re about 60–80% there… we’ve written a lot of documents, done some risk work, but we just haven’t finished it off.”

Let’s explore how to breathe life back into your project and get you over the line.


Written by Alan Parker – ISO 27001 Consultant

In practice, that "last 20–40%" is usually the hardest part of the whole journey (or of any project!). It is the difference between a short, intense delivery that pays off quickly and a project that drags on forever and never seems to deliver. It's where you move from good intentions and half-built documents to something an auditor can follow, test, and sign off.

This article is for you if:

  • You’ve already invested time in ISO 27001
  • You know you’ve made progress
  • But months keep passing and you’re still not booking the audit

Let’s unpack what “stuck at 60%” really means in real life – and how to get moving again without burning your team out.


What “60% done” usually looks like

The details differ, but the pattern is surprisingly consistent. A typical “60% complete” ISO 27001 project looks like this:

  • Scope is roughly defined – there’s a scope statement somewhere, even if it’s a bit fuzzy and no one’s revisited it for a while.
  • Policies exist, but are uneven – some are polished, others are drafts, and a few are still on someone’s to-do list.
  • Risk work has been started – there’s a risk register and maybe a first pass at a Statement of Applicability (SoA), but neither feels finished or fully trusted.
  • Controls are partially implemented – lots of security work is happening day to day, but it’s not consistently mapped to risks and controls.
  • Evidence is patchy – some meeting minutes, some records, but nothing that feels like a coherent “audit trail”.
  • Energy has dipped – the project is still “important”, but business as usual has crept back in front.

If that sounds like you, the good news is: you probably have more of the foundations in place than you think. The bad news is: the gap between 60% and “audit-ready” is rarely just “a couple of documents”.

In my experience, it usually comes down to five main things.


1. Stolen attention: when the world pulls your team away

You can start an ISO 27001 project with the best will in the world – and then something else happens:

  • A big customer project drops in
  • There’s a product fire to fight
  • The company restructures
  • A key person goes on leave

Attention is stolen. The team pauses ISO 27001 “for a bit”, fully intending to come back to it. The problem is that, just like any complex task, once you break your attention, it takes far more effort to get back to where you were.

You return months later and:

  • No one can quite remember why certain decisions were made (which underscores the value of a decision log in any project)
  • Documents feel unfamiliar (once you are out of your groove, it can be hard to remember the ‘what’ and ‘why’ of certain things)
  • The next steps aren’t obvious any more

So the project feels heavier than it did before, and people subconsciously avoid it.

How to get back on track

I recommend treating a restart as a deliberate re-entry, not just “picking up where we left off”:

  • Run a short reset workshop – 60–90 minutes to remind everyone of the scope, objectives, and where you got to.
  • Summarise the project in one page – current scope, key risks, what’s already in place, and what’s left.
  • Agree a small, focused sprint – for example, “For the next two weeks, we’re going to concentrate only on finishing the risk treatment and SoA.”

The goal isn't to relive the whole journey; it's to give your brain a clean, current picture so you're not fighting through fog each time you touch ISO 27001. Stepping off the treadmill and then dreading getting back on is natural; the only wrong move is not getting back on at all.


2. Loss of owner: when your ISO 27001 champion leaves

Organisations are fluid. People join, people leave, roles get reshuffled. That’s normal. But it can punch a hole straight through your ISO 27001 project if everything was quietly hanging off one person.

If your ISO 27001 effort collapses the moment one individual moves on, there was probably something wrong with the governance from the start (unless you are genuinely a micro-organisation, in which case it may be unavoidable).

Typical warning signs:

  • “We need to wait until Sarah’s back; she knows how the risk register works.”
  • Nobody is quite sure where the latest versions of documents live.
  • Handovers consist of “There’s a folder somewhere with all the ISO stuff in it.”

What to do if your owner has gone

If your ISO 27001 owner has left or changed roles, it’s important to jump on it quickly, before the work starts to erode.

I’d suggest:

  • Formally appoint a new ISMS lead – name them, give them time and authority, and make it visible.
  • Get a quick handover pack from the outgoing champion while they are still available, outlining where things are stored, which decisions have already been made, and which are still open.
  • Review governance – do you have a steering group, or at least a couple of senior stakeholders, who can share responsibility?
  • Ensure the incoming champion has the training they need. I may be biased, but my online training course is probably a good place to start!

Ideally, ISO 27001 governance should look like a small, stable group making decisions, not a single heroic individual carrying it on their back.


3. Fuzzy scope and moving goalposts

Another common reason projects stall is that the goal quietly moves while you’re running towards it.

You might start with one scope and set of products or services. Then, mid-way through:

  • You expand into a new region
  • You buy another company
  • You launch a major new product
  • You re-platform your core system

Suddenly, people hesitate every time you ask a question:

  • “Is that in scope now?”
  • “Should we hold off until the new platform is fully live?”
  • “If we’re doing this, shouldn’t we include that as well?”

The risk is that you never quite commit, so nothing gets finished.

Put a stake in the ground

Here’s the thing: ISO 27001 scope is not a tattoo. You can change it later.

I strongly recommend putting your stake in the ground and drawing the line somewhere, rather than nowhere. The only true way to guarantee failure is not to do anything.

For your first year:

  • Define a clear, practical scope that matches your current reality – the systems, locations and services you most need to protect or to show to customers.
  • Be explicit about what is out of scope for now, even if you intend to bring it in later.
  • Document future intentions – “In year two we plan to expand the scope to include X.”

Getting foundations in and working is more important than trying to freeze a constantly changing organisation into a single perfect scope. A well-implemented, slightly narrower scope is far more valuable than an ever-expanding theoretical one.


4. Perfectionism: overthinking your way to a standstill

Some people (often the very ones you trust with ISO 27001) are natural perfectionists. They care about the detail, they like things to be “right”, and they’ve read the standard closely.

That's good – up to the point where care tips over into "analysis paralysis".

Projects often stall when:

  • Policies are rewritten again and again to chase the exact “right” wording
  • People try to anticipate every possible scenario in a procedure
  • There is a fear of “signing something off” because “what if an auditor doesn’t like it?”

ISO 27001 doesn't require perfection. It requires that you assess your risks, treat them in a way you can justify, and keep the records that show you did.

In other words:

  • Have you understood your risks?
  • Have you chosen controls that make sense for your organisation?
  • Can you show that you actually do what you say you do?

None of that demands a 40-page password policy with every edge case covered.

A healthier standard to aim for

I usually encourage teams to aim for:

“Clear, honest, and appropriate for our risks,”

rather than:

“The best possible policy an auditor anywhere in the world could imagine.”

Lean, readable documents that accurately describe what you actually do will always beat beautifully written theory that nobody follows.

If you notice people repeatedly revisiting documents without ever calling them “done”, it might be time to have a conversation about what “good enough” looks like in an ISO 27001 context.



5. No concrete definition of “audit-ready”

The last reason many teams sit at 60% is simple: they don’t know what “done” looks like.

There’s a vague sense that “we should probably do more” and “we’re not quite there yet”, but no shared, concrete picture of what an auditor will actually look for.

One important mindset shift is this:

Auditors don't sit in judgement deciding whether your documents are "good" or "bad". They judge whether what you have meets the requirements and intent of the standard, and whether you actually do what your documents say.

They’re asking:

  • Does your scope make sense?
  • Have you gone through a structured risk process?
  • Is your Statement of Applicability aligned to those risks?
  • Are the controls you’ve chosen implemented and operating?
  • Do you review, improve, and deal with nonconformities?

They are not running a beauty contest for policy wording.

Define “audit-ready” in black and white

If you’ve never written down what “audit-ready” means for you, it’s very hard to cross the line.

I’d suggest creating a simple checklist along the lines of:

  • Scope and information security policy approved
  • Risk assessment completed and signed off
  • Statement of Applicability agreed, with justifications
  • Core policies and procedures in place for high-risk areas
  • At least one internal audit completed and recorded
  • At least one management review completed, with minutes and actions
  • Nonconformity and corrective action process defined, with at least a couple of entries
  • Evidence that key controls operate (access reviews, backups, incident handling, supplier checks, etc.)

Once this is written down and agreed, you can stop aiming at a moving target and instead ask, “What is left on this list?”


A simple 5-step “un-stuck” plan

If you recognise yourself in any of these five issues, here’s a straightforward way to get moving again.

Step 1: Run a reset session (and reclaim your attention)

Bring the key people together for 60–90 minutes:

  • Revisit why you’re doing ISO 27001 at all – confirming purpose can be empowering for a project.
  • Confirm who now owns what (especially if roles have shifted)
  • Re-state the current scope and any future intentions

This is where you deliberately “switch your brain back on” to ISO 27001 after a distraction or a change in the team.

Step 2: Take an honest snapshot of where you are

Create a simple view of your project across three columns:

  1. Documents – what exists and is approved
  2. Practices – what actually happens day to day
  3. Evidence – what you can prove with records

For each, mark where you’re solid, where you’re in decent shape, and where there are clear gaps. This gives you a realistic baseline instead of the comforting “about 80% done” story.

Step 3: Define “audit-ready” and compare

Write your own “audit-ready” checklist, like the one above, and agree it.

Then compare your snapshot to that checklist:

  • Highlight the items that are already satisfied
  • Identify the handful of gaps which genuinely stand between you and being able to book an audit

This step alone can transform the mood from vague anxiety to a clear, finite set of tasks.

Step 4: Pick a small number of high-impact actions

From that gap list, choose a short, focused set of actions – usually 8–12 – that will move the needle most.

For example:

  • Finalise and approve the risk assessment
  • Finalise the Statement of Applicability
  • Run and document a management review
  • Complete an internal audit on one or two key processes
  • Formalise and start using an incident log

Give each a named owner and a realistic deadline. This is where you push back against perfectionism and scope creep and say, “These are the things that get us to audit-ready; everything else can go on the improvement list.”

Step 5: Protect a weekly ISO 27001 slot

To fight stolen attention, I’m a big fan of a short, recurring ISO slot:

  • 30–45 minutes, once a week
  • Same day, same time if possible
  • Agenda: review the key actions, unblock anything stuck, and plan the next tiny step

This cadence keeps the project alive in people’s minds without taking over their week. It’s often the difference between gentle drift and steady, visible progress.


Where templates and guidance help at this stage

At 60%, most organisations don’t need more theory. They need:

  • A consistent set of templates to fill gaps quickly
  • Clear guidance on what’s “good enough” for audit
  • A way to turn existing good practice into ISO 27001 evidence

That’s exactly the gap I try to bridge with my ISO 27001 toolkit and implementation course:

  • The toolkit gives you every core template (risk register, risk treatment plan, SoA, internal audit, management review, incident log, etc.) so you aren’t reinventing the wheel.
  • The course / coaching layer focuses on how to use them in a sensible order, how to avoid perfectionism, and what auditors actually expect to see in practice.

Whether you use my material or not, the principle is the same: stop aiming for theoretical perfection, decide what “audit-ready” looks like for your organisation, and protect the time and ownership to get there.


Written by Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).