From ISO 27001 Failure to Mastery: Understanding Your Journey Through McClelland's Competency Model

Are we sitting comfortably? Let's begin.

The Psychology Behind ISO 27001 Success

Once upon a time, there was a chap called David McClelland. McClelland was a psychologist, Harvard professor, and the brilliant mind behind a behavioural framework we know today as the competency model - also referred to as the stages of competence model.

This powerful framework breaks down learning into four distinct stages:

  • Unconscious incompetence

  • Conscious incompetence

  • Conscious competence

  • Unconscious competence

And here's the fascinating bit: if you've failed your ISO 27001 audit, you're sitting squarely in the conscious incompetence stage - which is actually a tremendously exciting place to be.

Why Failing Your ISO 27001 Audit Isn't the End of the World

You're aware of what needs improving, which means you're better equipped for your quest towards mastery.

Even if you haven't failed your ISO 27001 audit and you're simply here to educate yourself about the certification process, you're still in that same conscious incompetence stage. This is equally thrilling because it demonstrates you're already heading in the right direction.

Before we continue, it's worth clarifying that an outright failure of your ISO 27001 audit is incredibly rare. Skilled auditors will flag issues throughout the process and provide time for corrections. In essence, they help ensure you're conscious of areas needing improvement whilst offering clear, actionable steps to get back on track.

The Forgiving Nature of ISO 27001 Auditors

On those rare occasions when organisations do fail the certification process, it's crucial to understand that auditors are rather forgiving. You won't be shunned into a life of shame like some medieval punishment. Re-audits are commonplace, and remember - you're now consciously incompetent, meaning you're aware of the precise steps needed to improve (as opposed to not having a scooby-doo).

The Common Mistake: Skipping the Journey

A frequent error organisations make during the ISO 27001 certification process is attempting to skip straight to the destination without respecting the journey. They rush to tick off minimum requirements on one massive checklist, which rather defeats the entire point of ISO 27001.

"It's not about the destination, it's about the journey."

Operating in the Conscious Competence Realm

Most of the ISO 27001 certification process operates within the conscious competence sphere - or should we say realm? That sounds rather better.

ISO 27001 requires organisations to be fully aware of and actively manage their information security practices in a structured manner. This encompasses:

  • Deliberate implementations

  • Continuous risk assessment

  • Regular improvements

  • Active oversight and reporting

It's not simply about putting policies on paper. It's about creating a functional system that effectively:

  • Identifies information security risks

  • Determines necessary actions

  • Ensures those actions are implemented

Essentially, you're conscious of what you're doing, why you're doing it, and you're demonstrating competency by implementing tangible measures.

Reaching Your Full Potential: Unconscious Competence

Only then, young padawan, will you reach your full potential and enter the realm of unconscious competence.

This marks the point where your organisation has so thoroughly integrated its information security practices that they're carried out naturally - without constant, deliberate effort or oversight. Maintaining standards becomes second nature, and the controls, audits, and improvements happen seamlessly as part of routine operations.

Where Are You on Your ISO 27001 Journey?

Perhaps you're at the unconscious incompetence stage, or you've made a start in conscious incompetence or conscious competence. Regardless of where you find yourself in relation to McClelland's framework, the goal remains the same: reaching that coveted unconscious competence stage.

The beauty of understanding your position on this journey is that it provides clarity about your next steps. Whether you're just beginning to recognise what you don't know, actively learning and implementing, or well on your way to mastery, each stage offers its own opportunities for growth and improvement.

Your Next Steps

No matter where you are in your ISO 27001 journey, professional guidance can help accelerate your progress through McClelland's stages of competence. The key is recognising that certification isn't just about meeting minimum requirements - it's about building a robust, integrated information security management system that becomes part of your organisation's DNA.

Ready to begin your quest towards ISO 27001 mastery? The journey starts with understanding exactly where you are today.

Tom Gell

Translating ISO 27001 into human language for fast-growing companies. Former public sector leader who helped scale a startup to £1M ARR by making compliance digestible. Now on a mission to prove security certification doesn't require a 400-page policy manual or a PhD in bureaucracy. Powered by coffee and clarity.

https://www.isoserious.com