When ISO 27001 Goes Wrong (And How to Get It Right)

Let's be honest - implementing ISO 27001 isn't always smooth sailing. While the standard itself is straightforward enough, humans have a remarkable talent for complicating things. Here are the most common ways organisations trip themselves up, and more importantly, how to avoid joining their ranks.

The Great Documentation Avalanche

The Problem: Some organisations treat ISO 27001 like they're writing the next great novel. They produce endless policies, procedures, and documents that would make War and Peace look like light reading. Nobody reads them, nobody follows them, but by golly, they exist.

The Solution:

  • Write documents people will actually read (revolutionary, we know)

  • Focus on clear, concise guidance

  • Use templates as inspiration, not gospel

  • If a policy takes longer to read than to implement, it's too long

  • Test documents with actual humans before finalising them

The "IT Will Handle It" Syndrome

The Problem: Despite ISO 27001 being a business standard, many organisations still treat it as an IT project. They hand it to their tech team, wish them luck, and wonder why it doesn't stick.

The Solution:

  • Get leadership visibly involved from day one

  • Make it clear this is a business project, not a tech project

  • Involve people from across the organisation

  • Help the IT team translate technical requirements into business language

  • Create clear ownership for non-technical controls

The Checkbox Champions

The Problem: Some organisations approach ISO 27001 like a giant checkbox exercise. They implement controls without understanding why, create processes that don't reflect reality, and then wonder why their security doesn't improve.

Warning: This is particularly evident in the rise of Compliance-as-a-Service platforms that promise to make certification "easy" through templated approaches and automated compliance tracking. While these platforms can be useful tools, they often encourage a tick-box mentality that misses the point entirely. You end up with a beautiful dashboard showing 100% compliance, but security that exists only on paper.

The reality is that downloading a template policy or ticking a box in a compliance platform doesn't make you secure. Just because your dashboard is green doesn't mean your data is protected.

The Solution:

  • Start with understanding your actual risks, not a generic template

  • Question why each control is needed for your specific context

  • Implement controls that make sense for your business, not just what's easy to track

  • Focus on effectiveness, not just existence

  • Build reviews into your process to catch misalignment between documentation and reality

  • Use compliance platforms as tools to support your ISMS, not as the ISMS itself

  • Remember that security is about protecting your business, not satisfying a software dashboard

The "Perfect Security" Trap

The Problem: Organisations sometimes try to create the perfect security system, leading to analysis paralysis, overcomplicated controls, and frustrated teams.

The Solution:

  • Remember perfect security doesn't exist

  • Start with addressing your biggest risks

  • Implement controls iteratively

  • Build in feedback loops

  • Focus on progress, not perfection

The Cultural Resistance

The Problem: The most robust security controls in the world won't help if your team sees them as obstacles to avoid rather than tools to use.

The Solution:

  • Involve teams in control design

  • Make security easier than insecurity

  • Celebrate security wins

  • Address frustrations quickly

  • Show, don't tell, why controls matter

The Resources Reality

The Problem: Organisations often underestimate the resources needed for implementation, leading to rushed work, cut corners, and frustrated teams.

The Solution:

  • Be realistic about time and resource needs

  • Plan for the long game, not just certification

  • Build in buffer for unexpected challenges

  • Consider external help for specialised areas

  • Focus resources on your biggest risks first

The Maintenance Muddle

The Problem: Getting certified is one thing; staying certified is another. Many organisations struggle with maintaining their ISMS once the initial excitement wears off.

The Solution:

  • Build maintenance into your regular operations

  • Set realistic review schedules

  • Automate what you can

  • Keep documentation lean and manageable

  • Plan for staff changes and knowledge transfer

The Implementation Insight

The secret to successful ISO 27001 implementation isn't finding the perfect template or following someone else's exact path. It's about:

  • Understanding your actual security needs

  • Building controls that work for your organisation

  • Creating processes people will actually follow

  • Maintaining momentum after certification

  • Learning from mistakes (preferably other people's)

Remember: ISO 27001 is a means to an end - better security - not an end in itself. Keep that in mind, and half the battle is won.

Debunking ISO 27001 Myths: The Reality Check

After years of helping companies achieve certification, we've heard every excuse, fear, and misconception about ISO 27001. Let's tackle the big ones head-on.

"We're Too Small for ISO 27001"

This myth usually comes from companies who think ISO 27001 is only for enterprises with massive IT departments and dedicated security teams.

The Reality: 

Being small is actually an advantage. You have:

  • Fewer systems to secure

  • Simpler processes to document

  • More control over changes

  • Greater ability to embed security in your culture

  • Less organisational inertia to overcome

Some of our most successful implementations have been with companies under 50 people. They typically achieve certification faster and maintain their ISMS more effectively than their larger counterparts.

"It's All About Documentation"

This myth stems from horror stories about companies drowning in paperwork and endless policy documents.

The Reality: 

Documentation is just evidence of what you do, not the main event. Good documentation should:

  • Be clear and concise

  • Reflect what actually happens

  • Help people do their jobs better

  • Provide clarity when needed

  • Support your security practices

The best ISMS documentation we've seen fits in a small wiki. The worst fills multiple SharePoint sites and still doesn't help anyone.

"We Need to Buy Lots of New Technology"

Many companies assume ISO 27001 requires investing in expensive security tools and technologies.

The Reality: 

ISO 27001 is technology-neutral. It cares about:

  • How you manage risk

  • Whether your controls work

  • If you can prove they work

  • How you improve over time

Often, you already have most of the tools you need. The key is using them effectively and consistently.

"It Will Slow Down Our Business"

There's a persistent fear that ISO 27001 means adding bureaucracy and red tape to every process.

The Reality: 

Good security speeds things up. It means:

  • Clear processes for common situations

  • Faster decision-making about risks

  • Fewer security incidents to manage

  • More efficient onboarding

  • Less time fixing problems

  • Quicker responses to client security questions

When implemented well, ISO 27001 reduces friction rather than creating it.

"We Need Security Expertise First"

Companies often think they need to hire security experts before starting their ISO 27001 journey.

The Reality: 

While security expertise is valuable, ISO 27001 is fundamentally about:

  • Understanding your business risks

  • Making informed decisions

  • Following through on those decisions

  • Learning and improving

You can build expertise as you go, and often your team knows more than they realise about what needs protecting.

"Once We're Certified, We're Done"

Some see certification as the finish line, after which they can relax.

The Reality: 

Certification is really the starting line. It means:

  • You have a working ISMS

  • Your key controls are in place and have stood up to an independent audit

  • You understand your risks

  • You're ready to start improving

The real value comes from building on this foundation to make security part of your company's DNA.

"It's Too Expensive"

The cost of certification often appears daunting, especially for smaller companies.

The Reality: 

Consider these costs:

  • A single security incident (average cost: £20,000+)

  • Lost business opportunities (often £100,000+)

  • Emergency security fixes (usually 3x planned costs)

  • Reputation damage (priceless)

  • Time spent on repetitive security questionnaires

ISO 27001 is an investment that typically pays for itself within the first year through prevented issues and new opportunities.

"It Takes Ages to Get Certified"

This myth usually comes from companies still recovering from a previous consultant who treated ISO 27001 like a pension plan - something that pays out indefinitely. Or they've heard horror stories about certification projects that ran longer than an enterprise software implementation.

The Reality: 

You can achieve certification in 3-6 months. And no, that's not because we've discovered a loophole or a shortcut - it's because we've stripped away all the unnecessary faff that typically makes these projects drag on.

The quick route to certification means:

  • Starting with what you've already got (which is usually more than you think)

  • Making decisions promptly rather than debating them to death

  • Building security processes that actually work, not writing novels about them

  • Having clear ownership and accountability

  • Working with people who've done this before (and learned from others' mistakes)

The companies that end up in certification purgatory usually:

  • Try to build the perfect system first time

  • Get lost in endless policy reviews

  • Wait for magical moments of universal agreement

  • Let consultants bill by the hour

  • Treat every decision like it's permanently carved in stone

Most certification projects don't stall because they're complex - they stall because people get caught up in perfecting things that don't need to be perfect. Remember: having good security today is better than having perfect security someday in the theoretical future.

The Bottom Line

The biggest myth about ISO 27001 is that it's complicated. It isn't. It's about understanding what matters to your business, protecting it effectively, and being able to prove you've done so. Everything else is just details.

The ISO Serious Approach: Building Security That Works

We believe getting ISO 27001 certified shouldn't feel like pulling teeth. Our approach strips away the corporate jargon and unnecessary complexity to focus on what matters: building security that actually works for your business.

Step 1: Understanding Where You Are

Before we write a single policy or implement any controls, we need to understand your business. This isn't just a checkbox exercise - it's about building a foundation that makes sense for you.

Gap Analysis 

We start by looking at what you already have. Most companies are surprised to discover they're doing many things right - they just haven't formalised them. We'll:

  • Map your existing security practices

  • Identify what's working and what isn't

  • Spot the gaps that need addressing

  • Find opportunities for quick wins

Data Mapping 

You can't protect what you don't know about. We'll help you understand:

  • What sensitive data you hold

  • Where it lives in your systems

  • How it flows through your business

  • Who needs access to it

Context Setting 

This is where we get to know your business intimately:

  • Your goals and challenges

  • Your market and regulatory environment

  • Your stakeholders and their expectations

  • Your appetite for risk

Step 2: Building Your Framework

With a clear understanding of your starting point, we create a framework that fits your business like a well-tailored suit.

Scope Definition 

We'll help you define a scope that:

  • Makes sense for your business

  • Satisfies your clients' requirements

  • Is achievable with your resources

  • Allows for future growth

Risk Assessment 

Our risk assessment process is practical and focused:

  • Identifying real threats to your business

  • Evaluating their potential impact

  • Determining your risk tolerance

  • Prioritising what needs addressing first

Control Selection 

We'll help you choose controls that:

  • Address your actual risks

  • Work with your existing processes

  • Can be effectively maintained

  • Deliver measurable benefits
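The risk assessment and control selection above boil down to a small amount of bookkeeping that is easy to get wrong in a spreadsheet: score each risk, compare it with the appetite the business has actually stated, map the controls you rely on, and then check that those controls still have fresh evidence behind them rather than a green tick from months ago. The following is an added illustration, not code from ISO Serious or from the standard; the 1-5 scales, the appetite threshold of 8, the 90-day evidence review period and the sample risks and controls are all constructed assumptions, chosen only to show the mechanics.

```python
"""Added example (not from the original page): a minimal risk register that
scores risks, compares them with a stated risk appetite, and flags risks whose
mapped controls have no current evidence, i.e. risks that are only treated on
paper. All scales, thresholds and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Control:
    ref: str
    description: str
    last_evidence: Optional[date]  # None means the control has never been evidenced
    review_days: int = 90          # evidence older than this is treated as stale (assumed)


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain), an assumed scale
    impact: int          # 1 (negligible) .. 5 (severe), an assumed scale
    controls: tuple = () # refs of the controls relied on to treat this risk


def score(risk: Risk) -> int:
    """Likelihood x impact on a 1..25 scale (a common, but assumed, convention)."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.ref}: likelihood and impact must be between 1 and 5")
    return risk.likelihood * risk.impact


def prioritise(risks):
    """Highest score first; ties broken by reference so the order is stable."""
    return sorted(risks, key=lambda r: (-score(r), r.ref))


def stale_controls(risk: Risk, controls: dict, today: date) -> list:
    """Controls mapped to the risk whose evidence is missing or older than their review period."""
    stale = []
    for ref in risk.controls:
        c = controls[ref]
        if c.last_evidence is None or today - c.last_evidence > timedelta(days=c.review_days):
            stale.append(ref)
    return stale


def assess(risks, controls: dict, appetite: int, today: date) -> list:
    """One row per risk, highest priority first, with a treatment status.

    appetite is the highest score the business tolerates without further
    treatment (an assumed threshold; in practice it comes from the risk policy).
    """
    rows = []
    for r in prioritise(risks):
        s = score(r)
        stale = stale_controls(r, controls, today)
        if s <= appetite:
            status = "within appetite"
        elif not r.controls:
            status = "untreated"
        elif stale:
            status = "treated on paper only"   # the dashboard is green, the evidence is not
        else:
            status = "treated, evidence current"
        rows.append({"ref": r.ref, "score": s, "status": status, "stale_controls": stale})
    return rows


# Constructed sample data; the references and dates are invented for the example.
TODAY = date(2025, 1, 15)
APPETITE = 8
CONTROLS = {
    "C-MFA": Control("C-MFA", "MFA enforced on all staff accounts", date(2025, 1, 10)),
    "C-BACKUP": Control("C-BACKUP", "Weekly restore test of production backups", date(2024, 7, 1)),
    "C-JML": Control("C-JML", "Leaver access removed within one working day", None),
}
RISKS = [
    Risk("R1", "Phishing leads to account takeover", 4, 4, ("C-MFA",)),
    Risk("R2", "Ransomware destroys production data", 3, 5, ("C-BACKUP",)),
    Risk("R3", "Leaver retains access to client systems", 3, 3, ("C-JML",)),
    Risk("R4", "Laptop stolen from the office", 2, 2),
]

if __name__ == "__main__":
    for row in assess(RISKS, CONTROLS, APPETITE, TODAY):
        print(f"{row['ref']:<3} score={row['score']:>2}  {row['status']:<26} stale={row['stale_controls']}")
```

Run as a script it prints the register in priority order. R2 and R3 are the interesting rows: both are above appetite and both have a control mapped, so a tick-box view reports them as handled, but the backup restore test has not been evidenced within its review window and the leaver process has never been evidenced at all. That distinction between a control existing and a control demonstrably working is the one the checkbox approach loses, and it is the first thing an auditor will ask about.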

Step 3: Making It Real

This is where we turn plans into reality. We take the approach of "if we can do it, we'll do it" - meaning we handle the heavy lifting while keeping you in control.

Policy Development 

We create policies that:

  • People will actually read

  • Make sense for your business

  • Support rather than hinder work

  • Can be easily maintained

Process Implementation 

We'll help you:

  • Design processes that work

  • Document them clearly

  • Train your team effectively

  • Build in continuous improvement

Training and Awareness 

We develop training that:

  • Engages your team

  • Focuses on practical application

  • Uses real-world examples

  • Drives cultural change

Step 4: Keeping It Going

Getting certified is just the beginning. We stay with you to ensure your ISMS remains effective and continues to add value.

Regular Reviews 

We'll help you:

  • Monitor control effectiveness

  • Track security metrics

  • Identify improvement opportunities

  • Maintain certification requirements

Continuous Improvement 

Together we'll:

  • Learn from incidents and near-misses

  • Adapt to changing risks

  • Optimise processes

  • Build security maturity

The ISO Serious Difference

Our approach is different because we:

  • Focus on practical security over perfect documentation

  • Build systems people will actually use

  • Take on the heavy lifting

  • Stay with you throughout the journey

  • Speak human, not consultant

And most importantly, we put our money where our mouth is: if you don't pass your certification audit, you don't pay. Because we believe consultants should be accountable for results, not just billable hours.

Remember: Security shouldn't be a headache. With the right approach, it becomes a natural part of how your business operates - and that's exactly what we help you achieve.

Ready to Get Started?

Next Steps Are Simple

1. Let's Talk 

We'll see if we're a good fit

  • 15-minute conversation to understand each other

  • You tell us about your business and goals

  • We'll share our approach and experience

  • Together we'll work out if we're right for each other

  • If we're not the right fit, we'll point you in a better direction

2. Discovery Session 

  • Understanding your business context and objectives

  • Current security practices

  • Certification timeline needs

  • Resource availability

  • Specific industry requirements

3. Tailored Proposal 

  • A clear understanding of what we heard about your needs

  • Three straightforward options for working together

  • Transparent pricing with flexible payment terms

  • How we'll support you through certification

  • What could go wrong (and how we'll handle it)

  • Clear next steps to get started

4. Hit the Ground Running

  • Kick-off within days, not weeks

  • Clear milestones and deliverables

  • Regular progress updates

  • Continuous support throughout

Ready to go?

Book a call here

Tom Gell

Translating ISO 27001 into human language for fast-growing companies. Former public sector leader who helped scale a startup to £1M ARR by making compliance digestible. Now on a mission to prove security certification doesn't require a 400-page policy manual or a PhD in bureaucracy. Powered by coffee and clarity.

https://www.isoserious.com