18 December 2024

What happens when companies view ISO 27001 as a tickbox exercise

I've observed a disturbing trend that’s hard to ignore. Both organisations and, more alarmingly, auditors appear to be deviating from the true essence of ISO 27001. It’s increasingly apparent that certifications are being granted to companies that, in my assessment, fall significantly short of meeting the core requirements and objectives that ISO 27001 is designed to uphold.

In this blog, I want to share some observations from my experiences working with customers who have achieved the ISO 27001 certification. It is alarmingly easy for organisations to achieve certification by focusing on the approximately 100 controls in the standard, without actually achieving the underlying principles of effective information security management. This may lead to an ISO 27001 certification that is not worth the paper it is printed on, as the organisation holding it may still fall victim to cyberattacks, data breaches and other compliance issues stemming from mismanagement of their information security practices.

However, I hope to show this can be fixed with a mindset shift and buy-in from senior leadership. When the foundational principles of ISO 27001 are fully understood by leadership teams who view it as something more significant than a checkbox exercise, their support means that the time and money invested in achieving the certification will pay dividends.

The premise of ISO 27001

Before I dive into my observations, it’s important to explain what the premise of ISO 27001 actually is.

At a high level, ISO 27001 is designed to protect sensitive information and implement an effective Information Security Management System (ISMS). To do this, you need a thorough risk assessment process and an information security ‘culture’ within your organisation. A crucial part of this information security culture is buy-in from senior management. If senior management don’t buy in to the importance of information security, they will not express the importance of information security to the rest of the business. And because they don’t, the risk assessment process won’t be as effective as it needs to be, and resources won’t be provided to mitigate security risks.

To extend this logic, let’s take PCI DSS as a comparison. PCI DSS comprises over 300 distinct requirements for the security of payment card information, whereas ISO 27001:2022 outlines just 93 controls. The disparity exists because PCI DSS operates in a realm of clear-cut, "black and white" rules; you are explicitly aware of the scope and the necessary controls that must be implemented, leaving little room for interpretation or flexibility.

By contrast, ISO 27001 allows a more nuanced, flexible approach. The controls you apply are shaped by your organisation's unique risk appetite. Essentially, ISO 27001 leans heavily on 'implicit' factors, such as fostering a robust information security culture and ensuring that the staff responsible for assessing risks are well-informed and committed to the task. Because of the subjective or intangible nature of these controls, they become harder to measure.

Given the lower number of explicit controls in ISO 27001, the thoroughness of the audit becomes paramount. If the audit does not rigorously evaluate these more subtle elements – like the organisation's security culture – that organisation might achieve compliance without improving its information security practices. In my view, such a certificate would be essentially meaningless if it doesn't genuinely reflect a comprehensive, business-wide commitment to information security.

Paying lip service to compliance can leave you at risk

My concerns arise from experiences during internal audits of organisations already holding ISO 27001 certification and from discussions I've had with these certified entities in the course of other consultancy work. For instance, I worked with a medium-to-large-sized organisation that had been certified for several years. On the surface, they appeared to have a structured approach with a designated ‘Head of Risk’. However, a closer look revealed troubling inconsistencies. The risk register was being maintained by one person (not the Head of Risk) without any input from other team members. The register itself was of a good standard, but this was largely due to the efforts of the previous owner, who had a solid grasp of risk management. Regrettably, the current owner lacked a deep understanding of risk, leaving me concerned that the quality of the risk register would degrade over time.

I was even more alarmed when I found out that the risk owner was not engaging in discussions with other staff about emerging risks, nor was he involved in the risk-based discussions for new projects, nor was he communicating adequately with senior management. The Head of Risk was communicating to the board about all risks to the business, not just information security risks. Moreover, meetings about information security risks between the Head of Risk and the owner of the ISO 27001 risk register occurred only sporadically.

In essence, despite outward appearances, there was a glaring lack of senior management buy-in to information security. These risks were not being discussed by staff who understood them adequately, and there was no standardised approach to risk management within the organisation. All of this meant that the fundamental premises of an effective ISMS were not being achieved. Information security was not taken seriously enough, and the risk assessment process was ad hoc and inconsistent. Furthermore, there was no process in place for the risk owner to procure resources when he finally became aware of a new risk with a high risk ranking, such as one arising from a new project.

I flagged these critical findings in my internal audit report. Yet, to my dismay, they passed the next ISO 27001 audit with none of my findings being flagged as ‘areas for improvement’. Although they could produce a Statement of Applicability and demonstrate the implementation of all relevant controls, the underlying issues remained unaddressed. This situation perfectly encapsulates my worry: certifications are often awarded based on checklists, while the true spirit and intent of ISO 27001, creating a robust, culture-driven approach to information security, are overlooked.

Another organisation I worked with had only just achieved compliance for the first time, but as we were chatting they showed me the risk register. It contained only two entries. The Statement of Applicability had no mappings to the risks that each control was mitigating. When pressed on this, they responded that the auditor was satisfied they had implemented the controls, and that this was their priority. Again, the company’s focus on achieving certification, rather than building proper information security management, would leave them at risk. I felt they were missing the point.

While I cannot make wholesale conclusions, or sweeping generalisations from my own experience, I have spoken to colleagues and other customers who confirmed that what I have witnessed is nothing out of the ordinary.

Focus on the Risk Assessment phase

All this makes me question how much latitude auditors are prepared to give organisations during the audit, particularly around the more intangible and difficult-to-measure elements such as having a robust information security ‘culture’. While there is a recognition that organisations have room for improvement, and don’t have to have everything perfectly in place, I think auditors have skewed things too far in the wrong direction if they are certifying organisations solely on the basis that they have implemented the controls but haven’t implemented a robust risk assessment process.

This is why it is important to focus on the Risk Assessment phases of the ISO 27001 standard rather than just the controls.

I would even go as far as to say that if I was working for a company that was looking to engage with a new third party, I would disregard their ISO 27001 certification and would still want to question them on how they protect sensitive information. I don’t want to criticise ISO 27001 certification entirely; it does provide a framework and a starting point. But we must remember that true information security resilience requires much more than simply having a certificate on your website. If you are partnering with an organisation and you want to ensure they prioritise information security, you should thoroughly vet them and conduct a proper risk assessment of their information security and cybersecurity practices and culture.

Ask yourself: why are you getting certified?

The foundational premise of the ISO 27001 standard – to secure sensitive information by ensuring staff are knowledgeable about information security risks, and fully aware of the threats facing their organisation – is undeniably robust. For organisations that view ISO 27001 certification as merely a box-ticking exercise to meet contractual obligations, this scenario might appear convenient. However, if your organisation is genuinely committed to bolstering its information security posture, then the true value of implementing ISO 27001 lies far beyond simply obtaining a certificate.

If you are looking to use ISO 27001 certification to genuinely improve your information security posture, my advice would be:

  1. Engage with a consultancy to get support and advice on achieving your ISO 27001 certification. Selecting an external partner who shares this perspective ensures that your organisation will not just achieve compliance, but also enhance its security practices. Keep in mind that working with a consultancy or auditor who misinterprets the ISO 27001 standard could result in compliance without substantive security improvements, leaving your organisation vulnerable and unprepared for potential breaches, a very costly and embarrassing scenario.
  2. Ensure that senior leadership buy in to why you are getting the certification. Implementing better information security practices requires time, resources and collaboration from various teams throughout the business.
  3. Engage fully with the Risk Assessment phase rather than just the individual controls.

Should you get ISO 27002?

A potentially controversial opinion is that the controls outlined in ISO 27002 could be viewed merely as guidelines, rather than an obligation, by organisations who do commit to the principles underlying ISO 27001. ISO 27002 is a supplementary standard that focuses on the implementation of the specific security controls an organisation has chosen. The controls defined in ISO 27002 have evolved over time based on trial and error and on new technologies, and it has become the belief that these are the only controls that need to be listed in the ‘Statement of Applicability’ that maps to the risks in the risk register. This belief, however, further demonstrates how this misunderstanding is pervading the compliance industry. The controls should only be considered as guidance, and it is perfectly acceptable for an organisation to ignore these specific controls and implement measures to mitigate all of its defined risks in any way it chooses, as long as it can demonstrate to the auditor that it has a robust Risk Assessment process in place and has addressed all risks in line with its risk appetite. The fact that the controls in ISO 27002 are not necessarily ‘compulsory’, as they are in PCI DSS, is further evidence that those ‘implicit/culture’ elements are much more important.

Moving on to ISO 27002 is only suitable for those organisations who have properly implemented ISO 27001 and the principles it expounds, i.e., engendering a business-wide culture for information security with specific policies, security controls and risk management procedures. To do this, senior leaders must impress on the business how important information security is, and put a comprehensive risk assessment process in place, which can take time to achieve.

Once this is done, and you have built an Information Security Management System identifying specific security controls which will lower your information security risks, ISO 27002 will ensure your Information Security Management System supports robust cyber resilience for the long term.

Claranet provides a range of services for auditing and compliance. We enable organisations to demonstrate their security posture and their resilience against cyber threats, so they can meet their auditing and compliance requirements and provide assurances to their key stakeholders that they are meeting widely accepted security standards. Through training, audits and assessments, we provide a roadmap for minimising cyber security risks to your business.

Find out more about our auditing and compliance services and how we help companies achieve ISO 27001.