ISO 27001 planning pitfalls

If you’re involved in, or leading, an ISO 27001 implementation project in the near future, you’ll be keen to avoid common pitfalls on your journey towards certification.

Here’s a heads up on 3 of the pitfalls that can occur in the planning stage of an ISO 27001 project.

Pitfall #1 – Planning in haste

“Typically a medium size company, working without external assistance, can be ready to go for ISO 27001 certification 14 to 18 months from project start.” – Nick Orchiston, Management Systems Consultant at IT Governance Ltd.

Bearing in mind the typical time scale for an ISO 27001 project, the amount of time you should allocate to planning is significant. The roadmap below shows the approximate proportion of time that should be allocated to each stage of the Plan, Do, Check, Act cycle.

Pitfall #2 – Failing to get ‘buy-in’ from key areas of your organisation

Part of the project initiation stage involves setting up a management group that has ownership of the information security management system (ISMS) and responsibility for planning and implementing it effectively.

Ensuring that the right people are involved in this management group is important. Without ‘buy-in’ from senior managers in key areas such as HR, sales, operations and admin, you may find it very difficult to implement the ISMS as your project progresses. You should also consider involving more junior staff. They will bring a different perspective to the management group, often identifying practical issues that will make the implementation process much smoother.

Pitfall #3 – Planning to do too much or too little

Deciding the scope of an ISMS can be tricky. For large, complex organisations it may be sensible to avoid taking on ‘too much’ by adopting a staged approach to implementation. This approach is valid if information security needs can be independently assessed in separate parts of the organisation.

At the other extreme, planning to include ‘too little’ is to be avoided. Whilst it might seem like a ‘quick route’ to compliance, any external auditor worth their salt will not accept a narrow scope that leaves critical functions exposed to security risks.

Prepare for pitfalls …

The ISO 27001 Certified Lead Implementer course is part of our ISO 27001 training pathway. This course provides lots of practical tips on avoiding common implementation pitfalls. Developed by Steve Watkins and Alan Calder, this course is based on years of experience in avoiding pitfalls to deliver efficient and cost-effective ISO 27001 compliance projects.
