ISO27001 Success: An interview with Alan Calder

When it comes to implementing an information security management system (ISMS) in line with ISO27001, there are a number of guidelines to follow, pitfalls to avoid and questions to ask. We’ve grabbed Alan Calder, one of the leaders of the world’s first successful ISO27001 implementation (then BS7799), for a quick 10 minute chat for his views on creating your own ISO27001 success story.

What is the best piece of advice you could give anyone starting their ISO27001 project?

Management buy-in and support is absolutely critical. Make sure your management understand the business benefits of certification (improved competitiveness, cost reductions, secure confidential information, enhanced customer satisfaction etc.) as they will be your backbone throughout the implementation process.

What is the biggest misconception people have about implementing ISO27001?

In my experience of implementing the standard and teaching others to do the same, the biggest misconception I’ve found is that people think they have to implement all 133 controls in Annex A. In reality, you don’t. You only have to implement those controls that you select through a structured risk assessment, on the basis of likelihood and impact. This means that ISO27001 isn’t a ‘one size fits all’ standard for every business, but one that can be tailored specifically to your organisation.

Where did you learn all that you know now?

Most of my knowledge has come from nearly 15 years of helping organisations implement their Information Security Management System (ISMS). I’ve dealt with the good, the bad and seen it all, experiencing problems such as organisation buy-in, complicated risk assessments and post certification distress. From implementing ISO27001 a number of times in my own organisations to consulting with and training other organisations to do the same, has meant that I’ve seen the ISO27001 process from every angle.

Who were/are your biggest influencers in the information security industry?

I’d say my close support network – Steve Watkins and other fellow consultants that I work with. I’ve known Steve in particular for a number of years – we conducted the world’s first successful ISO27001 (then BS7799) implementation together and have since jointly written a number of books on information security and ISO27001.

What would you like to see the future of ISO27001 look like?

I would like to see less duplication between controls and the requirements of the management system. This would make implementation a lot easier for organisations. However, I can’t see this changing until a new version of the standard is released.

Which 3 resources should no organisation be without implementing an ISO27001 ISMS?

I would suggest a copy of the ISO27001 standard, the IT Governance No 3 ISMS Toolkit and focused implementation and audit training – like our ISO27001 Information Security Combination course.

Alan Calder is a leading trainer, consultant and lead implementer for ISO27001. He is a renowned author within the industry, authoring books such as IT Governance: An International Guide to Data Security and ISO27001/ISO27002 (the UK Open University’s post-graduate information security textbook) and Nine Steps to Success – An ISO 27001 Implementation Overview.

Alan is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.

View more information on Alan Calder here.

If you would like help, support or guidance in creating your own ISO27001 success story, contact IT Governance at or on +44 (0)845 070 1750.