5 greatest myths about ISO 27001


Very often I hear things about ISO 27001 and I don’t know whether to laugh or cry over them. Actually it is funny how people tend to make decisions about something they know very little about – here are the most common misconceptions:

“The standard requires…”

“The standard requires passwords to be changed every 3 months.” “The standard requires that multiple suppliers must exist.” “The standard requires the disaster recovery site to be at least 50 km distant from the main site.” Really? The standard doesn’t say anything like that. Unfortunately, this kind of false information I hear rather often – people usually mistake best practice for requirements of the standard, but the problem is that not all security rules are applicable to all types of organizations. And the people who claim this is prescribed by the standard have probably never read the standard.

“We’ll let the IT department handle it”

This is the management’s favorite – “Information security is all about IT, isn’t it?” Well, not really – the most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which are usually out of reach of IT department. See also Information security or IT security.

“We’ll implement it in a few months”

You could implement your ISO 27001 in 2 or 3 months, but it won’t work – you would only get a bunch of policies and procedures no one cares about. Implementation of information security means you have to implement changes, and it takes time for changes to take place.

Not to mention that you must implement only those security controls that are really needed, and the analysis of what is really needed takes time – it is called risk assessment and risk treatment.

“This standard is all about documentation”

Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is here to help you do it. Also, the records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.

“The only benefit of the standard is for marketing purposes”

“We are doing this only to get the certificate, aren’t we?” Well, this is (unfortunately) the way 80 percent of the companies think. I’m not trying to argue here that ISO 27001 shouldn’t be used in promotional and sales purposes, but you can also achieve other very important benefits – like preventing the case of WikiLeaks happening to you. See also Four key benefits of ISO 27001 implementation and Lessons learned from WikiLeaks: What is exactly information security?

The point here is – read ISO 27001 first before you form your opinion about it; or, if it’s too boring for you to read it (which I admit it is), consult with someone who has some real knowledge about it. And try to get some other benefits, other than marketing. In other words, increase your chances to make a profitable investment in information security.

To implement and maintain ISO 27001 more easily, check out the Conformio compliance software.

Advisera Dejan Kosutic
Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.