Working toward ISO certification for any standard proves to be challenging in all aspects. But challenges are what lead to growth, and many organizations embrace the challenge as a method of full business improvement.

But sometimes the challenges faced as companies work toward compliance are more difficult to control. When approaching ISO 27001 certification, the largest challenges don’t lie in the requirements of the standard itself, but in the company-wide adoption of the policies and best practices necessary to prove compliance with the standard.

The most common misconception is that cybersecurity is solely the responsibility of the IT department. But it’s so much more than that. Creating a truly secure system of information management requires the attention of each and every team member. Our consultants work with organizations to address the big hurdles related to the people responsible for the success of the program and approach the overarching struggle in three pieces.


Leadership Buy-in


First and foremost, it’s important for the program manager to ensure that the leadership team has fully bought into the concepts and processes needed for a successful Information Security Management System (ISMS) to be implemented. Proper education of the risks associated with poor security management can help to paint the picture of necessity for the system, and having hard facts and figures related to potential profit loss due to an information breach can help drive home the impact that appropriate information protection could have on the company.

Additionally, as with all ISO standards, the leadership team will be required to hold regular management meetings to assess the effectiveness of the system and address any problems that may arise. Therefore, their commitment to the initiative must be unwavering and fully informed.


Program Adoption


After the leadership team has committed to the ISO 27001 certification process, companies must then begin educating their full teams on the importance of the program and preparing them for the adoption of new safeguards and protocols.

Perhaps the hardest struggle related to ISO 27001 is team engagement, and implementation teams have their work cut out for them as they pursue it. Again, cybersecurity is mistakenly identified as an IT initiative, and employees are often annoyed by the seeming over-complication that comes with increased information protection. Anyone who has attempted to deploy new software across a company will understand the challenge of getting people on board with new ideas, systems, and protocols.

Further, educating the greater team on the scope of information security can prove to be equally challenging. Because information security is commonly associated with digital information and networks, employees fail to see how the protection of tribal knowledge, printed documents, and access to company information via personal devices can be as important to information security as strong passwords.


Human Error Control


Once the education has been completed and the leadership and greater team understand the impact a strong ISMS will make, organizations are then tasked with creating processes to protect their information. And while they can have the most fail-safe methods of protection ready to deploy, they must always account for the possibility of human error.

Even with the most stringent education and training policies, companies are at risk of simple mistakes made by employees. Security can sometimes simply be overlooked if an employee doesn’t have the ISMS initiative at the forefront of their focus, and information avenues that could result in a major breach aren’t always easily identifiable. Additionally, even the most aware team members can be caught off guard by phishing emails, out-of-network attacks, and potential loss or corruption of files. Organizations must be diligent in their follow-through on ISMS-related education and should be constantly vigilant in providing training and awareness initiatives to protect themselves from the potential for a breach due to human error.

With the implementation of any standard, organizations willingly embrace the challenges related to the management system they are working to improve or employ. When our customers face struggles they are having trouble moving past, our group of expert consultants is prepared to offer advice based on years of experience in working through such issues. They’re able to provide out-of-the-box solutions, key educational information, and action-driving statistics to help their clients succeed. As they work together toward compliance and embrace the challenges of achieving certification, they inevitably create positive change that results in whole-business improvement.

To learn about ISO 27001 requirements visit  or contact us at 866.354.0300.  We are happy to answer any questions you may have.