Incorrect Assumptions Banner

6 Incorrect Assumptions About ISO 27001

Published 18 December 2023

There’s lots of information out there about ISO 27001, but it’s often hard to uncover what’s accurate. You may assume that it’s a complex and costly standard that only applies to large organisations or those in highly regulated industries. However, this is an incorrect assumption and may prevent you from realising the benefits of becoming ISO 27001 certified. 

In reality, it is a flexible and adaptable standard that can be tailored to the specific needs and risks of any organisation, regardless of its size, sector or location. ISO 27001 helps to establish, implement, maintain, and improve an information security management system (ISMS) that protects your information assets from various threats and ensures compliance with legal and contractual obligations.  

Despite this, as a cyber security consultant, I’ve heard many interesting and (sometimes funny) things regarding security standards and frameworks. In this blog, I will debunk six incorrect assumptions I’ve heard people make about the ISO 27001 standard. 

Watch On Demand: ISO 27001 Webinar

1. “ISO 27001 Implementation Is Too Complex, Especially for Small Businesses.” 

ISO 27001 is the international standard that defines the requirements of an Information Security Management System (ISMS). Certification to the standard demonstrates that your organisation has defined and put in place best-practice information security processes. These practices are adaptive and work for any size of an organisation; I have personally implemented them in a business with two people and in organisations with over 2,000 people.  

It is worth remembering that ISO 27001 is a "risk based" management system that involves identifying the risks an organisation faces, in addition to the impact and likelihood of the risk happening. No two organisations are the same which means that the risk differs for a company that has 10 people, compared to a company that has 10,000 people.  

Begin by first identifying what data and information assets you have, where it is, and the actual safeguards that will protect these assets. Do this by conducting an ISO 27001-based gap analysis, which helps your organisation understand the current security posture and alignment to the standard. Then look at either risks to specific assets or risks presented by specific scenarios and you are on the journey towards certification. 

2. “ISO 27001 Implementation Needs Penetration Testing.” 

One of the requirements of ISO 27001 is to conduct regular risk assessments and implement appropriate controls to mitigate the identified risks. In this respect, penetration testing can help organisations comply with ISO 27001 by providing evidence of the effectiveness of their security controls, identifying gaps and areas for improvement, and demonstrating due diligence to stakeholders and regulators. 

As such, penetration can be a useful tool to identify and address vulnerabilities in the ISMS, but it isn’t mandatory. Control Annex A5.36 Compliance with policies, rules and standards for information security, states "Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed." This can include Penetration Testing, but Vulnerability Assessments are also appropriate. If you decide to perform penetration testing, it should be done by qualified and independent testers, following a clear scope and methodology.  

 3. “ISO 27001 Implementation Takes Many Years to Achieve.” 

You may think that ISO 27001 implementation takes years to achieve, but this is not necessarily true. How long it takes depends on your organisation’s size, the maturity of existing processes and the resources you have available to drive improvements. A realistic range is anywhere from 6 to 18 months for medium-sized organisation and in some cases, it can take less than 3 months from start to finish. 

There are mandatory documents, records, and activities that need to be carried out regularly within the ISMS, but it is a compliance programme. It is advisable not to ignore ISO 27001 because you think it will take years to implement. 

You can speak to qualified and experienced security consultants at Bridewell, who understand what it takes to implement the Standard. Throughout your project, we can support you, present the complex aspects of the standard in a clear and concise delivery model from carrying out an initial gap analysis all through to certification. 

4. “ISO 27001 Implementation Costs a Fortune.” 

An implementation project can be time-consuming and difficult, especially if you have no prior management system experience and are relying on a trial-and-error approach. However, implementing the standard can have many benefits, such as: 

  • Improving customer trust 
  • Helping to improve your information security posture 
  • Reducing the risk of data breaches and other security incidents 
  • Complying with business, legal, contractual, and regulatory requirements  
  • Avoiding financial costs associated with data breaches  
The exact cost of ISO 27001 consulting services really depends on the scope and objectives of the project, the level of maturity of the existing system, and the choice of certification body and consultants. The best way to estimate the cost of implementation is to conduct a gap analysis and a risk assessment, and then develop a realistic budget and timeline based on the specific needs and goals of your organisation.  

5. “ISO 27001 Implementation Can Stop All Data Breaches.” 

ISO 27001 can help prevent data breaches as it requires organisations to implement policies and procedures for access control, encryption, backup, incident response, vulnerability management, security training and awareness and so on. These can reduce the risk of unauthorised access, data loss or corruption, or delayed recovery. 

However, a data breach can still occur if robust processes and procedures are not in place to prevent user error, or users do not know how to handle and protect sensitive information. Therefore, ISO 27001 implementation is not a silver bullet that can stop all data breaches. It is a best practice that can improve the overall security posture of an organisation and demonstrate its commitment to information security. But it also requires continuous monitoring, improvement and adaptation to changing threats and environments. 

6. “ISO 27001 Implementation Makes You GDPR Compliant.” 

If your business handles personal data of EU citizens, you should have heard of the General Data Protection Regulation (GDPR). While ISO 27001 can help you meet some of the requirements of GDPR, such as ensuring data confidentiality, integrity, and availability, it does not cover all of them. 

For example, ISO 27001 does not address the specific rights of data subjects, such as the right to access, rectify or erase their data. Nor does it specify how to handle data breaches, data protection impact assessments, or data protection officers. 

Therefore, ISO 27001 implementation alone is not enough to make you GDPR compliant. However, ISO 27001 can be a useful tool to support your GDPR compliance efforts, as it provides a framework for establishing and maintaining a robust information security management system that can reduce the risks of data breaches and violations. 

If you'd like to learn more about ISO 27001, watch our webinar On-Demand:  ISO 27001 Changes - What We've Learned from the 2022 Update.


Daniel Ityokyaa

Senior Cyber Security Consultant