There are numerous challenges in the course of ISO 27001 implementations, so we believe it is important to highlight those that we consultants hear most frequently as justification for delays and other impediments.
There is a phrase I would highlight that is often heard in the consulting process:
"I have more important things to do."
To remedy this situation, or at least to keep this mindset from directly impacting the progress of the implementation, we need to define from the beginning who will be allocated to the implementation team, that is, to select those responsible for the success of the project and of the Information Security Management System in general. We try to involve all top management members, so that they highlight the importance and criticality of this system and its processes within the organization and, above all, of maintaining information security.
"Why do we need to worry about this?"
The reasoning of many employees, often in roles relevant to the implementation of the service, rests on the assumption "this doesn't happen to us", referring to the cyber-attacks that are all over the news.
Our work as information security consultants requires us to change this mindset, since any organization can suffer an attack for which it is not prepared, and the security system and processes do not guarantee 100% protection. It is essential to understand that following the information security requirements and criteria allows us to close many "doors", making it as difficult as possible for attackers to get in and ensuring the protection of the company. To this end, we make it one of our main goals to teach the security processes implemented under ISO 27001 to all employees of each organization to which we provide our consulting services.
Our methodology has proven to be clear and efficient: we run training and information security awareness sessions, simulate incidents to check whether participants follow the defined processes, work on risk assessment, and implement mitigation measures for the risks identified.