7 Common Misconceptions About ISO 27001

In our previous blogs, we outlined what ISO 27001 is and what the ISO 27001 controls are. However, a number of misconceptions about ISO 27001 prevent businesses from getting certified.

We have created the following list to clear up a few of these misconceptions and simplify what the standard strives to achieve for your organization.

ISO 27001 is just the responsibility of your IT department

ISO 27001 is not just a standard upheld by your IT department. It involves your entire business, and it is the responsibility of every department that processes information.

Although IT security measures like firewalls and antivirus play an important role in safeguarding your company from data breaches, the ISO 27001 standard equally helps departments such as HR onboard and offboard employees safely, or helps your facility managers secure the premises of your organization, including controlling visitor access.

Setting up an ISMS is complicated 

This is a common misconception amongst organizations: the complicated name may give you the impression that a non-technical individual would struggle to understand how to set up an Information Security Management System (ISMS).

However, one of the main objectives of the ISO 27001 standard is to simplify and break down the process for every individual in your organization, providing detailed guidelines and steps throughout your information security journey.

The ISO 27001 standard is a rigid framework

Another common misunderstanding about the standard is that it is extremely prescriptive when it comes to setting up an ISMS. The opposite is true: ISO 27001 simply sets out the outcomes expected, and it is up to the organization's discretion how it goes about achieving those outcomes.

For example, look at Annex A.7 Human Resource Security, where the objective is to make sure that employees and contractors understand their responsibilities. The standard doesn't force an organization to educate and train its employees in a particular way; the outcome is simply stated, and your organization is free to reach that outcome however it chooses.

Organizations are forced to implement all 14 Controls of ISO 27001

ISO 27001 includes 14 controls, but organizations are not required to implement every single one of them. These controls are a list of options that you may choose to implement according to the requirements of your organization. A risk assessment and a gap analysis are the two procedures that assist an organization in identifying possible risks and prescribing the controls that will help mitigate them.

ISO 27001 isn’t worth the time, money, and overall effort of your organization 

Many organizations may look at the standard and decide that it isn't worth the time, money, and overall effort. According to a report carried out by IBM in 2020, the estimated cost of a data breach was AU $3.35 million per breach, a 9.8% increase from 2019. In 2020 it was also found that the cost of a lost or stolen record was 163 dollars, an increase of 3.8%. 80% of these incidents in 2020 resulted in the exposure of customer personally identifiable information (PII). Apart from the monetary costs, it takes organizations a huge amount of time to identify and contain a breach: 211 days on average for businesses without proper information security standards.

Looking at these statistics, it is irrefutable that information security needs to be taken seriously by every organization, regardless of its size. ISO 27001 can bring your ISMS up to a globally accepted standard.

Security breaches are unlikely to happen to my business

Many leaders globally repeat the statement, 'it is not a matter of if I will get attacked, it is a matter of when I will get attacked'. Cyber crime is at an all-time high, and criminals don't discriminate based on size, industry or geography. According to a report created by the Office of the Australian Information Commissioner (OAIC), 1051 organizations reported security breaches in the year 2020 alone. Security breaches, whether due to human error or malicious acts by cybercriminals, are an increasingly prevalent threat for businesses from small to large. However safe you may feel your organization is, there is a high risk that it may experience a security breach, so it is important to be well equipped when it happens. An ISMS accredited by ISO 27001 can help you achieve this.

ISO 27001 accreditation will make my business invincible to cyber attacks

Even though the ISO 27001 standard may provide your organization with a long list of benefits, making your business breach-proof is unfortunately not one of them. Although the ISO 27001 standard doesn't prevent breaches altogether, it does an excellent job of equipping your organization with the tools to better defend itself in the event of a cyber attack.

To summarise, getting ISO accredited does involve significant effort and resources from your organization. However, with the steady rise in cyber attacks, taking information security seriously needs to be a priority for your organization, and the benefits of the ISO 27001 standard outweigh its drawbacks.

Is your business looking to align systems and processes to achieve the ISO 27001 certification? The team at StickmanCyber can help with ISO 27001 assessment and implementation and get you aligned with the gold standard of information security management.
