Avoiding common pitfalls
Learn from others' mistakes and keep your ISO 27001 project on track.
You've started your ISO 27001 journey and want to avoid falling into known traps. This article helps you recognize and solve the biggest mistakes before they slow down your project.
Pitfall 1 (the biggest misconception): ISO 27001 tests our systems
The problem: Many companies think ISO 27001 is a technical test of their IT systems and software. They focus exclusively on firewalls, antivirus programs and password complexity.
Why this is wrong: ISO 27001 is a management standard, not a penetration test. It's about how you organize information security, not whether your systems can be hacked.
Warning signs:
- Your IT department thinks they're solely responsible
- Management says "this is something for the techies"
- You focus only on technical security measures
- You expect auditors to hack your systems
Practical solution: Involve the entire business:
- Management must be actively involved (not just provide budget)
- HR plays a role in personnel policy and awareness training
- Legal helps with contracts and privacy legislation
- Operations handles physical security and emergency plans
Concrete management tasks:
- Establish an information security policy
- Allocate budget and time to security
- Discuss security risks in management meetings
- Participate in the annual management review
How Tidal helps:
- Information security policy template to complete and approve
- Budget and time process in the "Information Security Objectives" document
- Management review template makes board meetings effective
- Roles and responsibilities: read them in the corresponding policy document and appoint the people who fill them
Pitfall 2: Expecting ISO 27001 to prescribe everything
The problem: Teams look for an exact checklist: "Tell us precisely what we need to do." They treat Annex A as a mandatory shopping list.
Why this doesn't work: ISO 27001 provides a framework, not a cookbook. Each organization must choose measures that fit their specific risks.
Warning signs:
- You implement all 93 controls "to be safe"
- You copy measures from other companies without thinking
- Team asks "but what exactly should we do?"
Practical solution: Start with your own risks:
- What would cause real damage in your business?
- Which information is critical for your business?
- Where are your biggest vulnerabilities?
Example risk-driven approach:
- Consultancy: Laptop stolen → encryption + remote wipe policy
- Webshop: Payment data leaked → PCI-DSS compliance + monitoring
- SaaS company: Database misconfiguration → access control + change management
How Tidal helps:
- Business context wizard helps you clarify where your risks lie (and where they don't!)
- Guided risk assessment helps you identify specific threats
- Controls are already mapped to risks, so you don't have to determine this yourself
- Implementation instructions are already added to most controls
- Gap analysis shows where you really need to take action
Rule of thumb: If you can't tell a story about why a measure is important for your business, don't implement it.
Pitfall 3: Defining scope too broadly or unclearly (especially for larger organizations)
The problem: "We'll certify everything, then we're sure to be good." This leads to unmanageable complexity and high costs.
Why this causes problems:
- Many more audit days and thus costs
- Complex risk analysis with many irrelevant matters
- Difficult maintenance because everything must be monitored
Warning signs:
- Your scope document is longer than 2 pages
- You include systems "to be safe"
- Audit quote is higher than expected
Practical solution: Focus on business-critical information:
- Which systems contain customer data?
- Where are your most important business processes?
- What would cause real damage in an incident?
Example of good scope definition: "Development, hosting and support of our SaaS application, including customer data and source code. Excluding: office network, HR systems, financial administration."
How Tidal helps:
- Scope support helps you make the right choices step by step
- Business impact analysis (BIA) shows which assets are truly critical
- Risk and asset linking helps you determine which measures you need to take per IT asset
Changing scope after certification costs extra audit days. Better to start narrow and expand later.
Pitfall 4: Documentation only for the auditor
The problem: Teams think: "We write this down so the auditor is satisfied." Documents are put in a folder and forgotten.
Why this is counterproductive: Documentation should help you work better, not appease auditors. If you don't use your documents, you can't see if your measures work.
Warning signs:
- Procedures that nobody knows or follows
- Documents that haven't been updated since the audit
- "We do it differently than described, but what we do is correct"
Practical solution: Document how you really work:
- Start by observing what teams currently do
- Only write down what you actually want to enforce
- Make procedures as simple as possible
- Test whether new employees can follow the procedure
Example of good vs. bad documentation:
Bad: "Incident response procedure: 47 steps, 12 pages"
Good: "For a security incident: 1) Isolate the system, 2) Call the CISO (mobile number), 3) Document in Tidal"
How Tidal helps:
- Policy templates that also concretely describe how to best implement measures
- Tidal AI support can help you find inconsistencies between documentation and evidence
- Automatic reminders for periodic tasks
Pitfall 5: More documentation = better compliance
The problem: "If we document everything extensively, we're sure to be compliant." This leads to 200-page policy documents that nobody reads.
Why this backfires: Too much documentation causes:
- Procedures that are too complex to follow
- Maintenance that costs more time than it's worth
- Employees who give up and ignore procedures
Warning signs:
- Your policy document is longer than 20 pages
- New employees ask "do I really have to read all this?"
- Updates cost more than a workday per document
Practical solution: Focus on workable documents:
- One to three pages per procedure as a rule of thumb
- Bullet points instead of complete sentences
- Visual aids like flowcharts
- Concrete examples instead of abstract rules
Example of streamlined policy:
Instead of: "Password policy: minimum 12 characters, uppercase, lowercase, numbers, special characters, don't reuse last 24 passwords..."
Use: "Passwords: use long passwords, a password manager (1Password, Bitwarden), and two-factor authentication for all critical IT systems."
How Tidal helps:
- Template library with proven short procedures
- Consistent formatting keeps documents organized
- Automatic version control prevents documentation chaos
- Review workflows ensure documents stay current
Pitfall 6: ISO 27001 as annual paperwork exercise
The problem: "We're certified, now we just need to update documentation annually for the surveillance audit."
Why this threatens certification: ISO 27001 requires continuous improvement. Auditors want to see you actively working on security, not just updating papers.
Warning signs:
- Months without attention to information security
- Risk assessment only updated before audit
- Incident response plan is never tested
- Security training exists only on paper
Practical solution: Build in rhythm and monitoring:
- Monthly compliance check (30 minutes in Tidal)
- Quarterly meetings about security incidents and trends
- Annual risk assessment review
- Continuous monitoring of critical systems
Concrete activities per quarter:
- Q1: Update risk assessment, plan security training
- Q2: Fix failing automated tests and work on the IT security setup
- Q3: Review access rights, monitor progress of security awareness program
- Q4: Internal audit and management review, planning for next year
How Tidal helps:
- Automatic monitoring of technical measures
- Compliance dashboard shows real-time status
- Periodic tasks ensure you don't forget anything
- Trend analysis helps you identify improvement points
Pitfall 7: Overloading team without buy-in
The problem: ISO 27001 becomes one person's project while the rest of the team watches. When implementation is finished, nobody else knows how it works.
Warning signs:
- Project leader does everything themselves "because it's faster"
- Team says "this isn't my responsibility"
- Everything stops when the project leader is absent
Practical solution: Distribute responsibilities and knowledge:
- IT manager: Technical measures and monitoring
- HR manager: Personnel policy and awareness training
- Operations: Physical security and incident response
- Management: Policy and strategic direction
Concrete involvement:
- Let each team member 'own' one control domain
- Plan a short monthly update meeting
- Document in Tidal who is responsible for what
- Train backup people for critical roles
How Tidal helps:
- Role-based access ensures everyone sees their part
- Task assignments with clear responsibilities
- Collaboration features like @mentions to promote communication between team members
Signs your project is going the wrong way
Recognizing warning signs
Scope creep:
- More and more systems are added "to be safe"
- Audit scope estimate grows from 3 to 6 days
- Team asks "should we include this too?"
Process paralysis:
- More than 2 weeks discussion about one procedure
- Documents get version 0.8, 0.9, 0.95...
- "We need to make this perfect before we continue"
Implementation fatigue:
- Meetings are postponed "due to busy schedule"
- Deadlines are repeatedly postponed
- Team says "this takes much longer than promised"
Recovery strategies
For scope creep:
- Stop and redefine what's really business critical
- Make a "phase 2" list for expansions later
- Calculate impact of current scope on time and budget
For process paralysis:
- Set hard deadlines for document approval
- "Good enough is perfect" - version 1.0 may be imperfect
- Implement first, optimize later
For implementation fatigue:
- Remind the team of the business value: why are we doing this?
- Celebrate small wins, such as completed milestones
- Get external help if the team gets stuck
Tidal support for problems:
- Expert consultation when you get stuck
- Project health check with concrete improvement points
- Accelerated implementation with proven shortcuts
Still stuck?
Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.
Gather support info: Note exactly where you're stuck, which steps you've already tried, and what your next deadline is. This significantly speeds up the solution.
Prevention is better than cure
The 3 most important success factors:
- Management commitment - Not just budget, but also time and attention
- Realistic planning - Divide the project into goals you can achieve per week
- Practical approach - Implement what works, not what's perfect
Next step: With these pitfalls in mind, you can confidently continue with your implementation. For detailed guidance on specific topics, see the ISO 27001 reference guide.
Maintain project momentum: As soon as your team recognizes a pitfall, address it within a week. Small problems quickly become big delays.