Biggest Challenges to Implementing ISO 27001

Written by Nicky Whiting
Director of Consultancy
12/05/2022

In today’s world, where information security is fundamental to protecting a business’s systems, network and data, compliance with ISO 27001 is crucial. ISO 27001 is an internationally recognised set of standards that helps organisations manage their information security by establishing, implementing, and maintaining an information security management system (ISMS). The aim of an ISO 27001 certification is for businesses to demonstrate that their ISMS aligns with security best practices, which in turn helps to protect personal data, improve security posture, and reinforce reputation with customers, partners, and the supply chain network.

We have seen a growing trend of our customers seeking help with ISO 27001 implementation due to customer pressures. Supply chain security is a key factor in businesses pursuing ISO 27001 implementation, with up to 40% of cyber threats occurring indirectly through the supply chain. While the journey to ISO 27001 compliance is a step in the right direction, implementing ISO 27001 is not without its challenges.

The process of ensuring your ISMS meets the international standard takes time, resources, expertise, and a long-term outlook from all parties involved within the organisation. While there are undoubtedly obstacles along the way, this blog will help you identify the key challenges of implementing ISO 27001 and how to overcome them, so you can consider the best way to navigate the process before and during your ISMS implementation.

Internal resources

If you are at the stage of implementing the ISMS within your business, you are already aware of the numerous benefits that ISO 27001 certification will bring to your organisation, such as helping to drive new business opportunities, enriching your business’s security culture, and supporting the protection of personal data. However, this doesn’t make the scope of the project any less daunting.

Lack of internal resources, such as time and expertise, is one of the main reasons for project delays when building an effective information security management system. It is the responsibility of senior management to make sure suitable resources are available. Here’s how you can prepare to execute an ISMS successfully within your business to combat these barriers to implementation:

  • Hiring a project lead

    For your ISO 27001 certification, you will need a project leader who has extensive knowledge and experience of implementing ISO 27001 and the ability to lead a variety of stakeholders. It is beneficial for the project lead to understand the business and hold an objective outlook on its current processes and practices. This will give you a greater chance of achieving ISO 27001 certification and support the success of your information security programme.

    A vCISO is the ideal candidate to lead your ISO 27001 project. A virtual chief information security officer (vCISO) is an outsourced security expert who can help your business develop and manage security strategies to improve your business’s security posture.

    Using their expertise of information security and knowledge of the requirements for ISMS implementation, virtual CISOs can deliver better management of ISO 27001 and help prepare organisations for audits and recertification. Furthermore, you can ensure your internal team has access to information and insight from the vCISO when needed, reducing delays and stress on your existing workforce.

  • Working with your team

    To successfully implement ISO 27001, you need to work as a team and ensure your employees understand the importance of information security. Everyone in your business has a part to play to successfully achieve certification. Involvement from departments across the business is required to understand what input is required from them and to help employees keep track of the project.

    By sharing the responsibility of ISO 27001 implementation across the business and enriching your security culture, your business can ensure employees across all departments take on the responsibility of ISO 27001, embedding information security and compliance processes and procedures into everyday working practices.

  • Hiring internally

    If outsourcing a vCISO isn’t an option, many companies will look at organisational restructuring to allow for ISMS project management in readiness for ISO 27001 certification. Here, the advantage is that not only can staff pivot within the company and upskill in their roles, but the core project team will already be aware of pressures within your business that may cause blocks in the road on the journey towards ISO 27001 compliance.

Stakeholder buy-in

ISO 27001 is a top-down approach that requires the board to be totally committed to supporting its implementation. With board-level buy-in and collaboration from senior stakeholders, your business can take a holistic approach towards implementing an ISMS with a better chance of success. Without board-level buy-in, the project is doomed to fail as achieving compliance will require changes to existing working practices throughout the organisation and involvement from all departments, particularly from IT, HR, Sales, Procurement, and the Finance team.

Having said that, big organisational changes can produce tensions if they are mismanaged. To help things run smoothly and lead your organisation through uncharted territory, we recommend the following:

  • Project management

    One mistake that many companies make is appointing the head of IT to run the implementation. ISO 27001 is an information security standard, and while it recognises the importance of IT, its goal is to maintain the security of information by enriching security practices across the organisation. Therefore, project management should be assigned to someone with prior experience of implementing the standard, such as a vCISO, to ensure ISO 27001 controls are successfully met.

  • Project planning

    It’s easy to feel frustrated when there’s no end in sight to a project that’s time consuming. Without proper planning, you’ll find that your ISMS takes far longer to implement than it would with a well-structured project plan.

    When executing an ISMS, the project plan needs to be realistic with an achievable timescale. Good project planning should build in contingency plans and set expectations of what the timeline is for ISMS implementation. Stakeholders will also quickly grow frustrated if postponements and lack of timekeeping interfere with the smooth running of the business.

    Often, timelines are driven by the need to have ISO 27001 certification within a specific timeframe, for example to satisfy a tender or contract. If this is the case, outsourcing your ISO 27001 project will ensure you save time and have the necessary resources available to implement an ISMS and achieve certification within the required time.

  • Education, education, education

    Your employees may be confused about the necessity of this labour-intensive project if you haven’t educated them on the importance of information security, and the benefits that the business will see from achieving certification. Lack of knowledge will create inevitable pushback when the project requirements interfere with their workloads.

    That’s why it’s essential to fully communicate the necessity of ISO 27001 certification – explain why your organisation is going through the process, why your employees are fundamental to the project and what they can expect in terms of disruptions and contributions. Having their buy-in will ensure everyone is working towards a common goal, rather than resisting it.

  • Regular roundups

    Clear, continuous communication is essential for ensuring everyone is updated with the project. This provides a platform for questions, raising any issues that might be causing delays, and ensuring employees are aware of any resulting changes to the business as part of the implementation.


In summary

ISO 27001 implementation can be complex for businesses that don’t understand the project or how to successfully implement an ISMS to achieve certification. However, with the support of ISO 27001 experts, astute project planning and collaboration between employees, implementation can be a lot less daunting for businesses.

The challenges we’ve outlined in this blog can be overcome by understanding your existing security environment and the importance of ISO 27001 (remember, it’s not a tick-box exercise!). Maximising internal resources such as upskilling employees, applying security training, and understanding how the implementation and management of an ISMS can help to instil a security culture, will ensure your business benefits from greater cyber resilience in the future.

Let us help you implement ISO 27001

At Bulletproof, we have the expertise your organisation needs to successfully implement ISO 27001. We may need to start with a Gap Analysis to identify which areas of your information security need to be improved and create a tailored implementation plan to deliver the most cost-effective compliance possible.
