ISO 27001 Readiness: What to Fix Before You Start
Compliance March 2026 6 min read

ISO 27001 is not difficult once you understand what it actually tests. The challenge is that most businesses only discover what it tests once they are already in the middle of it.

Key Takeaways
  1. The most common ISO 27001 failures are not caused by the standard's complexity — they are caused by inadequate preparation
  2. Scope, ownership, evidence discipline, and risk management are the four areas that determine programme pace
  3. Treating certification as a formalisation of existing practice moves significantly faster than building from scratch

ISO 27001 has a reputation for being slower and more expensive than expected. That reputation is deserved — but the reasons are more specific than most businesses realise, and more preventable.

The standard sets out a framework for establishing, implementing, maintaining, and continually improving an information security management system. The certification process involves an external audit that assesses whether the framework is genuinely embedded in how the organisation operates, not just documented.

That word — genuinely — is where most programmes run into trouble.

Auditors are experienced at distinguishing between organisations that have created documentation to describe an ISMS and organisations that are operating one. The difference is visible in evidence, in the consistency between policy and practice, and in the maturity of the risk management processes that underpin everything else. When that difference is significant, the audit fails or requires substantial remediation. When it is not, certification is manageable.

Readiness, in this context, is about closing that gap before the programme starts rather than discovering it during the audit.

Scope: the first and most consequential decision

Scope definition is the most important and most frequently mishandled step in an ISO 27001 programme.

The scope defines what is included in the ISMS — which systems, processes, data types, and locations fall within the boundary of the certification. This decision has direct consequences for how complex the programme is, how much evidence is required, and how long the certification journey takes.

The most common scoping mistake is making it too broad at the start. Organisations default to a comprehensive scope — “all IT systems and processes within the business” — without considering whether that breadth is actually necessary for the commercial purpose the certification is meant to serve.

In practice, many organisations can achieve the certification they need with a focused scope: the systems and processes involved in a specific service line, a specific data type, or a specific set of client-facing activities. A focused scope that is genuinely operationalised is worth more, commercially and reputationally, than a broad scope that is partially evidenced.

The second scoping mistake is leaving it ambiguous. Ambiguous scope creates scope creep, disagreements about what falls inside the audit boundary, and inconsistent evidence gathering. Resolving scope ambiguity late in a programme is disproportionately expensive.

Ownership: the accountability gap that stalls most programmes

ISO 27001 is not a project that can be owned collectively. It requires clear individual accountability at multiple levels — for the programme itself, for specific controls, for the risk management process, and for the ongoing operation of the ISMS after certification.

In many organisations, this is not established clearly before the programme starts. The result is that tasks move slowly, evidence is gathered inconsistently, and decisions about how to address identified gaps get stuck waiting for someone to make a call.

The most visible symptom is a programme that looks active but makes slow progress. Workstreams are underway. Documents are being drafted. Meetings are happening. But the controls are not operating consistently, the evidence is not compelling, and the programme is not ready for audit despite the apparent activity.

This is almost always a leadership and accountability problem. The fix is rarely more activity. It is more specific ownership: named individuals responsible for specific controls, a clear programme owner with authority to resolve decisions, and visible senior sponsorship that signals to the rest of the organisation that this is a genuine priority.

Evidence: the gap between how things are described and how they are done

This is the area that surprises most businesses when they first engage with the ISO 27001 audit process.

The standard requires evidence that controls are operating, not just that they have been defined. A policy document describing how access management works is not sufficient. The auditor will want to see evidence that the described process is what actually happens — access request records, review logs, joiners and leavers processes being consistently followed.

Many organisations discover during their first audit preparation that their documented processes and their operating practices have diverged significantly. The policy says one thing. The reality is something slightly different. Sometimes a lot different.

This gap creates remediation work that could have been avoided with earlier assessment. Understanding where documentation-to-practice alignment is weak — and closing those gaps before the audit rather than after — is one of the highest-value activities in the readiness phase.

Risk management: the foundation that everything else depends on

ISO 27001 is built on a risk-based philosophy. The controls implemented should be proportionate to the risks identified, and the risk identification and assessment process should be systematic, documented, and regularly reviewed.

For organisations that already maintain a structured approach to information security risk — even informally — this piece of the programme is manageable. For organisations that are starting from scratch, it is one of the most significant investments of time and thought in the entire programme.

The risk assessment process cannot be rushed without compromising the quality of everything that follows. If risks are not properly identified, the controls selected will not be appropriate. If they are not properly assessed, the prioritisation of remediation activity will be wrong. If they are not documented in a way that withstands audit scrutiny, the certification will be at risk.

Organisations that invest in getting the risk process right early — even if it takes longer than expected — find that the rest of the programme moves more cleanly as a result.

What the fastest programmes have in common

The ISO 27001 certifications we have seen delivered in six months or fewer share a consistent profile. The scope was defined early and defended clearly. Individual accountability was established before significant work began. The gap between documented process and operating practice was narrow — because the organisation had maintained reasonable security discipline before the programme started. Risk management was treated as a thinking exercise, not a template-filling exercise.

The programmes that take 18 months or longer are also recognisable. They started with a broad scope and discovered partway through that it needed to be tightened. Ownership was diffuse, and decisions accumulated in a backlog. Evidence gathering revealed significant gaps between policy and practice. Risk management was left late and done quickly.

The trajectory of a programme is largely set in the first six to eight weeks. The decisions made in that period about scope, ownership, and evidence discipline determine whether the organisation will arrive at the audit well prepared or in remediation mode.
