Common ISO/IEC 27001 Pitfalls and How to Avoid Them

By Megan Turner, Technical Specialist of Information Security, NSF-ISR

With cyberattacks at an all-time high, it’s necessary for businesses to implement cybersecurity programs and practices. However, many companies either do not know how to improve their information security or their information security teams are overburdened by heavy workloads and pressures placed on their roles in recent years. On average, security teams are responsible for over 830,000 potential security risks (WRAL TechWire), which requires meticulous attention to ensure the risks do not result in a breach. This comes as over 340 million people have been affected by data breaches in 2023 (IT World Canada News), and over 560,000 new pieces of malware are detected every day (

With such a high volume of risks, companies understand they need to ramp up cybersecurity to protect their data, and many seek certification to ISO/IEC 27001, the international standard for information security management systems, to help do that. Current conditions leave companies no time to waste in improving their cybersecurity.

Analysis performed by NSF-ISR on ISO/IEC 27001 audits reveals several areas of the standard where businesses seeking certification commonly falter, in particular the Operations Security, Access Control, and Supplier Relationships sections. (These are Annex A control domains of ISO/IEC 27001:2013; the 2022 revision regroups the same controls under four themes, so organizations certifying against the newer edition should map the control numbers accordingly.) These common gaps are crucial points in a company's cybersecurity practice for keeping data secure. There are strategies organizations can implement that not only strengthen their information security but also help them meet the requirements of the ISO/IEC 27001 standard.

Operations Security

Of the non-conformities NSF-ISR identifies in ISO/IEC 27001 audits, 16% fall in the Operations Security section. The overarching purpose of the Operations Security domain is to establish controls that secure the operation of an organization's systems, protecting the confidentiality, integrity, and availability of the information they hold.

Change management is the specific control within Operations Security where the most non-conformities are identified. This control governs changes that affect information security, such as implementing a system enhancement, resolving software bugs, and making network modifications or updates. When implementing change management, establish a policy that defines what constitutes a change, what the procedure for implementing a change is, and who is responsible at each step of the process. As part of that process, each change should go through a risk assessment to identify any vulnerabilities it could introduce, should be tested before it is deployed, and should have a rollback path in case it fails in production. Keep the records: an auditor will ask to see the change ticket with its approval, risk assessment, and test results, and for emergency changes the retrospective review. A strong change management process not only helps your organization meet the requirements of ISO/IEC 27001 but also significantly reduces risk and improves the reliability of your systems.

Another area of Operations Security where cybersecurity gaps exist is the management of technical vulnerabilities. Technical vulnerabilities are like unlocked doors in a physical environment: easy entry points for cyber criminals to gain access to a company's systems or infrastructure. To protect company information, a strong vulnerability management process is essential. To build one, take inventory of the company's assets (including the software and versions they run), subscribe to vendor advisories and vulnerability feeds so that new vulnerabilities affecting those assets are noticed, define a process for assessing the risk each identified vulnerability poses in the context of the affected asset, and apply appropriate controls to mitigate that risk within a timescale that matches its severity and exposure.

Vulnerability management also includes keeping unsupported (end-of-life) software out of the estate and educating employees about why: software that is no longer supported receives no security fixes, so every vulnerability found in it stays open. Companies can mitigate this risk by requiring the use of supported versions and treating any unsupported installation as a finding in its own right. When a company's personnel know and understand vulnerability risks and what it takes to keep information secure, the organization becomes safer and less prone to breaches.
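The steps above (inventory, vulnerability intelligence, risk assessment, prioritized mitigation, and flagging unsupported versions) fit together as one small triage routine. The following is an added example, not code from NSF-ISR or from the article: the asset names, software names, vulnerability identifiers (SAMPLE-000x) and support policy are all constructed sample data, not real products or real CVE entries, and the scoring (CVSS weighted by asset criticality, with a 1.5x multiplier for internet-facing assets and unsupported versions treated as maximum severity) is an assumed policy, not a prescription from the standard.

```python
"""Vulnerability triage in miniature: inventory -> match against a feed -> rank by risk.

Added illustration. All asset, vulnerability and support-policy records below are
constructed sample data, not real software or real CVE entries.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    version: str
    criticality: int       # 1 (low) .. 5 (critical), assigned by the asset owner
    internet_facing: bool  # exposure multiplies the risk score below


@dataclass(frozen=True)
class Vulnerability:
    ident: str             # constructed identifier, not a real CVE
    software: str
    fixed_in: str          # versions strictly below this are affected
    cvss: float


@dataclass(frozen=True)
class SupportPolicy:
    software: str
    min_supported: str     # anything below this is end-of-life: no more security fixes


@dataclass(frozen=True)
class Finding:
    asset: str
    ident: str             # vulnerability id, or "UNSUPPORTED-VERSION"
    score: float


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); tuple ordering gives a correct numeric comparison."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, vuln: Vulnerability) -> bool:
    return (asset.software == vuln.software
            and parse_version(asset.version) < parse_version(vuln.fixed_in))


def is_unsupported(asset: Asset, policies: List[SupportPolicy]) -> bool:
    return any(p.software == asset.software
               and parse_version(asset.version) < parse_version(p.min_supported)
               for p in policies)


def risk_score(asset: Asset, severity: float) -> float:
    """Severity (CVSS-style, 0-10) weighted by business criticality and exposure.

    Assumed policy for this example: internet-facing assets are weighted 1.5x.
    """
    score = severity * asset.criticality
    if asset.internet_facing:
        score *= 1.5
    return round(score, 2)


def triage(assets: List[Asset], vulns: List[Vulnerability],
           policies: List[SupportPolicy]) -> List[Finding]:
    """Return every finding for the inventory, highest risk first."""
    findings: List[Finding] = []
    for asset in assets:
        if is_unsupported(asset, policies):
            # No vendor fix will ever arrive, so the gap is treated as maximum severity.
            findings.append(Finding(asset.name, "UNSUPPORTED-VERSION", risk_score(asset, 10.0)))
        for vuln in vulns:
            if is_affected(asset, vuln):
                findings.append(Finding(asset.name, vuln.ident, risk_score(asset, vuln.cvss)))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample inventory, vulnerability feed and support policy.
ASSETS = [
    Asset("web-01", "exampleweb", "2.4.1", criticality=4, internet_facing=True),
    Asset("db-01", "exampledb", "10.3", criticality=5, internet_facing=False),
    Asset("build-02", "exampleweb", "2.6.0", criticality=2, internet_facing=False),
    Asset("legacy-03", "exampleweb", "1.9.8", criticality=3, internet_facing=True),
]
VULNS = [
    Vulnerability("SAMPLE-0001", "exampleweb", fixed_in="2.5.0", cvss=9.8),
    Vulnerability("SAMPLE-0002", "exampledb", fixed_in="10.4", cvss=7.5),
    Vulnerability("SAMPLE-0003", "exampleweb", fixed_in="2.7.0", cvss=5.3),
]
POLICIES = [
    SupportPolicy("exampleweb", min_supported="2.0.0"),
    SupportPolicy("exampledb", min_supported="10.0"),
]

if __name__ == "__main__":
    for f in triage(ASSETS, VULNS, POLICIES):
        print(f"{f.score:6.2f}  {f.asset:10s}  {f.ident}")
```

Run as-is, the ranking puts the internet-facing web server's critical-severity finding first and the end-of-life host's unsupported version second, ahead of several higher-CVSS but lower-exposure items; that ordering, not the raw CVSS list, is what a remediation plan should be driven by. In a real deployment the inventory comes from a CMDB or agent, the feed from vendor advisories or a vulnerability database, and the fixed-version comparison must respect each product's own versioning scheme rather than the simple dotted-integer parser used here.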

Access Control

Preventing unauthorized access to information systems is the general purpose of ISO/IEC 27001's Access Control domain. You would not allow your neighbor to view your personal bank statements or have access to your passwords, would you? Of course not. Visibility and access to an organization's information, such as financial accounts, proprietary product information, or legal records, should be treated with the same care. Yet NSF-ISR reports that 15% of non-conformities fall under Access Control.

For the same reason that locks should be changed when new owners move into a house, access rights should also be changed when an employee moves into a different role within an organization, or their employment is terminated. Review of user access rights is the specific control within the Access Control domain where the most non-conformities have been identified.

When looking to enhance the process for reviewing access rights, companies may consider implementing tools that help identify anomalies such as excessive employee access or dormant accounts. The review should be periodic, should compare each account's actual entitlements against what its current role requires, and should itself be recorded (who reviewed what, and which rights were removed), because that record is the evidence an auditor asks for. Through this review process, companies may discover that essential updates to employee access rights are needed, which in turn gives valuable insight into continual improvement opportunities within the management system. For example, companies may uncover that employees who have moved into different roles still have access from a previous role, showing that the process following a role change needs to be improved.
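An access review of the kind described above can be automated against exports from the HR system and the identity provider. The following is an added example, not code from NSF-ISR or from the article: the role baseline (which entitlements each role is expected to hold), the account records, and the 90-day dormancy threshold are all constructed assumptions for illustration. It reports three things the paragraph names: leavers who still hold entitlements, dormant accounts, and access left over from a previous role.

```python
"""Periodic user-access review: leavers still entitled, dormant accounts, and access
left over from a previous role.

Added illustration. The role baseline and the account records are constructed
sample data; the 90-day dormancy threshold is an assumed policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed baseline: the entitlements each role is expected to hold (constructed).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "engineer": {"vpn", "git-rw", "staging-admin"},
    "support": {"vpn", "ticketing", "customer-db-ro"},
    "finance": {"vpn", "erp-ap", "bank-portal"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str                    # current role from HR; empty string for leavers
    employed: bool               # HR record says the person is still employed
    last_login: Optional[date]   # None means the account has never been used
    entitlements: FrozenSet[str]


@dataclass
class Finding:
    user: str
    kind: str                    # "leaver-still-entitled" | "dormant" | "excess-for-role"
    detail: List[str]            # the entitlements the finding is about


def review_access(accounts: List[Account], today: date,
                  dormant_days: int = 90) -> List[Finding]:
    """Compare each account against HR status, usage, and its role baseline."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.employed:
            # Leaver process failed: the account should have been fully deprovisioned.
            if acct.entitlements:
                findings.append(Finding(acct.user, "leaver-still-entitled",
                                        sorted(acct.entitlements)))
            continue
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.user, "dormant", sorted(acct.entitlements)))
        excess = acct.entitlements - ROLE_BASELINE.get(acct.role, set())
        if excess:
            # Typical residue of a role change where the old role's rights were never removed.
            findings.append(Finding(acct.user, "excess-for-role", sorted(excess)))
    return findings


TODAY = date(2024, 6, 1)  # fixed so the example is reproducible

# Constructed sample accounts (not real people or systems).
ACCOUNTS = [
    Account("alice", "engineer", True, TODAY - timedelta(days=3),
            frozenset({"vpn", "git-rw", "staging-admin"})),
    # bob moved from engineering to support; his old engineering rights were kept.
    Account("bob", "support", True, TODAY - timedelta(days=10),
            frozenset({"vpn", "ticketing", "customer-db-ro", "git-rw", "staging-admin"})),
    Account("carol", "finance", True, TODAY - timedelta(days=120),
            frozenset({"vpn", "erp-ap"})),
    # dave left the company but the account was never disabled.
    Account("dave", "", False, TODAY - timedelta(days=200),
            frozenset({"vpn", "erp-ap", "bank-portal"})),
    Account("erin", "engineer", True, None, frozenset({"vpn"})),
]

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, TODAY):
        print(f"{f.user:6s} {f.kind:22s} {', '.join(f.detail)}")
```

The report is the input to the review, not its conclusion: each finding still needs a decision by the manager or system owner (remove, keep with justification, or disable), and that decision should be logged alongside the finding so the review leaves a trail. The baseline map is the part that takes the most effort to keep accurate in practice, and a baseline that is never updated will generate noise that reviewers learn to ignore.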

Supplier Relationships

Supplier Relationships is the third most common area where NSF-ISR identifies non-conformities, accounting for 13% of them. When a company relies on a third-party partner, it needs to manage that relationship effectively to minimize security risk. One of the most common gaps identified is a lack of evidence that ongoing supplier monitoring is occurring: the process of managing supplier relationships extends beyond assessing supplier risk during procurement, and regular monitoring afterwards is equally important. One way to implement this control is a vendor performance scorecard with metrics and key performance indicators (KPIs) for assessing supplier compliance. The scorecard can also record the supplier's security assessment reports (and their dates, so that stale evidence is visible) and flag contractual agreements due for review at regularly scheduled meetings. Having this method in place gives companies the insight to quickly address any deficiencies or non-compliance, and the completed scorecards are themselves the evidence of monitoring that auditors look for.

Additionally, it is necessary to have a plan in place for supplier changes so that security is maintained throughout the transition. This planning should be done before a supplier relationship begins and should set expectations for securely returning or disposing of information assets (where applicable), managing records, and continuing confidentiality obligations after the contract ends. Supplier relationships are beneficial, but the risks they introduce must be managed from the start of the relationship to its end.

Increasing Cybersecurity

If your company has not yet evaluated its cybersecurity processes, consider starting with the three areas outlined above, Operations Security, Access Control, and Supplier Relationships, as these are common areas where notable improvements can be made. Even if your company is not seeking ISO/IEC 27001 certification, there is value in evaluating where you can enhance your cybersecurity, given the current threat environment and the need to minimize information security risk.

There are many different facets within information security so building out an information security plan may seem overwhelming, particularly for understaffed and overworked security teams. To get started, figure out what process works best for your organization. This process might begin with your company compiling a list of all the areas in your information security that need enhancements. Then, prioritize these areas based on the level of risk they would pose if their security controls remained unimproved, and initiate actions from there.

Companies can also make information security an organization-wide effort, particularly if they are small to midsized, to spread the work and speed up the process. Call on manager-level employees to help identify appropriate team processes, but be sure the information security team evaluates proposals to ensure they are in line with best practices. Lastly, remember that while building out effective cybersecurity processes may take time, implementing or improving one task at a time is far better than not starting at all.
