Audits & Certification
The Reality Check Your ISMS Actually Needs Internal audits are where most organizations either build genuine security maturity or engage in elaborate self-deception. I've reviewed hundreds of internal audit programs over the years, and the pattern is depressingly consistent: organizations treat internal audits as a checkbox exercise, then
Implementation
The Three Activities That Transform Your Security (Without Breaking Your Budget) Here's what I learned from watching a manufacturing company spend $80,000 on fancy security tools while leaving their admin passwords written on sticky notes under keyboards: throwing money at security doesn't work. Smart execution
Implementation
The Core Team Structure That Actually Works Let's cut through the theoretical noise. ISO 27001:2022 doesn't mandate specific job titles or org charts—it requires clear assignment of roles, responsibilities, and authorities per Clause 5.3. But after auditing hundreds of organizations, I can tell
Implementation
The $85,000 Compliance Theater Last month, a client showed me their "ISO 27001 compliance platform" that cost them $85,000 annually. Beautiful dashboards. Impressive integrations. Automated evidence collection that pulled data from seventeen different systems. The auditor's dream, right? During their certification audit, I found
Implementation
Last month, I watched a 15-person accounting firm achieve ISO 27001 certification for £12,000 total—including audit fees. Meanwhile, a tech company down the road spent £150,000 and failed their first attempt. The difference wasn't their size or sector. It was understanding what ISO 27001 actually
Documentation & SoA
Every certification audit I conduct follows the same pattern in its opening hours: I request documentation. Not because I enjoy watching management representatives scramble through SharePoint folders and email archives, but because documentation tells me everything about whether an ISMS is real or theater. The difference between organizations that sail
Documentation & SoA
The Evidence-Based Reality of Policy Effectiveness During a recent certification audit at a tech startup, I asked the development team lead about their organization's Clean Desk Policy. "Oh yeah, we have that," he said, gesturing to the cluttered workspace around us—laptops open to client code,
Documentation & SoA
The Documentation Reality Check I've walked into countless audit rooms where the CISO proudly presents a perfectly bound documentation set—three inches thick, color-coded tabs, every paragraph numbered. "We've documented everything," they announce. Then I ask to see how these procedures actually work in
Implementation
Month 1: Foundation and Scoping Decisions The first month determines whether you'll be certified in 6 months or still struggling in 18. I've watched organizations waste entire quarters debating scope boundaries while their competitors achieved certification with laser-focused implementations. Week 1-2: Define Your Scope (Clause 4.
Documentation & SoA
The Copy-Paste Disaster: When Templates Trump Reality The Statement of Applicability is where most certification audits succeed or fail. I've watched more organizations stumble here than on any other ISMS component—not because they don't understand the SoA's importance, but because they fundamentally misunderstand
Documentation & SoA
Understanding What ISO 27001:2022 Actually Requires Every Statement of Applicability I review contains at least one exclusion that makes me raise an eyebrow. Not because organizations shouldn't exclude controls—they absolutely can and should when justified—but because most exclusions read like someone wanted to avoid the
Documentation & SoA
I've reviewed thousands of Information Security Management System documents over my career, and if you held a gun to my head and forced me to evaluate an organization's entire security posture based on a single artifact, I'd ask for the Statement of Applicability every