October 1, 2021

Last Updated on January 12, 2024


ISO 27001 certification is a significant undertaking that impacts many areas of your business. You want to be aligned with best practices from the outset. In our ISO 27001-as-a-Service business, we find that many clients start out with misconceptions or misinformation about ISO 27001 that require “course corrections” to ensure success.

One of these “course corrections” concerns the widespread belief that, since ISO 27001 is all about information security, it’s mainly an IT issue. So why not let the IT guys handle it?

To deflate this and other leading fallacies that businesses often have about ISO 27001 certification, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special podcast in response to client requests.

ISO 27001 addresses the full information lifecycle

“You really need to understand that ISO 27001 is about the full lifecycle of information,” John advises. “Remember: people, process, systems, right? So as an example, human resource management is important. Are the people that you’re hiring properly vetted and background screened? Are the people that you’re hiring appropriately qualified? Are the people that you’re hiring appropriately trained with regards to good security practices? Are they trained on your specific requirements for information security? Do you have good physical security? Because if you don’t have good physical security and [hackers] can walk into your office, it doesn’t matter if you’ve got good digital security.”

Don’t forget legal and compliance

Another key area of ISO 27001 involvement for most companies is legal and compliance. Does your organization understand and address the laws, regulations, client contractual obligations, etc. that it’s subject to?

“We did some work recently for a law firm, and we asked to see some contracts,” recalls John. “[Some of them] specifically cited that if you’re going to work with us, all of our work needs to be done on an isolated network, on dedicated systems. So, we asked, ‘Hey, are you guys doing this?’ And the answer was, ‘No, we didn’t realize that.’”

“That’s why you can’t just have IT and IS handle [ISO 27001 certification prep], right?” says John. “You should involve a good cross-section of the organization. A lot of people need to be involved.”

What’s Next?

Is your business on the path to ISO 27001 certification? Then don’t even think of missing this spot-on podcast with ISO 27001 expert John Verry: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security

Looking for some more information to help define a proven process for ISO 27001 or other compliance needs? Check out this blog post: EP#59 – John Verry – Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant – Pivot Point Security