“Letting Go of the Bicycle” on an ISO 27001 Project

Last Updated on January 13, 2024

In the course of any successful ISO 27001 project, there comes a point where primary ownership and responsibility for the information security management system (ISMS) transfers from the advisor or consultant, that is helping with the implementation, to the client organization that has to run and manage the ISMS going forward. I call this point “letting go of the bicycle.”
Some clients struggle with this transition, while others are highly motivated and push to accelerate the process. But either way it must happen, or the project will ultimately fail to deliver on its potential business value.
For example, I have a client right now that’s always asking me, “What can we do now?” “Where do we go to learn X?” They want to take responsibility for their ISMS and are working hard to build the necessary expertise. For them, success is a slam-dunk.
Meanwhile, I have another client that isn’t very interested in learning what they’ll need to know to take over their ISMS when our contract ends. They have a “check the box” mentality about their ISMS, and lack commitment to creating an information security culture. They may be able to eventually achieve an initial ISO 27001 certification for their ISMS with our help. But unless something changes it’s unlikely they’ll be able to maintain their certification long-term.

Why can’t organizations just keep their ISMS “training wheels” on forever? One big reason (besides burdensome cost) is that management involvement and ongoing support is one of the pillars of an ISMS. There’s really no way a consultant can substitute for in-house leadership—even a virtual CISO (vCISO) can only do so much (and this from an organization that sells vCISO services). A third-party organization, like us, will never have quite the authority to drive internal changes like your own management team holds.
On most ISO 27001 projects there’s a crucial tipping point during Phase 2, about 75-80% of the way through the project. This is where the “letting go” really needs to happen, if it hasn’t already.
By this time, we’ve delivered all the documentation (scope, risk management methodology, risk assessment, risk treatment plan, gap assessment, ISMS charter, ISMS manual, etc.). Now our client needs to operationalize their processes, mitigate some of their risks and develop/review whatever policies and procedures they need based on the findings in the gap assessment.
This is the time for internal socialization and communication about the ISMS. We advise this is the time our clients should be “pedaling hard”—operating and stress-testing everything while we as their advisor are right behind them.
It’s crucial a consultant or third-party firm is not the sole owner and operator of your ISMS; because, when it’s time for the certification audit you will need your own, in-house expertise to present your ISMS.
At the end of the day, no consultant or advisor can “do” ISO 27001 certification for you. The need for continuous improvement that is built into the recertification process means you need a security culture to keep your certification, not to mention maintain and operate your ISMS.
Internal support and management commitment are prerequisites to creating that culture and deriving the full financial and strategic value from the certification process.
If your business is considering ISO 27001 certification, contact Pivot Point Security. We specialize in helping organizations meet both their short- and longer-term information security goals.