ISO 27001: The Four Most Common Post-Certification Pitfalls

Author: Gene Geiger, CPA, CISSP, CCSK, QSA, PCIP, ISO 27k LA, and Partner at A-LIGN.

Becoming ISO 27001 certified is a rigorous process for most organizations but the work should not stop after receiving the sought after certification. We want to ensure that your organization does not fall victim to these common pitfalls so that your information security management system (ISMS) continues to operate as designed and subsequent audits flow smoothly. Take a look at the four most common problems to help your company stay on track after certification.

Failing to Schedule the Internal Audit and Management Review

The completion of the internal audit and management review are critical to the success of the ISMS. A-LIGN reviews these activities during each audit activity and looks to ensure the quality-level and completeness are in line with the requirements. These activities build on each other as the internal audit feeds into the management review, and then both feed into the continuous improvement cycle.

You should ensure that the internal audit is scheduled well in advance of the surveillance audit, so the management review and continuous improvement activities have time to be performed. We start the surveillance audit approximately nine months after initial certification is received, so a typical timeline would be to start the internal audit six to seven months after certification.

Changes in Key Personnel

Many times the ISMS is implemented by an individual who fields many of the questions during an audit and has overall responsibility for the ISMS.  If that person leaves the company, the ISMS can fall apart.  In order to help prevent this, we recommend that all companies designate a back-up person who has a general understanding of the ISMS. If your primary ISMS manager moves into a different position or to another company, ensure that the designated backup steps in to ensure that the ISMS continues to function.

Failing to be Vigilant

It is common for organizations to breathe a sigh of relief upon receiving the initial certification, but at times they may go too far into “relaxation mode.” ISO 27001 defines the ongoing processes that should be in place throughout the year, not just during the audit. The management controls, including periodic meetings, documented approvals for decision, meeting minutes of oversite committees, etc., must be maintained to evidence that the ISMS continues to function.  This is also true of controls defined in the statement of applicability.

Companies should ensure the ISMS is a living process that is built into the culture of the organization so that it continues to function as designed after certification is received.

Not Considering Environmental Changes

ISO 27001 requires that any changes in the environment be considered through the risk assessment process and any new or modified controls flow in to the statement of applicability. It also requires that A-LIGN be notified and a new certificate issued if there are changes to the scope or statement of applicability.  When changes are considered in the environment that may impact the scope of certification, it is important to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.

These top pitfalls are all easily remedied through management oversight and following the controls as defined in your ISMS. Establishing a long-term ISMS framework can help to create an ongoing culture of security in your organization and help to ensure smooth surveillance audit cycles.

Have questions about ISO 27001? 

Contact our ISO 27001 professionals at or call 888-702-5446.

It’s Time For An Upgrade: Switching from ISO 27001:2005 to 2013

A-lign ISO 27001 SealAs a reminder a new version of ISO 27001 has been issued and the deadline for updating your company’s ISO 27001 program from 2005 to 2013 is quickly approaching.  There are some significant changes to ISO 27001 in the newest 2013 edition.  Utilizing the guidelines in ISO 27001:2013 will improve the standardization and operations of the information security program in your organization.

For more details on changes in the 2013 standard please refer to our guide:  8 Step Guide to Bring Your Current ISMS from ISO 27001:2005 to ISO 27001:2013 

27001:2013 Released

  • New Implementations – The deadline for new implementation has expired as ISO/IEC 27001:2005 is no longer allowed as of October 1, 2014
  • Transition (Including Surveillance Reviews) – Can be performed (2005 to the 2013 standard) until October 1, 2015
  • Complete Transition – After October 1, 2015 all new certifications are required to use the 2013 standard

Key Changes

  • Realignment of the management system requirements to clauses 4 through 10
  • Risk assessment focus to risk owners
  • Controls Annex realignment and additional controls

Key Implementation Steps

  • Review current process and management system documentation
  • Update Statement of Applicability (SoA) based on the new framework
  • Update documentation
  • Ensure internal audits and management review are being planned and performed

We can answer any of your questions regarding the new version of ISO 27001.  

Please contact us by phone at 888-702-5446 or by email at