"The standard requires..."
"The standard requires keys to be changed every 3 months." "The standard requires that various suppliers be hired." "The standard requires that the alternate disaster recovery location be at least 50 km away from the main location." Is that so? The standard says nothing of the sort. Unfortunately, this is the kind of false information I usually hear. People often confuse best practices with requirements of the standard, but the problem is that not every security rule applies to every type of organization. And those who argue that the standard itself establishes these things have usually never read it.
"We'll let the IT department handle it"
This is management's favorite: "Information security is all about information technology, isn't it?" Well, not exactly. The most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which are generally outside the scope of the IT department. See also Information Security or IT Security.
"We will implement it in a few months"
You might manage to implement ISO 27001 in two or three months, but it won't work: all you will get is a pile of policies and procedures that no one pays any attention to. Implementing information security means implementing changes, and that takes time.
Needless to say, you should implement only the security controls you really need, and working out which ones those are also takes time; it's called risk assessment and treatment.
"This standard is nothing more than documentation"
Documentation is an important part of implementing ISO 27001, but it is not an end in itself. What matters most is that you carry out your activities securely, and the documentation is there precisely to help you do that. In addition, the records you generate will help you measure whether you achieved your information security objectives and allow you to correct the activities that have not.
"The only benefit of the standard is to gain a marketing advantage"
"We're doing this just to get the certificate, aren't we?" Well, this is (unfortunately) the way 80 percent of companies think. I am not trying to discuss here whether or not ISO 27001 should be used for promotional and sales purposes, but it can also bring other very important benefits, such as preventing a WikiLeaks-style incident from happening to you. See also Four Key Benefits of ISO 27001 Implementation and Lessons Learned from WikiLeaks: What Exactly Is Information Security?
The important thing here is that you first have to read ISO 27001 before you can have an opinion about it, or, if you find it too boring to read (I admit it is), consult someone who really knows it. And try to see the advantages beyond advertising. That way, you increase your chances of making a profitable investment in information security.
Author: Dejan Kosutic
Source: Blog iso27001standard.com

