Start with the Why – But Be Honest
The first and most important question is simple: Why do we want an ISMS, and why do we want it certified according to ISO 27001? But beware of quick answers. Statements like “because the customer demands it” or “as long as we get the certificate” are honest, but they rarely lead to a sustainable ISMS in the long run.
Question your motivation honestly:
- Is it just about compliance? If so, at least be honest with yourself. Do you want to get certified with minimal effort, or do you aim to fully meet the requirements? Both are legitimate – but the approaches differ fundamentally.
- Do you have a genuine internal drive? Then it gets interesting. What specific risks concern you? Are confidentiality, integrity, and availability equally important to you, or do you have priorities? How risk-averse are you really? Some companies talk about innovation but act extremely risk-averse – that doesn’t add up.
- Strategic Considerations: Does an ISMS fit your corporate strategy? Can it help you enter new markets or create competitive barriers? Or is it simply necessary to remain in your current market?
The Biggest Mistake: “IT Will Handle It”
Here’s a classic scenario we encounter repeatedly: “We’ll delegate the ISMS project to the IT department.” This approach shows a fundamental misunderstanding of the ISMS concept. It’s not just a technical certification.
An ISMS affects all business processes. The requirements come from the business units, users, and management. IT can implement technical solutions, but it cannot independently define which information is worth protecting or how business processes should run.
Therefore – Involve Stakeholders from the Start:
- Management (strategic alignment)
- IT Department (technical implementation)
- Business Units (process requirements)
- Users (practical applicability)
Without this involvement, you end up with Schrödinger’s ISMS – it exists and doesn’t exist at the same time. It’s “there” in some form, but people work around the described processes. Often for good reason, as the ISMS is frequently dysfunctional and hinders work. A management representative scrambles to patch things up before audits, cobbling together evidence and documentation to keep the certificate from being revoked.
What Do We Really Want to Achieve?
Compliance catalogs provide a guide, but they are just a framework. In implementation, you often have significant leeway. The key question is: What is your “fixed point” – the benchmark against which all measures must be aligned?
Without this fixed point, you’ll make arbitrary decisions that may harm the business while believing you’re protecting it. Or you’ll overlook critical aspects. In the end, the front door is highly secure, while the side window is left open.
Take a Holistic View of Risks – The Example of AI
A current example illustrates the issue: dealing with artificial intelligence. The risk-minimizing strategy would be simple: don’t use AI, wait, and see what happens.
But what about the complementary risk? If you don’t use AI systems now, you’re taking significant risks too. You risk falling behind, becoming less efficient, and being overtaken by competitors.
Other Examples of Complementary Risks:
- Access Permissions: The “need-to-know principle” is considered standard. But what happens if you handle permissions too strictly? You create information silos, stifle innovation, and encourage duplicate work. You trade the risk of data leakage for the risk of inefficiency and stagnation.
- Device Security: We lock down employees’ laptops – no software installations, web filters everywhere. Meanwhile, external freelancers use their own devices and only need to sign a contract stating they’re responsible for their own security. Where’s the logic in that?
Conclusion: Think Before You Act
A successful ISMS doesn’t start with choosing tools or implementing measures. It starts with strategic questions:
- Why do we really want this?
- Who is affected, and who needs to be involved?
- What do we specifically want to achieve?
- Which risks are we willing to take, and which are we not?
Only by answering these questions honestly will your ISMS become a practical tool that provides real value to all stakeholders. Anything else is an expensive paper tiger.
The ISO 27001 standard is a tool – how you use it determines success or failure. Start with the “why,” not the “how.”