The Ugly Side of ISO 27001 Compliance. What Happens if You Get it Wrong?

12 Jul / 2023

Cyber Security

We’re going to be candid and frank here. ISO 27001 audits, and cybersecurity compliance audits in general, can be hard to achieve and stressful to execute. Not only do they take considerable time and resources, piled on top of already busy day jobs, but they are also often subject to scrutiny from executive leadership, investors and stakeholders.

It’s tough: every organisation has skeletons in its closet, and “audit time” rarely brings cheer.

So, what happens if you’re the poor soul responsible for responding to auditors and coordinating compliance controls and, by some freak of nature, the audit report comes back less than impressive?

In this blog, we outline the steps you can take to save face, regain control of compliance and build a robust cybersecurity posture, all in one.


First, a quick look at some consequences of not achieving, or not maintaining, ISO 27001 compliance:

  • Your risk of data breaches and data leakage increases, which can lead to financial losses, litigation costs, reputational damage and more.
  • Inadequate cybersecurity measures increase the likelihood of system failures and malicious activity that interrupt business operations.
  • You can lose a significant competitive advantage, and even customers, who value ISO 27001 compliance.

The consequences of not meeting ISO 27001 compliance can be significant, so a failed audit often brings added scrutiny, enquiry and possibly interrogation.


If your ISO 27001 audit has come back with a negative result, here is how to handle it:

Encourage open dialogue with the auditors on their key concerns: there may have been documentation or scenarios that the auditors were not privy to. Request to speak with them to clarify their concerns and supply additional information where it is available.

Own the responsibility: if set up properly, ISO 27001 compliance is a company-wide responsibility, but many organisations descend into finger-pointing and blame when they fail an audit. Owning the responsibility, and seeking to make reparations, leads to much faster remediation.

Communicate widely: from a communications perspective, this is not the time to go quiet on your stakeholders or team. Communicating the key audit findings, root problems, underlying causes and remediation plans to the wider audience keeps all parties informed and encourages buy-in for the remediation effort.

Find quick wins: if part of your ISO 27001 audit failure relates to not having cybersecurity monitoring, data loss prevention or basic web filtering in place, a quick win is to wrap all of these components into a managed service hosted by a cybersecurity specialist such as Cythera, ideally one that can be deployed within weeks.

Play the long game: ISO 27001 compliance is a year-round, decades-long game. Implementing it is tough, but maintaining ongoing compliance is tougher: managing policies, changing regulations, adherence to procedures and paper trails across multiple repositories over the long term is a big project. Seek to build a long-term, scalable compliance solution founded on automated compliance tooling and compliance monitoring services that are aligned with your cybersecurity objectives. Cythera offers a solution to this, as outlined below.


Is there a way to get quick wins while also building for the long game?

Yes. Cythera works with leading ISO 27001 compliance technologies, coupled with expert cybersecurity capability, to give businesses a comprehensive and optimised approach to compliance that gives time back to IT teams without replacing jobs. We do this by:

  • Automating the creation, management, and version control of documentation required for ISO 27001 compliance specific to Australian organisations.
  • Providing templates, workflows, and collaboration tools to streamline the process of developing policies, procedures, and control documentation applicable to ISO 27001 and other Australian cybersecurity legislation.
  • Automating risk assessment, risk analysis, calculation of risk levels, and frameworks for implementing risk management.
  • Automating control implementation and monitoring, including the assignment of responsibilities, tracking of progress, and reports that can be used across the organisation for proactive communication purposes.

Cythera can also monitor, in real time, the effectiveness of controls, identifying gaps and potential non-compliance issues before they become damaging.

Want to know more? Download our latest business case guide template or meet with us to discuss in person or via video.
