13 Things Most People Don’t Know About ISO 27001 & the ISMS

1/22/2026 · Compliance365

ISO 27001 is everywhere, but the Information Security Management System (ISMS) behind it is still widely misunderstood.

Many teams think ISO 27001 is about documents and technical controls. In reality, it’s a practical business system for how you make decisions, manage risk, and prove trust over time.

This article shares 13 things most people don’t know about ISO 27001 & the ISMS—with plain-English examples you can use in leadership briefings, roadmaps, and audit conversations.


1️⃣ An ISMS isn’t a security framework — it’s a business operating model

Most people treat ISO 27001 like a security checklist. In reality, the ISMS is a repeatable way your business manages risk — across people, process, and technology.

  • Without an ISMS: decisions depend on who is in the room; controls drift when people change roles.
  • With an ISMS: risk, approvals, exceptions, and reviews follow a predictable system, regardless of who’s on leave or which team is involved.

Outcome: Security becomes a stable part of how the business runs, not a side project owned by IT.

2️⃣ ISO 27001 doesn’t measure how secure you are — it measures how well you manage risk

There is no “perfect security” score in ISO 27001. Auditors care whether you understand your risks and manage them deliberately.

  • Risks are identified and rated.
  • Actions are chosen and justified.
  • Decisions are recorded and reviewed.

Two certified organisations can look very different technically — and still both be compliant — because the focus is on governance, not perfection.


3️⃣ You can be ISO 27001 certified with accepted risks

Many teams assume every risk must be fixed before certification. Not true. ISO 27001 fully supports risk acceptance when it’s documented, approved, and reviewed.

  • A legacy system can’t support MFA.
  • You add compensating controls and a retirement plan.
  • Risk is accepted by management and revisited on a schedule.

🧭 Reality: ISO 27001 expects grown-up trade-offs, not fantasy security with unlimited time and budget.

4️⃣ Less than 10% of the ISMS is technical

ISO 27001 is often labelled as “an IT standard”, but most clauses relate to:

  • Leadership and roles
  • Policies and awareness
  • Risk and planning
  • Monitoring and improvement

Controls like access, logging, and backups are important—but they sit inside a much larger management system.

💡 Insight: The hardest part of ISO 27001 is usually governance and behaviour, not configuring a firewall rule.

5️⃣ The ISMS is one of the few frameworks that forces continual improvement

Many frameworks are “point in time”. ISO 27001 builds continuous improvement into its core:

  • Annual internal audits
  • Regular management reviews
  • Corrective actions tracked through to closure
  • Metrics and trends reviewed, not just stored

It’s a living system, not a one-off project.


6️⃣ The Statement of Applicability (SoA) is your most powerful security document

The SoA is often treated like a box-ticking spreadsheet. Done properly, it becomes your single source of truth for how security works in your organisation.

  • Which controls are in place.
  • Which are excluded—and why.
  • Where evidence lives.
  • Who owns what.

Example SoA snippet (plain-English view)

| Control | Applicability | Reason / Notes | How We Implement It | Evidence Location | Owner |
|---|---|---|---|---|---|
| A.5.18 – Access reviews | Applicable | Critical for controlling who can access production systems. | Quarterly review of Entra ID groups and privileged roles; leavers removed within 24 hours. | SharePoint > ISMS > Evidence > A.5.18 – Access reviews | Head of IT |
| A.8.16 – Logging & monitoring | Applicable | Required to detect unauthorised or suspicious activity. | Defender, Sentinel and application logs retained for 12 months with daily alert triage. | SharePoint > ISMS > Evidence > A.8.16 – Logging & monitoring | Security Lead |
| A.8.13 – Backup & restore | Applicable | Needed to recover from data loss or ransomware. | Daily backups of production databases; quarterly restore tests with documented results. | SharePoint > ISMS > Evidence > A.8.13 – Backup & DR tests | Platform Owner |
| A.5.7 – Remote working | Not applicable to scope | Scope is limited to data centre operations only; no remote access for in-scope systems. | Managed via separate corporate policy outside the certified scope. | SharePoint > ISMS > SoA & Scope | CISO / ISMS Manager |

In a mature ISMS, every row in the SoA tells a short story: why the control matters, how you run it, where proof lives, and who is accountable.

Outcome: One document that can answer “how secure are we?” for executives, customers, and auditors.

7️⃣ ISO 27001 eliminates duplicated work across other frameworks

A well-designed ISMS will cover most of the heavy lifting for frameworks like SOC 2, Essential Eight, NIST CSF, DISP, ISM, CPS 234, and ISO 27701.

| Topic | ISO 27001 | Other Frameworks | Plain-English Meaning |
|---|---|---|---|
| Access reviews | A.5.18 | SOC 2 CC6.1, NIST PR.AC-1, Essential Eight maturity | We regularly check who has access and remove what’s not needed. |
| Logging & monitoring | A.8.16 | SOC 2 CC7.2, NIST DE.AE-2 | We monitor systems and detect unusual or risky behaviour. |
| Supplier risk | A.5.19 | SOC 2 CC3.3, NIST ID.SC-3 | We assess and manage risk from vendors and partners. |
| Backup & recovery | A.8.13 | SOC 2 CC7.3, NIST PR.IP-4 | We can recover quickly if something goes wrong. |

One evidence run can satisfy several frameworks when everything is driven from the ISMS.


8️⃣ ISO 27001 scope is not “everything” — and smart scoping is your superpower

One of the biggest misconceptions is that ISO 27001 must cover the entire organisation. In reality, you choose the scope.

  • A single SaaS platform.
  • Just the production environment.
  • A specific business unit or geography.

💡 Smart move: Start with the product or environment your buyers care about most, then expand the ISMS over time.

9️⃣ The ISMS is the most scalable security program you can build

Because the ISMS focuses on how decisions are made, not just which systems are in scope, it scales naturally as you grow.

  • Phase 1: Certify the core platform or service.
  • Phase 2: Add customer support and operations.
  • Phase 3: Extend to additional regions, products, or business units.

The model stays the same — only the scope expands.


1️⃣0️⃣ Most ISO failures are caused by governance gaps, not technical gaps

When organisations fail ISO 27001 audits, it’s rarely because they missed a single control. It’s usually because the system isn’t running properly.

  • Management reviews haven’t been done.
  • Risk registers and SoA haven’t been updated.
  • Internal audits are missing or incomplete.

⚠️ Risk: Great technical controls with weak governance still equals a failing ISMS.

1️⃣1️⃣ ISO 27001 can reduce workload when implemented correctly

A modern ISMS doesn’t mean more spreadsheets. With the right design, it automates evidence collection using the tools you already own.

  • Entra ID exports for access reviews.
  • Intune and Defender reports for device compliance.
  • Purview reports for DLP, labels, and audit logs.
  • SharePoint version history for document evidence.

Instead of chasing people for screenshots, you have scheduled, repeatable evidence runs.
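An added example of what such a scheduled evidence run can look like for the A.5.18 SoA row above (quarterly review of Entra ID groups and privileged roles, leavers removed within 24 hours). This is illustrative code written for this article, not Compliance365's or Microsoft's tooling; it assumes the Microsoft.Graph PowerShell SDK (v2) with read-only directory permissions, and the group object IDs and output folder are placeholders.

```powershell
# Added example (not the article's or Microsoft's code): quarterly A.5.18 evidence run.
# Assumes Microsoft.Graph PowerShell SDK v2; group IDs and output folder are placeholders.
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory" -NoWelcome

$runDate      = Get-Date -Format "yyyy-MM-dd"
$evidenceRoot = "C:\Evidence\A.5.18"          # later uploaded to the SoA's SharePoint evidence location
$prodGroupIds = @("<prod-admins-group-id>", "<prod-readers-group-id>")   # placeholder object IDs
New-Item -ItemType Directory -Path $evidenceRoot -Force | Out-Null

# Turn one membership record into a review row. Flags disabled accounts that are
# still members, which is the evidence for "leavers removed within 24 hours".
function New-ReviewRow {
    param([string]$Scope, $Member)
    $user = $null
    if ($Member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
        $user = Get-MgUser -UserId $Member.Id -Property "userPrincipalName,accountEnabled"
    }
    [pscustomobject]@{
        ReviewDate     = $runDate
        Scope          = $Scope
        Principal      = if ($user) { $user.UserPrincipalName } else { $Member.Id }   # service principal or nested group
        AccountEnabled = if ($user) { $user.AccountEnabled } else { 'n/a' }
        Finding        = if ($user -and -not $user.AccountEnabled) { 'Disabled account still has access' } else { '' }
    }
}

$rows = @()
foreach ($gid in $prodGroupIds) {
    $group = Get-MgGroup -GroupId $gid
    foreach ($m in Get-MgGroupMember -GroupId $gid -All) {
        $rows += New-ReviewRow -Scope "Group: $($group.DisplayName)" -Member $m
    }
}
# Activated directory roles cover the "privileged roles" half of the SoA row
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $rows += New-ReviewRow -Scope "Role: $($role.DisplayName)" -Member $m
    }
}

# The full snapshot is the evidence; the findings file feeds corrective-action tracking
$rows | Export-Csv -Path "$evidenceRoot\access-review-$runDate.csv" -NoTypeInformation
$rows | Where-Object Finding | Export-Csv -Path "$evidenceRoot\findings-$runDate.csv" -NoTypeInformation
"Reviewed $($rows.Count) assignments, $(@($rows | Where-Object Finding).Count) findings"
```

Run it from a scheduled task each quarter and the two CSVs become the dated evidence and the open-actions list that item 13 below asks you to track to closure.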


1️⃣2️⃣ ISO 27001 makes leadership explicitly accountable

ISO 27001 doesn’t let executives stay in the background. The standard requires leadership to:

  • Approve the ISMS scope and policy.
  • Provide resources.
  • Set risk appetite and objectives.
  • Review performance and improvements.

Result: Security becomes a business priority with clear sponsorship, not an IT cost centre.

1️⃣3️⃣ “Document what you do, and do what you document” is the core ISMS principle

This simple phrase captures the heart of ISO 27001:

  • Document what you do: Describe your real processes in clear, practical language.
  • Do what you document: Follow those processes consistently and keep evidence.

It doesn’t mean heavy documentation. It means honest processes with proof.

💡 Practically: If your policy says quarterly access reviews, you actually run them, store the reports, track findings, and close actions.

Why these ISMS truths matter

The ISMS is not a document library or a checkbox exercise. It’s the engine room that powers security, privacy, and AI governance across your organisation. When it works well, it reduces duplicated effort, speeds up audits, and gives leadership a clear picture of risk.

Next steps

Explore our ISO 27001 services, try the ISO 27001 readiness checklist, or book a roadmap call to design an ISMS that actually works for your team — and your auditors.
