{"id":4754,"date":"2011-01-24T21:10:16","date_gmt":"2011-01-24T21:10:16","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/011\/01\/24\/5-greatest-myths-about-iso-27001\/"},"modified":"2026-01-16T07:59:11","modified_gmt":"2026-01-16T07:59:11","slug":"5-greatest-myths-about-iso-27001","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2011\/01\/24\/5-greatest-myths-about-iso-27001\/","title":{"rendered":"5 greatest myths about ISO 27001"},"content":{"rendered":"<p>Very often I hear things about <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> and I don\u2019t know whether to laugh or cry over them. Actually, it is funny how people tend to make decisions about something they know very little about \u2013 here are the most common misconceptions:<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">\u201cThe standard requires\u2026\u201d<\/h2>\n<p>\u201cThe standard requires passwords to be changed every 3 months.\u201d \u201cThe standard requires that multiple suppliers must exist.\u201d \u201cThe standard requires the disaster recovery site to be at least 50 km distant from the main site.\u201d Really? The standard doesn\u2019t say anything like that. Unfortunately, I hear this kind of false information rather often \u2013 people usually mistake best practice for requirements of the standard, but not all security rules are applicable to all types of organizations. 
And the people who claim this is prescribed by the standard have probably never read the standard.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">\u201cWe\u2019ll let the IT department handle it\u201d<\/h2>\n<p>This is the management\u2019s favorite \u2013 \u201cInformation security is all about IT, isn\u2019t it?\u201d Well, not really \u2013 the most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which are usually out of reach of the IT department. See also <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2010\/03\/01\/information-security-or-it-security\/\">Information security or IT security<\/a>.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">\u201cWe\u2019ll implement it in a few months\u201d<\/h2>\n<p>You could <a href=\"https:\/\/advisera.com\/books\/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own\/\">implement your ISO 27001<\/a> in 2 or 3 months, but it won\u2019t work \u2013 you would only get a bunch of policies and procedures no one cares about. Implementation of information security means you have to implement changes, and it takes time for changes to take place.<\/p>\n<p>Not to mention that you must implement only those security controls that are really needed, and the analysis of what is really needed takes time \u2013 it is called risk assessment and risk treatment.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">\u201cThis standard is all about documentation\u201d<\/h2>\n<p><a href=\"\/27001academy\/iso-27001-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener noreferrer\">Documentation<\/a> is an important part of ISO 27001 implementation, but the documentation is not an end in itself. 
The main point is that you perform your activities in a secure way, and the documentation is here to help you do it. Also, the records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.<\/p>\n<div class=\"responsive-video-wrapper\"><iframe loading=\"lazy\" title=\"How Cybersecurity Training Reduces the Risk of Failure at the ISO 27001 Certification\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/4IXNKRK2SjQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">\u201cThe only benefit of the standard is for marketing purposes\u201d<\/h2>\n<p>\u201cWe are doing this only to get the certificate, aren\u2019t we?\u201d Well, this is (unfortunately) the way 80 percent of the companies think. I\u2019m not trying to argue here that ISO 27001 shouldn\u2019t be used for promotional and sales purposes, but you can also achieve other very important benefits \u2013 like preventing a WikiLeaks-style leak from happening to you. See also <a href=\"\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a> and <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2011\/01\/10\/lessons-learned-from-wikileaks-what-is-exactly-information-security\/\">Lessons learned from WikiLeaks: What is exactly information security?<\/a><\/p>\n<p>The point here is \u2013 read ISO 27001 first before you form your opinion about it; or, if it\u2019s too boring for you to read it (which I admit it is), consult with someone who has some real knowledge about it. And try to get some benefits other than marketing. 
In other words, increase your chances to make a profitable investment in information security.<\/p>\n<p><em>If you want to set up ISO 27001 Training Program for your employees,<\/em> <a href=\"https:\/\/advisera.com\/training-account\/iso-27001-training-awareness\/\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a> <em>of the Company Training Academy, the most practical way to organize company-wide training and awareness.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Very often I hear things about ISO 27001 and I don\u2019t know whether to laugh or cry over them. Actually it is funny how people tend to make decisions about something they know very little about \u2013 here are the most common misconceptions: \u201cThe standard requires\u2026\u201d \u201cThe standard requires passwords to be changed every 3 &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,1499,1500],"class_list":["post-4754","post","type-post","status-publish","format-standard","hentry","category-blog","tag-iso-27001","tag-myths","tag-misconceptions"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4754"}],"version-history":[{"count":2,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4754\/revisions"}],"predecessor-version":[{"id":104955,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/pos
ts\/4754\/revisions\/104955"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}