ISO 27001: More Than a Certificate on the Wall
ISO 27001 is the global gold standard for information security management. But achieving certification is one thing — effectively implementing the underlying controls is something else entirely. In practice, Nexus-7 consistently observes that organisations underestimate, misimplement, or simply skip the same Annex A controls.
The revised ISO 27001:2022 contains 93 Annex A controls grouped into four themes: organisational (37 controls, A.5), people (8, A.6), physical (14, A.7) and technological (34, A.8). Below, we discuss the ten controls that are most frequently absent or insufficiently addressed in practice.
1. Threat Intelligence (A.5.7)
Most organisations do not systematically collect information about current threats relevant to their sector. They rely on generic news sources instead of targeted threat intelligence feeds. Without a current threat landscape, you lack the context to prioritise your security measures.
What you should do: Join an ISAC (Information Sharing and Analysis Centre) for your sector, configure automated feeds, and integrate threat information into your risk assessment process.
2. Information Security in Supplier Relationships (A.5.19-5.22)
Supply chain security is one of the most underestimated risk factors. Organisations set requirements for their own employees but forget that suppliers work with the same data and systems. The recent wave of supply chain attacks — from SolarWinds to MOVEit — demonstrates how devastating this can be.
What you should do: Establish mandatory security requirements for all suppliers, conduct periodic assessments, and include the right to audit in contracts.
3. Information Security in Project Management (A.5.8)
Security is rarely included as a standard component in project planning. The result: systems go live without adequate security measures, and retrofitting those measures after go-live costs far more than designing them in from the start.
What you should do: Integrate a security gate into every project phase. No go-live without security sign-off.
4. Configuration Management (A.8.9)
Many organisations lack standardised, documented configurations for their systems. Servers, network equipment, and applications are configured ad hoc, making security misconfigurations one of the most common vulnerabilities.
What you should do: Implement configuration baselines, use Infrastructure as Code where possible, and conduct monthly configuration audits.
5. Information Security Awareness, Education and Training (A.6.3)
Yes, nearly every organisation has 'something' resembling security awareness. But in most cases, it amounts to an annual e-learning module that employees click through as quickly as possible. That is not awareness — that is a compliance checkbox.
What you should do: Implement continuous, behaviour-focused awareness programmes. Measure not just knowledge, but actual behaviour. Nexus-7's Q-Method approach offers a scientifically grounded methodology for exactly this.
6. Data Masking (A.8.11)
Test and development environments often contain copies of production data, including personal data and business-critical information. Data masking is systematically forgotten, leaving sensitive data in places where security is typically lower.
What you should do: Implement automatic data masking for all non-production environments and incorporate this into your SDLC procedures.
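The following Python example, added for this article and not a Nexus-7 tool, shows one workable way to mask a production extract before it reaches a non-production environment: keyed, deterministic pseudonymisation with HMAC. Deterministic masking matters because test data still has to join across tables and satisfy uniqueness constraints; a keyed function means the pseudonyms cannot be reversed from inside the test environment as long as the key stays in the masking pipeline. The column names, masking rules, name pools, sample rows and key are all assumptions made for the example.

```python
"""Deterministic masking of production data for non-production copies.

Added example, not Nexus-7 code. Columns, masking rules, name pools and the
sample rows are assumptions for this illustration. The masking key must live
only in the pipeline that produces the copy, never in test or development.
"""
import hashlib
import hmac

FIRST_NAMES = ["Alex", "Sam", "Robin", "Kim", "Noor", "Lee", "Max", "Jo"]
LAST_NAMES = ["Jansen", "Smit", "Bakker", "Visser", "Meyer", "Wong", "Silva", "Khan"]


def _mac(key, field, value, extra=""):
    """Keyed hash: the same (key, field, value) always yields the same bytes,
    so joins and uniqueness constraints across masked tables keep working."""
    msg = f"{field}:{value}:{extra}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def mask_name(key, name):
    """Pick a plausible-looking name from a small pool, chosen by keyed hash."""
    h = int.from_bytes(_mac(key, "name", name)[:4], "big")
    return f"{FIRST_NAMES[h % len(FIRST_NAMES)]} {LAST_NAMES[(h >> 8) % len(LAST_NAMES)]}"


def mask_email(key, email):
    """Opaque local part; the reserved .invalid TLD (RFC 2606) guarantees a
    test system can never send mail to a real mailbox."""
    tag = _mac(key, "email", email.lower())[:6].hex()
    return f"user-{tag}@example.invalid"


def _digit_stream(key, field, value):
    """Endless stream of decimal digits derived from the keyed hash."""
    counter = 0
    while True:
        for b in _mac(key, field, value, extra=str(counter)):
            yield str(b % 10)  # slight bias is irrelevant for masking
        counter += 1


def mask_digits(key, field, value, keep_prefix):
    """Replace every digit after the first keep_prefix digits, keeping
    separators so format validators in the test system still pass."""
    stream = _digit_stream(key, field, value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep_prefix else next(stream))
        else:
            out.append(ch)
    return "".join(out)


MASK_RULES = {
    "name": mask_name,
    "email": mask_email,
    # keep the country code: it is routing information, not identifying data
    "phone": lambda key, v: mask_digits(key, "phone", v, keep_prefix=2),
}


def mask_table(key, rows):
    """Return masked copies of rows. Columns without a rule pass through;
    customer_id is the join key and stays intact."""
    return [
        {col: MASK_RULES[col](key, val) if col in MASK_RULES else val
         for col, val in row.items()}
        for row in rows
    ]


# Constructed sample rows (not real people). The key is for the example only.
MASKING_KEY = b"example-only-key-real-keys-stay-in-the-masking-pipeline"
SAMPLE_CUSTOMERS = [
    {"customer_id": 1001, "name": "Anna de Vries", "email": "anna.devries@example.com",
     "phone": "+31 6 1234 5678", "balance": 1520.00},
    {"customer_id": 1002, "name": "Bram Jansen", "email": "b.jansen@example.com",
     "phone": "+31 20 555 0199", "balance": -40.25},
    # same person as 1001: must mask to identical values in every copy
    {"customer_id": 1003, "name": "Anna de Vries", "email": "anna.devries@example.com",
     "phone": "+31 6 1234 5678", "balance": 12.00},
]

if __name__ == "__main__":
    for row in mask_table(MASKING_KEY, SAMPLE_CUSTOMERS):
        print(row)
```

Note what is and is not preserved: balances and identifiers survive untouched because test logic depends on them, names and e-mail addresses are replaced by values that cannot be linked back to a person without the key, and phone numbers keep their format and country code. Rotating the key produces a completely different but still internally consistent data set, which is what you want when a test environment is suspected of being exposed.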
7. Monitoring Activities (A.8.16)
Most organisations have logging in place. But active monitoring, actually analysing those logs for anomalous behaviour, is often missing. IBM's 2023 Cost of a Data Breach report puts the average time to identify a breach at 204 days. That is nearly seven months during which attackers have free rein.
What you should do: Invest in SIEM/SOC capability (in-house or outsourced), define detection use cases, and regularly test whether your monitoring actually works.
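A "detection use case" is more concrete than it sounds. As an added example (written for this article, not Nexus-7 code and not the output of any particular SIEM), the Python below implements three classic use cases over sshd authentication log lines: brute force from one source, password spraying across many accounts, and the one that should page someone, a successful login from a source that was just failing. The thresholds, window, sample log lines and the assumed log year are all constructed for the example; real deployments tune them per environment and feed the alerts to the SOC.

```python
"""Three detection use cases over sshd authentication logs.

Added example, not Nexus-7 code. Thresholds, the 60-second window, the
sample log lines and the year assumed for syslog timestamps are constructed
for this illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
BRUTE_FORCE_THRESHOLD = 5   # failures from one source inside WINDOW
SPRAY_DISTINCT_USERS = 3    # distinct target accounts from one source inside WINDOW
SUCCESS_AFTER_FAILURES = 3  # failures inside WINDOW preceding a success

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    success: bool
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    detail: str


def parse_line(line, year=2024):
    """Parse one auth log line; lines that are not login results yield None.
    Traditional syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return Event(ts, m["result"] == "Accepted", m["user"], m["ip"])


def detect(lines):
    """Return alerts, one per (rule, source IP), in the order they trigger."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    recent = defaultdict(deque)  # ip -> failures still inside WINDOW
    alerts, seen = [], set()

    def raise_alert(rule, ip, detail):
        if (rule, ip) not in seen:  # de-duplicate: one alert per rule and source
            seen.add((rule, ip))
            alerts.append(Alert(rule, ip, detail))

    for ev in events:
        window = recent[ev.ip]
        while window and ev.ts - window[0].ts > WINDOW:
            window.popleft()
        if ev.success:
            if len(window) >= SUCCESS_AFTER_FAILURES:
                raise_alert("success_after_failures", ev.ip,
                            f"login as {ev.user!r} after {len(window)} failures")
            continue
        window.append(ev)
        if len(window) >= BRUTE_FORCE_THRESHOLD:
            raise_alert("brute_force", ev.ip, f"{len(window)} failures in {WINDOW.seconds}s")
        users = {e.user for e in window}
        if len(users) >= SPRAY_DISTINCT_USERS:
            raise_alert("password_spray", ev.ip, f"accounts tried: {sorted(users)}")
    return alerts


# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51012 ssh2
Jan 14 03:12:03 bastion sshd[2233]: Failed password for invalid user oracle from 203.0.113.45 port 51014 ssh2
Jan 14 03:12:05 bastion sshd[2235]: Failed password for invalid user test from 203.0.113.45 port 51016 ssh2
Jan 14 03:12:08 bastion sshd[2237]: Failed password for invalid user guest from 203.0.113.45 port 51018 ssh2
Jan 14 03:12:12 bastion sshd[2239]: Failed password for invalid user postgres from 203.0.113.45 port 51020 ssh2
Jan 14 03:12:20 bastion sshd[2241]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jan 14 03:12:25 bastion sshd[2244]: Accepted password for root from 203.0.113.45 port 51033 ssh2
Jan 14 03:15:02 bastion sshd[2301]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Jan 14 03:15:09 bastion sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 40212 ssh2
Jan 14 08:01:11 bastion sshd[2500]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jan 14 08:01:19 bastion sshd[2502]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Jan 14 08:01:27 bastion sshd[2504]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Jan 14 08:01:35 bastion sshd[2506]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Jan 14 08:01:44 bastion sshd[2508]: Failed password for bob from 192.0.2.9 port 33005 ssh2
Jan 14 08:02:40 bastion sshd[2510]: Connection closed by 192.0.2.9 port 33005 [preauth]
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{a.rule}] {a.ip}: {a.detail}")
```

On the sample, 203.0.113.45 trips all three rules (a spray across five throwaway accounts, then root, then a successful root login), 192.0.2.9 trips only brute force, and alice's single typo followed by a key login stays quiet. The last point is the one to test regularly: a use case that has never been exercised against known-good and known-bad input is a use case whose alerts nobody has verified will fire.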
8. ICT Readiness for Business Continuity (A.5.30)
Business Continuity Planning (BCP) at many organisations covers office space and communication, but the ICT component is treated as an afterthought. Can you restore your critical systems within the agreed timeframe? Most organisations have never realistically tested this.
What you should do: Conduct at least an annual full disaster recovery test. Not on paper, but actually restoring systems from backups, and compare the measured restore time and data loss against the agreed RTO and RPO.
9. Secure Development Life Cycle (A.8.25-8.31)
Organisations that develop software — and there are more than you think, even if it is 'just some scripts' or 'an internal portal' — rarely have a formal Secure Development Life Cycle (SDLC) in place. Code reviews, static analysis, and security testing are often optional.
What you should do: Implement security gates in your development pipeline: SAST, DAST, dependency scanning, and mandatory code reviews for security-sensitive functionality.
10. Information Deletion (A.8.10)
What happens to data you no longer need? And to equipment being decommissioned? In many organisations, old laptops containing corporate data sit in a cupboard, and databases are never cleaned up. This is not only a security risk but also a breach of the GDPR's storage limitation principle (Article 5(1)(e)).
What you should do: Implement a data retention policy with automatic deletion, and ensure certified destruction of storage media.
The Bigger Picture: Compliance versus Real Security
The common thread through these ten points is clear: many organisations treat ISO 27001 as a compliance exercise rather than a framework for actual security. They complete the documents, pass the audit, and return to business as usual.
But cybercriminals do not read your policy documents. They look for the gaps that emerge when policy and practice diverge. And precisely those gaps are exposed by the ten points above.
How Nexus-7 Helps
Nexus-7 combines technical assessment with behavioural analysis based on the scientific Q-Method. Where traditional audits look at documents and technical configurations, Nexus-7 also maps the human element: how do your employees think about security, and how do they behave in practice?
This approach aligns seamlessly with ISO 27001, helping organisations bridge the gap between paper compliance and actual resilience — including the ten blind spots described above.
Want to know how your organisation scores on these 10 critical controls? Schedule a free demo and discover how Nexus-7 takes your ISO 27001 implementation to the next level.