
Do not start with Annex A

Written by Protify

We see it happen often. A project team starts enthusiastically with ISO 27001. Everyone wants to move quickly, so the focus immediately shifts to concrete measures. We understand that: it feels practical.

And that is exactly where things often go wrong. Many teams dive into Annex A as if it were a list of requirements to be ticked off one by one: install a firewall, set up backup management, enforce access rights.

How do you prevent this from becoming a loose collection of technical solutions? By first identifying what your organization actually needs. That is what stops you implementing controls that sound impressive but solve little.

First think, then determine, then manage

ISO 27001 is built around a management system. This means the organization makes its choices in a structured, risk-driven way. The main point is therefore not which measures you take, but the more fundamental question:

How do you ensure that risks and opportunities are managed?

• Clause 6 (Planning) asks organizations to identify risks and opportunities and to establish objectives and the planning to achieve them.
• Clause 8 (Operation) focuses on execution: carrying out the risk assessment and risk treatment in the operational processes.

Only after these questions have been answered does Annex A become relevant. Annex A is therefore not a checklist but a reference set of possible controls, from which you select those that your risk treatment requires and justify why the others do not apply.

Why this approach works

Organizations that start directly with controls often notice that:

• management support is not sustainable in practice;
• measures are applied in the wrong place;
• responsibilities remain unclear;
• the ISMS mainly creates additional burden for the organization.

The implementation becomes more effective and manageable when management, customers and suppliers are involved first. With this approach you implement measures that genuinely contribute to objectives, reduce risks and create demonstrable value for the organization. Annex A is then no longer a burden or a checklist, but a conscious selection of appropriate measures that address the real risks.

Before implementing any measure, always ask the following questions:

  1. What problem are we addressing?
  2. Which risks or needs are involved?
  3. Which objectives do we want to achieve?
  4. Which controls fit best?
  5. How do we continue improving?

Organizations that follow this structure build a sustainable and manageable management system.

Would you like help implementing ISO 27001? We are happy to do so. Schedule a no obligation introductory meeting.
