
Yannick H.
Too Long; Didn't Read
An ISMS must fit the company - not the other way around. Most implementations fail not because of technology, but due to excessive scope, lack of management buy-in, and the attempt to apply enterprise frameworks to SME resources. The pragmatic approach: Start small, expand gradually, and build a system that is truly lived - not just audited.

Why everyone is talking about ISMS now
More than 150,000 organizations worldwide are ISO 27001 certified. The number grows by 10-15% each year.
(ISO Survey / Industry Reports 2025)
That is not because everyone suddenly became security enthusiasts.
70% of IT service providers in Europe and North America require ISO 27001 from their suppliers.
In other words: no ISMS, no contract. At least not with enterprise customers.
Add to that cyber insurance policies, which increasingly require structured security management. And regulations like NIS2, which practically mandate an ISMS.
The question is no longer whether, but how.
What an ISMS actually is (and what it is not)
Before we get into implementation, a brief clarification.
An ISMS - Information Security Management System - is not a tool. Not software. Not a folder with policies.
An ISMS is a structured approach to managing information security.
It includes:
Governance: Who is responsible? How are decisions made?
Risk management: What risks do we have? How do we handle them?
Controls: Which measures do we implement?
Continuous improvement: How do we learn from incidents and audits?
ISO 27001 is the best-known standard for this - but not the only way.
Why most ISMS projects fail
Now for the honest part.
Most ISMS implementations fail not because of technology. They fail because of five predictable problems.
1. Scope too broad
The most common mistake: trying to certify the entire organization at once.
This works for large companies with dedicated compliance teams. For SMEs, it leads to overload, delays, and eventually abandonment.
Pragmatic approach: Start small. One department. One critical process. One location. Then expand.
2. Lack of management buy-in
Without commitment from the top, nothing happens. No budget. No prioritization. No enforcement.
If management sees an ISMS as an "IT project", it is doomed to fail.
Pragmatic approach: Position ISMS as a business issue. Translate risks into business language. Show ROI.
3. Risk analysis underestimated
Risk analysis is the heart of ISO 27001. And the part most people underestimate.
It is not about creating an Excel list with 500 theoretical risks. It is about understanding and prioritizing the real risks to your company.
Pragmatic approach: Focus on the truly relevant risks. Qualitative assessment instead of pseudo-quantification. Regular updates.
4. Documentation overload
An ISMS needs documentation. Policies, processes, evidence.
But: it does not need 500 pages of policies that nobody reads.
Pragmatic approach: Documentation that is actually used. Short. Clear. Current. Better ten pages that are actually used than a hundred pages of shelfware.
5. Checkbox mentality
"We need the certificate."
That is the wrong reason for an ISMS. If the goal is only the certificate, you get a system that passes audits - but no real security.
Pragmatic approach: Understand ISMS as a tool, not an end in itself. The certificate is a byproduct of good security practice.

The pragmatic path to an ISMS
Enough of the problems. Here is how it works.
Phase 1: Define scope
What goes in?
Not everything. At least not at the beginning.
Identify the area that:
Is most critical to the business
Is most demanded by customers or regulations
Can be delineated with manageable effort
This can be:
The cloud infrastructure
The area processing customer data
A specific service or product
Deliverable: A clearly defined scope with documented boundaries.
Phase 2: Capture the current state
What do we already have?
Most companies already have security measures - they are just not documented or structured.
Which policies exist?
Which technical controls are active?
Which processes already exist?
This is not a criticism exercise. This is an inventory.
Deliverable: Gap analysis between the current state and ISO 27001 requirements.
Phase 3: Assess risks
What can go wrong?
Now it gets substantive. Identify the risks within your scope:
Which assets are critical?
Which threats exist?
Which vulnerabilities do we have?
What are the impacts if something happens?
Keep it practical. No theoretical scenarios that will never occur. Focus on what is realistic and can cause damage.
Deliverable: Risk assessment with prioritized risks and a treatment plan.
Phase 4: Implement controls
What do we do about it?
Based on the risk assessment: Which measures do we need?
ISO 27001 Annex A provides 93 controls as a reference. Not all are relevant for every company.
Choose the controls that:
Address your top risks
Fit your context
Can be implemented with manageable effort
Deliverable: Implemented controls with evidence.
Phase 5: Document and live it
How do we keep this going?
An ISMS is not a one-off project. It has to be lived.
Policies that people actually read
Processes that work in day-to-day operations
Training that sticks
Regular reviews and updates
Deliverable: A documented, functioning ISMS.
What you should take away
The ISMS must fit the company. Not the other way around. A pragmatic system that is actually used beats a perfect system that exists only in the audit.
Start small. The biggest mistake is too broad a scope. A clearly defined area that works is better than the entire organization struggling.
Management buy-in is not optional. Without commitment from the top, the ISMS becomes an IT project - and IT projects without business support fail.
Think in a risk-oriented way. Risk analysis is not bureaucracy - it is the core of the system. Invest time here.
Documentation that is lived. Ten pages that everyone knows are worth more than a hundred pages that nobody reads.
The certificate is not the goal. It is a byproduct. The goal is a company that understands and manages information security.
If you need support
We help SMEs build an ISMS that works - not just one that gets audited.
ISMS Readiness Assessment: Where do you stand? What is missing?
Pragmatic Implementation: SME-friendly approach, no enterprise overkill
Scope Definition: Finding the right starting point
CISO-as-a-Service: Ongoing ISMS support without a full-time CISO