Interpreting ISO 27001: What It Really Says About Cyber Security - de.iterate

Written by sallydeiteratecom | May 21, 2025 3:31:59 PM

Let’s be honest: if you’ve ever tried to read ISO 27001 cover to cover, you’ve probably found yourself muttering something like, “Well that sounds lovely… but what does it actually mean?”

You’re not alone.

The truth is, ISO 27001 is full of high-level, broad-stroke statements — the kind of “good governance” advice that sounds like it came straight out of a corporate self-help book. These are what we call motherhood statements. Things no one can disagree with, but which don’t actually tell you how to get things done in your specific business.

And guess what? That’s entirely by design. It’s a feature of the standard, not a bug.

What matters most isn’t what the standard says in theory. It’s how your business interprets and implements it in practice.

Why Language Matters

To make sense of ISO 27001 (and all standards, really), you first need to crack the language code. Specifically, you need to understand the difference between “shall” and “should” (semantics, right?!).

Here’s a quick definition for those of you still following along:

  • “Shall” = you must do it. No wiggle room. Mandatory. These are the requirements you must meet to achieve compliance.
  • “Should” = it’s optional. A strong, best-practice suggestion, but not required to achieve compliance.

Now, here’s where it gets really interesting…

In ISO 27001, the word “shall” appears 156 times.

The word “should”? Just three times.

That’s no accident.

The standard is built around the idea that businesses must define and implement security controls that are appropriate to their own context. It doesn’t prescribe exactly how to do things – just that they shall be done.

In contrast, ISO 27002 – the guidance framework that supports the implementation of 27001 – goes the other way entirely:

  • “Should” appears 788 times
  • “Shall” appears just once, and not even in the control guidance itself. It’s only included in the foreword!

So, what’s the point? ISO 27001 isn’t here to tell you exactly how to run your cyber security program. It’s here to say, you shall do these important things — like identify your risks, have a plan, and improve it over time.

But how you do those things? That’s up to you.

Compliance Isn’t About Perfection — It’s About Fit

This is where a lot of businesses go wrong. They assume ISO 27001 is a one-size-fits-all checklist. They pull controls straight from ISO 27002, paste them into a policy, and promise the world: “We monitor all assets in real time, audit logs daily, and review access permissions every Tuesday before lunch.”

Only… they don’t.

And when audit time rolls around? Things fall apart, quickly.

The better approach — the smarter, more sustainable approach — is to be realistic. Work out what you actually do. Then define what good looks like for your business. Document it. Improve it. Repeat.

Because ISO 27001 doesn’t care if you’re a fintech unicorn or a three-person consultancy. It just wants to know that you’ve taken security seriously in a way that makes sense for your organisation.

You’re Allowed to Run With Scissors (As Long As You Write It Down)

Here’s something most people won’t tell you: you can have a big risk appetite and still be compliant.

You might decide, based on your business context, that you’re comfortable with certain risks. And then you might document that decision, show your working, and put some controls in place. Guess what? You’re still playing by the compliance rules.

Want to allow staff to use their own laptops? Fine. Just document the risk, mitigate what you can, and explain how you’re managing it.

Want to skip full-disk encryption on your office desktops because they never leave the building? Fine. Just document why you think the physical security controls are sufficient, assess the risk, and be ready to explain your rationale if someone asks.

Want to skip a specific control in ISO 27002 because it doesn’t apply to your business model? Also fine. Just don’t pretend it’s there when it isn’t.

The key is transparency and consistency. Own your decisions. Back them up. That’s real governance.

The Serious Takeaways

Here’s a more effective way to interpret and implement ISO 27001:

  1. Understand your context. What does your business do? What are your core assets, systems, and stakeholders?
  2. Define your risk appetite. Are you cautious and compliance-heavy, or agile and risk-tolerant?
  3. Write realistic policies. Align your documentation with what you actually do, not what a consultant’s template says.
  4. Use ISO 27002 for inspiration, not instruction. Take what’s relevant, adapt what you need, and leave what doesn’t apply.
  5. Document your decisions. If you choose not to implement a control, explain why. That’s not a failure, it’s good governance.

Remember: ISO 27001 is simply asking you to identify your risks and take reasonable steps to manage them. If you decide that you have a big risk appetite, that’s your call. As long as it’s defined, documented, and agreed upon internally, you can still be ISO 27001 compliant.

de.iterate: Making ISO 27001 Work for Humans

At de.iterate, we’re not here to drown you in paperwork or sell you another bloated compliance tool. We’re here to help you understand what you shall do, figure out what you should do (if it makes sense), and build a cyber security framework that actually works for your team.

Our platform:

  • Helps you interpret ISO 27001 through the lens of your actual business
  • Shows you where you’re compliant today, and where you’re not
  • Tracks your progress over time with a clear improvement roadmap
  • Keeps auditors and stakeholders happy with documentation that matches reality

Because cyber security isn’t about ticking every box. It’s about knowing which boxes matter, and why.

Understanding Which Boxes to Tick

Don’t treat ISO 27001 like the holy grail. Instead, treat it like a map: one that helps you get where you want to go, not where someone else thinks you should end up.

You shall take security seriously.

You should do it in a way that’s honest, practical, and built for your business.

And you’ll be in much better shape if you stop pretending you do everything already, and start showing how you’re improving every day.