When it comes to cyber security and compliance, most organisations start with good intentions. They download comprehensive information security policies that cover as much ground as possible, and aim to demonstrate strong governance.
But in the rush to meet perceived expectations, it’s all too easy to fall into a common trap: writing aspirational policies that sound good on paper – but simply aren’t implemented, or sustainable in practice.
It’s a dangerous misstep. When your policies don’t reflect reality, compliance becomes a future problem or, worse, ends up a box-ticking exercise. Either way, your risk posture is misrepresented, and you lose sight of what really matters: building a sustainable and continuously improving management system.
The Problem with “Perfect Policies”
Here at de.iterate, we often see businesses – especially those preparing for audits or certifications – overcommit in their policy documents. They write lofty statements like “We conduct quarterly reviews” and “All critical risks are reviewed monthly”. Their policies say they enforce complex controls and mature governance.
But here’s where the problems start: when it comes time to demonstrate these policies in practice, the evidence just isn’t there.
Why does this happen?
- Policy templates are copied and pasted without tailoring to business context
- External pressure from clients or regulators encourages overpromising
- Internal silos mean technical, legal, and operational teams aren’t aligned
- Misinterpretation of standards like ISO 27001 or ISO 27002 leads to unrealistic expectations
What’s often overlooked is that these standards are not rigid checklists. ISO 27001 is designed to be scalable, flexible, and business-driven. It encourages organisations to assess their own risks, decide on their risk appetite, and design controls that suit their specific context – not someone else’s.
ISO 27002 is Guidance, Not Gospel
ISO 27002 (“Information security, cybersecurity and privacy protection — Information security controls”) offers a catalogue of suggested controls to support ISO 27001 implementation. But it’s a guidance document, not a rulebook. It’s not intended to be applied word-for-word in any organisation.
Using ISO 27002 as a rigid “how-to” manual leads to complexity, over-engineering, and ultimately, non-compliance. Instead, your policies and controls should be designed around your business – your size, sector, risk appetite, and resources.
Ask:
- What threats are most relevant to us?
- What controls do we already have in place?
- If I implement this new control, will it move the dial on a business risk?
- What will we realistically implement, and what are we capable of doing over time?
There’s no benefit in claiming you encrypt every device or conduct real-time vulnerability monitoring if that’s not sustainable. It’s better to be transparent about what you do now, document your real risks, and plan your improvement activities around the business – think of it as sustainable compliance.
The Case for Continuous Improvement
ISO 27001 is not about being perfect – it’s about being honest and improving. A strong Information Security Management System (ISMS) isn’t a set of static documents; it’s a living framework that should evolve as your business changes.
At de.iterate, we encourage clients to adopt a continuous improvement mindset:
- Start with the truth. Document what you actually do today – even if it’s not ideal.
- Identify your gaps. Use your risk assessments, internal audits, or gap analysis to highlight where you’re falling short.
- Prioritise actions. Not every control needs to be implemented immediately. Focus on high-impact risks and essential controls first.
- Create a roadmap. Build a plan with timelines, responsibilities, and milestones to close the gap over time.
- Monitor and review. Use internal reviews, management input, and external feedback to adapt your program as your business grows.
This approach not only aligns with ISO 27001 principles – it positions your organisation to succeed in a world where threats and technologies are constantly evolving.
How de.iterate Can Help
At de.iterate, we help businesses implement Management Systems that are achievable, evidence-based, and grounded in continuous improvement. Our platform is designed to:
- Map policies and controls to your actual business operations
- Identify and document current-state compliance
- Highlight gaps and track your improvement over time
- Demonstrate progress to auditors, customers, and stakeholders
- Provide assurance through evidence-based compliance activities
- Reduce the complexity of standards like ISO 27001 by focusing on what matters most
In short, we help you turn compliance into something meaningful – not just something mandatory.
Compliance is not about creating perfect policies. It’s about creating realistic ones – and then improving them over time. By focusing on continuous improvement rather than aspirational ideals, you not only meet your obligations – you build a stronger, more resilient business.