When it comes to cyber security and compliance, most organisations start with good intentions. They download comprehensive information security policies that cover as much ground as possible, and aim to demonstrate strong governance.
But in the rush to meet perceived expectations, it’s all too easy to fall into a common trap: writing aspirational policies that sound good on paper – but simply aren’t implemented, or sustainable in practice.
It’s a dangerous misstep. Because when your policies don’t reflect reality, compliance becomes a future problem or, worse, ends up as a box-ticking exercise. Either way, your risk posture is misrepresented, and you lose sight of what really matters: building a sustainable, continuously improving management system.
Here at de.iterate, we often see businesses – especially those preparing for audits or certifications – overcommit in their policy documents. They write lofty statements like “We conduct quarterly reviews” and “All critical risks are reviewed monthly”. Their policies say they enforce complex controls and mature governance.
But, and here’s where the problems start, when it comes time to demonstrate these policies in practice, the evidence just isn’t there.
Why does this happen?
What’s often overlooked is that these standards are not rigid checklists. ISO 27001 is designed to be scalable, flexible, and business-driven. It encourages organisations to assess their own risks, decide on their risk appetite, and design controls that suit their specific context – not someone else’s.
ISO 27002 (Information security, cybersecurity and privacy protection — Information security controls) offers a catalogue of suggested controls to support ISO 27001 implementation. But it’s a guidance document, not a rulebook. It’s not intended to be applied word-for-word in any organisation.
Using ISO 27002 as a rigid “how-to” manual leads to complexity, over-engineering, and ultimately, non-compliance. Instead, your policies and controls should be designed around your business – your size, sector, risk appetite, and resources.
Ask:
There’s no benefit in claiming you encrypt every device or conduct real-time vulnerability monitoring if that’s not sustainable. It’s better to be transparent about what you do now, document your real risks and plan your improvement activities around the business – think of it as sustainable compliance.
ISO 27001 is not about being perfect – it’s about being honest and improving. A strong Information Security Management System (ISMS) isn’t a set of static documents; it’s a living framework that should evolve as your business changes.
At de.iterate, we encourage clients to adopt a continuous improvement mindset:
This approach not only aligns with ISO 27001 principles – it positions your organisation to succeed in a world where threats and technologies are constantly evolving.
How de.iterate Can Help
At de.iterate, we help businesses implement Management Systems that are achievable, evidence-based, and grounded in continuous improvement. Our platform is designed to:
In short, we help you turn compliance into something meaningful – not just something mandatory.
Compliance is not about creating perfect policies. It’s about creating realistic ones – and then improving them over time. By focusing on continuous improvement rather than aspirational ideals, you not only meet your obligations – you build a stronger, more resilient business.