You can have the best firewalls money can buy. You can deploy zero trust architecture. You can automate logging, monitoring and access controls until your dashboards glow.
And then Dave from Sales clicks a phishing link.
Welcome to the reality of information security: your biggest risk isn’t always technical. It’s human.
ISO 27001 recognises this. In fact, one of the quiet truths of the standard is that an ISMS isn’t just a collection of controls. It’s a reflection of behaviour. Because at the end of the day, policies don’t make decisions. People do.
Let’s talk about the human side of your ISMS, and why it might be the most important control you manage.
It’s tempting to think security is primarily an IT problem. Install the right tools. Configure the right settings. Tick the right controls. But social engineering attacks don’t bypass your firewall. They bypass your judgement.
Phishing emails. Business email compromise. Pretexting calls. Impersonation scams. Deepfake voice messages. These attacks don’t need a vulnerability in code. They exploit trust, urgency, authority, curiosity and fear.
In other words: human psychology.
That’s why ISO 27001 doesn’t just require technical safeguards. It sets explicit expectations around competence and awareness (Clauses 7.2 and 7.3 in particular; awareness, education and training also appears as Annex A control 6.3 in the 2022 edition). Because without cultural adoption, your ISMS is just paperwork.
Most organisations technically “comply” with security awareness requirements.
They run annual training. Staff click through modules. There’s a quiz at the end. Everyone scores 100%. Compliance box: ticked.
But let’s be honest, if training only happens once a year and feels like an HR obligation, it won’t change behaviour.
Effective security awareness should be:
Security culture forms through repetition and reinforcement, rather than one-off eLearning.
If your team still says, “I didn’t think that applied to me,” you’ve got a culture gap, not a training gap.
If you want to measure your security culture, don’t look at your policy library. Look at how your organisation responds to social engineering. When someone receives a suspicious email, do they:
The difference isn’t technical capability. It’s psychological safety and awareness. High-maturity organisations create environments where:
An ISMS thrives in a culture of transparency. It collapses in a culture of blame.
ISO 27001 embeds human factors throughout the standard. Beyond training and awareness, it touches:
These aren’t technical controls. They’re behavioural scaffolding. For example, it’s not enough to define access control in a system. People must understand why least privilege matters. It’s not enough to publish an acceptable use policy. Staff must understand how their behaviour impacts risk. An ISMS works when behaviour aligns with policy.
Security culture isn’t fluffy. It’s measurable. If you want to understand how well your ISMS is embedded, look at indicators like:
But here’s the key: don’t just measure participation. Measure outcomes. If phishing click rates are decreasing, reporting rates are increasing, and policy breaches are trending downwards, your culture is improving. Compare like with like, though: a click rate falls on its own if the lures get easier, and the number that matters most to your responders is how quickly the first report arrives, because that is what lets them pull the message from everyone else’s inbox. If everyone completed training but risky behaviour remains unchanged, you’ve created compliance, rather than competence.
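As an added illustration of outcome-based measurement (example code written for this page, not part of the original article or of any de.iterate product), the Python below takes constructed phishing-simulation results and derives, per campaign, the click rate, the report rate, the minutes until the first report and whether anyone reported before anyone clicked, then reads a trend only across campaigns with the same lure difficulty. The campaign names, the `lure` tag and the sample recipients are assumptions made for the example.

```python
"""Outcome metrics for a phishing simulation programme.

Constructed sample data, not results from a real campaign: two campaigns
six months apart, six recipients each. Each recipient carries a 'lure' tag
(assumed tagging scheme) so that trends are only read across campaigns of
comparable difficulty; an easier lure drives click rates down on its own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Recipient:
    campaign: str
    lure: str                       # e.g. "generic" or "targeted" (assumed)
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def mins(n):
    return timedelta(minutes=n)


Q1 = datetime(2024, 1, 15, 9, 0)
Q3 = datetime(2024, 7, 15, 9, 0)

SAMPLE = [  # constructed data
    Recipient("2024-Q1", "generic", Q1, clicked_at=Q1 + mins(3)),
    Recipient("2024-Q1", "generic", Q1, clicked_at=Q1 + mins(12)),
    Recipient("2024-Q1", "generic", Q1, clicked_at=Q1 + mins(40), reported_at=Q1 + mins(45)),
    Recipient("2024-Q1", "generic", Q1),
    Recipient("2024-Q1", "generic", Q1),
    Recipient("2024-Q1", "generic", Q1, reported_at=Q1 + mins(95)),
    Recipient("2024-Q3", "generic", Q3, clicked_at=Q3 + mins(6)),
    Recipient("2024-Q3", "generic", Q3, reported_at=Q3 + mins(2)),
    Recipient("2024-Q3", "generic", Q3, reported_at=Q3 + mins(5)),
    Recipient("2024-Q3", "generic", Q3),
    Recipient("2024-Q3", "generic", Q3, reported_at=Q3 + mins(20)),
    Recipient("2024-Q3", "generic", Q3),
]


def campaign_metrics(rows):
    """Per-campaign outcome metrics, ordered by send date."""
    groups = {}
    for r in rows:
        groups.setdefault(r.campaign, []).append(r)
    ordered = sorted(groups.items(), key=lambda kv: min(r.sent_at for r in kv[1]))
    metrics = {}
    for name, rs in ordered:
        n = len(rs)
        click_delays = [r.clicked_at - r.sent_at for r in rs if r.clicked_at]
        report_delays = [r.reported_at - r.sent_at for r in rs if r.reported_at]
        first_click = min(click_delays) if click_delays else None
        first_report = min(report_delays) if report_delays else None
        metrics[name] = {
            "lure": rs[0].lure,
            "recipients": n,
            "click_rate": len(click_delays) / n,
            "report_rate": len(report_delays) / n,
            # Time until the first report is the window an attacker gets before
            # the SOC can pull the message from every other inbox.
            "minutes_to_first_report": first_report.total_seconds() / 60 if first_report else None,
            # Did someone raise the alarm before anyone clicked?
            "report_beat_first_click": first_report is not None
            and (first_click is None or first_report < first_click),
        }
    return metrics


def culture_trend(metrics):
    """Compare the latest campaign with the most recent earlier one using the same lure."""
    names = list(metrics)
    latest = metrics[names[-1]]
    earlier = [metrics[n] for n in names[:-1] if metrics[n]["lure"] == latest["lure"]]
    if not earlier:
        return "not comparable"      # different lure difficulty: no honest trend
    base = earlier[-1]
    clicks_down = latest["click_rate"] < base["click_rate"]
    clicks_up = latest["click_rate"] > base["click_rate"]
    reports_up = latest["report_rate"] > base["report_rate"]
    reports_down = latest["report_rate"] < base["report_rate"]
    if clicks_down and reports_up:
        return "improving"
    if clicks_up and reports_down:
        return "regressing"
    return "mixed"


if __name__ == "__main__":
    results = campaign_metrics(SAMPLE)
    for name, met in results.items():
        print(name, met)
    print("trend:", culture_trend(results))
```

On the constructed data the second campaign clicks less, reports more, and its first report lands two minutes after send and before the first click, so the trend reads as improving; a third campaign with a different lure would be reported as not comparable rather than quietly flattering the numbers.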
Culture flows from the top. If leadership treats security as an afterthought, staff will too. If executives bypass controls “just this once,” everyone notices. If leaders openly discuss risk, model good behaviour, and support security initiatives, adoption increases dramatically.
ISO 27001 places strong emphasis on leadership commitment for a reason (Clause 5.1 is devoted to it). An ISMS cannot succeed if security is siloed in IT. Security needs to be visible at board level, discussed in management reviews (Clause 9.3), and integrated into strategic decisions. Otherwise, it becomes performative.
Building a strong security culture doesn’t require theatrics. It requires consistency.
The goal isn’t to create paranoia. It’s to build informed vigilance.
At de.iterate, we understand that compliance isn’t just about controls. It’s about behaviour. Our platform helps you:
Instead of treating human factors as a soft topic, you can embed them into your ISMS with structure and visibility. Because auditors don’t just ask whether training occurred. They ask whether it’s effective.
You can invest in the most advanced security stack available. But if your people aren’t aligned, engaged and informed, the system won’t hold.
An effective ISMS isn’t just about protecting systems. It’s about empowering people to protect them.
Technology enables security. Culture sustains it.
And when your people understand their role in the bigger picture, compliance stops feeling like an obligation, and starts feeling like ownership.
That’s when your ISMS truly comes alive.