Thank you for an excellent perspective! I really like the narrative story approach. Often I find reports too dry to provide the necessary context; the storytelling approach can provide a good antidote against that!
Hi, security consultant and service developer focusing on OT and DFIR. Working for an international consulting firm, based in Europe. Originally a chemical engineer. Big fan of knowledge sharing!
The controls themselves are not hard to understand. Writing policies describing these controls is also not that hard. But: changing the way an organization is working, in terms of habits, documentation, information management, how we collaborate - that can be really, really hard. So even if the requirements in ISO 27001 and the controls guidance in ISO 27002 look straightforward from a technical point of view, it is not easy to change the way of working for a whole organization! It requires leadership, it requires resources, and enough competent people with internal social capital to help support and drive the change. This is why an ISO 27001 journey is usually not just smooth sailing.