ISO 27001 readiness projects rarely fail because of budget. They stall because of two structural issues: sequence and ownership. In our work with Dutch SMEs and mid-market organisations preparing for certification, or rebuilding a stalled programme, three misconceptions appear in almost every project. None of them is unreasonable. All of them quietly add twelve to twenty-four months to a certification path that should take six to nine months.
This article explains the three patterns, the clauses of ISO/IEC 27001:2022 that each one conflicts with, and the practical sequence we recommend for SMEs starting ISO management system work in 2026 and 2027.
Misconception 1: “ISO 27001 is an IT project”
ISO/IEC 27001:2022 is a management system standard. The Annex A control set — the 93 controls grouped under organisational, people, physical and technological themes — is the part that most clearly touches information technology. It is also the smallest part of what the standard actually requires.
The bulk of certification effort sits in clauses 4 to 10: context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. These clauses are organisational, not technical. When a Chief Information Security Officer leads certification alone, three predictable problems follow:
- HR controls (joiners, movers, leavers; disciplinary process; awareness training) are drafted without HR ownership, and rarely survive contact with real onboarding workflows.
- Supplier and contractual security (Annex A 5.19–5.23) is written without procurement or legal in the room, so the requirements never make it into actual purchase orders or master service agreements.
- Top management treats the certificate as a deliverable to be received rather than a system to be owned. This is the single most common cause of a major nonconformity at the first surveillance audit.
Clause 5.1 of ISO/IEC 27001:2022 requires top management to demonstrate leadership and commitment with respect to the information security management system. This is not a delegable obligation.
In practice, certification programmes that succeed on a realistic timeline are sponsored by a non-IT executive — typically the Chief Operating Officer, Chief Financial Officer, or General Counsel — with the CISO acting as the operational lead. This shift reframes information security from a cost centre to a governance topic, which is also where regulators and large customers increasingly want to see it discussed.
Misconception 2: “We will do the risk assessment after the policies are written”
This is the most expensive reverse-order mistake in the standard, and it is remarkably common. A team begins by writing thirty or forty policies — access control, cryptography, supplier security, incident response — because policies feel like tangible progress. The risk assessment is then performed against the completed policy set.
Clause 6.1.2 of ISO/IEC 27001:2022 requires the organisation to define and apply an information security risk assessment process, and to use the results as the basis for determining the necessary controls.
Control selection is meant to follow risk treatment. When the order is reversed, three issues compound. First, the organisation implements controls it does not need, which inflates cost and audit fatigue. Second, real risks remain unaddressed because no analytical exercise ever surfaced them. Third, the Statement of Applicability (clause 6.1.3 d) cannot defensibly explain why each control is included or excluded, because the justification is retrofitted.
A defensible sequence places risk assessment in the first six weeks of the project, immediately after scope definition. The policy work is then proportional, traceable, and far easier to maintain. The same principle applies when the organisation simultaneously implements ISO 9001 or ISO 14001 — risk-based thinking is now the common backbone of all three standards.
Misconception 3: “Once we are certified, we are done for three years”
The certificate is valid for three years. The management system has no such grace period. Surveillance audits occur annually, typically in months 12 and 24 of the certification cycle. Internal audits (clause 9.2) and management reviews (clause 9.3) are not optional inputs to those surveillance visits; they are explicit requirements of the standard.
Regulatory context has reinforced this expectation. The NIS2 Directive, transposed into Dutch law as the Cyberbeveiligingswet, references information security management practices that align with ISO/IEC 27001 as a practical baseline for essential and important entities. The Digital Operational Resilience Act (DORA) similarly expects financial entities to demonstrate continuous operation of their ICT risk management framework. Both regimes look for evidence of operation, not the presence of a framed certificate.
A management system that stops running between audits is one incident — or one regulatory inspection — away from a major nonconformity.
The practical correction is to plan the first internal audit and the first management review into the calendar before the certification body issues the certificate. Evidence of operation begins on day one of certification, not at month eleven when the first surveillance audit is announced.
What this looks like in practice
For SMEs considering ISO 27001 in the next twelve to eighteen months, three practical steps reliably reduce the timeline and improve the quality of the resulting system:
- Appoint a non-IT executive sponsor. The COO, CFO, or General Counsel is typically the right choice. The CISO leads operationally; the sponsor ensures organisational reach into HR, procurement, and finance.
- Perform the risk assessment in week two, not month six. Use the output to drive policy scope, the Statement of Applicability, and the prioritisation of Annex A controls.
- Plan internal audit and management review before certification is issued. A short annual cycle, mapped to the calendar, prevents the “three-year silence” pattern that fails the first surveillance audit.
None of this is glamorous. All of it is the difference between an ISO 27001 certificate that opens commercial doors and one that quietly becomes an internal cost item with no operational meaning.
The commercial case for getting it right
ISO 27001 sits at an unusually useful intersection in 2026. Customers, insurers, and regulators all begin to expect it at approximately the same growth stage — typically a Series B financing round, the first enterprise client win, or the first contract that falls under NIS2 or DORA scope. A credible certification, supported by visible operation of the management system, can replace dozens of bespoke security questionnaires and shorten enterprise procurement cycles materially.
A certificate without an operating system behind it is the opposite — a paperwork burden that no sophisticated buyer trusts. The standard is rigorous precisely because the market has learned to distinguish between the two.
Where Royaal Project can help
We run short ISO 27001 readiness scans for SMEs and mid-market organisations: a gap analysis against the 2022 version of the standard, a risk-based scoping of the management system, and a realistic timeline before the organisation commits to a certification body. The scan typically completes within two weeks and produces a working list — not a legal opinion — that the internal team can act on directly.
For organisations that already have other ISO management systems in place, we map integration opportunities with ISO 9001 and ISO 14001 to avoid duplicate policies, duplicate audits, and duplicate management reviews. Where contractual security obligations cross into supplier and customer contracts, we work with legal and procurement to translate Annex A requirements into operational clauses rather than aspirational language.
To discuss whether an ISO 27001 readiness scan is the right next step for your organisation, please visit royaalproject.com or book an introductory conversation through the contact page.
This article describes observed practice patterns and best practices. It is not legal advice.