
Common errors in ISO 27001 documentation

Failed ISO 27001 certification isn't always the result of a poorly configured firewall or an incomplete continuity plan. Often, it's a poorly managed filing cabinet, an obsolete procedure or an incomplete logbook that brings it all crashing down.

According to audit data, documentation is the leading cause of non-compliance in ISO 27001 certification. Missing documents, out-of-date versions, inconsistencies between what is written and what is applied: every document error opens a breach in the ISMS and compromises the credibility of the entire system.

The good news? These errors are perfectly avoidable, provided you are aware of them and structure your ISO 27001 documentation methodically from the outset.

Mistake No. 1: Thinking a downloaded template is enough

This is the most dangerous illusion: buying a "ready-to-use" ISO 27001 documentation package on the Internet and believing that the job is done. In reality, these generic document bases are rarely adapted to your company's specific context.

The problem: These models cover general cases, but ignore your business processes, infrastructure, real risks and corporate culture. The result: hollow policies, inapplicable procedures and inadequate controls.

Audit impact: The auditor immediately spots the copy-paste, asks how the procedures are applied in practice, and discovers that nobody follows them because they do not correspond to reality on the ground. Certification is compromised.

How to avoid it: Use templates as a starting point, never as a finished product. Involve operational staff in the drafting process to ensure that each document reflects your actual practices. Customize each policy and procedure to suit your context, risks and objectives.

Mistake No. 2: Managing documentation in a fragmented way

Excel for asset registers, SharePoint for policies, Google Drive for procedures, a wiki for instructions, e-mails for approvals... Welcome to document chaos.

The problem: Without a centralized system, it's impossible to guarantee consistency, traceability and version control. Who validated which version? Where is the latest update? Who is responsible for the review? No one knows.

Audit impact: The auditor asks to see a document, and you present three different versions from three different sources. The confusion reveals a lack of document governance.

How to avoid it: Centralize document management in a single system that covers the entire lifecycle: creation, validation, distribution, updating, archiving. Define a clear document management procedure specifying responsibilities, validation circuits and versioning rules. Ideally, use an integrated ISMS platform like Oversecur to automate these processes and guarantee traceability.

Mistake No. 3: Leaving a gap between theory and practice

You've written an exemplary security incident management procedure. On paper, everything is perfect. In reality, nobody follows it, either because it's too complex, or because it doesn't correspond to the tools and processes actually in place.

The problem: In ISO 27001, an unimplemented procedure is worse than no procedure at all. It reveals a discrepancy between the documented system and the actual system, which calls into question the credibility of the entire ISMS.

Audit impact: The auditor questions operational staff in the field and discovers that they do not know the procedure, or that they are applying a method that is totally different from what is written down. Result: major non-conformity due to lack of consistency between documentation and practices.

How to avoid it: Only write what you can actually apply. Involve operational teams in the drafting process to ensure that procedures are understandable and applicable. Test each procedure before final approval, and adjust it if necessary.

Mistake No. 4: Neglecting coherence between risk analysis, SoA and policies

ISO 27001 documentation must form a coherent whole. The risk analysis prioritizes the risks, the treatment plan selects the measures, the Statement of Applicability (SoA) justifies the controls selected, and the policies/procedures describe their implementation.

The problem: Too many companies draw up these documents in isolation, without ensuring overall consistency. The result: a risk analysis that identifies a critical risk of unauthorized access... but no corresponding access control policy in the system.

Audit impact: The auditor checks the traceability between risks, controls and evidence. If the link is broken (a risk without an associated control, a control in the SoA without a corresponding procedure, a procedure without a record of implementation), this is an immediate non-conformity.

How to avoid it: Build your documentation sequentially and logically:

  1. Perform risk analysis
  2. Define the treatment plan
  3. Write the Statement of Applicability (SoA), justifying each control
  4. Create policies and procedures that describe how controls are implemented
  5. Collect the records that prove their application

Use the treatment plan to check that each risk to be treated is covered by the right controls, including the right documents.
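The traceability check the auditor performs (risk to be treated → control in the treatment plan → applicable SoA entry → procedure → record) can be automated over an export of the ISMS register. The script below is an added example, not code from the article or from any ISMS product; the risk ids, control ids (written in Annex A style purely as illustration), document ids and record ids are constructed sample data, and the three dataclasses are an assumed minimal model of the register.

```python
"""Added example (not from the article): detect broken links in the chain
risk -> treatment plan -> SoA -> procedure -> record.
All identifiers below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    description: str
    treat: bool                                   # True = treatment plan says "treat"
    controls: list = field(default_factory=list)  # control ids chosen to treat it


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str


@dataclass
class Procedure:
    doc_id: str
    controls: list   # control ids this procedure implements
    records: list    # record ids proving the procedure is applied


def check_traceability(risks, soa, procedures):
    """Return a list of findings; an empty list means every link holds."""
    findings = []
    soa_by_id = {e.control_id: e for e in soa}
    controls_with_procedure = {c for p in procedures for c in p.controls}

    # Link 1: every risk to be treated maps to controls that are applicable in the SoA
    for r in risks:
        if r.treat and not r.controls:
            findings.append(f"{r.risk_id}: risk to be treated has no control in the treatment plan")
        for c in r.controls:
            entry = soa_by_id.get(c)
            if entry is None:
                findings.append(f"{r.risk_id}: control {c} is not in the SoA")
            elif not entry.applicable:
                findings.append(f"{r.risk_id}: control {c} is marked not applicable in the SoA")

    # Link 2: every applicable SoA control is justified and described by a procedure
    for e in soa:
        if e.applicable and not e.justification.strip():
            findings.append(f"SoA control {e.control_id} has no justification")
        if e.applicable and e.control_id not in controls_with_procedure:
            findings.append(f"SoA control {e.control_id} has no procedure describing its implementation")

    # Link 3: every procedure is backed by at least one record of application
    for p in procedures:
        if not p.records:
            findings.append(f"procedure {p.doc_id} has no record proving it is applied")
    return findings


def sample_findings():
    """Run the check on a constructed register with two deliberate gaps."""
    risks = [
        Risk("R-001", "Unauthorized access to HR data", True, ["A.5.15"]),
        Risk("R-002", "Theft of an unencrypted laptop", True),          # treated, but no control chosen
        Risk("R-003", "Defacement of the marketing website", False),    # accepted risk
    ]
    soa = [
        SoaEntry("A.5.15", True, "Needed to treat R-001"),
        SoaEntry("A.8.1", True, "Endpoint devices are in scope"),      # no procedure implements it
    ]
    procedures = [
        Procedure("PROC-ACCESS", ["A.5.15"], ["REC-ACCESS-REVIEW-2024Q1"]),
    ]
    return check_traceability(risks, soa, procedures)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Each finding names the exact link that is broken, which is what you want to fix before the auditor finds it: the sample run reports that R-002 has no control in the treatment plan and that SoA control A.8.1 has no procedure behind it.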

Mistake No. 5: Forgetting the document management procedure

Many companies focus on security policies, operational procedures and risk analysis, but forget to formalize how they manage their documentation.

The problem: Without a document management procedure, it's impossible to guarantee consistency, traceability and version control. Who creates documents? Who validates them? Where are they stored? How are they updated? Who is responsible for them? Without clear answers, the document system becomes uncontrollable.

Audit impact: The auditor checks the control of documented information. If you can't demonstrate a clear circuit of creation, validation, distribution and updating, you're in non-compliance.

How to avoid it: Write a document management procedure that describes:

  • Types of ISMS documents (policies, procedures, records, external documents)
  • Rules for creation, validation and approval (who writes, who validates, according to which circuit)
  • Distribution and access procedures (where documents are published, who has access to them)
  • Update, versioning, archiving and destruction processes
  • Naming, numbering and dating conventions

This procedure becomes the backbone of your document governance. In fact, it's the very first to be written.

Mistake No. 6: Failing to define responsibilities for document reviews

A document written today becomes obsolete tomorrow, unless it is regularly reviewed and updated. Yet many companies create their policies and procedures... and then forget them.

The problem: processes evolve, tools change, risks transform. If documentation is not kept up to date, it loses all value and even becomes an audit liability.

Audit impact: The auditor consults a procedure dated 2021, which refers to a tool that no longer exists or a process that has been modified. He asks to see proof of document review and discovers that no review has been carried out since the initial certification. Non-compliance guaranteed.

How to avoid it: Assign a review manager for each document. Define a suitable review frequency (annual for policies, half-yearly for critical procedures). Integrate document reviews into the ISMS schedule, and track their completion via indicators. Use tools that generate automatic alerts when the review date approaches.
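The review schedule above (an owner per document, a frequency per document type, an alert before the review date) is simple enough to script from the document register. The code below is an added example, not code from the article or from any tool it mentions; the 12-month and 6-month frequencies follow the article's suggestion, the frequency for ordinary procedures and the 30-day warning window are assumptions, and the document ids, owners and dates are constructed sample data.

```python
"""Added example (not from the article): flag ISMS documents whose periodic
review is overdue or approaching, and documents with no review owner.
Document ids, owners and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review frequency in months per document type. "policy" (annual) and
# "critical_procedure" (half-yearly) follow the article; "procedure" is an assumption.
REVIEW_FREQUENCY_MONTHS = {
    "policy": 12,
    "critical_procedure": 6,
    "procedure": 12,
}


@dataclass
class Document:
    doc_id: str
    doc_type: str
    owner: Optional[str]   # review manager; None means nobody is accountable
    last_review: date


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    first_of_following = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_following - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def next_review_date(doc: Document) -> date:
    return add_months(doc.last_review, REVIEW_FREQUENCY_MONTHS[doc.doc_type])


def review_status(doc: Document, today: date, warn_days: int = 30) -> str:
    """Classify a document as 'overdue', 'due_soon' (within warn_days) or 'ok'."""
    due = next_review_date(doc)
    if due < today:
        return "overdue"
    if due - today <= timedelta(days=warn_days):
        return "due_soon"
    return "ok"


def review_findings(docs, today: date, warn_days: int = 30):
    """Return the alerts an ISMS schedule would raise on the given day."""
    findings = []
    for doc in docs:
        if doc.owner is None:
            findings.append(f"{doc.doc_id}: no review owner assigned")
        status = review_status(doc, today, warn_days)
        if status != "ok":
            findings.append(
                f"{doc.doc_id}: review {status} (next review {next_review_date(doc).isoformat()})"
            )
    return findings


def sample_findings():
    """Run the schedule check on a constructed register as of 2025-03-01."""
    today = date(2025, 3, 1)
    docs = [
        Document("POL-ISMS", "policy", "CISO", date(2024, 2, 15)),               # overdue
        Document("PROC-INCIDENT", "critical_procedure", "SOC lead", date(2024, 9, 10)),  # due in 9 days
        Document("PROC-BACKUP", "procedure", None, date(2024, 11, 20)),          # no owner
    ]
    return review_findings(docs, today)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Feeding the register into this check from the ISMS schedule (for example as a monthly job) gives you the "automatic alert when the review date approaches" without depending on anyone remembering the date, and the owner check surfaces documents nobody is accountable for before the review falls due.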

Mistake No. 7: Overloading documentation (or under-documenting it)

There are two extremes to avoid: writing hundreds of pages of procedures that no-one will ever read, or producing minimalist documentation that doesn't cover the standard's requirements.

The problem: Too much documentation weighs down the system, complicates maintenance and discourages users. Too little documentation leaves unclear areas, prevents traceability and exposes you to non-conformities.

Audit impact: In the first case, the auditor discovers contradictory, redundant or inapplicable documents. In the second case, the auditor finds gaps in the coverage of mandatory requirements.

How to avoid it: Apply the "just what is necessary" principle:

  • Document what the standard explicitly requires (scope, policy, risk analysis, SoA, treatment plan, objectives).
  • Document what you need to control your critical risks
  • Don't write what is obvious, universally known or already documented elsewhere (example: you don't need a 10-page procedure to explain how to create a strong password if you already have a clear password policy).
  • Prioritize clarity and simplicity: a short, precise and applicable document is better than an incomprehensible pamphlet.

Best practices for audit-ready documentation

Simplicity first

Keep your documents short, clear and action-oriented. Avoid unnecessary jargon and convoluted wording. Each document must be easy to read, understand and apply by the people concerned.

Involving operational staff

Never write alone. Involve field teams in the drafting process to ensure that procedures reflect reality and are applicable on a day-to-day basis.

Defining a common vocabulary

Clarify the terms used internally: policy, procedure, process, instruction, record. Avoid confusion by standardizing document vocabulary from the outset.

Integrating security into existing processes

Don't make security a separate domain. For example, integrate security incident management into the overall incident management process. This simplifies documentation and facilitates adoption by teams.

Empowering and delegating

The more you delegate document review responsibilities, the easier it will be to keep your documentation up to date. Appoint owners for each document and make them accountable.

In brief

ISO 27001 documentation that is accurate, clear and under control is not an administrative burden, but a strategic management tool. It structures processes, clarifies responsibilities, facilitates the integration of new employees and proves compliance during audits.

Successful certification means accepting that documentation is a living system, regularly reviewed, aligned with reality in the field and steered by clear governance.

Do you want to avoid these mistakes and structure solid documentation from the outset? Feel Agile supports companies in building, improving and automating their ISO 27001 documentation system. Discover our proven method for transforming documentation into a performance driver.
