ISO 27001 Common Mistakes

January 31st, 2008 Jasjit Posted in All Posts, Information Security

David Watson, one of the earliest exponents of the ISO 27001 standard and one of the best-known figures in the industry, highlights some of the most common errors and mistakes he has encountered in Information Security Management Systems over recent years:

  1. There is frequently a lack of traceability of the controls in the Statement of Applicability (SoA) to the Risk Assessment and Treatment Process (and back to the SoA);

  2. Risk Assessments often look only at technical risks and forget that the organization is a business, with business risks of its own;
