ISO 27001 in SMEs: Making sense of it all — the theory

By Burkhard Wolkewitz, posted on 6.5.2026

Information security is already on the radar for most mid-market companies. NIS2 and ISO 27001 are hard to ignore. But here's where things get murky: nobody's quite sure what this actually looks like in practice. The standards feel foreign. The jargon is technical. The methodology seems abstract. What exactly is an asset? How do you tell the difference between need for protection and risk? And why do you even need confidentiality, integrity, and availability? This uncertainty is what holds most companies back.

3 typical hurdles when getting started with ISO 27001

This uncertainty is understandable. The language is unfamiliar, the thinking patterns are new, and it feels like you need to memorize half the standard just to get going.

Three hurdles come up again and again when companies tackle ISO 27001 for the first time:

  1. The introduction sounds too abstract.
    You hear terms like business impact analysis, RTO, asset structure — but you can't quite picture what they mean for your day-to-day work.
  2. Information security is misunderstood as an IT issue.
    Suddenly the conversation shifts to firewalls, backups, and access controls. But that's missing the point. The real question is a business one.
  3. There is no clear starting point.
    Should you start with information? Risks? Systems? Measures? Nobody's quite sure where to begin.

The classic way: Starting with technology

The natural instinct is to dive into the tech side. You kick off with systems, vulnerabilities, firewalls, backups, permissions. It's not wrong — but it's often the wrong place to start. Here's why: information security quickly becomes an IT problem. And with the number of systems you're running, it becomes overwhelming fast.

Why the technical approach falls short

Here's the real problem: you're asking the wrong question. The question isn't "How do we secure our systems?" The question is: "What does our company need to protect to stay in business?" Or put differently: What are the actual security risks hiding in how we work every day — in our business processes?

Information security isn't an IT problem. It's not even primarily a technical discipline. It's not about locking down systems for their own sake. It's about keeping your company able to deliver reliable services, process information correctly, and keep critical processes running — even when things go wrong. That's a business question, not a tech question.

The better way: Start with business processes

Business processes are your best entry point. Here's why:

They're already familiar.

  • They're part of your daily work.
  • Many companies have already documented them for quality management.
  • Everyone in the relevant departments understands them directly.

They create a bridge between two worlds.

This is the real payoff: business processes connect ISO 9001 (quality management) and ISO 27001 (information security) seamlessly. Instead of starting with abstract concepts like "assets," you anchor information security to something that already exists in your company.

You're not learning a new language. You're just asking new questions about processes you already know.

This is where the methodology suddenly gets simple

And this is exactly where the methodology suddenly becomes much simpler: information is never processed in isolation, but always within a business process. A sales process handles different information than development, development handles different information than purchasing, and each of these processes depends on specific resources — assets.

Rethinking assets: primary and secondary

Systems, laptops, employees, rooms or external service providers are therefore no longer regarded as loose objects, but as the means by which information is processed within a business process.

With this point of view, the terms also become more tangible:

  • Primary assets are the information and business processes that are important for the company.
  • Secondary assets are the resources with which this information is processed, such as the CRM system, the ERP system, the sales representative's laptop, the cloud service or even the employees themselves.

Determine the protection goals correctly: confidentiality, integrity, availability

The major methodological advantage is that the protection goals can now also be derived cleanly.

Confidentiality and integrity: derived from the information

Confidentiality and integrity result from the information itself. When customer data, contract data, calculations or personal data are processed in the company, the following questions arise immediately:

  • Who may see this information?
  • How correct, complete and unaltered must it be?

Availability: derived from the business process

Availability, on the other hand, does not primarily result from information, but from the business process. The decisive question here is how long a process can fail before it causes business-critical damage.

For many companies, it is precisely this distinction that is a decisive aha moment. Because it makes the methodology easier to understand:

  • Confidentiality and integrity depend on the content.
  • Availability depends on business operations.

Protection goals therefore become concrete as soon as you look at them in the right context. That's when it becomes apparent which IT assets you need to operate your critical processes securely, and which protective measures actually make sense for your business. Some IT assets need maximum security, others much less.

This turns an abstract security model into a comprehensible, business-oriented order.

The methodological principle: five clear steps

All of this can be broken down to a simple methodological principle:

  1. Primary assets are business processes and information. This is where the real business value that needs to be protected lies.
  2. Confidentiality and integrity are derived from the information. Information defines who may see something and how correct the content must be.
  3. Availability is derived from the business process. The business question counts here: how long can the process be unavailable before it causes business-critical damage?
  4. Secondary assets are the resources of the process. Systems, devices, employees or rooms process the information within the process.
  5. Risks become concrete at the level of resources. This is the best place to identify, evaluate and treat them.
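To make the five steps tangible, here is an added example (not from the post or from Modell Aachen): a small Python model that takes confidentiality and integrity from the information, availability from the tolerable downtime of the process, and propagates the resulting protection need to each secondary asset as the maximum over all processes that use it. The level names, the downtime thresholds and the two sample processes are constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal protection levels; three steps are an assumption, not from the post.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Information:            # primary asset: information
    name: str
    confidentiality: str      # derived from the content: who may see it?
    integrity: str            # derived from the content: how correct must it be?

@dataclass
class BusinessProcess:        # primary asset: business process
    name: str
    information: list         # Information objects handled in this process
    max_downtime_hours: int   # how long may the process be unavailable?
    resources: list           # names of the secondary assets it depends on

def availability_level(max_downtime_hours: int) -> str:
    """Map tolerable downtime to a level (constructed thresholds)."""
    if max_downtime_hours <= 4:
        return "high"
    if max_downtime_hours <= 24:
        return "medium"
    return "low"

def derive_protection_needs(processes):
    """Step 4/5: each resource inherits C/I from the information and A from
    the process; a shared resource keeps the maximum over all its processes."""
    needs = {}
    for p in processes:
        a = availability_level(p.max_downtime_hours)
        for r in p.resources:
            cur = needs.setdefault(r, {"C": "low", "I": "low", "A": "low", "processes": set()})
            cur["processes"].add(p.name)
            cur["A"] = max(cur["A"], a, key=LEVELS.get)
            for info in p.information:
                cur["C"] = max(cur["C"], info.confidentiality, key=LEVELS.get)
                cur["I"] = max(cur["I"], info.integrity, key=LEVELS.get)
    return needs

# Constructed sample: a sales and a purchasing process of a fictitious company.
CUSTOMER_DATA = Information("customer data", "high", "medium")
CALCULATIONS = Information("price calculations", "high", "high")
SUPPLIER_CONTRACTS = Information("supplier contracts", "medium", "high")
PROCESSES = [
    BusinessProcess("sales", [CUSTOMER_DATA, CALCULATIONS], 24, ["CRM", "ERP", "sales laptop"]),
    BusinessProcess("purchasing", [SUPPLIER_CONTRACTS], 72, ["ERP"]),
]
```

Running `derive_protection_needs(PROCESSES)` shows the ERP system ending up with high confidentiality and integrity but only medium availability, because the sales process, not purchasing, drives its downtime requirement.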

Why this order also prevents knee-jerk action

And this order has another advantage: it prevents actionism. Especially when cyber risks are on the table, there is a strong urge to implement measures immediately. Multi-factor authentication, backup hardening, awareness training, network segmentation — it all makes sense, no question about it.

But without a proper derivation, it often remains unclear:

  • Which measures bring the greatest benefit first?
  • Which processes or information actually drive the need for protection?

Getting started via business processes creates exactly the structure that many companies lack:

  • It builds on the existing process landscape from ISO 9001.
  • It connects departments, management and IT through a common logic.
  • It turns the language of the standard into a workable corporate perspective.

Information security thus becomes much more concrete and finally what it should be at its core: a contribution to the stability and security of the company.

The most important insight for companies

Perhaps this is the most important insight to start with: you don't have to master every detail of the standard when getting started with ISO 27001. What you first need is a comprehensible way in, and it's right in front of you: the business processes that your company manages every day anyway.

Read part two: How it works in practice

In the second part, exactly this logic becomes concrete. I will then give a practical example of the methodology — the evaluation of the information security of the sales process of a medium-sized mechanical engineering company.
