Why compliance often fails and what it reveals
Across industries, organisations invest in ISO standards to strengthen resilience, security, and risk management. Yet during audits and real-world disruptions, many discover that compliance has been treated as a checklist rather than a living discipline. Clause 8 of ISO 27001, criticality analysis in ISO 22301, and risk assessment under ISO 31000 are three areas where failures consistently surface, revealing deeper issues in ownership, alignment, and adaptability.
Clause 8 of ISO 27001: The Operational Discipline Gap
ISO 27001 (Information Security Management Systems) requires organisations to plan, implement, and control processes needed to meet information security requirements. Clause 8 looks deceptively simple, yet it is where many organisations falter during audits.
The most common failure is the disconnect between documented controls and day-to-day operations. Policies exist, risk treatment plans are approved, but operational teams are neither aligned nor monitored against them. Auditors frequently identify outdated procedures, unmanaged changes to systems, and controls that were designed once but never revisited.
Effective operational planning demands ownership, measurable control objectives, and continuous oversight. Without integrating information security into routine workflows and change management, compliance becomes performative, and Clause 8 is often the first place where that illusion collapses.
ISO 22301: The Criticality Analysis Mistake
ISO 22301 (Business Continuity Management Systems) sets requirements for preparing organisations to withstand disruptions. One of the most persistent mistakes in its implementation is the superficial handling of Business Impact Analysis (BIA).
Organisations often confuse MTPD (Maximum Tolerable Period of Disruption), RTO (Recovery Time Objective), and RPO (Recovery Point Objective), treating them as interchangeable time targets rather than analytically distinct concepts. MTPD defines the longest period of disruption the organisation can tolerate, while RTO and RPO are recovery objectives derived from that threshold, not guesses based on convenience or IT capability.
Too often, BIAs are driven by technology teams alone, ignoring operational, reputational, and regulatory impacts. This results in unrealistic recovery targets that collapse during real incidents. A robust criticality analysis requires cross-functional input and a clear understanding of business priorities, ensuring continuity strategies are driven by impact, not assumption.
ISO 31000: Moving Beyond Risk Matrices
ISO 31000 (Risk Management Guidelines) provides principles and frameworks for managing risk. Traditional risk matrices, with their neat grids and fixed scores, are increasingly inadequate for modern risk environments.
Risk cannot be meaningfully reduced to static likelihood-impact combinations divorced from organisational context. Complex interdependencies, emerging threats, and rapid change demand a more nuanced approach. Organisations must evolve toward dynamic, context-driven risk assessments that reflect the realities of interconnected systems and shifting landscapes.
The Bigger Picture
Across ISO 27001, ISO 22301, and ISO 31000, the common thread is clear: organisations often treat standards as checklists rather than living disciplines. Compliance is not about documentation alone; it is about embedding practices into everyday operations, aligning teams across functions, and continuously adapting to change.
We help organisations move beyond surface-level compliance to embrace standards as tools for resilience, security, and sustainable growth.
Partner with BSB Edge to strengthen your compliance journey and avoid the pitfalls that hold organisations back.
- Nandini Menon