The ISO 27001 mountain expedition


ISO 27001 certification is achievable for organisations of any size. It requires systematic effort, genuine commitment, and realistic expectations, but it is not mysterious or out of reach: thousands of organisations maintain certification successfully.

The climbing metaphor reflects the reality of the journey: it involves preparation, distinct stages, the right equipment (controls matched to risks), teamwork, occasional setbacks (audits reveal issues, plans need adjustment), ongoing effort (reaching the summit is not the end), and, at the summit, benefits that make the climb worthwhile.

Compliance is treated as something derived from observed system behaviour rather than demonstrated through documentation alone. Controls encode assumptions about the environment they operate in. When a control fails to produce its intended effect, the question worth asking is not whether the procedure was followed but whether the assumption the control was built on fits the operational reality. The evidence that counts is not that a control exists and ran but that it produced the expected effect under realistic conditions, demonstrated by repeatable observations such as a penetration test, a simulated phishing exercise, a tabletop drill, a proof-of-concept, or a CTF scenario. Each stage of the journey reflects this framing.

Base camp calling