
When organisations decide to pursue ISO 27001 certification, it is often framed as a technical task: something for IT to manage alongside everything else.
In this conversation, Ben Carrick, Strategist at LeftBrain, challenges this assumption and unpacks some of the most common reasons ISO 27001 programmes struggle to get off the ground.
“Your MSP can’t get you certified, because it was never an IT project to begin with.”
Why ISO 27001 is so often misunderstood
In many organisations, ISO 27001 is handed to an IT team or an MSP with the expectation that it can be implemented like any other technical project.
The problem is that ISO 27001 isn’t designed to test tools. It’s designed to test how an organisation governs information security.
“That’s where we see stalled implementations, failed audits, and non-conformities,” Ben explains. “IT teams are great at technical controls, but they’re not set up to run a governance programme.”
Auditors are looking for evidence that security is understood, owned, and actively managed across the business. That includes leadership involvement, clear accountability, and sensible risk decisions, not just configurations and documentation.
For organisations supplying into the public sector or operating within government and defence supply chains, this becomes even more visible. Government-assured cyber security is about confidence, not box ticking.
Why MSP-led ISO 27001 rarely holds up
Many MSPs position themselves as ISO 27001 providers. In practice, what they often deliver is limited to technical hardening and surface-level compliance.
“Real ISO requires governance, risk management, policy architecture, organisational processes, and leadership involvement,” Ben says. “Your MSP can’t get you certified, because it was never an IT project to begin with.”
This is where organisations start to feel friction. Policies don’t reflect how teams actually work. Risk registers exist but aren’t used. Security decisions lack ownership.
ISO 27001 sits firmly within compliance and risk, not just IT operations. Without that shift in mindset, certification becomes slow, painful, and fragile.
What ISO 27001 should look like in practice
A successful ISO 27001 programme starts by understanding the business itself.
“It’s all about the mission,” Ben explains. “The business wants to grow. Information security isn’t box-ticking. It needs to be embedded into how the company actually functions.”
Rather than dumping documentation on teams, ISO 27001 works best when delivered in structured, focused phases. Clear objectives, defined scope, and steady progress keep teams engaged and aligned.
Security becomes part of everyday decision-making. Policies are practical. Risk management is active, not theoretical. The Information Security Management System becomes a living system that supports growth rather than slowing it down.
This is where strategic cyber security, rather than IT alone, really matters. ISO 27001 stops being a hurdle and starts becoming a business asset.
Security leadership, built in
For many organisations, ISO 27001 is only one part of a wider assurance journey. It often sits alongside Cyber Essentials, public sector procurement requirements, or ongoing audit readiness.
Rather than building a full internal security function, many teams bring in external leadership through vCISO (Virtual CISO) services in the UK.
“ISO 27001 is not something that can be outsourced. But it does involve partnership.”
That partnership provides qualified leadership, governance oversight, and strategic direction. It helps organisations make the right calls, answer security questions with confidence, and maintain momentum long after certification.
ISO 27001 as proof, not paperwork
ISO 27001 certification sends a clear message. It shows clients, investors, and partners that security is governed, intentional, and aligned with how the business operates.
Auditors aren’t looking for perfection. They’re looking for clarity. Clear ownership. Sensible decisions. Evidence that leadership is engaged and risk is understood.
When ISO 27001 is treated as organisational change rather than an IT project, it becomes exactly what it was designed to be: a framework for trust, resilience, and secure growth.
Ready to fast-track your ISO journey?
We deliver ISO 27001 audit readiness through a focused, four-sprint programme that keeps your team aligned and progress moving.