Annex A Is Not a Security Strategy

Most organizations mistake Annex A for a security strategy. It isn’t. The greatest cybersecurity failures of the next decade may not come from missing controls, but from unchallenged assumptions about cloud, AI, resilience, and dependency.

Why ISO/IEC 27001 Certification Does Not Mean Your Organization Is Secure
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
I have seen organizations celebrate cybersecurity success many times.

  • The audit is complete.
  • The certification has been awarded.
  • The board receives the presentation.
  • The certificate is framed.
  • The LinkedIn post is published.

For a brief moment, everyone breathes easier.

The organization has achieved ISO/IEC 27001 certification.

Security appears under control.

But what if the greatest risks facing the organization never appeared in the audit at all?

What if the most dangerous assumptions were never challenged?

And what if the organization’s strongest controls were protecting systems while leaving strategic vulnerabilities untouched?

These questions have become increasingly relevant over the past few years.

Not because ISO/IEC 27001 has become less valuable.

Quite the opposite.

The standard remains one of the most effective frameworks available for establishing systematic information security management.

The problem lies elsewhere.

Too many organizations mistake Annex A for a security strategy.

And Annex A was never designed to be one.

The Original Purpose of Annex A

To understand the problem, it helps to understand what Annex A actually is.

Annex A is a catalog of controls.

It provides organizations with a reference set of security measures that can be selected based on risk.

The controls are useful.

They are proven.

Many are essential.

Without them, most organizations would struggle to maintain even basic cybersecurity hygiene.

  • Access control.
  • Cryptography.
  • Supplier security.
  • Incident management.
  • Logging and monitoring.
  • Backup and recovery.
  • Vulnerability management.

These are fundamental capabilities.

Every mature organization should possess them.

But controls and strategy are not the same thing.

A fire extinguisher is important.

A building evacuation plan is important.

Neither is a business strategy.

Yet many organizations treat Annex A as if implementing its controls automatically produces security.

That assumption deserves closer examination.

The Dangerous Question Nobody Asks

Consider a hypothetical organization.

It has implemented every relevant Annex A control.

  • Identity management is mature.
  • Privileged access is governed.
  • Security monitoring is active.
  • Backups are tested.
  • Awareness training is mandatory.
  • Supplier reviews are performed.
  • Incident response procedures exist.
  • The organization passes every audit.

Now ask a different question.

Can the organization still fail?

The uncomfortable answer is yes.

Absolutely.

Because cybersecurity failures increasingly emerge from areas that controls alone cannot solve.

The challenge is no longer simply protecting technology.

The challenge is governing complexity.

The Shift From Technical Risk to Strategic Risk

For decades, information security focused primarily on technical weaknesses.

Attackers exploited vulnerabilities.

Organizations deployed controls.

Risk was reduced.

That model still matters.

But today’s largest exposures often look very different.

They emerge from:

  • Technology concentration
  • Cloud dependency
  • AI adoption
  • Geopolitical uncertainty
  • Data sovereignty conflicts
  • Organizational decision-making
  • Leadership assumptions

These are not primarily technical problems.

They are governance problems.

And governance problems rarely appear inside control catalogs.

The Cloud Dependency Nobody Wants to Discuss

Most organizations spend enormous effort evaluating cloud providers before migration.

Architecture reviews are conducted.

Security assessments are completed.

Contracts are negotiated.

Compliance requirements are mapped.

Then the migration succeeds.

At that point, many organizations consider the risk largely addressed.

The CISO should ask a different question.

What happens if we need to leave?

The conversation usually becomes uncomfortable.

Nobody wants to discuss exit costs immediately after investing millions in migration.

Nobody wants to explain why a supposedly strategic platform cannot realistically be replaced.

Nobody wants to calculate the operational consequences of dependency.

Yet dependency itself is a risk.

Not because providers are untrustworthy.

But because concentration reduces flexibility.

And flexibility is one of the foundations of resilience.

Annex A contains supplier controls.

It does not ask whether your organization can survive without the supplier.

That is a strategic governance question.

Security Versus Control

One of the defining cybersecurity challenges of the next decade may not be protection.

It may be control.

Organizations increasingly entrust critical functions to external ecosystems.

Cloud providers host data.

Identity providers authenticate users.

Software vendors operate critical business processes.

AI platforms influence decisions.

The question is no longer merely whether these services are secure.

The question is who ultimately controls them.

Who controls the encryption keys?

Who controls privileged access?

Who controls identities?

Who controls operational continuity?

Who controls the conditions under which access can be granted or denied?

An organization may be technically protected while gradually losing strategic control over its own information assets.

The distinction matters more than many executives realize.

The AI Governance Blind Spot

When ISO/IEC 27001:2022 was finalized, generative AI had not yet transformed the technology landscape.

Today, organizations deploy AI at extraordinary speed.

Employees use public AI services.

Departments deploy AI assistants.

Technology teams experiment with autonomous agents.

Business leaders demand rapid adoption.

Yet governance often lags behind implementation.

Many organizations have no clear answers to questions such as:

Who approves AI use cases?

Who owns the risks?

Who validates outputs?

Who governs autonomous decision-making?

Who monitors model behavior?

Who is accountable when the system makes a mistake?

An organization can remain fully compliant with Annex A while possessing no meaningful AI governance whatsoever.

The standard has not failed.

Reality has simply moved faster than the control catalog.

The Difference Between Awareness and Culture

One of the most common misconceptions in cybersecurity is that awareness creates culture.

It does not.

Awareness teaches people what the rules are.

Culture determines what people do when following the rules becomes difficult.

Every experienced CISO has encountered situations where:

Employees knew the policy.

Managers understood the process.

Teams recognized the risk.

And yet the wrong decision was still made.

Why?

Because culture ultimately governs behavior under pressure.

Most significant cybersecurity incidents contain a cultural dimension.

Someone chose convenience over security.

Someone ignored a warning.

Someone accepted an undocumented exception.

Someone remained silent.

No control can completely eliminate those behaviors.

Leadership influences them.

Culture shapes them.

Governance sustains them.

Annex A addresses awareness.

It cannot create culture.

Recovery Is Not Resilience

Many organizations proudly report that they maintain backups.

This is important.

But backups and resilience are not synonymous.

The question is not whether data can be restored.

The question is whether the organization can continue functioning during disruption.

Can salaries still be processed?

Can critical services still be delivered?

Can leadership still make decisions?

Can customers still be served?

Can projects still move forward?

Technology recovery is necessary.

Organizational resilience is something larger.

Many organizations discover the difference only during crisis.

The Board-Level Risks Missing From Most Security Programs

If I were to ask a board of directors about their greatest concerns, the discussion would rarely begin with malware signatures or firewall configurations.

The conversation would likely focus on issues such as:

  • Dependency on a handful of technology providers
  • Regulatory uncertainty
  • Data sovereignty
  • AI governance
  • Supply chain disruption
  • Operational resilience
  • Geopolitical instability

These concerns are entirely rational.

They represent risks capable of affecting organizational survival.

Yet many security programs continue focusing primarily on control implementation.

This creates a dangerous imbalance.

Organizations become increasingly effective at managing operational security while remaining insufficiently prepared for strategic disruption.

The Real Purpose of the Modern CISO

This evolution changes the role of the CISO.

Historically, the CISO was often viewed as the owner of controls.

Today, the role increasingly resembles that of a governance architect.

The responsibility is no longer limited to asking:

“Are controls implemented?”

The more important question becomes:

“Which assumptions could still fail despite those controls?”

That shift changes everything.

It moves cybersecurity closer to strategy.

Closer to resilience.

Closer to executive decision-making.

Closer to the long-term sustainability of the organization itself.

Beyond Annex A

Annex A remains essential.

Organizations need strong controls.

They need operational discipline.

They need security processes.

They need technical capabilities.

None of that changes.

But modern security leadership requires additional layers.

The first layer is controls.

The second layer is governance.

The third layer is strategic resilience.

Most organizations invest heavily in the first.

Many invest partially in the second.

Very few systematically develop the third.

That may become one of the defining differentiators between organizations that merely achieve compliance and organizations that remain resilient in an increasingly uncertain world.

Final Reflection

The greatest cybersecurity failures of the coming decade may not originate from missing controls.

They may originate from unchallenged assumptions.

Assumptions about cloud providers.

Assumptions about AI.

Assumptions about geopolitical stability.

Assumptions about organizational behavior.

Assumptions about resilience itself.

Annex A can help organizations implement controls.

It cannot challenge assumptions.

That responsibility belongs to leadership.

And increasingly, it belongs to the CISO.

Because the future of cybersecurity will not be determined solely by how well we protect technology.

It will be determined by how well we govern the dependencies, decisions, and assumptions upon which our organizations increasingly rely.
Publication Note & Disclaimer

This article reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.