ISO 27001 is not just a bunch of controls?


It's pretty obvious to me that ISO 27001 is not just a list of control objectives. I say that based on my own experience participating in several ISO 27001 working groups leading up to the 2013 version, combined with my experience auditing many ISO 27001 organizations.

It's obvious that IT/ICT was given the task of implementing ISO 27001 and ignored clauses 4 to 10 (the mandatory management-system requirements: context, leadership, planning, support, operation, performance evaluation and improvement) because governance and risk management fell outside their scope. That became a big problem for those seeking registration/certification. Once a company attempts to adopt ISO 27001 and fails, it finds lots of excuses: it's complex, it's expensive, it's disruptive... What all of this means is that they got bad advice, either from a third-party advisory service or from a contractor who didn't understand its purpose and function either.

What ISO has been attempting to clarify is the purpose and function of ISO 27001: it's not just a bunch of control objectives, it's a management system. To be fair, IM/IT and ICT never had many management systems until ITIL was created, but IM/IT and ICT are changing and slowly catching on.

There are several techniques available to help move this transformation along. For example, I treat the ISO 27001 ISMS as a list of the most common risks that can negatively impact information during its handling by the enterprise. I have taken the time to run through the entire list and create descriptions of the specific risks that each control point was designed to mitigate. Defining the risks, and the trigger points associated with each, as scenarios is a very important communication tool.

If the first technique doesn't work, then I recommend OCTAVE or use cases. A big part of the process is transformation: getting managers on the same page on topics like scope and assets will help them along the way, as will getting them to think about what they are trying to accomplish and what is important to themselves and their respective organizations, that is, data, information and knowledge. Not just digital formats either: humans carry tacit, implicit and explicit knowledge and play a major role in achieving the organization's mission. But the road ahead can be tricky, with shifting priorities, resource constraints, compliance issues, dominating personalities, etc.

ISO 27001 is not just a list of control objectives; it's a list of common risks to information handling, so approach it that way when implementing it!! :-)

I agree. Well said Mark.


More articles by Mark E.S. Bernard, CISO, CIO, PSCO, Chairman, Architect, PM
