
Lessons from implementing ISO 27001 in a decentralized organization

Discover how we successfully implemented ISO 27001 in a decentralized, team-of-teams organization, overcoming unique challenges with distributed decision-making to achieve information security excellence.


In May 2025, Clarasys achieved certification to ISO/IEC 27001:2022 (“ISO 27001”), a huge achievement for the business and one that underscores our ongoing commitment to maintaining the highest standards in managing information and cyber security and protecting the sensitive data we own or handle.

Implementing ISO 27001 at Clarasys has been a transformative journey aimed at enhancing our existing Information Security Management System (ISMS) and implementing a suite of new measures that further bolster how we look after the information we process. However, an organization with distributed decision-making, a flat hierarchy, and a team-of-teams structure faces unique challenges when implementing prescriptive standards and management systems: it is harder to centralize processes and decisions without damaging your culture and people’s autonomy. We flipped this on its head - and took it as an opportunity to design a management system which works within our culture, engages people in the design and approach, and fosters a “mindset of security” across the business in every decision.

What was important to us / why did we want to get ISO 27001?

Before gaining ISO 27001, we had held Cyber Essentials Plus for many years and had never experienced a significant security breach - testament to our consultants’ diligence in protecting the information they process. Even though we don’t develop software, we know how important our clients’ data is, and they trust us to treat it with the same care and attention as they would themselves.

However, changes in the market and increasingly sophisticated cyber threats meant we wanted to give Information Security a louder “voice at the table”, and from our research we learned that ISO 27001 would allow us to incorporate infosec risks and opportunities into strategic decision-making at Clarasys. The ISMS implemented as part of this project would give us a structured way of gaining greater visibility and control over infosec risks and opportunities, and of responding to them faster as the threat landscape evolves.

It was a no-brainer - we knew that getting ISO 27001 would give our clients, our people and our partners confidence that we protect their data, but we needed to do it in a way that worked for us, and we faced some challenges that other “teal” organizations may also encounter.

Specific challenges when implementing ISO 27001 in less hierarchical organizations

At Clarasys, our decentralized decision-making and team-of-teams model posed unique implementation challenges - we wanted to instil a culture of information security, rather than just creating tick-box compliance exercises for people to follow mindlessly. As a firm, we focus on trust, collaboration and open, non-hierarchical communication and decision-making - something that from the outset was potentially at odds with the more authoritative tone required for ISO 27001 policies and controls.

While beneficial for agility and innovation, our structure meant we needed a tailored approach to ensure every team was aligned with the ISO 27001 framework. Our approach to policy creation required us to engage multiple teams, proactively gather feedback from the business, and create multiple iterations of each draft before landing on the version we were confident we could implement (and stick to)!

An extensive communications and training strategy sought to teach colleagues the “mindset of information security” so they could apply their own critical thinking to a specific problem and determine how best to implement a given control or policy. This was especially important given (a) decentralized decision-making and (b) the number of different scenarios our consultants can face day to day: no two projects are structured identically, and different clients may have different IT or security requirements. We couldn’t be too prescriptive, but we needed our people to understand how to assess infosec risks and make decisions which protected the data they were processing.

By engaging multiple teams, using multiple comms channels (from different voices in the business), ensuring leadership at all levels of the business was bought into the impact of a successful audit, and committing full-time resources to this project, we ensured its success and didn’t have to compromise on what is important to us as a firm.

Stay tuned for our next blog, which will include some specific tips you can apply to your approach to implementing centralized management systems in your distributed business!
