There are many things to consider avoiding when attempting to implement an ISMS. Some of the most popular approaches are also some of the most time consuming, and ultimately, provide you with nothing but useless shelfware.

Product / Toolkit based approach

• Offers the ease of obtaining generic pre-written "policies"
• Can only cover those controls addressable by "policy"
• Cannot address controls that require an organizational component
• Cannot justify selection of controls
• Is not defensible
• Creates a false sense of security

Linear approach

• Broadly follows the guidelines presented in the ISO Standard
• Implements the ISMS by following the guidelines to the letter, not spirit and intent
• Sometimes performed by internal teams without external assistance
• Several vendors use this 'closed' approach, or use hybrid approach that combines the strength of product based approach as well
• The approach is not easily extensible, thereby limiting the ISMS to a specific part of the organization after attaining certification

Other Shortcomings

• Incomplete Risk Assessment Process
• Incomprehensive Asset Listing
• Lack of Assurance for Controls Effectiveness
• Improper Interpretation of Controls
• Scope Minimization or Maximization
• Difficulties in Developing Comprehensive BCP Plan