# Common Mistakes

Here are common mistakes that can lead to non-compliance with ISO 27001 requirements:

1. **Lack of Documented Information**:
   * Incomplete or missing documentation of policies, procedures, and controls.
   * Outdated documents not reviewed and updated regularly.
2. **Inadequate Risk Assessment**:
   * Failure to conduct comprehensive risk assessments.
   * Incomplete identification, evaluation, and treatment of risks.
3. **Non-existent or Ineffective Security Policies**:
   * Absence of key security policies or poorly defined policies.
   * Policies not aligned with organizational objectives and regulatory requirements.
4. **Poor Access Control Management**:
   * Inconsistent application of access controls.
   * Excessive or unreviewed access rights.
   * Lack of periodic access reviews.
5. **Insufficient Incident Response**:
   * No documented incident response plan.
   * Ineffective response to security incidents.
   * Lack of incident tracking and documentation.
6. **Inadequate Training and Awareness**:
   * Lack of regular information security training for employees.
   * Employees unaware of their security responsibilities and protocols.
7. **Non-compliance with Legal and Regulatory Requirements**:
   * Failure to identify and comply with applicable legal, regulatory, and contractual requirements.
   * Inadequate measures to protect personally identifiable information (PII).
8. **Poor Management of Third-Party Risks**:
   * Lack of security requirements in supplier agreements.
   * Inadequate monitoring and review of third-party services.
9. **Weak Change Management Processes**:
   * Uncontrolled changes to information systems.
   * Lack of formal change management procedures.
10. **Inadequate Business Continuity Planning**:
    * Missing or ineffective business continuity plans.
    * Lack of regular testing and review of business continuity measures.
11. **Improper Monitoring and Logging**:
    * Insufficient logging of security events.
    * Lack of regular review and analysis of log data.
12. **Physical Security Lapses**:
    * Inadequate physical security controls for facilities and equipment.
    * Poorly defined procedures for securing physical access.
13. **Weak Cryptographic Practices**:
    * Improper management of cryptographic keys.
    * Inconsistent use of encryption controls.
