# Common Mistake

Here are common mistakes that lead to nonconformities against ISO/IEC 27001, both in the management-system clauses (documented information, risk assessment, awareness) and in the Annex A controls:

1. **Lack of Documented Information**:
   * Incomplete or missing documentation of policies, procedures, and controls.
   * Outdated documents not reviewed and updated regularly.
2. **Inadequate Risk Assessment**:
   * Failure to conduct comprehensive risk assessments.
   * Incomplete identification, evaluation, and treatment of risks.
3. **Non-existent or Ineffective Security Policies**:
   * Absence of key security policies or poorly defined policies.
   * Policies not aligned with organizational objectives and regulatory requirements.
4. **Poor Access Control Management**:
   * Inconsistent application of access controls.
   * Excessive or unreviewed access rights.
   * Lack of periodic access reviews.
5. **Insufficient Incident Response**:
   * No documented incident response plan.
   * Ineffective response to security incidents.
   * Lack of incident tracking and documentation.
6. **Inadequate Training and Awareness**:
   * Lack of regular information security training for employees.
   * Employees unaware of their security responsibilities and protocols.
7. **Non-compliance with Legal and Regulatory Requirements**:
   * Failure to identify and comply with applicable legal, regulatory, and contractual requirements.
   * Inadequate measures to protect personally identifiable information (PII).
8. **Poor Management of Third-Party Risks**:
   * Lack of security requirements in supplier agreements.
   * Inadequate monitoring and review of third-party services.
9. **Weak Change Management Processes**:
   * Uncontrolled changes to information systems.
   * Lack of formal change management procedures.
10. **Inadequate Business Continuity Planning**:
    * Missing or ineffective business continuity plans.
    * Lack of regular testing and review of business continuity measures.
11. **Improper Monitoring and Logging**:
    * Insufficient logging of security events.
    * Lack of regular review and analysis of log data.
12. **Physical Security Lapses**:
    * Inadequate physical security controls for facilities and equipment.
    * Poorly defined procedures for securing physical access.
13. **Weak Cryptographic Practices**:
    * Improper management of cryptographic keys.
    * Inconsistent use of encryption controls.
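The access-control item above (excessive or unreviewed rights, no periodic review) is the one an auditor most often turns into a finding, because it is easy to evidence either way. The following added example, which is not from the page and not part of any ISO 27001 publication, shows the kind of check a periodic review script would run over an entitlement export. The inventory, the staff list, the review window of 90 days and the "privileged on more than one system" threshold are all constructed assumptions for illustration; a real review would pull these from the identity provider and the HR system.

```python
"""Periodic access-review check (added example; constructed data, not a real inventory)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Roles treated as privileged for this illustration (assumption).
PRIVILEGED_ROLES = {"admin", "root", "dba"}


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    last_reviewed: date        # date a named reviewer last attested this grant
    approved_by: Optional[str]  # approval record for the grant; None = missing


# Constructed sample data: who HR says is still employed, and what IAM says is granted.
ACTIVE_STAFF = {"alice", "bob", "carol"}
ENTITLEMENTS = [
    Entitlement("alice", "payroll", "admin", date(2024, 1, 5), "cto"),
    Entitlement("alice", "crm", "admin", date(2024, 3, 1), "cto"),
    Entitlement("alice", "hr-db", "dba", date(2024, 3, 1), None),      # no approval on file
    Entitlement("bob", "crm", "user", date(2024, 2, 20), "mgr"),
    Entitlement("dave", "payroll", "user", date(2023, 11, 2), "mgr"),  # dave has left
    Entitlement("carol", "hr-db", "user", date(2024, 3, 10), "mgr"),
]
AS_OF = date(2024, 3, 31)  # review date used by the stand-alone run and the test


def review_access(entitlements, active_staff, today,
                  max_review_age_days=90, max_privileged_systems=1):
    """Return sorted (finding, user, detail) tuples for the four classic audit findings:
    orphaned accounts, stale reviews, privileged grants without approval,
    and privileged access spread over more systems than the policy allows."""
    findings = []
    privileged_systems = {}
    for e in entitlements:
        if e.user not in active_staff:
            findings.append(("orphaned_account", e.user, e.system))
        if (today - e.last_reviewed).days > max_review_age_days:
            findings.append(("stale_review", e.user, e.system))
        if e.role in PRIVILEGED_ROLES:
            if e.approved_by is None:
                findings.append(("unapproved_privilege", e.user, e.system))
            privileged_systems.setdefault(e.user, set()).add(e.system)
    for user, systems in privileged_systems.items():
        if len(systems) > max_privileged_systems:
            findings.append(("excessive_privilege", user, ",".join(sorted(systems))))
    return sorted(findings)


def default_findings():
    """Run the review over the constructed inventory as of AS_OF."""
    return review_access(ENTITLEMENTS, ACTIVE_STAFF, AS_OF)


if __name__ == "__main__":
    for finding, user, detail in default_findings():
        print(f"{finding:22} {user:8} {detail}")
```

Each finding maps to the evidence an auditor asks for: the leaver check needs the HR feed, the stale-review check needs dated attestation records, and the approval and concentration checks need the grant's ticket or approver recorded with it. Keep the output of each run, because the run itself is the evidence that a periodic review happened.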
