Internal ISO Audit
2026-02-28 · Longform · Author: Hazel Castro

Top 10 ISO 27001 Nonconformities We See in Startups

After more than 100 audits the patterns are hard to miss. Startups fail on the same controls, for the same reasons, audit after audit. Here are the 10 nonconformities I see most frequently, why they happen, and how to fix them before your external auditor arrives. Control references are to ISO/IEC 27001:2022 Annex A.

1. No MFA on All Production Systems

Control: A.8.5 (Secure Authentication)

MFA gets enabled for "important" accounts but isn't systematically enforced. Shadow IT, personal accounts, break-glass accounts, and service accounts slip through, and the auditor will ask for evidence covering every account, not just the ones you remembered.

Fix: Enable MFA enforcement at the organizational level in your identity provider, as a policy applied to everyone, not as a per-user opt-in. Require hardware security keys (FIDO2/WebAuthn, which is phishing-resistant) or, failing that, authenticator apps. Disable SMS and voice as second factors. Set a deadline after which accounts without MFA are suspended, and export the MFA status report from the IdP on that date as evidence. Service accounts cannot complete an MFA prompt, so inventory them separately, assign each an owner, and compensate with short-lived credentials, scoped tokens, and network restrictions rather than leaving them as an unexplained exception.

2. Terminated Employees Retain Access

Control: A.6.5 (Responsibilities After Termination)

User accounts remain active after employees or contractors leave. HR termination and IT deprovisioning happen in separate systems with no integration, so nobody is notified, and the account is only noticed when it shows up in a login report months later.

Fix: Create a formal offboarding checklist covering every system, including SaaS tools outside the IdP, shared mailboxes, and any shared secrets the leaver knew (rotate those on departure). Automate deprovisioning through SCIM or IdP lifecycle management driven by the HR system. Target SLA: accounts disabled within 24 hours of termination, with the timestamp retained as evidence. Run a quarterly reconciliation between the HR roster and active accounts in every system of record, and keep the reconciliation output and the tickets it generated.
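The quarterly reconciliation is the part that produces audit evidence, so here is one way to run it. This is an added example written for this article, not a script the author or any vendor ships. The two CSV exports are constructed samples in a hypothetical column layout; a real run would replace them with the actual HRIS and identity-provider exports, and the AS_OF timestamp with the time the exports were taken.

```python
"""Reconcile the HR roster against active IdP accounts and report SLA breaches.

Added example for the article above; the CSV inputs and column names are
constructed and hypothetical, not the format of any particular HRIS or IdP.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

DEPROVISION_SLA = timedelta(hours=24)

# Constructed HR export: one row per person, with a UTC termination timestamp
# for leavers and an empty field for current staff.
HR_ROSTER_CSV = """email,status,terminated_at
alice@example.com,active,
bob@example.com,terminated,2026-02-20T17:00:00Z
carol@example.com,terminated,2026-02-27T09:00:00Z
dave@example.com,active,
"""

# Constructed IdP export: every account the identity provider knows about.
IDP_ACCOUNTS_CSV = """email,account_status,last_login
alice@example.com,ACTIVE,2026-02-27T08:12:00Z
bob@example.com,ACTIVE,2026-02-26T13:40:00Z
carol@example.com,SUSPENDED,2026-02-25T11:05:00Z
erin@example.com,ACTIVE,2026-02-27T16:30:00Z
svc-backup@example.com,ACTIVE,2026-02-28T01:00:00Z
"""

# Service accounts have no HR record by design; they are tracked in their own
# inventory with a named owner, so exclude them from the people reconciliation.
KNOWN_SERVICE_ACCOUNTS = {"svc-backup@example.com"}

# Constructed "time the exports were taken", fixed so the output is reproducible.
AS_OF = datetime(2026, 2, 28, 12, 0, tzinfo=timezone.utc)


def parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_csv, idp_csv, now, service_accounts=KNOWN_SERVICE_ACCOUNTS):
    """Return two findings lists an auditor will ask for:
    - leavers whose account is still enabled, with hours past the 24h SLA
    - enabled accounts with no HR record at all (contractors, ghosts, shadow IT)
    """
    hr = {r["email"].lower(): r for r in parse(hr_csv)}
    findings = {"leaver_still_active": [], "no_hr_record": []}
    for acct in parse(idp_csv):
        email = acct["email"].lower()
        if email in service_accounts:
            continue
        person = hr.get(email)
        if person is None:
            if acct["account_status"] == "ACTIVE":
                findings["no_hr_record"].append(email)
            continue
        if person["status"] == "terminated" and acct["account_status"] == "ACTIVE":
            term = datetime.fromisoformat(person["terminated_at"].replace("Z", "+00:00"))
            overdue = now - (term + DEPROVISION_SLA)
            findings["leaver_still_active"].append({
                "email": email,
                "terminated_at": person["terminated_at"],
                "hours_past_sla": round(max(overdue.total_seconds(), 0) / 3600, 1),
            })
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER_CSV, IDP_ACCOUNTS_CSV, AS_OF).items():
        print(kind, items)
```

Run on the sample data it flags bob (terminated eight days earlier, still enabled, 163 hours past the SLA) and erin (enabled, unknown to HR); carol is already suspended and the service account is skipped. Run the same comparison against each system that holds its own user list, not only the IdP, because the accounts that survive termination are usually the ones that were never federated.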

3. No Periodic Access Reviews

Control: A.5.18 (Access Rights), which requires access rights to be reviewed, together with A.5.15 (Access Control)

Access rights are never reviewed after initial provisioning. Role creep accumulates as employees change teams.

Fix: Define a review cadence: quarterly for privileged access, semi-annually for standard access. Assign reviewers (department managers for their own staff, system owners for privileged roles), export the current access from each system rather than relying on what the role name implies, and record an explicit keep-or-remove decision per entitlement. Follow through on the removals and keep the tickets. Archive each completed review as evidence with reviewer names, decisions, and dates; an auditor will sample a user and ask to see the decision trail.

4. No Formal Incident Response Plan

Control: A.5.24 (Incident Management Planning)

The organization has no documented plan for detecting, responding to, and recovering from security incidents. Response is entirely ad hoc.

Fix: Write an Incident Response Plan covering severity levels, roles, communication channels, escalation procedures, evidence preservation, and post-incident review. Run a tabletop exercise at least annually. Store the plan where the team can find it during an actual incident.

5. No Backup or DR Testing

Control: A.8.13 (Information Backup) + A.5.30 (ICT Readiness for Business Continuity)

Backups exist but have never been tested. The organization cannot confirm data can actually be restored within acceptable timeframes.

Fix: Define a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each critical system first, because a restore test has no pass criterion without them. Then schedule quarterly restore tests for critical data, restoring to an isolated environment rather than over production. Document each test: what was restored, from which backup, how long it took, whether the data was complete, and whether the result met the RTO and RPO. A test that takes three days to restore a system with a four-hour RTO is a finding, but it is a finding you discovered yourself.

6. Admin Accounts Used for Daily Work

Control: A.8.2 (Privileged Access Rights)

At a 5-person startup, everyone is an admin, and the admin account is also the account that reads email and browses the web. There is no separation between privileged and daily-use identities, so a single phished credential is a full compromise.

Fix: Create separate admin accounts, distinct from daily-use accounts. Admin accounts should have no mailbox, no browser profile, and no persistent sessions, and should be used only from a managed device. Enforce stronger MFA (hardware key) on admin accounts. Review sign-in logs for admin accounts being used for non-admin activities, and reduce the number of people who hold them to those who actually need to perform privileged operations.

7. No Vulnerability Scanning Program

Control: A.8.8 (Management of Technical Vulnerabilities)

Infrastructure and applications aren't regularly scanned. "We use managed services, so we're fine." Managed services patch the host for you; they do not patch your container images, your application dependencies, or your misconfigurations, and those are where the findings are.

Fix: Enable cloud-native scanning (Amazon Inspector, Google Cloud Security Command Center). Enable GitHub Dependabot and CodeQL, or equivalents. Run infrastructure scans at least monthly and dependency scans on every PR. Define remediation SLAs measured from the date the finding is raised: Critical = 7 days, High = 30 days, Medium = 90 days. Track findings against those dates and keep the overdue list; an auditor will want to see both that the scanner runs and that someone acts on its output.

8. No Centralized Logging

Control: A.8.15 (Logging)

Logs exist in individual services but aren't aggregated. There is no single place to search for security events across the environment, so incident investigation means logging into six consoles and hoping nothing rotated out.

Fix: Enable audit logging on all cloud services and the identity provider. Route logs to a central destination (CloudWatch, Cloud Logging, or a SIEM) in an account or project the producing systems cannot write to or delete from, so an attacker with admin in production cannot erase their own trail. Set retention to at least 365 days, or longer where your legal or contractual obligations require it; ISO 27001 does not prescribe a number, but you must be able to investigate an incident discovered months after the fact. Create alerts for critical events: repeated failed logins, privilege escalation, resource deletion, and changes to the logging configuration itself.
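Below is one way to express those alert rules as code that can run over the central log store. This is an added example written for this article, not code from the author or from AWS. The records are constructed to mirror the field layout of AWS CloudTrail events (eventTime, eventName, eventSource, userIdentity, requestParameters, responseElements, errorCode) so that the same rules would apply to real CloudTrail output; the event names, thresholds, and ten-minute window are assumptions to tune for your environment.

```python
"""Alert rules for failed-login bursts, privilege escalation, and resource or
logging deletion, evaluated over CloudTrail-shaped records.

Added example for the article above. SAMPLE_EVENTS is constructed, not a real
capture; thresholds and event lists are starting points, not a standard.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# IAM actions that grant or widen access. A success from anyone outside a
# documented break-glass procedure deserves a human look.
PRIV_ESCALATION_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "AddUserToGroup", "UpdateAssumeRolePolicy",
}
# Destructive actions, including the ones that blind the logging pipeline.
DESTRUCTIVE_EVENTS = {
    "DeleteBucket", "TerminateInstances", "DeleteDBInstance",
    "DeleteTrail", "StopLogging", "DeleteLogGroup",
}


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(rec):
    ui = rec.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def evaluate(records):
    """Return a list of (rule, actor, detail) alerts, oldest event first."""
    alerts = []
    failures = defaultdict(list)  # actor -> timestamps of failed ConsoleLogin
    for rec in sorted(records, key=_ts):
        name, actor = rec["eventName"], _actor(rec)

        # Rule 1: N failed console logins by one principal inside the window.
        # Fires once, on the Nth failure, rather than on every later one.
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            t = _ts(rec)
            window = [x for x in failures[actor] if t - x <= FAILED_LOGIN_WINDOW] + [t]
            failures[actor] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", actor,
                               f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))

        # Rule 2: a privilege grant that succeeded. CloudTrail adds errorCode
        # when the API call was denied, so its absence means it went through.
        elif name in PRIV_ESCALATION_EVENTS and "errorCode" not in rec:
            params = rec.get("requestParameters", {})
            alerts.append(("privilege_escalation", actor,
                           f"{name} {json.dumps(params, sort_keys=True)}"))

        # Rule 3: successful deletion or tampering with logging.
        elif name in DESTRUCTIVE_EVENTS and "errorCode" not in rec:
            alerts.append(("resource_deletion", actor, name))
    return alerts


# Constructed sample: a brute-forced IAM user escalates, silences the trail,
# and deletes the backup bucket; an intern's denied escalation is noise.
SAMPLE_EVENTS = [
    *[{"eventTime": f"2026-02-28T02:0{i}:00Z", "eventSource": "signin.amazonaws.com",
       "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "mallory"},
       "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
      for i in range(6)],
    {"eventTime": "2026-02-28T02:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-02-28T02:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"userName": "mallory",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2026-02-28T02:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "intern"},
     "requestParameters": {"userName": "intern",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2026-02-28T02:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-02-28T02:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"bucketName": "prod-backups"}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert)
```

On the sample it raises four alerts, all against mallory: the login burst on the fifth failure, the AdministratorAccess attach, StopLogging, and DeleteBucket. The intern's denied attempt is correctly ignored because it carries an errorCode. The StopLogging rule is the one most startups forget, and it is the reason the central log destination should live where production admins cannot reach it.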

9. No Change Management Process

Control: A.8.32 (Change Management)

Changes to production are made without documented approval. Deploying from a laptop is the norm, which means there is no record of what changed, who approved it, or what was tested.

Fix: Enable branch protection on all production repositories: required PR reviews, required CI status checks, no force pushes, and no admin bypass. Deploy only through CI/CD pipelines, and remove standing production deploy credentials from developer laptops so the pipeline is the only path. Document an emergency change procedure with a post-hoc review requirement, and keep the record of each emergency change; "we had to hotfix at 2am" is acceptable to an auditor, "we can't tell you who pushed it" is not.
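A check like the one below turns the branch-protection requirement into repeatable evidence. It is an added example written for this article, not a tool from the author or from GitHub. The two dictionaries are constructed to match the JSON that GitHub's REST API returns for GET /repos/{owner}/{repo}/branches/{branch}/protection (the same payload you get from `gh api repos/OWNER/REPO/branches/main/protection`), trimmed to the fields the checks read; the policy thresholds are assumptions.

```python
"""Evaluate a GitHub branch-protection payload against a minimal change-
management policy and list every way it falls short.

Added example for the article above. WEAK and HARDENED are constructed
payloads in the shape of the GitHub branch protection API response.
"""


def check_branch_protection(protection, min_reviews=1):
    """Return a list of policy failures; an empty list means the branch passes."""
    if protection is None:
        return ["no branch protection rule on the production branch"]
    failures = []

    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        failures.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < min_reviews:
            failures.append(f"fewer than {min_reviews} approving review(s) required")
        if not reviews.get("dismiss_stale_reviews", False):
            failures.append("approvals survive new commits (dismiss_stale_reviews is off)")

    checks = protection.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        failures.append("no required CI status checks, so untested code can merge")

    if not protection.get("enforce_admins", {}).get("enabled", False):
        failures.append("admins can bypass the rule (enforce_admins is off)")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        failures.append("force pushes allowed, so history can be rewritten")
    if protection.get("allow_deletions", {}).get("enabled", False):
        failures.append("branch can be deleted")
    return failures


# Constructed payload: protection "enabled" but toothless, which is what a
# first attempt usually looks like.
WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 0,
                                      "dismiss_stale_reviews": False},
    "required_status_checks": {"strict": False, "contexts": []},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed payload after the fix.
HARDENED = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test", "ci/codeql"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for label, cfg in [("weak", WEAK), ("hardened", HARDENED), ("none", None)]:
        print(label, check_branch_protection(cfg) or ["PASS"])
```

The weak payload produces five failures and the hardened one none. Run it across every repository that deploys to production, not just the main application, and keep the output with the date; repositories added after the audit are how this finding comes back the following year.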

10. Missing or Outdated Policies

Control: A.5.1 (Policies for Information Security)

Policies were written once for a sales questionnaire and forgotten. They describe an aspirational state, not reality, and the auditor will test the policy against practice: if the access control policy says quarterly reviews and none have happened, that is two findings, not one.

Fix: Identify the required policies (information security, access control, acceptable use, incident response, data classification, change management, business continuity, vendor management). Write or update each to reflect actual current practice; it is better for a policy to promise less and be followed than to promise more and be ignored. Set annual review dates and assign owners. Have employees acknowledge policies on joining and after each material change, and keep the acknowledgement records.

The Pattern

If you look across all ten, the common thread is that startups treat security as a one-time setup rather than an ongoing process. Access is provisioned but never reviewed. Plans are written but never tested. Policies are signed but never updated.

ISO 27001 is fundamentally about demonstrating that your security controls are operating, not just that they exist.

What to Do Next

If you see your organization in this list, don't panic. Every company I've audited has had findings. The ones that pass certification are the ones that found and fixed their issues before the external auditor arrived.

Start with the top three — MFA enforcement, terminated access cleanup, and access reviews. These are the most frequently cited findings and often the fastest to fix.

Need a structured assessment? Book an internal audit and we'll identify exactly what needs attention.

Need an Audit?

Ready to prepare for certification?

Book an ISO 27001 internal audit. $300 flat rate with written findings report.


About the Author

Hazel Castro

ISO 27001 Internal Auditor, Internal ISO Audit

Hazel Castro is a certified ISO 27001 Internal Auditor with 14+ years of experience and over 100 completed audits. She specializes in helping startups and growing companies prepare for and pass ISO 27001 certification through thorough, practical internal audits.

  • ISO 27001 Internal Auditor
  • ISO 27701 Privacy Lead Implementer
  • ISC2 Certified in Cybersecurity (CC)
  • Certified Public Accountant (CPA)