But is it actually effective?
As a compliance consultant, external CISO, and auditor, I visit many organisations. Large and small. In healthcare, government, and the IT sector.
And what strikes me: there is no shortage of management systems — quite the contrary. There is often a beautifully designed ISMS, a neatly compiled risk register, and a folder full of policy documents. The certificate hangs on the wall. The auditor was satisfied.
But when I ask: "Which risks truly keep you up at night?" — silence falls. Or I get the risk register read to me. Literally.
That is when I ask myself: this system is certifiable, but is it truly effective?
The difference between a certificate and an effective system
Let me be clear: certification is valuable. It forces organisations to think about structure, responsibilities, and processes. But a certificate says something about the design of your system — not about how well it actually works.
In my work, I roughly see three categories:
1. The paper system
Everything is neatly documented. Policies, procedures, risk assessments — it is all there. But none of it lives in the organisation: employees do not know the documents, and managers do not act on the outcomes. The system exists *for* the auditor, not *for* the organisation.
2. The checkbox system
A step further. Here, measures are implemented, but mainly because they have to be. The risk assessment is a fill-in exercise. The internal audit a formality. Boxes are ticked, not thoughts provoked. The system runs, but nobody checks whether it actually leads anywhere.
3. The living system
This is where it gets interesting. In these organisations, the management system is not an end in itself, but a means. Risks are discussed in management meetings — not as a box to tick, but because it genuinely helps the organisation make better decisions. Incidents lead to real improvements, not just updating a logbook.
What makes the difference?
After years of auditing and advising, I see several patterns in organisations that get it right:
1. Ownership sits in the right place
The management system does not belong to "the CISO" or "the quality manager". It belongs to the organisation. The management team feels ownership of the risks and actively steers on measures. Not because the standard requires it, but because they understand it protects their organisation.
In organisations where it does not work, the system is often delegated to one person who keeps everything running single-handedly. When that person leaves, the house of cards collapses.
2. Risk management is a conversation, not a spreadsheet
The best risk assessments I have seen were not complex Excel sheets with probability-times-impact matrices. They were conversations. With the right people at the table. Where there was honest discussion about what could go wrong and what that would mean.
A risk assessment filled in by one person behind a desk inherently lacks the perspective of the people who deal with those risks on a daily basis.
3. There is genuine learning from incidents
Every organisation has incidents. The difference lies in what you do with them. In effective systems, I see incidents leading to fundamental questions: *Why did this happen? What does this tell us about our assumptions? Should we adjust our risk profile?*
In ineffective systems, the incident is registered, a corrective measure is noted, and everyone moves on. Until the next incident.
4. The internal audit is a mirror, not a rubber stamp
The internal audit is perhaps the most undervalued instrument in a management system. When done well, it holds a mirror up to the organisation. It reveals the gap between what you say you do and what you actually do.
But too often, the internal audit is a ritual. The same questions, the same answers, the same conclusion: *"The system functions adequately."* While everyone knows there are areas for improvement.
5. The system adapts
The world changes. Threats change. Regulations change. An effective management system moves with them. Not reactively — *"oh, there is a new law, let's quickly sort something out"* — but proactively. By regularly evaluating whether the system still aligns with the organisation's actual risks.
The management review is crucial here. Not as a mandatory annual exercise, but as a moment when the management team critically asks: *Is our system doing what it should? Does it protect us? Or are we fooling ourselves?*
Why this matters
I am not writing this to lecture organisations. I am writing this because I see many organisations investing enormous amounts of time and money in compliance — and then extracting too little value from it.
A management system that only exists to maintain the certificate is a missed opportunity. It costs time, it costs money, and it causes frustration among employees who feel they are doing paperwork that leads nowhere.
But a management system that truly works — that is a strategic instrument. It helps you see risks you would otherwise have missed. It helps you make better decisions. It gives you the confidence that your organisation is prepared for what lies ahead.
My challenge to you
If you are reading this and recognise your own organisation in category 1 or 2: that is no shame. Most organisations start there. The question is whether you are willing to take the step towards a system that truly works.
Start small. Ask yourself three questions:
If you can answer "yes" to all three, you are in good shape. If not — that is the starting point for a valuable conversation.
---
*Stephan Brinkhuis is a compliance consultant, external CISO, and external auditor. He helps organisations build management systems that are not only certifiable, but also genuinely contribute to risk mitigation.*