How to Operationalise Your ISMS with Just Two Concepts: Habits and Recurring Tasks

Most security programs stall out after the policies are written.

You finally document everything—access control, backups, vendor reviews—but nothing changes in practice.

Why? Because policies don’t run themselves.

Here’s the truth: If your security tasks don’t show up in someone’s calendar or habits, they won’t happen.

Good news: you don’t need to build a complex ISMS to fix this. You just need two concepts:

  • Habits

  • Recurring Tasks

Let’s break it down.

 

Habits = What You Expect from People

Think of habits as the security behaviors you want to see:

  • Lock your screen when you leave your desk

  • Use a password manager

  • Report phishing attempts

These are small actions, done regularly, by individuals.

If they don’t happen, your policies aren’t being followed—even if they look good on paper.

The problem? Most teams never measure this.

At CyberJuice, we use lightweight habit surveys to track what’s actually happening. It’s not about catching people out—it’s about making security visible and improving over time.

 

Recurring Tasks = What the Business Has to Maintain

These are calendar-based responsibilities:

  • Review user access every 90 days

  • Test your backups monthly

  • Update your risk register once a quarter

Every ISO 27001 or NIS2 control can be mapped to one of these.

Recurring tasks are your operations. They’re what turn a policy from a dusty PDF into an actual practice.

The trick? Don’t bury them in a spreadsheet. Put them in the same tools you already use—Asana, Notion, Jira, whatever your team runs on.

 

What This Looks Like in Real Life

Let’s take a common example: "We require MFA for all users."

  • Habit: People actually use MFA on all accounts (including ones not auto-enforced)

  • Recurring Task: IT audits the MFA status every quarter

Without both, you don’t really have control.

 

Why This Works

  • Simple: You don’t need to memorize 114 ISO controls

  • Actionable: You know exactly what to check and track

  • Scalable: As your team grows, you can assign and automate

Security isn’t about having a binder of policies. It’s about being able to answer:

  • What do we expect people to do?

  • Are they doing it?

  • Who owns the recurring work?

 

Make Your ISMS Real

If you’ve already written your policies but aren’t sure how to operationalise them, start here:

  • List the habits you expect from individuals

  • Map each policy to a recurring task

You don’t need consultants or compliance software bloat.

You need clarity, structure, and a rhythm.

That’s exactly what CyberJuice gives you.

 

Next step:

Use our free plan to map habits and tasks to your existing policies

📊 Or book a 15-min Security Culture Snapshot to see where you stand
