The conference room was silent. Uncomfortably silent.
I'd just finished reviewing the Stage 2 audit results for a technology company that had spent eighteen months and nearly $400,000 pursuing ISO 27001 certification. The lead auditor had identified 23 major non-conformities. Twenty-three. The certification was denied.
The CEO looked at me with a mix of anger and desperation. "How did this happen? We followed the standard. We hired consultants. We did everything by the book."
Except they didn't. And after fifteen years of guiding organizations through ISO 27001 implementations—some wildly successful, others spectacularly disastrous—I can tell you exactly where things go wrong.
Today, I'm going to share the mistakes that cost organizations millions, destroy timelines, and turn what should be a strategic advantage into an expensive nightmare. More importantly, I'll show you how to avoid them.
The $2 Million Documentation Disaster
Let me start with the most expensive mistake I've ever witnessed.
A financial services firm hired a Big Four consulting firm to help them achieve ISO 27001. The consultants did what consultants do: they documented everything. And I mean everything.
By month six, they had:
847 documented procedures
1,200+ pages of policies
340 work instructions
67 different forms and templates
It was comprehensive. It was thorough. It was completely unusable.
Employees couldn't find what they needed. Nobody read the documents. The documentation became shelfware—impressive binders gathering dust while people did whatever they thought was right.
When audit time came, the auditor asked a simple question: "Show me how you actually do this in practice." The employee pulled up their own unofficial process document—not the official 47-page procedure.
Major non-conformity. Failed audit. Eighteen months of work down the drain.
"The goal of ISO 27001 isn't to create documentation. It's to create a functioning information security management system that happens to be documented."
Mistake #1: Treating ISO 27001 as a Documentation Project
This is the most common mistake I see, and it kills more implementations than any other factor.
Here's what happens: Organizations read Clause 7.5 (Documented Information) and think, "We need to document everything!" They assign someone from the compliance team to write policies, procedures, and work instructions for every conceivable scenario.
Six months later, they have beautiful documents that bear no resemblance to how work actually gets done.
The Reality Check
ISO 27001:2022 requires surprisingly little mandatory documentation:
Required Document | What It Actually Needs | Common Over-Documentation |
|---|---|---|
Scope of ISMS | 2-3 pages defining boundaries | 50+ page documents with excessive detail |
Information Security Policy | 3-5 pages of high-level direction | 100+ page policy manuals |
Risk Assessment Methodology | Clear approach description | Complex theoretical frameworks |
Statement of Applicability | Control decisions and justifications | Lengthy explanations for every control |
Risk Treatment Plan | Actions, owners, timelines | Extensive project plans with every detail |
Risk Assessment Results | Identified risks and treatment | Massive risk registers with hundreds of entries |
What I Tell My Clients
Start with how work actually happens. Document that. Not how you wish it happened, not how some framework says it should happen, but how it actually, really, truly happens in your organization.
I worked with a 50-person SaaS company that created their entire ISO 27001 documentation set in under 100 pages. Total. Including policies, procedures, and records.
Their secret? They documented their actual practices, not theoretical ideals. When the auditor visited, employees could point to a document and say, "Yes, that's exactly what I do." They passed Stage 2 with zero non-conformities.
Practical Tip: For every document you create, ask yourself: "Will someone actually use this to do their job better?" If the answer is no, either simplify it or delete it.
Mistake #2: The Copy-Paste Catastrophe
Picture this: A company downloads an ISO 27001 policy template from the internet. They do a find-and-replace, changing "[Company Name]" to their actual company name. They call it done.
I've seen this hundreds of times. And it fails. Every. Single. Time.
Why Templates Become Traps
Here's what happened to a healthcare startup I consulted with in 2021:
They used a policy template designed for a 5,000-person enterprise. The template required:
A full-time Security Operations Center (they had 15 employees)
24/7 incident response team (everyone worked 9-5)
Dedicated business continuity coordinator (their CFO wore 12 hats already)
During the audit, the auditor asked, "Tell me about your SOC operations."
Blank stares.
"It's in your policy," the auditor said, pointing to their own document.
They'd committed to controls they couldn't possibly implement. Major non-conformity.
The Template Truth Table
Template Type | When It Works | When It Fails | Success Rate |
|---|---|---|---|
Generic Industry Template | Never use as-is | When copied without adaptation | 5% |
Consultant's Template | Good starting point only | When treated as final document | 35% |
Previous Company's Docs | Useful for structure | Different business model/size | 20% |
Custom-Built Documents | Time-consuming but effective | When not maintained | 85% |
How to Actually Use Templates
Templates are starting points, not finished products. Here's my process:
Start with the template structure (sections, flow, general logic)
Interview people who do the work (how do they actually do it?)
Document the reality (not the template's ideal)
Add your specifics (tools, names, timeframes that match your organization)
Test with actual users (can they follow it?)
I helped a manufacturing company adapt an ISO 27001 template to their needs. We spent three weeks interviewing employees, observing processes, and documenting what actually happened. The final policies looked nothing like the template—but they reflected reality.
Audit result? Zero non-conformities and glowing feedback about how well-aligned their documentation was with actual practice.
"A template is like a recipe. You still need to cook the meal, taste it, and adjust the seasoning. You can't just serve the recipe and call it dinner."
Mistake #3: The Risk Assessment Theater
Let me share my favorite disaster story—and trust me, I use "favorite" with heavy sarcasm.
A company created a risk register with 487 identified risks. Four hundred and eighty-seven. They'd spent three months in conference rooms brainstorming every possible thing that could go wrong.
"What if a meteor hits the data center?" "What if an employee is actually a spy?" "What if quantum computers break all our encryption?"
These were actual entries in their risk register.
During the audit, the auditor asked: "Which of these risks have you actually treated in the past year?"
They'd treated 12. Out of 487.
The rest? Theater. Pure theater designed to impress auditors rather than manage actual risk.
The Risk Assessment Reality
Here's a framework that actually works:
Risk Category | Focus Areas | Typical Number of Risks | Treatment Priority |
|---|---|---|---|
Critical Business Assets | Revenue systems, customer data, IP | 15-25 risks | Treat immediately |
Regulatory Requirements | Compliance-mandated protections | 10-20 risks | Mandatory treatment |
Operational Dependencies | Critical vendors, key systems | 20-40 risks | Risk-based prioritization |
Common Attack Vectors | Phishing, ransomware, access abuse | 15-30 risks | Based on threat landscape |
Total Manageable Risks | Realistic scope for most organizations | 60-115 risks | Continuous treatment cycle |
My Risk Assessment Rule
If you can't explain a risk to a non-technical executive in one sentence, it's probably not a real risk—it's a theoretical exercise.
I worked with a fintech company that had a 200-risk register. We spent two days cutting it down to 54 risks. How?
Simple test: "If this risk materializes next week, would it significantly impact the business?"
If the answer was no, we deleted it.
The 54 remaining risks? They treated every single one within the year. The auditor praised them for having the most practical risk management program he'd seen.
The Risk Theater Warning Signs
Watch out for these red flags in your risk assessment:
Warning Sign | What It Means | How to Fix |
|---|---|---|
More than 150 identified risks | Risk assessment paralysis | Focus on what actually matters to the business |
Risks unchanged for 2+ years | Static, not dynamic assessment | Regular review with real-world updates |
No risks treated in 6+ months | Theater, not management | Prioritize and take action |
Every risk rated "High" | No real prioritization | Use objective criteria for rating |
Risks written in security jargon | Not understood by business | Translate to business impact |
Mistake #4: The Scope Screw-Up
A pharmaceutical company wanted ISO 27001 certification for their "IT systems." Sounds reasonable, right?
During implementation, they secured their servers, networks, and applications. They implemented access controls, encryption, and monitoring. They did excellent work.
Then came the audit.
The auditor observed that research scientists were emailing unencrypted clinical trial data to external partners. "That's not in scope," the company protested. "We're only certifying IT systems."
"But those emails flow through your IT systems," the auditor pointed out. "And that's sensitive information requiring protection under Annex A control 5.24."
The scope was too narrow. It excluded critical information flows. Failed audit.
Defining Scope: The Make-or-Break Decision
Your scope determines everything: what you need to protect, what controls apply, what gets audited, and ultimately, whether you succeed or fail.
Scope Approach | Pros | Cons | Success Rate |
|---|---|---|---|
Too Narrow ("Just the web application") | Easier initially | Likely to fail audit, misses real risks | 15% |
Too Broad ("Entire organization") | Impressive certificate | Overwhelming, expensive, unmanageable | 30% |
Business-Aligned ("Customer data processing systems") | Matches actual risk | Requires careful definition | 80% |
Iterative ("Start small, expand yearly") | Manageable growth | Takes time to cover everything | 75% |
How to Define Scope Properly
I use a simple framework with clients:
Step 1: Identify Your Crown Jewels
What data, if compromised, would destroy the business?
What systems, if unavailable, would stop operations?
What processes are critical to your value proposition?
Step 2: Map the Boundaries
What systems store, process, or transmit that data?
What people have access to those systems?
What facilities house those systems?
What vendors connect to those systems?
Step 3: Check the Interfaces
Where does data enter the scope boundary?
Where does data leave the scope boundary?
How do you control those flows?
Step 4: Document Crystal Clear
Here's a scope statement I helped craft for a SaaS company:
"This ISMS applies to the infrastructure, applications, and processes involved in delivering the [Product Name] platform to customers, including:
Customer data storage and processing systems
Product development and deployment environments
Customer support and success operations
Corporate IT systems that access customer data
All personnel with access to the above
The primary data center and backup facility
Excluded from scope: Marketing website (no customer data), HR systems (separate management), physical product manufacturing (different entity)."
Clear. Specific. Defensible.
"A good scope statement should allow a new employee to read it and understand exactly what's protected and what's not—without asking follow-up questions."
Mistake #5: The Control Selection Chaos
Here's how the conversation usually goes:
Client: "Which of the 93 Annex A controls do we need to implement?"
Bad Consultant: "All of them! You want to be secure, don't you?"
Me: "It depends. Let's look at your risks."
ISO 27001:2022 has 93 controls in Annex A. That's a lot. And here's the secret nobody tells you: you don't need all of them.
In fact, implementing controls you don't need is worse than not implementing them at all.
The Control Selection Matrix
Your Situation | Typical Applicable Controls | Often Excluded Controls | Key Consideration |
|---|---|---|---|
Small SaaS (< 50 people) | 65-75 controls | Physical security (cloud-only), supplier relationships (few vendors) | Focus on cloud and application security |
Enterprise (1000+ people) | 85-93 controls | Few exclusions possible | Comprehensive coverage needed |
Manufacturing | 70-80 controls | Mobile device policies (limited use) | Heavy OT/IT integration focus |
Healthcare Provider | 80-90 controls | Development controls (buy vs build) | HIPAA alignment critical |
Financial Services | 85-93 controls | Almost no exclusions | Regulatory requirements overlap |
The $300,000 Control Mistake
A client once insisted on implementing Control 8.8 (Management of technical vulnerabilities) despite having zero IT infrastructure—they were 100% cloud-based with SaaS applications.
"But it's a control in the standard," they argued.
They spent six months and over $300,000 building a vulnerability management program for infrastructure they didn't own or control. Their cloud providers already handled it.
During the audit, the auditor asked why they'd implemented this control. They couldn't justify it. The auditor marked it as "over-engineered" and questioned their risk assessment methodology.
My Control Selection Process
Start with your risk assessment - Which risks actually exist?
Map controls to risks - Which controls address those specific risks?
Check mandatory requirements - Legal, regulatory, contractual obligations?
Consider your environment - Cloud vs on-premise? 10 people or 10,000?
Document exclusions clearly - Explain why controls don't apply
Critical point: You must justify every control you exclude in your Statement of Applicability. But you must also be able to justify every control you include.
Mistake #6: The "Set It and Forget It" Syndrome
Congratulations! You achieved ISO 27001 certification! Pop the champagne! Update LinkedIn! Frame the certificate!
Now... forget about it for three years until the recertification audit?
That's what happened to a client in 2020. They achieved certification in 2017, celebrated, then essentially mothballed their ISMS.
Fast forward to 2020:
Their risk register hadn't been updated in 30 months
Management reviews? "We forgot about those."
Internal audits? "The person responsible left the company."
Control effectiveness? "We assume they still work?"
The recertification audit was brutal. The auditor found that their ISMS existed only on paper. In practice, security had degraded significantly.
Certificate revoked. Three years of investment wasted.
The Maintenance Reality Check
Required Activity | ISO 27001 Requirement | Minimum Frequency | What Happens If You Skip It |
|---|---|---|---|
Management Review | Clause 9.3 | Annually (quarterly recommended) | Major non-conformity, certification risk |
Internal Audits | Clause 9.2 | Annually (full ISMS coverage) | Major non-conformity, missing issues |
Risk Assessment Update | Clause 6.1.2 | When changes occur (annual minimum) | Outdated risk treatment, ineffective controls |
Control Effectiveness Review | Clause 9.1 | Ongoing monitoring | Controls fail silently, incidents occur |
Document Updates | Clause 7.5 | When processes change | Documentation doesn't match reality |
Building Maintenance Into DNA
I helped a 200-person company embed ISO 27001 into their regular business rhythm:
Monthly:
Security metrics review (30 minutes in leadership meeting)
Incident review and lessons learned
New risk identification
Quarterly:
Internal audit of one major ISMS area
Control effectiveness spot checks
Management review with board
Annually:
Full risk assessment refresh
Complete internal audit cycle
Third-party assessment
Continuous:
Real-time security monitoring
Ongoing employee training
Regular vulnerability assessments
Result? Their recertification audit took three days instead of the usual five, with zero non-conformities. The auditor commented it was one of the most well-maintained ISMS programs he'd seen.
"ISO 27001 certification isn't a trophy you earn and display. It's a living system that needs feeding, care, and attention—like a garden, not a statue."
Mistake #7: The Training Theater
"We need security awareness training for ISO 27001."
"Great! I'll buy an online course and assign it to everyone."
Six months later...
"Why didn't anyone complete the training?"
I see this constantly. Organizations check the "training" box by purchasing generic online courses that employees never complete or quickly forget.
The Training Failure Pattern
Training Approach | Completion Rate | Retention After 3 Months | Behavior Change | Audit Success |
|---|---|---|---|---|
Generic online course (assigned once) | 45% | 12% | Minimal | Often fails |
Annual classroom session | 85% | 25% | Moderate | Sometimes passes |
Role-specific training | 90% | 55% | Good | Usually passes |
Continuous micro-learning + phishing simulation | 95% | 78% | Excellent | Always passes |
What Actually Works
A financial services client was failing their internal audits on training effectiveness. Employees had completed the training, but they couldn't answer basic security questions during interviews.
We rebuilt their program:
Foundation Training (Onboarding):
30-minute interactive session on day one
Focused on "these five things will get you fired"
Role-specific examples from real incidents
Signed acknowledgment of responsibilities
Ongoing Reinforcement:
Monthly 5-minute security tips in team meetings
Quarterly phishing simulations with immediate feedback
Real-time alerts when new threats emerge
Role-specific deep dives (developers, sales, finance)
Measurement:
Tracked phishing simulation click rates (decreased from 23% to 3%)
Spot-checked knowledge in internal audits
Monitored security incidents by root cause
Next audit? The auditor interviewed random employees who could clearly articulate security responsibilities and procedures. Glowing compliance finding.
Training That Doesn't Suck
Here's my formula:
Make it relevant - Use examples from your industry, your company, your actual incidents
Make it short - Nobody has time for 3-hour training modules
Make it recurring - One-and-done doesn't work for behavior change
Make it measurable - Track not just completion, but understanding and behavior
Make it real - Simulations, tests, and practical exercises beat lectures
Mistake #8: The Vendor Blind Spot
A cloud-based company achieved ISO 27001 certification. Six months later, their major SaaS vendor was breached, exposing customer data.
"But we're certified!" they protested.
The auditor pointed to Control 5.19 (Information security in supplier relationships): "Did you assess this vendor's security? Do you have contractual security requirements? Do you monitor their compliance?"
Blank stares.
They'd secured their own systems beautifully but ignored that 60% of their data was handled by third-party vendors.
The Vendor Security Reality
Vendor Risk Level | Examples | Required Security Measures | Common Mistake |
|---|---|---|---|
Critical | Cloud infrastructure, payment processors, core SaaS | SOC 2/ISO 27001 required, annual reviews, contract security terms, incident notification | Trusting brand name without verification |
High | CRM, HR systems, major data processors | Security questionnaire, insurance proof, basic certifications | Annual review only without ongoing monitoring |
Medium | Marketing tools, analytics, collaboration tools | Basic security assessment, terms review | No assessment at all |
Low | Single-purpose tools, limited data access | Acceptable use verification | Treating as zero risk |
The Vendor Management Framework That Works
I helped a healthcare technology company build this approach:
Before Onboarding:
Security questionnaire (tiered by risk level)
Certificate verification (SOC 2, ISO 27001, HITRUST)
Contract security addendum (data protection, incident notification, audit rights)
Insurance verification ($2M minimum for critical vendors)
During Relationship:
Annual security review
Certificate renewal monitoring
Incident notification monitoring
Quarterly business review includes security
Exit Planning:
Data return/deletion procedures
Access revocation checklist
Knowledge transfer
Post-termination verification
This caught a major issue early: a vendor's SOC 2 certification had lapsed. They discovered it during quarterly monitoring and immediately enforced contractual remediation rights. Potential disaster averted.
Mistake #9: The Measurement Misconception
"How do we know our ISMS is working?"
"Well... we haven't had any major incidents?"
That's not measurement. That's hope.
The Metrics That Actually Matter
What People Measure | Why It's Wrong | What You Should Measure Instead | Why It's Right |
|---|---|---|---|
Number of policies created | More ≠ better | Policy compliance rate | Are policies followed? |
Training completion % | Completion ≠ understanding | Phishing simulation failure rate | Are behaviors changing? |
Controls implemented | Implementation ≠ effectiveness | Control failures detected | Are controls working? |
Audit findings closed | Closing ≠ solving | Time to detect/respond to incidents | Are you getting better? |
Certifications achieved | Certificate ≠ security | Risk treatment completion rate | Are you reducing risk? |
Building a Real Measurement Program
A SaaS company I worked with had 47 security metrics. Forty-seven! Nobody looked at them. They were meaningless noise.
We reduced it to 12 metrics that actually mattered:
Effectiveness Metrics (Are we secure?):
Mean time to detect incidents
Mean time to respond and contain
% of critical vulnerabilities remediated within SLA
Failed access attempts to sensitive systems
Compliance Metrics (Are we following our ISMS?):
Internal audit findings (open vs closed)
Risk treatment plan completion %
Policy exception approvals and reviews
Training completion by role
Trend Metrics (Are we improving?):
Month-over-month incident reduction
Phishing simulation click rate trend
Vendor security posture scores
Employee security awareness scores
Every month, leadership reviewed these 12 metrics in 15 minutes. They could immediately spot problems and trends.
When their surveillance audit came, the auditor praised their measurement program: "This is exactly what Clause 9.1 requires—monitoring that actually demonstrates effectiveness."
"If you can't measure it, you can't manage it. But if you measure everything, you manage nothing."
Mistake #10: The DIY Disaster
"We'll save money by implementing ISO 27001 ourselves."
Famous last words.
Look, I understand the appeal. Consultants are expensive. You have smart people. How hard can it be?
Let me tell you about a company that went DIY. Eighteen months of effort. Three failed audit attempts. Eventually, they hired a consultant (me) to fix the mess.
Total cost: $520,000 and 24 months.
If they'd hired expert help from the start? Approximately $180,000 and 12 months.
When DIY Works (Rarely)
Your Situation | DIY Success Probability | Recommended Approach |
|---|---|---|
First-time ISO 27001, no security background | 5% | Hire experienced consultant |
First-time ISO 27001, strong security team | 35% | Hire consultant for guidance, do the work yourself |
Experienced with other frameworks (SOC 2, etc.) | 60% | Consider DIY with gap analysis consultant review |
Previously implemented ISO 27001 elsewhere | 80% | DIY feasible with auditor check-ins |
Re-certification of existing program | 95% | DIY appropriate |
The Hybrid Approach That Works
Smart organizations don't go fully DIY or fully outsourced. They hybrid:
Months 1-2: Consultant-Led
Gap analysis
Scope definition
Risk assessment framework
Training on ISO 27001 requirements
Months 3-8: Organization-Led
Policy and procedure development
Control implementation
Internal team does the work
Monthly consultant check-ins
Months 9-10: Consultant-Led
Pre-assessment audit
Gap remediation
Stage 1 preparation
Final readiness review
This approach balances cost with expertise. A client used this model and achieved certification in 11 months for $145,000—far less than the $400,000 fully outsourced quote they received.
The Path Forward: Your ISO 27001 Success Blueprint
After fifteen years and dozens of implementations, here's what successful organizations do differently:
Phase 1: Foundation (Months 1-3)
Week 1-2: Reality Check
Assess current state honestly
Define realistic scope
Secure leadership commitment
Allocate real resources
Week 3-6: Framework
Risk assessment (focused, not bloated)
Control selection (justified, not copied)
Documentation structure (usable, not impressive)
Week 7-12: Build
Policies (5-10 pages each, maximum)
Procedures (what people actually do)
Training (relevant and role-specific)
Tools (implement, don't just purchase)
Phase 2: Implementation (Months 4-9)
Months 4-6: Deploy
Roll out controls systematically
Train employees practically
Test and adjust
Document evidence
Months 7-8: Validate
Internal audits (identify gaps early)
Management review (leadership buy-in)
Remediation (fix what's broken)
Month 9: Prepare
Pre-assessment review
Evidence package preparation
Team preparation for audit interviews
Phase 3: Certification (Months 10-12)
Month 10: Stage 1
Documentation review
Gap identification
Quick fixes
Month 11: Stage 2
Full system audit
On-site assessment
Evidence review
Month 12: Maintain
Address any findings
Establish ongoing rhythm
Plan continuous improvement
The Success Factors That Matter Most
Success Factor | Impact on Certification | How to Achieve It |
|---|---|---|
Leadership commitment | Critical - determines resources and culture | CEO/board engagement, regular reviews, budget allocation |
Realistic scope | High - determines audit complexity | Business-aligned, clearly defined, defensible boundaries |
Practical documentation | High - determines implementation success | Document reality, not ideals; usable, not impressive |
Ongoing maintenance | Medium for initial cert, critical for keeping it | Built into business rhythm, not separate compliance project |
Risk-based approach | High - demonstrates understanding | Focus on real risks, prioritized treatment, measurable outcomes |
Employee engagement | Medium-High - determines effectiveness | Training that matters, clear responsibilities, easy processes |
Red Flags That Predict Failure
Watch for these warning signs in your implementation:
Red Flag | What It Means | Immediate Action Required |
|---|---|---|
"We'll figure out maintenance after certification" | ISMS will collapse post-cert | Build maintenance plan now |
"That control doesn't apply to us" (without risk assessment) | Inadequate justification | Document exclusion with risk-based reasoning |
"We're doing this for the certificate" | Wrong motivation | Refocus on actual risk reduction |
"Let's implement everything in the last 3 months" | Rushed, ineffective implementation | Reset timeline to realistic schedule |
"Nobody has time for this" | Insufficient resources | Secure proper budget and time allocation |
"We'll use last year's risk assessment" | Static, outdated ISMS | Conduct fresh assessment |
The Final Truth About ISO 27001
Here's what I tell every client at our first meeting:
ISO 27001 is not about the certificate on your wall. It's about building a security program that actually works—one that reduces real risks, prevents real incidents, and creates real business value.
The mistakes I've shared today? They all stem from the same root cause: treating ISO 27001 as a compliance exercise rather than a business improvement program.
The organizations that succeed are the ones that ask: "How can we use this framework to actually become more secure, more resilient, and more trustworthy?"
The organizations that fail are the ones that ask: "What's the minimum we need to do to get the certificate?"
Your choice determines your outcome.
I've seen companies transform their security posture through ISO 27001 implementation. I've watched small startups use certification to win enterprise contracts they never could have landed otherwise. I've observed how the discipline of a well-run ISMS prevents incidents, reduces risks, and creates competitive advantage.
But I've also seen the failures. The wasted money. The failed audits. The false sense of security that crumbles when tested.
The difference? Avoiding these ten mistakes and committing to building something real.
Your Next Steps
This Week:
Review your current implementation against these ten mistakes
Identify which ones threaten your success
Create action plans to address them
This Month:
Validate your scope is business-aligned and defensible
Verify your documentation reflects reality
Confirm your risk assessment focuses on real threats
This Quarter:
Test that your controls actually work in practice
Ensure ongoing maintenance is planned and resourced
Prepare for success, not just certification
Remember: The goal isn't to avoid mistakes entirely—that's impossible. The goal is to catch and correct them early, before they derail your entire implementation.
Because in ISO 27001, the difference between success and failure often comes down to avoiding preventable mistakes.
Learn from my fifteen years of scars so you don't have to earn your own.