The first two concern mandatory requirements for ISO/IEC 27001 certification:
4.2 Establishing and managing the ISMS: few organizations had formally stated the scope of their ISMS or documented their risk assessment method and risk acceptance criteria in accordance with the standard.The information security controls succinctly listed in Annex A of ISO/IEC 27001 and explained in more detail in ISO/IEC 27002 are not strictly mandatory for certification but are widely implemented and generally accepted as good security practices.
6.0 Internal ISMS audits: only one organization had an internal ISMS audit program, and none had undertaken a management review of the ISMS.
A.6.1 Internal organization: few organizations (especially SMEs) had an information security committee or forum, and had nominated a manager for the ISMS.Many thanks to Bil for permission to share this list. Bil’s original article in ISSA Journal, available online to ISSA members, is well worth reading for additional details and guidance on this.
A.6.2 External parties: identification and treatment of risks relating to suppliers (including IT outsourcers) and customers was sporadic or missing.
A.7.1 Responsibility for assets: few organizations maintained inventories of intangible information assets.
A.9.1 Secure areas: while physical security gaps varied, they should have been identified through the ISMS risk assessment.
A.10.7 Media handling: most lacked formal security policies and/or procedures for handling and disposing of media such as USB flash memory sticks.
A.10.8 Exchange of information: many organizations have neither an information exchange policy nor agreements with customers and suppliers on transferring confidential information securely (e.g. emailing confidential information).
A.10.10 Monitoring: few system clocks were time-synchronised, other than on MS Windows systems. This is obviously important on security systems such as CCTV.
A.11.1 Business requirement for access control: few organizations had systematically documented user and system admin roles for their business applications.
A.11.2 User access management: few organizations regularly and systematically reviewed access rights across all IT systems.
A.11.3 User responsibilities: very weak or default passwords were common on subsidiary and older systems, including network devices, databases and physical access control systems. Compliance with clear desk and clear screen policies was very weak in practice.
A.11.7 Mobile computing and teleworking: few organizations had formal policies and procedures for mobile computing and teleworking.
A.12.3 Cryptographic controls: there was seldom a consistent approach to managing encryption methods and keys.
A12.5.5 Outsourced software development: contracts did not stipulate intellectual property rights, escrow, quality and security requirements nor a right to audit the supplier.
A12.6 Technical vulnerability management: configuration management and security patching processes often neglected utility software such as Acrobat Reader.
A.13.1 Reporting information security events and weaknesses: many organizations lacked formal procedures for reporting security events, and mechanisms to quantify and monitor incidents. [Cumulative security incident costs are an important strategic metric that helps management justify continued investment in the ISMS, while the detailed cost breakdown focuses attention on aspects requiring improvement.]
A.14.1 Information security aspects of business continuity management: business continuity plans were often either absent or outdated, while continuity exercises were irregular and unrealistic (e.g. limited scope).
A.15.1 Compliance: no organizations had identified all the information security-relevant laws and regulations, and established mechanisms to stay up-to-date on changes.
Without neglecting the other requirements, it's worth double-checking that your ISMS implementation project plans do in fact allocate sufficient resources and time to tackle all the issues identified here.
PS I have added this to the ISO27k FAQ