
Achieve Robust Information Security with ISO 27001:2022

Our platform empowers your organisation to align with ISO 27001, ensuring comprehensive security management. This international standard is essential for protecting sensitive data and enhancing resilience against cyber threats. With over 70,000 certificates issued globally, ISO 27001’s widespread adoption underscores its importance in safeguarding information assets.

Why ISO 27001 Matters

Achieving ISO 27001:2022 certification emphasises a comprehensive, risk-based approach to improving information security management, ensuring your organisation effectively manages and mitigates potential threats, aligning with modern security needs. It provides a systematic methodology for managing sensitive information, ensuring it remains secure. Certification can reduce data breach costs by 30% and is recognised in over 150 countries, enhancing international business opportunities and competitive advantage.

How ISO 27001 Certification Benefits Your Business

  1. Achieve Cost Efficiency: Save time and money by preventing costly security breaches. Implement proactive risk management measures to significantly reduce the likelihood of incidents.
  2. Accelerate Sales Growth: Streamline your sales process by reducing extensive security documentation requests (RFIs). Showcase your compliance with international information security standards to shorten negotiation times and close deals faster.
  3. Boost Client Trust: Demonstrate your commitment to information security to enhance client confidence and build lasting trust. Increase customer loyalty and retain clients in sectors like finance, healthcare, and IT services.


Comprehensive Guide on How to Implement ISO 27001:2022 Certification

The standard’s structure combines the mandatory management-system clauses (4 to 10), which establish the Information Security Management System (ISMS) itself (ISO 27001:2022 Clause 4.4), with the risk management process of Clause 6.1 and the reference controls of Annex A. Together these form a holistic security strategy that addresses organisational, people, physical and technological aspects of security. This approach not only enhances security but also fosters a culture of awareness and compliance within the organisation.

Streamlining Certification with ISMS.online

ISMS.online plays a crucial role in facilitating alignment by offering tools that streamline the certification process. Our platform provides automated risk assessments and real-time monitoring, simplifying the implementation of ISO 27001:2022 requirements. This not only reduces manual effort but also enhances efficiency and accuracy in maintaining alignment.

Join 25000 + Users Achieving ISO 27001 with ISMS.online. Book Your Free Demo Today!


Understanding ISO 27001:2022

ISO 27001 is a pivotal standard for improving an Information Security Management System (ISMS), offering a structured framework to protect sensitive data. This framework integrates comprehensive risk evaluation processes and Annex A controls, forming a robust security strategy. Organisations can effectively identify, analyse, and address vulnerabilities, enhancing their overall security posture.

Key Elements of ISO 27001:2022

  • ISMS Framework: This foundational component establishes systematic policies and procedures for managing information security (ISO 27001:2022 Clause 4.4, with scope set under Clause 4.3). It aligns organisational goals with security protocols, fostering a culture of compliance and awareness.
  • Risk Evaluation: Central to ISO 27001, this process involves conducting thorough assessments to identify potential threats. It is essential for implementing appropriate security measures and ensuring continuous monitoring and improvement.
  • ISO 27001 Controls: ISO 27001:2022 outlines a comprehensive set of ISO 27001 controls within Annex A, designed to address various aspects of information security. These controls include measures for access control, cryptography, physical security, and incident management, among others. Implementing these controls ensures your Information Security Management System (ISMS) effectively mitigates risks and safeguards sensitive information.


Aligning with International Standards

ISO 27001:2022 is developed in collaboration with the International Electrotechnical Commission (IEC), ensuring that the standard aligns with global best practices in information security. This partnership enhances the credibility and applicability of ISO 27001 across diverse industries and regions.

How ISO 27001 Integrates with Other Standards

ISO 27001:2022 integrates with other standards such as ISO 9001 for quality management and ISO/IEC 27002:2022, the companion guidance on information security controls, and supports regulations like GDPR, enhancing compliance and operational efficiency. This integration allows organisations to streamline regulatory efforts and align security practices with broader business objectives. The implementation path follows the same pattern: initial preparation involves a gap analysis to identify areas needing improvement, followed by a risk assessment to evaluate potential threats. Implementing the Annex A controls selected through risk treatment ensures comprehensive security measures are in place. The final audit process, including Stage 1 (documentation review) and Stage 2 (implementation and effectiveness) audits, verifies compliance and readiness for certification.

Why Is ISO 27001:2022 Important for Organisations?

ISO 27001 plays a vital role in strengthening your organisation’s data protection strategies. It provides a comprehensive framework for managing sensitive information, aligning with contemporary cybersecurity requirements through a risk-based approach. This alignment not only fortifies defences but also ensures adherence to regulations like GDPR, mitigating potential legal risks (ISO 27001:2022 Clause 6.1).

ISO 27001:2022 Integration with Other Standards

ISO 27001 is part of the broader ISO family of management system standards and shares their common high-level structure. This allows it to be integrated with other standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management), reusing common elements like document control, internal audit and management review.

This integrated approach helps your organisation maintain robust operational standards, streamlining the certification process and enhancing compliance.

How Does ISO 27001:2022 Enhance Risk Management?

  • Structured Risk Management: The standard emphasises the systematic identification, assessment, and mitigation of risks, fostering a proactive security posture.
  • Incident Reduction: Organisations experience fewer breaches due to the robust controls outlined in Annex A.
  • Operational Efficiency: Streamlined processes enhance efficiency, reducing the likelihood of costly incidents.

Structured Risk Management with ISO 27001:2022

ISO 27001 requires organisations to adopt a comprehensive, systematic approach to risk management. This includes:

  • Risk Identification and Assessment: Identify potential threats to sensitive data and evaluate the severity and likelihood of those risks (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Select appropriate treatment options for each risk: modify it with controls (mitigate), share it (for example by transferring it through insurance or contract), avoid it, or retain it (accept it with documented approval). Clause 6.1.1 also requires the organisation to determine opportunities as well as risks, so a treatment plan may deliberately accept a risk in order to pursue an opportunity, provided the decision is recorded and approved by the risk owner.

Each of these steps must be reviewed regularly to ensure that the risk landscape is continuously monitored and mitigated as necessary.


What Are the Benefits for Trust and Reputation?

Certification signifies a commitment to data protection, enhancing your business reputation and customer trust. Certified organisations often see a 20% increase in customer satisfaction, as clients appreciate the assurance of secure data handling.

How ISO 27001 Certification Impacts Client Trust and Sales

  1. Increased Client Confidence: When prospective clients see that your organisation is ISO 27001 certified, it automatically elevates their trust in your ability to protect sensitive information. This trust is essential for sectors where data security is a deciding factor, such as healthcare, finance, and government contracting.
  2. Faster Sales Cycles: ISO 27001 certification reduces the time spent answering security questionnaires during the procurement process. Prospective clients can treat your certificate, together with its scope statement and Statement of Applicability, as independent evidence that an audited ISMS is in place, which speeds up decision-making. Note that a certificate attests to the management system within the stated scope, not to the security of every product or service, so be prepared to share the scope with clients who ask.
  3. Competitive Advantage: ISO 27001 certification positions your company as a leader in information security, giving you an edge over competitors who may not hold this certification.

How Does ISO 27001:2022 Offer Competitive Advantages?

ISO 27001 opens international business opportunities, recognised in over 150 countries. It cultivates a culture of security awareness, positively influencing organisational culture and encouraging continuous improvement and resilience, essential for thriving in today’s digital environment.

How Can ISO 27001 Support Regulatory Adherence?

Aligning with ISO 27001 helps navigate complex regulatory landscapes, ensuring adherence to various legal requirements. This alignment reduces potential legal liabilities and enhances overall governance.

Incorporating ISO 27001:2022 into your organisation not only strengthens your data protection framework but also builds a foundation for sustainable growth and trust in the global market.


Enhancing Risk Management with ISO 27001:2022

ISO 27001:2022 offers a robust framework for managing information security risks, vital for safeguarding your organisation’s sensitive data. This standard emphasises a systematic approach to risk evaluation, ensuring potential threats are identified, assessed, and mitigated effectively.

How Does ISO 27001 Structure Risk Management?

ISO 27001:2022 integrates risk evaluation into the Information Security Management System (ISMS), involving:

  • Risk Assessment: Conducting thorough evaluations to identify and analyse potential threats and vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Implementing strategies to mitigate identified risks, using controls outlined in Annex A to reduce vulnerabilities and threats.
  • Continuous Monitoring: Regularly reviewing and updating practices to adapt to evolving threats and maintain security effectiveness.

What Techniques and Strategies Are Key?

Effective risk management under ISO 27001:2022 involves:

  • Risk Assessment and Analysis: Utilising a defined, repeatable methodology, such as the guidance in ISO/IEC 27005, together with techniques like threat modelling and SWOT analysis, to evaluate risks comprehensively and produce results that can be compared over time.
  • Risk Treatment and Mitigation: Applying controls from Annex A to address specific risks, ensuring a proactive approach to security.
  • Continuous Improvement: Fostering a security-focused culture that encourages ongoing evaluation and enhancement of risk management practices.


How Can the Framework Be Tailored to Your Organisation?

ISO 27001:2022’s framework can be customised to fit your organisation’s specific needs, ensuring that security measures align with business objectives and regulatory requirements. By fostering a culture of proactive risk management, organisations with ISO 27001 certification experience fewer security breaches and enhanced resilience against cyber threats. This approach not only protects your data but also builds trust with stakeholders, enhancing your organisation’s reputation and competitive edge.

Key Changes in ISO 27001:2022

ISO 27001:2022 introduces pivotal updates, enhancing its role in modern cybersecurity. The most significant changes reside in Annex A, which now includes advanced measures for digital security and proactive threat management. These revisions address the evolving nature of security challenges, particularly the increasing reliance on digital platforms.

Key Differences Between ISO 27001:2022 and Earlier Versions

The differences between the 2013 and 2022 versions of ISO 27001 are crucial to understanding the updated standard. While there are no massive overhauls, the refinements in Annex A controls and other areas ensure the standard remains relevant to modern cybersecurity challenges. Key changes include:

  • Restructuring of Annex A Controls: Annex A controls have been condensed from 114 to 93, with some being merged, revised, or newly added. These changes reflect the current cybersecurity environment, making controls more streamlined and focused.
  • New Focus Areas: The 11 new controls introduced in ISO 27001:2022 include areas such as threat intelligence, physical security monitoring, secure coding, and cloud service security, addressing the rise of digital threats and the increased reliance on cloud-based solutions.

Understanding Annex A Controls

  • Enhanced Security Protocols: Annex A now features 93 controls, with new additions focusing on digital security and proactive threat management. These controls are designed to mitigate emerging risks and ensure robust protection of information assets.
  • Digital Security Focus: As digital platforms become integral to operations, ISO 27001:2022 emphasises securing digital environments, ensuring data integrity, and safeguarding against unauthorised access.
  • Proactive Threat Management: New controls enable organisations to anticipate and respond to potential security incidents more effectively, strengthening their overall security posture.

Detailed Breakdown of Annex A Controls in ISO 27001:2022

ISO 27001:2022 introduces a revised set of Annex A controls, reducing the total from 114 to 93 and restructuring them into four main groups. Here’s a breakdown of the control categories:

Control Group | Number of Controls | Examples
Organisational | 37 | Threat intelligence, ICT readiness, information security policies
People | 8 | Responsibilities for security, screening
Physical | 14 | Physical security monitoring, equipment protection
Technological | 34 | Web filtering, secure coding, data leakage prevention

New Controls
ISO 27001:2022 introduces 11 new controls focused on emerging technologies and challenges, including:

  • Cloud services: Security measures for cloud infrastructure.
  • Threat intelligence: Proactive identification of security threats.
  • ICT readiness: Business continuity preparations for ICT systems.

By implementing these controls, organisations ensure they are equipped to handle modern information security challenges.


Full Table of ISO 27001 Controls

Below is a full list of ISO 27001:2022 controls

ISO 27001:2022 Organisational Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Organisational Controls | Annex A 5.1 | Annex A 5.1.1, 5.1.2 | Policies for Information Security
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence
Organisational Controls | Annex A 5.8 | Annex A 6.1.5, 14.1.1 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | Annex A 8.1.1, 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | Annex A 8.1.3, 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information
Organisational Controls | Annex A 5.14 | Annex A 13.2.1, 13.2.2, 13.2.3 | Information Transfer
Organisational Controls | Annex A 5.15 | Annex A 9.1.1, 9.1.2 | Access Control
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management
Organisational Controls | Annex A 5.17 | Annex A 9.2.4, 9.3.1, 9.4.3 | Authentication Information
Organisational Controls | Annex A 5.18 | Annex A 9.2.2, 9.2.5, 9.2.6 | Access Rights
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | Annex A 15.2.1, 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence
Organisational Controls | Annex A 5.29 | Annex A 17.1.1, 17.1.2, 17.1.3 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | Annex A 18.1.1, 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | Annex A 18.2.2, 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures
ISO 27001:2022 People Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working
People Controls | Annex A 6.8 | Annex A 16.1.2, 16.1.3 | Information Security Event Reporting
ISO 27001:2022 Physical Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters
Physical Controls | Annex A 7.2 | Annex A 11.1.2, 11.1.6 | Physical Entry
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises
Physical Controls | Annex A 7.10 | Annex A 8.3.1, 8.3.2, 8.3.3, 11.2.5 | Storage Media
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment
ISO 27001:2022 Technological Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Technological Controls | Annex A 8.1 | Annex A 6.2.1, 11.2.8 | User Endpoint Devices
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware
Technological Controls | Annex A 8.8 | Annex A 12.6.1, 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | Annex A 8.9 | NEW | Configuration Management
Technological Controls | Annex A 8.10 | NEW | Information Deletion
Technological Controls | Annex A 8.11 | NEW | Data Masking
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | Annex A 8.15 | Annex A 12.4.1, 12.4.2, 12.4.3 | Logging
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs
Technological Controls | Annex A 8.19 | Annex A 12.5.1, 12.6.2 | Installation of Software on Operational Systems
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks
Technological Controls | Annex A 8.23 | NEW | Web Filtering
Technological Controls | Annex A 8.24 | Annex A 10.1.1, 10.1.2 | Use of Cryptography
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle
Technological Controls | Annex A 8.26 | Annex A 14.1.2, 14.1.3 | Application Security Requirements
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | Annex A 8.28 | NEW | Secure Coding
Technological Controls | Annex A 8.29 | Annex A 14.2.8, 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development
Technological Controls | Annex A 8.31 | Annex A 12.1.4, 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | Annex A 8.32 | Annex A 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change Management
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing
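The mapping above is not one-to-one: several 2013 controls merge into a single 2022 control, and one 2013 control (Annex A 18.2.3) feeds two different 2022 controls (5.36 and 8.8). A Statement of Applicability carried over mechanically from a 2013 ISMS will therefore silently inherit wrong decisions unless those cases are surfaced. The following script is an added example, not ISMS.online's code; it embeds a constructed subset of the crosswalk transcribed from the tables on this page, inverts it to expose the many-to-many rows, lists the new controls that have no 2013 predecessor, and flags every 2022 control whose inherited applicability decision needs a human review. The function names and the sample 2013 Statement of Applicability are illustrative.

```python
"""Crosswalk helper for the ISO/IEC 27001 Annex A 2013 -> 2022 mapping.

Added example (not from ISMS.online). MAPPING is a constructed subset of the
crosswalk on this page; extend it to all 93 rows for real use. Identifiers and
names are the public Annex A ones; the helper names and SAMPLE_SOA_2013 are
illustrative.
"""
from collections import defaultdict

# 2022 identifier -> (control name, tuple of 2013 identifiers).
# An empty tuple marks a NEW control with no 2013 predecessor.
MAPPING = {
    "5.7":  ("Threat Intelligence", ()),
    "5.19": ("Information Security in Supplier Relationships", ("15.1.1",)),
    "5.23": ("Information Security for Use of Cloud Services", ()),
    "5.36": ("Compliance With Policies, Rules and Standards for Information Security",
             ("18.2.2", "18.2.3")),
    "7.10": ("Storage Media", ("8.3.1", "8.3.2", "8.3.3", "11.2.5")),
    "8.8":  ("Management of Technical Vulnerabilities", ("12.6.1", "18.2.3")),
    "8.9":  ("Configuration Management", ()),
    "8.15": ("Logging", ("12.4.1", "12.4.2", "12.4.3")),
    "8.28": ("Secure Coding", ()),
}

# Constructed 2013 Statement of Applicability: 2013 identifier -> applicable?
# 18.2.3 (technical compliance review) was excluded here, which is exactly the
# case that must not be inherited blindly, since it feeds both 5.36 and 8.8.
SAMPLE_SOA_2013 = {
    "15.1.1": True, "18.2.2": True, "18.2.3": False, "12.6.1": True,
    "8.3.1": True, "8.3.2": True, "8.3.3": True, "11.2.5": True,
    "12.4.1": True, "12.4.2": True, "12.4.3": True,
    "9.1.1": True,  # not in this subset: shows up as "unmapped"
}


def _key(control_id):
    """Sort key so that 5.7 sorts before 5.23 (numeric, not lexical)."""
    return tuple(int(part) for part in control_id.split("."))


def invert(mapping):
    """Return 2013 id -> list of 2022 ids it contributes to (many-to-many)."""
    inverse = defaultdict(list)
    for new_id, (_, old_ids) in mapping.items():
        for old_id in old_ids:
            inverse[old_id].append(new_id)
    return dict(inverse)


def new_controls(mapping):
    """2022 controls with no 2013 predecessor: they need a fresh risk-treatment decision."""
    return sorted((cid for cid, (_, old) in mapping.items() if not old), key=_key)


def migrate_soa(old_soa, mapping):
    """Propose 2022 applicability from a 2013 SoA.

    Returns (proposed, review, unmapped):
      proposed: 2022 id -> True/False, or None when a person must decide
      review:   list of (2022 id, reason) needing attention
      unmapped: 2013 ids in the SoA that this mapping does not cover
    """
    proposed, review = {}, []
    for new_id, (_, old_ids) in mapping.items():
        if not old_ids:
            proposed[new_id] = None
            review.append((new_id, "new control, no 2013 predecessor"))
            continue
        decisions = {old_soa.get(old_id) for old_id in old_ids}  # None if missing
        if decisions == {True}:
            proposed[new_id] = True
        elif decisions == {False}:
            proposed[new_id] = False
        else:
            # Merged predecessors disagree (or one is absent): do not guess.
            proposed[new_id] = None
            review.append((new_id, "merged 2013 controls had mixed or missing applicability"))
    covered = invert(mapping)
    unmapped = sorted((cid for cid in old_soa if cid not in covered), key=_key)
    return proposed, review, unmapped


if __name__ == "__main__":
    proposed, review, unmapped = migrate_soa(SAMPLE_SOA_2013, MAPPING)
    for cid, reason in review:
        print(f"REVIEW  {cid:<5} {MAPPING[cid][0]}: {reason}")
    print("New controls:", ", ".join(new_controls(MAPPING)))
    print("2013 controls not covered by this mapping subset:", unmapped)
```

Run against the sample, the script marks 5.36 and 8.8 for review because 18.2.3 was excluded while their other predecessors were applicable, lists the four new controls, and reports 9.1.1 as uncovered by the subset; a real migration should use the full 93-row table and feed the review list into the Clause 6.1.3 treatment decisions rather than into the SoA directly.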

Navigating Implementation Challenges

Organisations may face challenges such as resource constraints and insufficient management support when implementing these updates. Effective resource allocation and stakeholder engagement are crucial for maintaining momentum and achieving successful compliance. Regular training sessions can help clarify the standard’s requirements, reducing compliance challenges.

Adapting to Evolving Security Threats

These updates demonstrate ISO 27001:2022’s adaptability to the changing security environment, ensuring organisations remain resilient against new threats. By aligning with these enhanced requirements, your organisation can bolster its security framework, improve compliance processes, and maintain a competitive edge in the global market.


How Can Organisations Successfully Attain ISO 27001 Certification?

Achieving ISO 27001:2022 requires a methodical approach, ensuring your organisation aligns with the standard’s comprehensive requirements. Here’s a detailed guide to navigate this process effectively:

Kickstart Your Certification with a Thorough Gap Analysis

Identify improvement areas with a comprehensive gap analysis. Assess current practices against ISO 27001 standard to pinpoint discrepancies. Develop a detailed project plan outlining objectives, timelines, and responsibilities. Engage stakeholders early to secure buy-in and allocate resources efficiently.

Implement an Effective ISMS

Establish and implement an Information Security Management System (ISMS) tailored to your organisational goals. Carry out risk assessment and treatment (ISO 27001:2022 Clause 6.1), then select the Annex A controls the treatment plan requires and record the result in a Statement of Applicability, including a justification for any of the 93 controls you exclude (Clause 6.1.3). Annex A is a reference list, not a checklist to implement in full: the auditor expects every included control to be operating and every exclusion to be reasoned. Our platform, ISMS.online, automates compliance tasks, reducing manual effort and enhancing precision.

Perform Regular Internal Audits

Conduct regular internal audits to evaluate the effectiveness of your ISMS. Management reviews are essential for performance evaluation and necessary adjustments (ISO 27001:2022 Clause 9.3). ISMS.online facilitates real-time collaboration, boosting team efficiency and audit readiness.

Engage with Certification Bodies

Select an accredited certification body and schedule the audit process, including Stage 1 and Stage 2 audits. Ensure all documentation is complete and accessible. ISMS.online offers templates and resources to simplify documentation and track progress.

Overcome Common Challenges with a Free Consultation

Overcome resource constraints and resistance to change by fostering a culture of security awareness and continuous improvement. Our platform supports maintaining alignment over time, aiding your organisation in achieving and sustaining certification.

Schedule a free consultation to address resource constraints and navigate resistance to change. Learn how ISMS.online can support your implementation efforts and ensure successful certification.

ISO 27001:2022 and Supplier Relationships Requirements

ISO 27001:2022 consolidates supplier and third-party management into Annex A 5.19 to 5.23. Most of these carry over from the 2013 controls on supplier relationships (15.1.x and 15.2.x), with the ICT supply chain control (5.21) and the new cloud services control (5.23) extending them to modern outsourcing. Maintaining a robust supplier programme under the 2022 edition includes:

  • Identifying and Assessing Suppliers: Identify the third-party suppliers, including cloud providers, that can affect information security, and address them in the risk assessment so that supplier risk treatment is recorded alongside other risks (Annex A 5.19, 5.23).
  • Supplier Security Controls: Ensure that agreements specify the security controls suppliers must implement and that these are regularly reviewed (Annex A 5.20, 5.21). This extends to ensuring that service levels and personal data protection are not adversely affected.
  • Monitoring and Auditing Suppliers: Monitor, review and manage changes to supplier services on an ongoing basis, auditing their processes and systems where the risk warrants it (Annex A 5.22), so that supplier compliance is maintained and risks from third-party partnerships are mitigated.


Enhanced Employee Cybersecurity Awareness

ISO 27001:2022 continues to emphasise the importance of employee awareness. Implementing policies for ongoing education and training is critical. This approach ensures that your employees are not only aware of security risks but are also capable of actively participating in mitigating those risks.

  • Human Error Prevention: Businesses should invest in training programs that aim to prevent human error, one of the leading causes of security breaches.
  • Clear Policy Development: Establish clear guidelines for employee conduct regarding data security. This includes awareness programs on phishing, password management, and mobile device security.
  • Security Culture: Foster a security-aware culture where employees feel empowered to raise concerns about cybersecurity threats. An environment of openness helps organisations tackle risks before they materialise into incidents.

ISO 27001:2022 Requirements for Human Resource Security

ISO 27001:2022 gathers the eight people controls into their own group (Annex A 6.1 to 6.8), making human resource security easier to manage as a whole. This involves:

  • Personnel Screening: Clear guidelines for personnel screening before hiring are crucial to ensuring that employees with access to sensitive information meet required security standards.
  • Training and Awareness: Ongoing education is required to ensure that staff are fully aware of the organisation’s security policies and procedures.
  • Disciplinary Actions: Define clear consequences for policy violations, ensuring that all employees understand the importance of complying with security requirements.

These controls ensure that organisations manage both internal and external personnel security risks effectively.


Employee Awareness Programs and Security Culture

Fostering a culture of security awareness is crucial for maintaining strong defences against evolving cyber threats. ISO 27001:2022 promotes ongoing training and awareness programs to ensure that all employees, from leadership to staff, are involved in upholding information security standards.

  • Phishing Simulations and Security Drills: Conducting regular security drills and phishing simulations helps ensure employees are prepared to handle cyber incidents.
  • Interactive Workshops: Engage employees in practical training sessions that reinforce key security protocols, improving overall organisational awareness.

Continual Improvement and Cybersecurity Culture

Finally, ISO 27001:2022 advocates for a culture of continual improvement, where organisations consistently evaluate and update their security policies. This proactive stance is integral to maintaining compliance and ensuring the organisation stays ahead of emerging threats.

  • Security Governance: Regular updates to security policies and audits of cybersecurity practices ensure ongoing compliance with ISO 27001:2022.
  • Proactive Risk Management: Encouraging a culture that prioritises risk assessment and mitigation allows organisations to stay responsive to new cyber threats.

Optimal Timing for ISO 27001 Adoption

Adopting ISO 27001:2022 is a strategic decision that depends on your organisation’s readiness and objectives. The ideal timing often aligns with periods of growth or digital transformation, where enhancing security frameworks can significantly improve business outcomes. Early adoption provides a competitive edge, as certification is recognised in over 150 countries, expanding international business opportunities.

Conducting a Readiness Assessment

To ensure a seamless adoption, conduct a thorough readiness assessment to evaluate current security practices against the updated standard. This involves:

  • Gap Analysis: Identify areas needing improvement and align them with ISO 27001:2022 requirements.
  • Resource Allocation: Ensure adequate resources, including personnel, technology, and budget, are available to support the adoption.
  • Stakeholder Engagement: Secure buy-in from key stakeholders to facilitate a smooth adoption process.

Aligning Certification with Strategic Goals

Aligning certification with strategic goals enhances business outcomes. Consider:

  • Timeline and Deadlines: Be aware of industry-specific deadlines for compliance to avoid penalties.
  • Continuous Improvement: Foster a culture of ongoing evaluation and enhancement of security practices.


Utilising ISMS.online for Effective Management

Our platform, ISMS.online, plays a vital role in managing the adoption effectively. It offers tools for automating compliance tasks, reducing manual effort, and providing real-time collaboration features. This ensures your organisation can maintain compliance and track progress efficiently throughout the adoption process.

By strategically planning and utilising the right tools, your organisation can navigate the adoption of ISO 27001:2022 smoothly, ensuring robust security and compliance.

Where Does ISO 27001:2022 Align with Other Regulatory Standards?

ISO 27001 plays a significant role in aligning with key regulatory frameworks, such as GDPR and NIS 2, to enhance data protection and streamline regulatory adherence. This alignment not only strengthens data privacy but also improves organisational resilience across multiple frameworks.

How Does ISO 27001:2022 Enhance GDPR Compliance?

ISO 27001:2022 complements GDPR by focusing on data protection and privacy through its comprehensive risk management processes (ISO 27001:2022 Clause 6.1). The standard’s emphasis on safeguarding personal data aligns with GDPR’s stringent requirements, ensuring robust data protection strategies.

What Role Does ISO 27001:2022 Play in Supporting NIS 2 Directives?

The standard supports NIS 2 directives by enhancing cybersecurity resilience. ISO 27001:2022’s focus on threat intelligence and incident response aligns with NIS 2’s objectives, fortifying organisations against cyber threats and ensuring continuity of critical services.

How Does ISO 27001:2022 Integrate with Other ISO Standards?

ISO 27001 integrates effectively with other ISO standards, such as ISO 9001 and ISO 14001, creating synergies that enhance overall regulatory alignment and operational efficiency. This integration facilitates a unified approach to managing quality, environmental, and security standards within an organisation.

How Can Organisations Achieve Comprehensive Regulatory Alignment with ISO 27001:2022?

Organisations can achieve comprehensive regulatory alignment by synchronising their security practices with broader requirements. Our platform, ISMS.online, offers extensive certification support, providing tools and resources to simplify the process. Industry associations and webinars further enhance understanding and implementation, ensuring organisations remain compliant and competitive.

Can ISO 27001:2022 Effectively Mitigate New Security Challenges?

Emerging threats, including cyber-attacks and data breaches, necessitate robust strategies. ISO 27001:2022 offers a comprehensive framework for managing risks, emphasising a risk-based approach to identify, assess, and mitigate potential threats.

How Does ISO 27001:2022 Enhance Cyber Threat Mitigation?

ISO 27001:2022 strengthens mitigation through structured risk management processes. By implementing Annex A controls, organisations can proactively address vulnerabilities, reducing cyber incidents. This proactive stance builds trust with clients and partners, differentiating businesses in the market.

What Measures Ensure Cloud Security with ISO 27001:2022?

Cloud security challenges are prevalent as organisations migrate to digital platforms. ISO 27001:2022 includes specific controls for cloud environments, ensuring data integrity and safeguarding against unauthorised access. These measures foster customer loyalty and enhance market share.

How Does ISO 27001:2022 Prevent Data Breaches?

Data breaches pose significant risks, impacting reputation and financial stability. ISO 27001:2022 establishes comprehensive protocols, ensuring continuous monitoring and improvement. Certified organisations often experience fewer breaches, maintaining effective security measures.

How Can Organisations Adapt to Evolving Threat Landscapes?

Organisations can adapt ISO 27001:2022 to evolving threats by regularly updating security practices. This adaptability ensures alignment with emerging threats, maintaining robust defences. By demonstrating a commitment to security, certified organisations gain a competitive edge and are preferred by clients and partners.

Cultivating a Security Culture with ISO 27001 Compliance

ISO 27001 serves as a cornerstone in developing a robust security culture by emphasising awareness and comprehensive training. This approach not only fortifies your organisation’s security posture but also aligns with current cybersecurity standards.

How to Enhance Security Awareness and Training

Security awareness is integral to ISO 27001:2022, ensuring your employees understand their roles in protecting information assets. Tailored training programmes empower staff to recognise and respond to threats effectively, minimising incident risks.

What Are Effective Training Strategies?

Organisations can enhance training by:

  • Interactive Workshops: Conduct engaging sessions that reinforce security protocols.
  • E-Learning Modules: Provide flexible online courses for continuous learning.
  • Simulated Exercises: Implement phishing simulations and incident response drills to test readiness.

How Does Leadership Influence Security Culture?

Leadership plays a pivotal role in embedding a security-focused culture. By prioritising security initiatives and leading by example, management instils responsibility and vigilance throughout the organisation, making security integral to the organisational ethos.

What Are the Long-Term Benefits of Security Awareness?

ISO 27001:2022 offers sustained improvements and risk reduction, enhancing credibility and providing a competitive edge. Organisations report increased operational efficiency and reduced costs, supporting growth and opening new opportunities.

How Does ISMS.online Support Your Security Culture?

Our platform, ISMS.online, aids organisations by offering tools for tracking training progress and facilitating real-time collaboration. This ensures that security awareness is maintained and continuously improved, aligning with ISO 27001:2022’s objectives.

Navigating Challenges in ISO 27001:2022 Implementation

Implementing ISO 27001:2022 involves overcoming significant challenges, such as managing limited resources and addressing resistance to change. These hurdles must be addressed to achieve certification and enhance your organisation’s information security posture.

Identifying Common Implementation Hurdles

Organisations often face difficulties in allocating adequate resources, both financial and human, to meet ISO 27001:2022’s comprehensive requirements. Resistance to adopting new security practices can also impede progress, as employees may be hesitant to alter established workflows.

Efficient Resource Management Strategies

To optimise resource management, prioritise tasks based on risk assessment outcomes, focusing on high-impact areas (ISO 27001:2022 Clause 6.1). Our platform, ISMS.online, automates compliance tasks, reducing manual effort and ensuring critical areas receive the necessary attention.

Overcoming Resistance to Change

Effective communication and training are key to mitigating resistance. Engage employees in the implementation process by highlighting the benefits of ISO 27001:2022, such as enhanced data protection and GDPR alignment. Regular training sessions can foster a culture of security awareness and compliance.

Enhancing Implementation with ISMS.online

ISMS.online plays a pivotal role in overcoming these challenges by providing tools that enhance collaboration and streamline documentation. Our platform supports integrated compliance strategies, aligning ISO 27001 with standards like ISO 9001, thereby improving overall efficiency and regulatory adherence. By simplifying the implementation process, ISMS.online helps your organisation achieve and maintain ISO 27001:2022 certification effectively.

What are the key differences between ISO 27001:2022 and earlier versions?

ISO 27001:2022 introduces pivotal updates to meet evolving security demands, enhancing its relevance in today’s digital environment. A significant change is the expansion of Annex A controls, now totalling 93, which include new measures for cloud security and threat intelligence. These additions underscore the growing importance of digital ecosystems and proactive threat management.

Impact on Compliance and Certification
The updates in ISO 27001:2022 require adjustments in compliance processes. Your organisation must integrate these new controls into its Information Security Management System (ISMS), ensuring alignment with the latest requirements (ISO 27001:2022 Clause 6.1). This integration streamlines certification by providing a comprehensive framework for managing information risks.

New Controls and Their Significance
The introduction of controls focused on cloud security and threat intelligence is noteworthy. These controls help your organisation protect data in complex digital environments, addressing vulnerabilities unique to cloud systems. By implementing these measures, you can enhance your security posture and reduce the risk of data breaches.

Adapting to New Requirements
To adapt to these changes, your organisation should conduct a thorough gap analysis to identify areas needing improvement. This involves assessing current practices against the updated standard, ensuring alignment with new controls. By using platforms like ISMS.online, you can automate compliance tasks, reducing manual effort and enhancing efficiency.

These updates highlight ISO 27001:2022’s commitment to addressing contemporary security challenges, ensuring your organisation remains resilient against emerging threats.

Why should Compliance Officers prioritise ISO 27001:2022?

ISO 27001:2022 is pivotal for compliance officers seeking to enhance their organisation’s information security framework. Its structured methodology for regulatory adherence and risk management is indispensable in today’s interconnected environment.

Navigating Regulatory Frameworks
ISO 27001:2022 aligns with global standards like GDPR, providing a comprehensive framework that ensures data protection and privacy. By adhering to its guidelines, you can confidently navigate complex regulatory landscapes, reducing legal risks and enhancing governance (ISO 27001:2022 Clause 6.1).

Proactive Risk Management
The standard’s risk-based approach enables organisations to systematically identify, assess, and mitigate risks. This proactive stance minimises vulnerabilities and fosters a culture of continuous improvement, essential for maintaining a robust security posture. Compliance officers can utilise ISO 27001:2022 to implement effective risk treatment strategies, ensuring resilience against emerging threats.

Enhancing Organisational Security
ISO 27001:2022 significantly enhances your organisation’s security posture by embedding security practices into core business processes. This integration boosts operational efficiency and builds trust with stakeholders, positioning your organisation as a leader in information security.

Effective Implementation Strategies
Compliance officers can implement ISO 27001:2022 effectively by utilising platforms like ISMS.online, which streamline efforts through automated risk assessments and real-time monitoring. Engaging stakeholders and fostering a security-aware culture are crucial steps in embedding the standard’s principles across your organisation.

By prioritising ISO 27001:2022, you not only safeguard your organisation’s data but also drive strategic advantages in a competitive market.

How does ISO 27001:2022 enhance security frameworks?

ISO 27001:2022 establishes a comprehensive framework for managing information security, focusing on a risk-based approach. This approach allows your organisation to systematically identify, assess, and address potential threats, ensuring robust protection of sensitive data and adherence to international standards.

Key Strategies for Threat Mitigation

  • Conducting Risk Assessments: Thorough evaluations identify vulnerabilities and potential threats (ISO 27001:2022 Clause 6.1), forming the basis for targeted security measures.
  • Implementing Security Controls: Annex A controls are utilised to address specific risks, ensuring a holistic approach to threat prevention.
  • Continuous Monitoring: Regular reviews of security practices allow adaptation to evolving threats, maintaining the effectiveness of your security posture.

Data Protection and Privacy Alignment
ISO 27001:2022 integrates security practices into organisational processes, aligning with regulations like GDPR. This ensures that personal data is handled securely, reducing legal risks and enhancing stakeholder trust.

Building a Proactive Security Culture
By fostering security awareness, ISO 27001:2022 promotes continuous improvement and vigilance. This proactive stance minimises vulnerabilities and strengthens your organisation’s overall security posture. Our platform, ISMS.online, supports these efforts with tools for real-time monitoring and automated risk assessments, positioning your organisation as a leader in information security.

Incorporating ISO 27001:2022 into your security strategy not only fortifies defences but also enhances your organisation’s reputation and competitive advantage.

What advantages does ISO 27001:2022 offer to CEOs?

ISO 27001:2022 is a strategic asset for CEOs, enhancing organisational resilience and operational efficiency through a risk-based methodology. This standard aligns security protocols with business objectives, ensuring robust information security management.

How does ISO 27001:2022 enhance strategic business integration?

Risk Management Framework:
ISO 27001:2022 provides a comprehensive framework for identifying and mitigating risks, safeguarding your assets, and ensuring business continuity.

Regulatory Compliance Standards:
By aligning with global standards like GDPR, it minimises legal risks and strengthens governance, essential for maintaining market trust.

What are the competitive advantages of ISO 27001:2022?

Reputation Enhancement:
Certification demonstrates a commitment to security, boosting customer trust and satisfaction. Organisations often report increased client confidence, leading to higher retention rates.

Global Market Access:
With acceptance in over 150 countries, ISO 27001:2022 facilitates entry into international markets, offering a competitive edge.

How can ISO 27001:2022 drive business growth?

Operational Efficiency:
Streamlined processes reduce security incidents, lowering costs and improving efficiency.

Innovation and Digital Transformation:
By fostering a culture of security awareness, it supports digital transformation and innovation, driving business growth.

Integrating ISO 27001:2022 into your strategic planning aligns security measures with organisational goals, ensuring they support broader business objectives. Our platform, ISMS.online, simplifies compliance, offering tools for real-time monitoring and risk management, ensuring your organisation remains secure and competitive.

How to facilitate digital transformation with ISO 27001:2022

ISO 27001:2022 provides a comprehensive framework for organisations transitioning to digital platforms, ensuring data protection and adherence to international standards. This standard is pivotal in managing digital risks and enhancing security measures.

How to Manage Digital Risks Effectively
ISO 27001:2022 offers a risk-based approach to identify and mitigate vulnerabilities. By conducting thorough risk assessments and implementing Annex A controls, your organisation can proactively address potential threats and maintain robust security measures. This approach aligns with evolving cybersecurity requirements, ensuring your digital assets are safeguarded.

How to Foster Secure Digital Innovation
Integrating ISO 27001:2022 into your development lifecycle ensures security is prioritised from design to deployment. This reduces breach risks and enhances data protection, allowing your organisation to pursue innovation confidently while maintaining compliance.

How to Build a Culture of Digital Security
Promoting a culture of security involves emphasising awareness and training. Implement comprehensive programmes that equip your team with the skills needed to recognise and respond to digital threats effectively. This proactive stance fosters a security-conscious environment, essential for successful digital transformation.

By adopting ISO 27001:2022, your organisation can navigate digital complexities, ensuring security and compliance are integral to your strategies. This alignment not only protects sensitive information but also enhances operational efficiency and competitive advantage.

What are the key considerations for implementing ISO 27001:2022?

Implementing ISO 27001:2022 involves meticulous planning and resource management to ensure successful integration. Key considerations include strategic resource allocation, engaging key personnel, and fostering a culture of continuous improvement.

Strategic Resource Allocation
Prioritising tasks based on comprehensive risk assessments is essential. Your organisation should focus on high-impact areas, ensuring they receive adequate attention as outlined in ISO 27001:2022 Clause 6.1. Utilising platforms like ISMS.online can automate tasks, reducing manual effort and optimising resource use.

Engaging Key Personnel
Securing buy-in from key personnel early in the process is vital. This involves fostering collaboration and aligning with organisational goals. Clear communication of the benefits and objectives of ISO 27001:2022 helps mitigate resistance and encourages active participation.

Fostering a Culture of Continuous Improvement
Regularly reviewing and updating your Information Security Management System (ISMS) to adapt to evolving threats is crucial. This involves conducting periodic audits and management reviews to identify areas for enhancement, as specified in ISO 27001:2022 Clause 9.3.

Steps for Successful Implementation
To ensure successful implementation, your organisation should:

  • Conduct a gap analysis to identify areas needing improvement.
  • Develop a comprehensive project plan with clear objectives and timelines.
  • Utilise tools and resources, such as ISMS.online, to streamline processes and enhance efficiency.
  • Foster a culture of security awareness through regular training and communication.

By addressing these considerations, your organisation can effectively implement ISO 27001:2022, enhancing its security posture and ensuring alignment with international standards.

Start your ISO 27001:2022 journey with ISMS.online. Schedule a personalised demo now to see how our comprehensive solutions can simplify your compliance and streamline your implementation processes. Enhance your security framework and boost operational efficiency with our cutting-edge tools.

How Can ISMS.online Streamline Your Compliance Journey?

  • Automate and Simplify Tasks: Our platform reduces manual effort and enhances precision through automation. The intuitive interface guides you step-by-step, ensuring all necessary criteria are met efficiently.
  • What Support Does ISMS.online Offer?: With features like automated risk assessments and real-time monitoring, ISMS.online helps maintain a robust security posture. Our solution aligns with ISO 27001:2022’s risk-based approach, proactively addressing vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Why Schedule a Personalised Demo?: Discover how our solutions can transform your strategy. A personalised demo illustrates how ISMS.online can meet your organisation’s specific needs, offering insights into our capabilities and benefits.

How Does ISMS.online Enhance Collaboration and Efficiency?

Our platform fosters seamless teamwork, enabling your organisation to achieve ISO 27001:2022 certification. By utilising ISMS.online, your team can enhance its security framework, improve operational efficiency, and gain a competitive edge. Book a demo today to experience the transformative power of ISMS.online and ensure your organisation remains secure and compliant.

Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.

Related Topics

ISO 27001

British Companies Are Losing the Fight Against Ransomware: What Gives?

Just before the Easter bank holiday weekend, Marks & Spencer was plunged into one of the worst ransomware breaches the country has seen in recent years. Other big-name retailers like the Co-op soon followed. The total financial impact for these two incidents alone is estimated at up to £440m. Yet the truth is that the majority of ransomware doesn't target high-profile organisations like these. Instead, threat actors go after larger numbers of smaller companies, many of which don't have the resources or know-how to defend themselves adequately. As new research shows, this is costing them dear. With new cybersecurity legislation on the way, building resilience should be an urgent priority.

Paying Through the Nose

The UK has long been a top target for ransomware actors, thanks to its relative wealth and highly digitalised economy. But there's a world of difference between being breached by ransomware and having data stolen and/or encrypted. Better cyber hygiene and improved detection and response can both work to significantly mitigate the impact. Unfortunately, this appears not to be happening, according to a Sophos study. The security vendor polled over 200 IT and cybersecurity leaders in the UK as part of a broader study covering the responses of 3,400 ransomware victims. The State of Ransomware in the UK 2025 reveals that a staggering 70% of UK victims had their data encrypted, much higher than the global average of 50% and the 46% figure reported by UK victims in 2024. By both measures, this is concerning. It appears to show that fewer ransomware victims have the insight they need into their IT environment to understand that they've been hit. The difference between the Co-op and M&S was that the former invested in incident response capabilities, which flagged the suspected intrusion and enabled it to pull the plug on its systems before they could be encrypted. The impact of the resulting breach was subsequently less severe.

Perhaps as a result, UK victims felt they had no choice but to pay their extortionists, handing over 103% of the ransom demand on average, way higher than the global average of 85%. That matters even more because the median UK ransom demand was $5.4m (£3.9m) last year – more than double the $2.5m (£1.9m) reported in the previous survey. Some 89% of ransom demands were for $1m+, up from 71% in 2024.

"My experience suggests the rate of encryption is very closely coupled with how quickly an attack is detected, and often whether external incident response help was engaged early enough in the attack," Sophos global field CISO, Chester Wisniewski, tells ISMS.online. "Organisations with 24/7 monitoring and EDR/XDR tools typically have more success at stopping attacks in progress. Too often, victims only detect the attack when they get the ransom note, which is far too late."

Where Are They Going Wrong?

Exploited vulnerabilities (36%), malicious emails (20%) and compromised credentials (19%) were the top causes of initial access among ransomware victims polled by Sophos. To tackle these and other threats, the security vendor recommends a four-point plan:

  • Prevention: Reduce the most common technical and operational causes of an attack by building resilience.
  • Protection: Defend the most common entry points for ransomware actors, such as endpoints, including servers. Dedicated anti-ransomware tools will help to block and roll back malicious encryption.
  • Detection and response: Stop and contain an attack as quickly as possible, before it has time to cause any major damage. Organisations unable to do this in-house can use managed detection and response (MDR).
  • Forward planning: Put an incident response plan in place to streamline recovery from an attack. Regular off-site and offline backups will also accelerate recovery.

"Cybercriminals run highly efficient enterprises; they're looking for minimal output, maximum cash, so double bolting your digital doors acts as a sizable deterrent," argues Lauren Wilson, field CTO at Splunk. "But it's not enough to just prevent – you have to be able to detect, respond and recover in order to truly mitigate the wider impact of ransomware."

Time to Align

UK IT and security leaders may need to revisit their ransomware resilience plans in light of incoming legislation. The new Cyber Security and Resilience Bill is set to ban ransom payments for government and critical infrastructure (CNI) providers. It will bring new organisations (like MSPs) into scope. And it will also likely mandate faster and more comprehensive incident reporting, third-party risk management and stronger supply chain security. It might impose larger fines and will certainly hand more power to industry regulators. It also seeks to align closer with NIS 2, ISO 27001, ISO 27002 and other security standards and frameworks. This is a great opportunity for those already working on ISO 27001 to get ahead of these incoming requirements and bolster their cyber resilience in a cost- and time-effective manner.

Wilson tells ISMS.online that such standards are "engineered to raise cyber maturity in a way that benefits everyone". She adds: "One thing that standards such as NIST or ISO 27001 have in common is helping organisations focus on getting the basics right. Access control, regular patching, using multifactor authentication, and training for all employees. Whilst easier said than done, focusing on these 'basics' can go a long way to defeating a high percentage of cyber-attacks."

Sophos' Wisniewski agrees with the value of best practice standards. "The vast majority of attacks are preventable by having basic controls deployed consistently across the estate," he argues. "Our latest Active Adversary report shows that most ransomware cases begin with either stolen credentials or unpatched vulnerabilities, both of which are covered by compliance frameworks."

However, compliance can't be addressed in isolation, Wilson adds. "It must be viewed as part of a holistic cybersecurity strategy that encompasses people, process and technology," she concludes. "Organisations need to be investing in resilience. That means understanding risk, building defences and ensuring that if operations are taken offline, downtime is minimised."
ISO 27001

DORA: Six Months on and Plenty of Work Still to Do

Security and compliance teams had a busy start to 2025. Sandwiched between the deadline for member states to implement NIS 2 into local law and the start of the new PCI DSS 4.0 regime came DORA: the Digital Operational Resilience Act. From January 17, it was expected to sweep over 22,000 financial services firms and their ICT suppliers operating in the EU into its scope. There's just one issue. According to new research, 96% of European financial services firms still don't believe their digital resilience is sufficient to meet DORA's exacting requirements. And many IT and security teams are feeling overwhelmed by the extra workload. This is where ISO 27001 compliance could be useful.

A New Era of Financial Resilience

Cyber incidents over the past two decades have caused $12bn in direct losses to global financial firms, according to the IMF. This isn't just a financial risk; it could present a systemic risk to the entirety of what serves as critical national infrastructure. DORA is the European Commission's answer: a new regulation designed to ensure that financial firms – and crucially their suppliers – have the resilience to continue operating even through periods of severe disruption. It does this by at once harmonising regulations and raising the bar for in-scope security and compliance teams. There are five key pillars:

  • ICT Risk Management: Robust policies to identify, assess, and mitigate ICT risks.
  • Incident Reporting: Timely and standardised reporting of significant ICT-related incidents to relevant authorities.
  • Digital Resilience Testing: Regular testing to evaluate an organisation's preparedness for disruptions.
  • Third-Party Risk Management: Ensuring financial institutions monitor and manage risks associated with their supply chain.
  • Information Sharing: Encouraging threat intelligence sharing within the industry to improve collective resilience.

Some Way to Go

Unfortunately, things aren't going quite to plan, if the results of a new Veeam survey are to be believed. The firm polled over 400 IT/compliance decision makers in the UK, France, Germany, and the Netherlands. The resulting report finds that 94% now rank DORA a higher priority than they did a month before the deadline, and the same share are clear on what steps they need to take. Yet the vast majority are still not up to DORA standards of resilience. Veeam claims that many firms don't have the budget (20%) for DORA compliance, and in some cases are dealing with higher supplier costs (37%) passed on by their ICT partners. Two-fifths (41%) also report increased stress and pressure on their IT and security teams. Just half have integrated DORA's requirements into their broader resilience programmes.

Veeam regional VP of UK & Ireland, Drew Gardner, believes many of these compliance gaps and delays may be down to third-party liabilities. "With so many functions covered by these third parties, many organisations will have assumed their products adhered to DORA, but that's simply not the case," he tells ISMS.online. "With so many agreements lacking shared responsibility models, an organisation could have assumed compliance fell under the umbrella of their provider, while the provider believed the opposite."

Where They're Failing

Data from the report backs Gardner's view. A third (34%) of those polled claim the hardest part of compliance is third-party risk oversight. A fifth have yet to even attempt it. "The sheer number of third-party providers that the average financial services organisation works with is likely well into the dozens, and most will operate under the black box model – giving little insight into their security measures," says Gardner. "For those still to establish this third-party oversight, it'll be no small task to unravel this, and organisations can't afford to delay."

Other areas that many organisations haven't yet begun to tackle include:

  • Recovery and continuity testing (24%)
  • Incident reporting (24%)
  • Selecting a DORA implementation lead (24%)
  • Digital operational resilience testing (23%)
  • Backup integrity and secure data recovery (21%)

Getting Back on Track

With so much still to do, as well as other priorities to manage, DORA compliance can seem like a daunting task. However, Gardner argues that implementing best practice standards and frameworks could "significantly ease" the compliance burden. "With ISO 27001 in particular, organisations can reduce duplication of effort and streamline compliance across multiple regulations, saving both time and resources," he explains. "Its structured approach to risk management means that organisations can identify and mitigate potential security risks in a systematic manner, rather than fighting fires on multiple fronts simultaneously. This enhances overall security posture and provides a clear and documented process for demonstrating compliance to auditors and regulators."

James Hughes, enterprise CTO at Rubrik, urges organisations to bake DORA compliance into day-to-day processes rather than treat it as a one-off project. "Six months in, DORA is doing more than just adding to the compliance burden; it's forcing real operational change. But there's a danger it becomes another box-ticking exercise if CISOs don't change their mindset," he tells ISMS.online. "It's not about passing audits, it's about being able to withstand and recover from real attacks, with minimal business downtime."

Over a fifth (22%) of organisations polled by Veeam argue that DORA's design could have been improved to boost compliance rates. They've called for simplification, clarification, and more detailed guidance on how to manage third-party risk. That may or may not be forthcoming from the regulators. In the meantime, it's not too late to start plugging the gaps highlighted by the study, Hughes argues. "Start by mapping your critical ICT assets, rehearsing incident response and assessing supplier risk," he concludes. "But ultimately, it's time to ramp things up – attackers won't wait for your paperwork to catch up."
ISO 27001

Supply Chains Are Complex, Opaque and Insecure: Regulators Are Demanding Better

What do Marks & Spencer and Jaguar Land Rover (JLR) have in common? They both suffered significant ransomware breaches this year after threat actors targeted suppliers. In the case of M&S, it's thought to have been a Tata contractor's laptop. For JLR, it was an infostealer that targeted an LG Electronics employee with access to the carmaker's network.

Both highlight the growing threat posed to organisations by often opaque and brittle supply chain dependencies. The challenge will arguably only intensify as a new global trade war forces firms to rapidly rearchitect supply chains, with little time for vetting new partners. As new research reveals, there's plenty to put right.

A Problem in Two Parts

According to the World Economic Forum (WEF), over half (54%) of global organisations identify supply chain challenges as their biggest barrier to achieving cyber resilience. "The increasing complexity of supply chains, coupled with a lack of visibility and oversight into the security levels of suppliers, has emerged as the leading cybersecurity risk for organisations," its report notes.

The supply chain security challenge comes in two parts:

- Software that introduces malware or vulnerabilities to trusted environments. Open source components are particularly culpable here, as they're often not properly documented, leading to security incidents like Log4Shell. But they're not the only risk. Proprietary software like MOVEit and GoAnywhere has also been targeted with zero-day exploits in the past, for large-scale data theft and extortion campaigns, impacting millions of downstream customers.
- A compromised supply chain partner, such as an MSP, a SaaS provider or a professional services firm, which could create significant security risks. Adversaries may be able to access an organisation's data directly, if stored by the partner, or gain logins to the organisation's network/cloud accounts via the supplier. They could also target suppliers with ransomware, which can have a devastating impact on the entire supply chain, as per the Synnovis NHS attack.

Unfortunately, two recently published reports highlight the enduring challenges of mitigating supply chain risk. A LevelBlue study finds that, of organisations that say they have "very low visibility" into the software supply chain, 80% suffered a security breach in the past 12 months. That's compared to just 6% that claim to have "very high visibility." Separately, Risk Ledger reports that nearly half (46%) of UK organisations have experienced at least two cybersecurity incidents in their supply chain over the past year. Its report also reveals that 90% of respondents view supply chain cyber incidents as a top concern for 2025, and only two-fifths (37%) describe their third-party risk management as "very effective".

Regulators Want Action

According to LevelBlue, CEOs tend to be more concerned about supply chain risk than their C-suite peers, with 40% citing it as the biggest security risk in the organisation versus far fewer CIOs (29%) and CTOs (27%). That will presumably mean extra pressure from above on CISOs and their teams. But the truth is they're already under extreme pressure to comply with a new slew of regulations which target supplier risk. These include:

- DORA: Among other things, DORA mandates that financial entities manage third-party IT supplier risk as an embedded part of overall IT risk management, overseen by the board. They must also maintain a detailed, updated register of information on all contracts with these suppliers and carry out thorough due diligence on new suppliers.
- NIS 2: Requires all in-scope organisations to have supply chain risk management policies in place and to assess "vulnerabilities specific to each direct supplier and service provider". Senior directors and executives are directly accountable for overseeing this.
- Cyber Security and Resilience Bill: The UK's update to NIS will demand that regulated organisations assess and strengthen supplier relationships, implement robust third-party risk management, and write security expectations into contracts, among other things.

Taking Action

LevelBlue chief evangelist, Theresa Lanowitz, argues that, when it comes to the software supply chain, visibility must take priority – "especially as supply chains grow in size and complexity, and organisations adopt more AI-powered solutions". She tells ISMS.online: "CISOs should focus on four key actions: leverage C-suite awareness to secure resources, align internally to identify top vulnerabilities, invest in proactive security measures, and regularly assess supplier cybersecurity practices. This balanced, proactive approach will strengthen visibility, preparedness, and accountability across the supply chain."

Risk Ledger's chief cybersecurity strategist, Justin Kuruvilla, tells ISMS.online that organisations must adopt an "assume breach" mindset and architect their security infrastructure to contain and limit any malicious activity. "Gaining visibility into third-, fourth-, and even nth-party relationships is therefore essential. This broader view helps security leaders build a more accurate understanding of their exposure and prioritise mitigation efforts where they matter most," he adds.

Kuruvilla argues that software supply chains demand particular scrutiny, given the potential impact of vulnerabilities in widely used code. “Organisations should expect suppliers to adopt secure development practices aligned with industry-recognised frameworks,” he adds. “The degree of due diligence may vary depending on the supplier's criticality and the organisation's risk appetite. But it should include elements of secure software development such as CI/CD practices, vulnerability management, and the provision of a Software Bill of Materials (SBoM).”

How ISO 27001 Can Help

LevelBlue's Lanowitz argues that best practice standards like ISO 27001 can provide a useful foundation on which to build better supply chain security. "As organisations struggle with fragmented risk visibility and inconsistent practices, ISO 27001 can help unify and simplify compliance efforts across regions and sectors. Leveraging the standard, CISOs can follow a structured approach to risk management and continuous improvement," she adds. "With many regulations sharing the same core best practices – including risk assessments, access control, supplier vetting, and incident response planning – implementing ISO 27001 can also reduce compliance redundancy.”

Risk Ledger's Kuruvilla agrees, although he cautions against "tick box" compliance. Instead, organisations that prioritise a robust, risk-based approach to managing cyber risks typically achieve compliance as a natural outcome, he concludes.

Everything You Need to Know About Phishing

Phishing remains among the most common cyberattacks used by threat actors. Most businesses have seen it in action: emails requesting an ‘urgent task’ be completed or an ‘overdue payment’ made, sometimes even imitating a CEO or senior exec. In fact, the UK Government’s 2025 Cyber Security Breaches Survey found that, of businesses or charities that had experienced a breach or attack in the last 12 months, 85% of businesses and 86% of charities had experienced phishing attacks.

In this blog, we dive into the murky world of phishing: what it is, how to identify potential phishing attempts, and how organisations can protect themselves against it.

Common Phishing Attacks Targeting Businesses

Email Phishing

In email phishing attacks, threat actors send their targets scam emails, often pretending to be well-known companies or suppliers. The aim? To trick victims into visiting a fraudulent website, opening an attachment containing a virus or malware, or sharing sensitive information like bank details or corporate account passwords. Examples to look out for include:

- Unexpected invoices
- Emails from unknown senders with attachments
- Unusual activity alerts with links to external websites.

Spear Phishing

Spear phishing is a more targeted approach to email phishing, using easily available information about a business, such as employee names, to impersonate internal communications and trusted sources. It’s vital to verify the identity of the sender through a different method of communication, such as Teams or via a phone call with a verified phone number. Examples to look out for include:

- Unexpected ‘urgent’ emails purporting to be from your HR or IT departments
- Unusual requests, supposedly from someone within your company.

Business Email Compromise

Business email compromise (BEC) attacks are another targeted and sinister approach to phishing, sometimes using spoof email addresses or even compromising actual employee email accounts to carry out an attack. They’ll often target trusted individuals or budget holders, attempting to trick them into making fraudulent financial transactions or revealing sensitive information. Criminals may even compromise a supplier or vendor, sending invoices that appear to be legitimate. BEC is so prevalent that the FBI claimed that BEC attacks cost US and global organisations nearly $55.5 billion between October 2013 and December 2023. Examples of BEC attempts include:

- CEO fraud: ‘Urgent’ emails, supposedly from a senior executive’s email address, but actually controlled by the threat actor
- Invoice scams: Fake or altered invoices that redirect payments to an attacker’s account
- Third-party fraud: Unexpected invoices or requests to change bank details from your existing suppliers, indicating potential compromise.

Clone Phishing

Attackers using clone phishing will take a real email and copy it near-identically, re-sending it to the intended victim with a new, malicious attachment or link. Threat actors often send from an address spelled similarly to the one they’re impersonating; however, they may also use sophisticated email spoofing to make it appear as though the email was sent by the legitimate sender. Examples to look out for include:

- Duplicate emails, particularly those with new or altered links.

How to Identify Phishing Emails

While tackling phishing can seem like an overwhelming task, there are multiple ways to identify phishing emails.

- Mismatched email domains: Is the email domain the same as that of the business the sender claims to represent? E.g. an official email from ISMS.online would be firstname.lastname@ISMS.online, support@isms.online, etc.
- Urgent calls to action: Emails pushing for urgent or immediate action could be potential phishing attempts; a false sense of urgency is intended to panic the recipient. Consider contacting the sender via official means, e.g. by looking up the phone number on a company’s official website.
- Spelling and grammar: Spelling and grammar mistakes could indicate a phishing attempt, as many businesses have spell-checking tools in their email software.
- Links: By hovering your mouse over a link, you can view the URL the link will direct you to. In phishing emails, this is often different from the text displayed in the email.
- Requests to send personal or financial information: Login credentials, payment information and other sensitive data should not be shared over email. Similarly, if an email contains a link to an external website for inputting that information, be sure to verify that the website is legitimate.

Protecting Your Organisation Against Phishing Attacks with ISO 27001

Establishing cybersecurity best practices, such as those outlined in the information security standard ISO 27001, enables your business to reduce risk, bolster security and limit the impact of phishing attacks.

Employee Training and Awareness

Your employees are your first line of defence when it comes to cybersecurity. Implementing a cybersecurity training and awareness programme can empower your team to identify and report potential phishing attempts, as well as other cyberattacks. Your training and awareness programme should also outline processes that must be followed, such as the process employees should follow to report suspected phishing attempts. Training your staff to recognise signs of a phishing attack and ensuring your business has stringent reporting and response processes forms part of a robust security posture.

Access Control

Limit employees’ rights and privileges on a ‘least privilege’ basis. For example, limit a typical user’s access to only the resources needed for them to do their job. This helps to reduce the impact of a phishing attempt on your organisation should an account be compromised. Additionally, requiring controls such as multi-factor authentication on staff accounts can provide a key defence against unauthorised access and compromised credentials.

Incident Response

ISO 27001-compliant businesses must establish processes for incident response. This includes evidence collection, information security forensics analysis, escalation with customers and relevant supervisory authorities, incident response activity logging, internal incident communication, incident resolution, and post-incident analysis. Effective response to incidents helps to ensure faster resolution and mitigate the impact of successful attacks.

Secure Configuration

The standard requires businesses to build security into their operations from the outset, rather than as an afterthought. This approach reduces potential entry points for threat actors, for example via insecure email gateway solutions.

Third-Party Supplier Management

Our State of Information Security Report 2024 revealed that nearly four in five (79%) of respondents had been impacted by a cyber or information security incident caused by a third-party vendor or supply chain partner. Taking a risk-based approach to supplier relationships can help limit the impact of such incidents. For example, your business may choose to strongly prefer working with suppliers with ISO 27001 certification, limit supplier access to information based on information classification levels, and track supplier risk if onboarding a supplier has the potential to affect the confidentiality, integrity and availability of your organisation’s information or processes.

Final Thought

Phishing is a pervasive form of cyberattack; luckily for organisations, many of the signs are easy to spot. Ongoing employee education, implementing security best practices, and taking a robust approach to information security can reduce the likelihood, and the impact, of successful phishing attacks and data breaches. As cyber threats continue to evolve, proactive businesses that implement a multi-layered approach to information security and empower employees to act as their first and most important line of defence will undoubtedly reap the benefits.
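The checks in the "How to Identify Phishing Emails" section above (mismatched sender domain, urgent calls to action, link text that differs from the real URL, requests for credentials) can be turned into a small triage script that a security team runs over reported messages before a human looks at them. The script below is an added example and is not code from the article or from ISMS.online; the brand-to-domain table, the keyword lists and the sample message (built on reserved .example domains) are all constructed for the example, and the "spelling and grammar" check is left out because it needs a dictionary the script does not carry.

```python
"""Heuristic phishing-signal checker: an added example, not ISMS.online code. It applies
the article's 'How to Identify Phishing Emails' checks to a raw message; the brand table,
keyword lists and sample message below are constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brand text a sender may claim -> domain the real organisation sends from.
KNOWN_SENDER_DOMAINS = {"isms.online": "isms.online"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "overdue", "final notice")
CREDENTIAL_WORDS = ("password", "login credentials", "bank details", "verify your account")
# Link text is compared with its href only when the text itself looks like a URL or domain.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(value):
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _body_text(msg):
    """Decoded text/plain and text/html parts joined together (walk() includes msg itself)."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def analyse(raw_message):
    """Return (signal, detail) pairs found in one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Mismatched domain: the display name claims a brand the address does not belong to.
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    for brand, real_domain in KNOWN_SENDER_DOMAINS.items():
        if brand in display_name.lower() and from_domain != real_domain:
            findings.append(("mismatched_domain", f"{display_name!r} sent from {from_domain}"))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(("reply_to_mismatch", reply_to))
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    # 2. Urgent calls to action in the subject or body.
    if urgent := [w for w in URGENCY_WORDS if w in text]:
        findings.append(("urgent_call_to_action", ", ".join(urgent)))
    # 3. Link text that shows one destination while the href goes elsewhere.
    for href, visible in extract_links(body):
        if DOMAIN_LIKE.match(visible) and _host(visible) != _host(href):
            findings.append(("link_mismatch", f"shows {_host(visible)}, goes to {_host(href)}"))
    # 4. Requests for credentials or financial details.
    if asked := [w for w in CREDENTIAL_WORDS if w in text]:
        findings.append(("requests_sensitive_data", ", ".join(asked)))
    return findings


# Constructed sample message using reserved .example domains.
PHISHING_SAMPLE = """\
From: "ISMS.online Billing" <billing@isms-online-secure.example>
Reply-To: payments@mailbox-relay.example
Subject: URGENT: overdue invoice requires immediate payment
Content-Type: text/html; charset=utf-8

<p>Your invoice is overdue. Please verify your account within 24 hours at
<a href="http://portal.isms-online-secure.example/login">https://isms.online/billing</a>
and confirm your password to avoid suspension.</p>
"""
```

Calling `analyse(PHISHING_SAMPLE)` returns five findings (domain mismatch, Reply-To mismatch, urgency words, a link whose visible text names isms.online while the href goes elsewhere, and a request for a password), whereas a plain-text notice from support@isms.online with no links or urgency wording returns an empty list. These are signals for prioritising human review and reporting, not a verdict: a legitimate message can trip the urgency check, and an attacker who registers a lookalike domain will not trip the domain check, which is why the article pairs the checklist with training, least privilege and MFA.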

When a Cyber Attack Empties the Shelves: What to Do About Supply Chain Attacks

Consumers often see most cyber attacks as something that happens to other people, until it affects them directly. The theft of email addresses and other personal information has become a regular and mundane event, but when a criminal presses a button halfway around the world and food disappears from the shelves, things suddenly get real.

That's what happened in June, when an attack on wholesale grocery distributor United Natural Foods (UNFI) brought its online operations to a halt. The attack hindered the company's ability to serve its 30,000 locations, leaving grocery stores warning customers about food shortages and causing significant disruptions at Amazon-owned Whole Foods, including the closure of sandwich stations.

Attacks like these highlight the damage that a cyber incident can have on operations beyond a single company. These disruptions can affect others who rely on it as part of their own supply chains, and it raises the question: what can organizations do to protect themselves?

Supply Chain Cyber Risk Reaches Crisis Proportions

This isn't the first attack we've seen that has disrupted supply chains. Insurance company Cowbell published a report late last year showing a 431% surge in supply chain attacks since 2021. Such attacks are becoming more common as business operations become increasingly connected and supply chains grow more complex, according to the report, because this makes them more difficult to secure. One of the biggest challenges organizations face is the single point of failure issue; a single company upon which many others rely for products and services is a high-value target. Successfully compromising it amplifies the effects of a single attack.

Disruption from supply chain attacks can be purely digital. The compromise of SolarWinds software in 2020 rendered hundreds of systems at the company's customers vulnerable to information theft. The exploitation of a vulnerability in the on-premises version of the MOVEit file sharing system in 2023 enabled attackers to pilfer files from hundreds of its customers. Both had the same underlying characteristic: toxins in a digital product (one intentionally introduced, one accidentally coded in) affected thousands of customers downstream.

Other cyberattacks, like the UNFI hack, lead to physical problems. They highlight the fragility in modern just-in-time supply chains, making it not just a threat to customer data but a societal risk. Notable incidents in the past that have affected physical supply chains include the 2021 attack on the Colonial Pipeline. While that targeted the company's administrative network, it closed its gasoline delivery operation out of caution, creating shortages that affected millions. In the same year, a ransomware attack on remote management software vendor Kaseya affected customers who provided managed IT services. That trickled down to their customers, including Swedish grocery chain Coop, which had to shut down 800 stores. These attacks were still digital, but the end results were kinetic; instead of having their data exposed, people were unable to drive or eat.

This Needs a Board-Level Response

Supply chain risks introduce new governance imperatives for boards, especially as regulators begin to push the issue. For example, the EU's Digital Operational Resilience Act (DORA) imposes several requirements for financial services companies. It forces stringent due diligence requirements when working with technology and service providers, alongside minimum security requirements in contracts. Agreements with suppliers must also carry continuous assessment obligations that force periodic cybersecurity assessments of vendors. The Network and Information Security Directive 2 (NIS2) also mandates stricter security requirements for supply chains.

Supply chain professionals will increasingly look to cybersecurity risk as a major factor when engaging third-party partners, according to Gartner. It expects 60% of them to do so this year. These concerns make supplier risk management a crucial component of any supply chain resilience strategy. Effective due diligence means checking that suppliers have security measures in place. Companies that haven't mandated due diligence would do well to review all their suppliers, ideally checking for accreditation with relevant cybersecurity frameworks or standards. Those might be industry-specific.

Even after all that, attacks may still occur. Keeping suppliers that pass muster on a preferred supplier list will help minimize the risk that your supply chain will be disrupted through compromise; however, it won't completely eradicate that risk. That's why planning for potential disruption is important.

Don't Just Prevent, Adapt

Depending on the type of compromise, a playbook for dealing with supply chain attacks could focus purely on logistics and operations, or it might encompass digital recovery. If a grocery supplier goes down because their system is compromised, then their digital problem becomes their customers' physical problem. Then, the focus for downstream suppliers is on continuing the flow of goods to their shelves. Conversely, if your network management provider accidentally downloads malware onto one of your servers, then its digital problem becomes your digital problem. That requires a different response.

ISO standards cover preparation for these scenarios. For example, ISO 22301 addresses business continuity in the face of supply chain risks. ISO 27001 contains controls to help manage information risk that could affect you via supply chain compromise. ISO 28000 deals with enhancing supply chain security.

Managing this complex, multi-faceted supply chain risk means putting as many preventative checks in place as possible to protect yourself by choosing diligent suppliers. But it also means adapting to emerging problems rather than relying on their prevention.

How G Games unlocked collaborative, centralised compliance management

G Games had an existing but decentralised information security management system (ISMS). This took the form of a series of policies located in Dropbox, with unique versions of each policy created to demonstrate the business’s alignment with varying regulatory requirements and facilitate auditing by different regulatory authorities.

While G Games’ processes were effective, version control posed a challenge – the team had difficulty finding the latest versions of policies, while compliance activities and processes took place in disparate areas. G Games’ CCO and Co-Founder, Helen Walton, and her team knew that the business needed a more centralised approach to compliance management.

A centralised platform would enable them to more easily and efficiently demonstrate compliance with requirements when running separate security audits with various regulators. Achieving ISO 27001 certification was also a top priority; the business needed a platform that would streamline the process.

“We needed a single source of truth that aligned all of these requirements, and which integrated easily into our existing processes.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

The G Games team chose the ISMS.online platform as a centralised repository for their ISO 27001 and broader information security compliance management. Helen and her team quickly transferred their existing policies and processes into the platform and built out a robust and more efficient ISMS. Leveraging the ISO 27001 tips and support included in the 11-step Assured Results Method also helped the team streamline the compliance process.

“I loved how ISMS presented the requirements, a typical response and a series of tips and explanations. It was really intuitive and helpful.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

Helen added: “At first, I’d been worried this was just a kind of glorified filing system. I was deeply sceptical about the value. But I soon realised how effective it was as a dynamic process linking the different relevant processes together and holding everything in one place.”

With ISMS.online’s built-in version control, the G Games team can now dynamically review, update, and share compliance documentation without searching for the most up-to-date version. The platform’s automated review reminders also ensure consistent oversight.

“The biggest difference for us was proper versioning and being confident everything was up to date and effectively reviewed.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

“It just simplified everything and gave me far greater confidence that we were in control of the process.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

G Games’ compliance management is consolidated within the ISMS.online platform, enabling easy version control, clear audit trails, simplified evidence management and streamlined compliance. The business successfully achieved ISO 27001 certification within just six months of onboarding with ISMS.online and transferring their disparate compliance activities into the platform.

“The ease of running the process and passing our annual surveillance all in one place means we reduce the effort of proving our compliance and can focus instead on ensuring we are actually doing it.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

Helen and the G Games team can now focus on implementing, managing, and improving their information security posture rather than spending time and resources on finding and managing documentation. The business’s robust, unified ISMS ensures policies, risks, assets, and evidence are easily accessible and manageable.

“The most useful feature was having the risk maps, asset registers, interested parties maps, etc., all in one place. It felt like being walked through the process and knowing nothing would be forgotten or missed.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

G Games has also leveraged the ISMS.online platform to improve collaboration across departments. Collectively, they’ve built a comprehensive and robust approach to information security compliance that is translated organisation-wide.

“The collaboration between operations, compliance, finance and development has been incredibly positive and has formed a basis for more of our operations and service delivery review work.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

“We knew that, as long as we followed what was in ISMS.online, our surveillance process would be easy.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games

With ISO 27001 certification achieved and in hand, the G Games team are currently focusing on evolving compliance challenges in the iGaming industry.

In preparation to enter the US market, they’re also adapting and aligning their compliance management with US-specific regulatory requirements. In a competitive and highly regulated industry, G Games stays ahead of the curve with an unwavering focus on proactive compliance, efficiently managing and securing customer, business and partner data.

“We’ll be entering the US market next, and there are more and more compliance challenges coming for the iGaming industry – we’ll be adapting and building on our current platform to prepare for both.”

Helen Walton, Chief Commercial Officer and Co-Founder, G Games


The Most Damaging Data Breaches Are Preventable: Here’s How

We all know that many organisations could do better at data protection. The UK government's Cyber Security Breaches Survey 2025 highlights a whole list of shortcomings – from awareness training to incident response – that are indirectly exposing them to cyber risk. Even the existence of a rigorous data protection framework (GDPR/Data Protection Act 2018) for the past seven years has not served to stem the tide. The government claims over two-fifths (43%) of UK businesses have experienced an attack or breach in the past 12 months.

However, there are ample opportunities for quick wins, something highlighted by a new report from Huntsman Security. It notes that 30% of incidents reported to the UK and Australian data protection regulators last year were responsible for 90% of breach victims. As such, the report's findings could offer a useful place for cash-strapped organisations to focus their immediate efforts.

How the UK and Australia Differ

Huntsman Security submitted a Freedom of Information (FOI) request to both the UK Information Commissioner's Office (ICO) and the Australian Information Commissioner (OAIC). The results offer a slightly different picture of the regulatory and corporate security landscape in each country.

- UK: Out of the 9,654 data security incidents reported by British firms to the ICO last year, 2,817 (29%) were linked to brute-force attacks, malware, phishing, ransomware, and system misconfigurations. Yet these incidents accounted for nearly 80% of breach victims: 13.9 million out of 17.6 million. Huntsman Security claimed that these also represented 90% of cyber-related data security incidents, meaning that a focus on security controls could be an effective way to mitigate them. Many were apparently highly targeted and, therefore, designed to result in the theft of high-value data such as health records, financial information and identity documents.
- Australia: A total of 1,188 incidents (32% of the total reported over 2022/24) involved brute-force attacks, malware, phishing, ransomware, hacking, and unauthorised access. These were responsible for 77% of all compromised records. The report also reveals that criminal attacks (as opposed to accidental breaches) accounted for 62% of all breaches but 98% of all victims.

The report also highlights that, in Australia, it took organisations 48 days to identify these breaches and 86 days before reporting them to the OAIC. That's simply not allowed under the GDPR, where notification has to occur in most cases within 72 hours.

Where the UK Is Failing

These findings chime somewhat with the UK government breaches report. As reported previously by ISMS.online, it highlights a litany of issues contributing to a surge in preventable data breach incidents, including a general lack of:

- Staff training programmes, where take-up hadn't shifted from the previous year's report
- Third-party supplier risk reviews, which were conducted by only 32% of medium and 45% of large firms
- Incident response plans, which were used by only half (53%) of medium-sized businesses and three-quarters (75%) of large businesses
- Cybersecurity strategy: only 57% of mid-sized companies and 70% of larger firms even had one
- Boardroom representation for cyber: only half (51%) of medium- and two-thirds (66%) of large-sized firms had someone sitting at the top table responsible for cyber strategy – a figure virtually unchanged for three years
- Monthly cyber updates for business leaders, which only 39% of mid-sized and 55% of large firms do

Aligning Best Practice with Standards

There is one caveat to the Huntsman Security figures. It only counts incidents where a cause could be identified for each breach. Many more may not have one assigned due to poor forensics or incident response. However, it still highlights an important message. By focusing on the above incident types and threats, as well as best practice cybersecurity processes known to mitigate these risks, security teams can achieve some useful quick wins.

Morten Mjels, CEO of consultancy Green Raven, argues that culture is key to ensuring best practices are followed. "The change does need to come from the top down, and you can change the culture by simply implementing multiple practices at once," he tells ISMS.online. "If you have no idea about your potential exposure, get a risk assessment done professionally. They will be able to find the holes in your walls and can help you fix them. Do not rely on your IT people to fix everything; they are not omniscient miracle workers."

Huntsman head of product management, Piers Wilson, tells ISMS.online that standards and frameworks like ISO 27001 and ISO 27701 "can form an important part of mitigating cyber risks through ensuring organisations understand their risks, following best practice and defining appropriate controls." He adds: "The important part is choosing which framework you apply: whether ISO, NIST, or smaller, more focused standards and schemes like Cyber Essentials or Australia's Essential Eight."

The goal throughout should be establishing a set of controls that are widely understood and acknowledged and then applied universally, he adds. "In most cases, the intent or the policy isn't the problem; it's the execution. Standards compliance can risk becoming a tick-box exercise, and the cadence of audit and reporting may not be frequent enough for modern, changing cyber threats," Wilson argues. "An annual audit or quarterly report won't give the real-time visibility and understanding of vulnerabilities that the modern threat landscape demands. In between these audits, the organisation's posture can drift and be largely uncertain." This is why ISO 27001 requires organisations to carry out regular internal audits and ongoing monitoring to drive continuous improvement.

Wilson notes that effective communication is crucial to achieving compliance. "Every stakeholder in an organisation, from security analysts to risk management teams and executives, needs to understand at a glance whether good, agreed practices are being followed, what state controls are actually in, and who is responsible for fixing issues," he concludes. "Ensuring this continuous visibility and communication is vital for these standards to have their desired effect."
ISO 27001

What Increased Defence Spending Means For The Cybersecurity Sector

As geopolitical tensions continue to rise globally, 2025 has seen a dramatic increase in defence spending not witnessed since the Cold War. In recent weeks, NATO members agreed to spend 5% of their gross domestic product on military expenditure by 2035. Many, including Britain, already spend over 2% on their militaries. NATO’s new target is split into two parts: 3.5% on conventional military and the rest on other initiatives aimed at bolstering national security, like cybersecurity.

While these uncertain times are scary, increased defence spending can be a good thing by injecting more money into the private sector and improving economic conditions as a result. Cybersecurity firms, in particular, are set to benefit from NATO’s new spending target. But what else needs to be done to improve our cyber defences against rising nation-state threats?

Businesses Are Collateral Damage

Amid heightened geopolitical tensions and rising nation-state cyber threats, IT security is now a “frontline issue” for NATO countries, their allies and critical infrastructure organisations. That’s according to James Lei, chief operating officer of application security testing firm Sparrow. He argues that businesses providing critical services and resources crucial to the running of modern societies - such as telecoms, finance and energy - are now direct targets of NATO’s enemies. Lei explains that by attacking such organisations, NATO’s adversaries aren’t just trying to steal sensitive data to sell to the highest bidder. They’re also on a mission to “disrupt economies” and “undermine public trust” as they look to inflict maximum damage on their targets. He adds: “That makes businesses both direct targets and collateral damage.” With these risks in mind, Lei urges national governments to allocate “a meaningful portion” of their increased defence budgets to helping small and medium businesses counter the growing risk of nation-state cyber-attacks.
Lei says SMEs, especially those classed as critical national infrastructure providers, may not have the budgets to splash out on fancy cybersecurity systems or in-house cyber specialists, creating “weak points in the national cyber ecosystem”. He tells ISMS.online: “Funding could help SMBs access better security tools, training, and threat information, which benefits the entire country’s resilience.”

These concerns are shared by Adam Brown, managing security consultant at application security firm Black Duck. He explains that, 30 years ago, cyber-attacks would have had minimal impact on the general population. But as digital infrastructure plays an integral role in modern life, he says cyber-attacks can be extremely damaging. And, as the digital services and infrastructure upon which we rely are predominantly created and sold by commercial businesses, they have become “prime targets” for nation-state cyber-attacks.

With war raging in Ukraine and the Middle East, Chris Binnie — a cloud-native security consultant — expects cyberattacks launched by nation-states to continue rising. In particular, he’s concerned about the proliferation of supply chain attacks. He says nation states may see this as an “easier” way to hack into the systems of critical infrastructure providers because their IT suppliers may not possess the “same rigorous security practices”.

Tackling These Risks

With nation states increasingly leveraging supply chain weaknesses to compromise critical infrastructure, government and industry bodies are taking note. The European Union, in particular, takes a strong stance on supply chain cybersecurity efforts through laws such as the Digital Operational Resilience Act, Cyber Resilience Act and Network and Information Security 2 Directive. Brown explains that, under such laws, businesses supplying cyber services to critical national infrastructure organisations are compelled to close any cybersecurity weaknesses by following strict cybersecurity procedures.
Industry standards such as ISO 27001, ISO 22301 and ISO 42001 also provide businesses with a baseline they can follow to protect themselves from geopolitical cyber threats and, ultimately, keep their operations, data and supply chains safe from nation-state hackers. TSG Training’s Young explains that ISO 27001 covers information security, ISO 22301 addresses business continuity and, more recently, ISO 42001 has been introduced to counter AI-fueled cyber threats. He suggests that, by adhering to such standards, third-party IT providers looking to secure contracts from critical national infrastructure organisations can show that they take cybersecurity seriously and have robust measures in place to mitigate supply chain risks.

An Opportunity For Businesses

Although many businesses have become collateral damage as a result of nation-state cyberattacks, some may actually benefit from increased defence spending as countries look to mitigate this risk. National governments rely on businesses to maintain digital resilience, and as part of their defence budgets, they’ll no doubt pour more money into improving their cyber defences. That means plenty of opportunities for the private sector.

John Young, principal consultant at IT training provider TSG Training, says private-sector businesses will have an instrumental role to play in helping NATO members strengthen their cybersecurity and, ultimately, their overall national security. He tells ISMS.online: “Sharing threat intelligence between companies, government bodies and international partners strengthens overall awareness and enables faster responses to new threats.”

Like Young, Lei of Sparrow takes the view that NATO can’t respond to today’s myriad cyber threats without collaborating with the private sector. He points out that private companies own and operate many of the critical services used by governments. Because of this, he says governments look to the private sector for threat intelligence and incident response.
Chris Henderson, chief information security officer at managed cybersecurity platform Huntress, is another staunch believer in public-private sector collaboration in the fight against nation-state cyber threats. He says that, through these partnerships, governments can leverage real-time threat intelligence provided by private-sector organisations to keep pace with the fast-evolving cyber threat landscape. For such partnerships to be a success, Henderson urges private sector organisations to ensure the intelligence they share with government bodies is formatted so that government-operated computer systems can analyse the data and draw actionable insights from it quickly.

Governments, too, must play their part in ensuring these partnerships are effective. Specifically, Henderson says private sector organisations must be able to disseminate cyber threat intelligence without being slowed down by regulatory bureaucracy. This, he says, is essential in ensuring “timely action” to “novel and critical threats”.

Conclusion

Watching governments increase their defence spending is scary, as one wonders what they know and what could be around the corner. But it’s an absolute necessity to keep countries safe amid fast-changing times. That said, defence spending isn’t just about buying more tanks or missiles - our enemies can inflict just as much damage through cyber-attacks on critical infrastructure. So, it’s encouraging to see NATO members agree to allocate a significant proportion of their increased defence budgets to shoring up cyber defences. At the same time, this will open up opportunities for cybersecurity firms in the private sector. However, in addition to spending more money on cyber defences, close collaboration between the public and private sectors is essential in ensuring these projects are effective in the long term. And let’s not forget that many businesses are now collateral damage amid geopolitical turbulence, meaning they require support too.
ISO 27001

Cyber Incidents Are Testing the Resilience of Global Airlines

The next time you slowly amble down an aeroplane aisle, spare a thought for the incredible work that got you there, from aviation engineering through to operators that keep over 5,000 planes in the air at any one time; the aviation industry faces mind-boggling challenges. In the last couple of decades, they've had yet another thing to contend with: cybersecurity threats. Last month, we saw some examples of what happens when intruders get inside their systems.

Three Cyber Attacks In One Month

In early June, WestJet, one of Canada's most popular airlines, first realized that something was amiss in its systems. The company had been hit by a cyber incident, which had prevented users from logging into its website and mobile app. WestJet was quick to address the problem, as it detailed on its advisory page over the next few days. However, this wasn't an isolated incident. The airline was one of three that suffered attacks. Qantas and Hawaiian Airlines were also hit.

Hawaiian Airlines detected its own breach on June 23 and disclosed it three days later via a terse message on its site. Its flight schedule was operational, and guest travel was not affected, it said. Then, it was Australia's turn. Its Qantas airline saw unusual activity on a third-party platform used by its contact centre. The attacker managed to pilfer customer names, addresses, phone numbers, birth dates, and frequent flyer numbers. On July 2, Qantas stated that it had service records for six million customers on the platform and expected the proportion of stolen data to be "significant". However, the thieves didn't get away with payment information, it added.

These attacks look coordinated. Scattered Spider, the threat group also presumed responsible for attacks on the MGM Grand Casino and, more recently, Marks & Spencer, had turned its attention to the airline sector, warned the FBI.
According to the Bureau, the criminal group compromises employee accounts by visiting help desks and impersonating employees or contractors, convincing operators to give them account access. It will then often convince those operators to add MFA access to the accounts, locking out the legitimate users. Sources indicated that the airline attacks appeared to be the work of this group.

A Decade Of Digital Turbulence

This isn't the first time an airline has faced a cyber attack. 2015 saw Polish airline LOT suffer a DDoS attack that prevented it from issuing flight plans, leaving 1,400 passengers stranded and 20 flights cancelled. Three years later, attackers nobbled British Airways by compromising a BA network account issued to an employee at cargo handling company Swissport. A lack of MFA enabled the attackers to compromise the account and exploit a vulnerability in Citrix to gain access to the wider BA network. From there, they accessed credentials on a Windows domain administrator account stored in plain text. The attacker, Magecart, planted JavaScript on the airline's website and stole the payment card details of 380,000 customers. BA escaped with a £20m fine, slashed from £183m.

Incidents like these are frequent enough to have blotted the aviation industry's copybook. Security management software company SecurityScorecard gives the sector a 'B' on cybersecurity. It isn't a failing grade, says the organization, but it makes companies in this sector almost three times more likely to suffer a breach than those in A-rated sectors.

Regulators Take Notice

That's no wonder, given the sprawling attack surface for most airlines. It isn't just administrative systems that are a target. Operational systems, ranging from equipment at the airport to in-flight equipment, are also under threat.
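The help-desk pattern described above (a reset granted to an impersonator, followed by a new MFA factor being added and the legitimate one removed) leaves a distinctive trace in identity-provider audit logs. The following is an added detection example written for this article, not code from ISMS.online, the FBI or any airline: it correlates help-desk password resets with MFA device changes on the same account inside a short window. The log format, event names, users, ticket numbers and IP addresses are all constructed for the example.

```python
"""Flag help-desk-initiated password resets that are quickly followed by MFA
device changes on the same account. Constructed example for illustration;
the key=value log format and event names are assumptions, not any vendor's."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed identity-provider audit log (one key=value record per line).
SAMPLE_LOG = """\
ts=2025-06-10T09:02:11Z event=helpdesk.password_reset user=alice actor=helpdesk01 ticket=HD-1001
ts=2025-06-10T09:05:40Z event=mfa.device_enrolled user=alice method=sms src_ip=203.0.113.7
ts=2025-06-10T09:06:02Z event=mfa.device_removed user=alice method=authenticator_app
ts=2025-06-10T10:15:00Z event=helpdesk.password_reset user=bob actor=helpdesk02 ticket=HD-1002
ts=2025-06-11T08:00:00Z event=mfa.device_enrolled user=bob method=authenticator_app src_ip=198.51.100.4
ts=2025-06-10T11:00:00Z event=mfa.device_enrolled user=carol method=authenticator_app src_ip=198.51.100.9
"""

MFA_CHANGE_EVENTS = {"mfa.device_enrolled", "mfa.device_removed"}


@dataclass
class Event:
    ts: datetime
    event: str
    user: str
    fields: dict


def parse_line(line: str) -> Event:
    """Split one key=value record into an Event; unknown keys stay in `fields`."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    ts = datetime.fromisoformat(fields.pop("ts").replace("Z", "+00:00"))
    return Event(ts, fields.pop("event"), fields.pop("user"), fields)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_suspicious_resets(events, window=timedelta(minutes=30)) -> list:
    """Return (user, ticket, mfa_event, seconds_after_reset) for every MFA
    change that lands within `window` of a help-desk reset on the same user."""
    alerts = []
    resets = [e for e in events if e.event == "helpdesk.password_reset"]
    for reset in resets:
        for e in events:
            if (e.user == reset.user and e.event in MFA_CHANGE_EVENTS
                    and reset.ts <= e.ts <= reset.ts + window):
                secs = int((e.ts - reset.ts).total_seconds())
                alerts.append((reset.user, reset.fields.get("ticket"), e.event, secs))
    return alerts


def summarise(alerts) -> dict:
    """Group alerts per user and mark the high-severity case where a new factor
    was added AND an existing one removed, i.e. the owner is likely locked out."""
    by_user = {}
    for user, ticket, event, secs in alerts:
        entry = by_user.setdefault(user, {"ticket": ticket, "events": set(), "first_seconds": secs})
        entry["events"].add(event)
        entry["first_seconds"] = min(entry["first_seconds"], secs)
    for entry in by_user.values():
        entry["factor_replaced"] = MFA_CHANGE_EVENTS <= entry["events"]
    return by_user


if __name__ == "__main__":
    for user, summary in summarise(find_suspicious_resets(parse_log(SAMPLE_LOG))).items():
        print(user, summary)
```

In the constructed log, only `alice` is flagged: her reset ticket is followed within four minutes by an SMS factor being enrolled and the authenticator app removed, the lock-out sequence the article describes. `bob` also had a reset, but his MFA change came the next day, and `carol` had no reset at all. In practice the 30-minute window and the event names would be tuned to the identity provider's actual audit schema, and a true positive should trigger a callback to the employee on a previously verified channel rather than an automatic reversal.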
Most aviation breaches are administrative, focusing on passenger and payment information rather than the aircraft themselves; however, things would become far more serious if someone were to target operational technology on planes in flight. To date, such hacks have mostly been proof-of-concept tests. However, regulators are still taking preventative measures. The FAA proposed new rules last year to protect aircraft systems. The US Transportation Security Administration (TSA) imposed new cybersecurity rules on airport and aircraft operators in 2023, including network segmentation requirements. The EU published the Implementing Regulation (EU) 2023/203 (Part-IS) in October 2022, which outlines rules for identifying and managing security risks in aviation organizations. That comes into force this year.

Building Resilient Aviation Operations

What can aviation companies do to protect themselves against growing cyber risk? Although the regulatory standards are sector-specific, regulators have, in some cases, made the effort to overlap with ISO 27001. While aviation industry organizations may need to undertake additional work to meet specific aviation safety requirements outlined in Part-IS, they are nevertheless "consistent and aligned with ISO-IEC 27001," according to the EU Aviation Safety Agency (EASA).

The security measures that aviation companies need to put in place aren't rocket science. The TSA's focus is on network segmentation policies and access controls to stop intruders from breaching your network. Admonishments to patch software also show up. Recommendations like these are even more common than bathroom queues on a long-haul flight. Much like not smoking on a flight, adopting good cybersecurity practices on aviation networks is non-negotiable. Having passenger account data stolen is bad enough, but without effective protection, the outcomes of a more concerted attack by an operator driven by something other than profit could be far, far worse.
ISO 27001

Verizon’s DBIR 2025 Versus Your Board: What They’re Missing

CISOs are increasingly invited to board meetings. A Splunk survey from January found that 83% participate somewhat often or most of the time, while a similar share interacts directly with the CEO. Yet fewer than a third of respondents say the board includes one or more members with cyber expertise. That means CISOs may be talking without really being heard. The Verizon Data Breach Investigations Report (DBIR) is an excellent opportunity to set the records straight. It's packed with valuable threat landscape insight that could be used as a springboard to strategic conversations. CISOs not talking about these breach trends in leadership meetings may be leaving their organisation exposed.

A Communication Breakdown?

Research tells us that in many organisations, CISOs either aren't speaking the language of the board/business, or the board doesn't want to listen – or both. FTI Consulting research reveals that nearly a third (31%) of executives don't fully understand technical concepts used by the CISO and that over half (58%) of CISOs struggle to convey this language in a way senior leadership can understand. A further third of executives claim their CISOs are hesitant to raise potential security issues to their attention.

Yet the problem swings both ways. A Trend Micro study from 2024 claims that four-fifths (79%) of global CISOs have felt boardroom pressure to downplay the severity of cyber risks – often because they're seen as being "nagging" or "overly negative". A third say they have been dismissed out of hand. This can be linked to a common accusation: that boards still consider cyber to be a matter for the IT department and not the business. Only half (54%) of CISOs Trend spoke to said they are confident their board completely understands the organisation's cyber risks – a figure that has barely shifted in three years.

"The board listens when cyber risk sounds like business risk – that's how you move from the server room to the board room. CISOs must translate technical complexity into business relevance," advises Mick Baccio, global security advisor at Splunk SURGe. "To be heard, they must bridge that gap and frame cybersecurity as a business enabler: aligning security metrics to revenue protection, regulatory compliance, and customer trust. Equally important is building informal relationships with board members to become a trusted advisor, not just a compliance messenger."

DBIR Breach Trends to Watch

Assuming CISOs can get the ear of their board, what should they be worried about? Verizon's latest DBIR is based on an analysis of over 22,000 security incidents, including 12,195 confirmed data breaches. It highlights several trends of concern, including:

- An annual rise in "system intrusion" events from 36% to 53% of data breaches. These are more sophisticated attacks characterised by malware and hacking.
- The above finding is driven by a surge in ransomware attacks, which rose in number by 37% since last year and are now present in 44% of breaches, despite a decrease in the median ransom amount paid. SMBs are disproportionately affected.
- 40% of ransomware victims had corporate email addresses stolen by infostealers.
- Credential abuse (22%), exploitation of vulnerabilities (20%) and phishing (19%) were the main data breach attack vectors.
- Generative AI is a growing risk on two fronts: synthetically generated text in malicious emails (i.e., phishing) doubled over the past two years, while 14% of employees routinely access GenAI systems on their corporate devices. A majority (72%) used a non-corporate email as their account identifier, hinting at shadow AI use.
- Human involvement in breaches remains high, at around 60%, most notably credential abuse and social engineering.
- There was a 34% increase in vulnerability exploitation as a breach attack vector, especially zero-day exploits targeting perimeter devices and VPNs.
- Only half (54%) of perimeter device vulnerabilities were fully remediated, and it took a median of 32 days to do so.
- The percentage of breaches involving third parties doubled to 30%.
- BYOD remains a threat: 46% of systems compromised by infostealers with corporate logins stolen were personal devices.

CISOs should be having "risk realism" conversations with their boards on the back of these findings, says Baccio. "If your crisis plan stops at your own firewall, you don't have a crisis plan. Verizon's report is clear: the attack surface has expanded, and attackers are exploiting the human, technical, and supply chain layers simultaneously. Directors must move beyond box-ticking and ask: 'Where are we truly most vulnerable?'" he tells ISMS.online. "Third-party risk and edge device exposures must be treated as business continuity threats, not just IT issues. The board should demand regular scenario planning around credential abuse, ransomware extortion, and insider-driven data leaks."

Trend Micro's director of cyber strategy, Jonathan Lee, argues that the report should be another "wake-up call" for boards about the need to align security strategy with operational resilience. "We only have to look at the recent high-profile incidents impacting UK retailers to see the lost revenue, lost profit and lost reputation that can follow an attack. In some cases, being breached can be an existential threat to an organisation. In a public service context, this can have a real-world physical impact too, such as the clinical harm that was caused following the NHS supply chain attack on Synnovis," he tells ISMS.online. "Simply acknowledging that these risks exist and adding them to a risk register is insufficient. Why wait for a breach to hit your organisation? Isn't it better to be proactive and prepared, rather than reactive and unprepared for if the worst happens?"
Bridging the Gap with Compliance Programmes

Best practice standards like ISO 27001 can help here by providing boards and security leaders with a common language and risk-based approach via which to improve cyber resilience. "Compliance frameworks won't stop every attacker, but they will stop chaos in your response. Frameworks like ISO 27001 and SOC 2 provide a common language and structure to align cybersecurity controls with business objectives," says Splunk's Baccio. "They offer repeatable, auditable evidence of risk management without being as prescriptive, or slow, as regulatory regimes like NIS2. The value is not just in the certification but in the discipline and clarity it brings to cybersecurity strategy and reporting."

Trend Micro's Lee says these standards can even provide a handy onramp to compliance with regulations like NIS2 and the forthcoming UK Cyber Security & Resilience Bill. "As well as hardening defences from attackers, such an approach also demonstrates a commitment to maintaining high-security standards to your supply chain and digitally interconnected partners," he concludes. "By utilising these compliance programmes, CISOs can bridge the gap between cybersecurity and their organisations, ensuring that security measures are seen as a core part of their organisation's success and resilience."
ISO 27001

Retail Under Fire: Would You Spot a Breach If It Happened Right Now?

Retailers and their suppliers are having a tough time in the UK right now. A string of major security breaches tied to ransomware actors has left shelves bare, damaged corporate reputations, and sent stock prices tumbling. These incidents have also served as a timely reminder that attackers continue to move faster than defenders. And that too many organisations still treat compliance as a retrospective exercise. To get back on the front foot, UK retailers and their peers across other sectors must start thinking about compliance and risk management as a dynamic, real-time endeavour.

Retail Attacks Highlight Hacker Advantages

Four breaches have shaken the retail and logistics sectors in recent weeks. Here's what we know so far and the impact on each corporate victim.

Marks & Spencer: The high street stalwart revealed news of an "incident" on April 21. This soon spiralled, and it was forced to suspend contactless payments, Click & Collect and online orders. Stock levels also ran low in some stores after the incident hit logistics hubs. M&S now says some customer data was stolen. The firm is said to be losing £40m of sales per week, while its share price has sunk 12% (as of May 19). Reports suggest that sophisticated threat actors linked to the loose "Scattered Spider" collective encrypted some of the company's VMware ESXi hosts with the DragonForce ransomware variant. It's claimed that a compromised third-party (Tata Consultancy Services) with logins to its systems may have been the initial entry point. The threat actors may have been able to cause more damage with this attack as they struck just before the long Easter bank holiday weekend.

Co-op: The same threat actors behind the M&S raid are claiming responsibility for a ransomware attack on the UK's seventh-largest high-street retailer. They say that the firm pulled the plug once it detected unusual network activity, preventing them from deploying ransomware but not in time to stop them from exfiltrating significant volumes of members' data. Stock levels in some stores have also been affected. It's unclear what the financial impact on the company will be, but new IT security infrastructure, incident response and recovery processes will likely run into the millions of pounds.

Harrods: The iconic Knightsbridge department store has been tight-lipped over an attack it revealed on May 1. It claims to have spotted and stopped an unauthorised access attempt. "Our seasoned IT security team immediately took proactive steps to keep systems safe, and as a result, we have restricted internet access at our sites today," a statement notes. The attack doesn't appear to have impacted its online or brick-and-mortar outlets.

Peter Green Chilled: The latest name to add to this roll call of cyber-attack victims is a little-known logistics partner for Tesco, Sainsbury's, Aldi and other supermarkets. The ransomware attack occurred in the week beginning May 12, but the firm says "transport activities of the business have continued unaffected". If deliveries were impacted, it could be costly for suppliers, given that the firm offers cold storage supply chain logistics.

How Can Retailers Avoid a Similar Fate?

UK retailers are not alone. French fashion giant Dior has notified Asian customers of a data breach, while Google claims Scattered Spider actors are also targeting US retailers. That makes any lessons learned important for CISOs across the planet. So, what can we say about the incidents? Although, in most cases, we still don't know the ransomware actors' specific MO, we can say that cyber-hygiene best practices, while important, are not a silver bullet. Yes, things like prompt patching, multi-factor authentication (MFA) and asset management are essential in minimising the size of the attack surface.
But there will always be a way for determined threat actors to achieve their goals. This makes continuous AI-powered network monitoring essential. These tools learn what "normal" traffic patterns look like, enabling them to more effectively raise the alarm when something within the network doesn't look right. It means security operations (SecOps) teams can react faster to shut down threats before they can spread and/or before data can be exfiltrated and encrypted.

Automated risk assessment tools are another valuable addition, enabling firms to continuously monitor their IT environment to detect any unpatched vulnerabilities, misconfigurations, or other security holes that need to be addressed. They account for the fact that such environments are in constant flux – especially in the cloud – and therefore require continuous attention. This will make the organisation more resilient and close down possible attack paths. But again, it is something only AI and automation can do effectively, 24/7/365.

"Cybersecurity protection is not a destination, but rather a continuous process. Threat actors are constantly evolving, and so should our security posture," BlackFog CEO Darren Williams tells ISMS.online. "As a result, it is important when looking at new tools, to focus on machine learning-based AI protection, in addition to the more static and signature-based approaches most tools use."

A Dynamic Approach to Compliance

More broadly, the breaches at UK retailers highlight again that for many organisations, compliance with best practice standards and regulations can often be too reactive. For example, traditional information security management systems (ISMS) are built around point-in-time assessments that fail to adapt to new business models, threats, and technologies like cloud and IoT, which can expand the attack surface.
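The monitoring tools described above work by learning a per-host baseline and alerting on departures from it. The simplest useful instance of that idea, and the one most relevant to the Co-op incident where bulk exfiltration preceded (and was stopped short of) encryption, is a robust baseline of daily egress volume per host. The block below is an added example written for this article, not code from ISMS.online, BlackFog or any monitoring vendor; it uses a median/MAD baseline rather than any vendor's machine-learning model, and the hostnames and byte counts are constructed.

```python
"""Robust per-host egress baseline: flag hosts whose outbound volume today is
far outside their own recent history. Added example with constructed data;
the median/MAD approach is a deliberately simple stand-in for the learned
baselines commercial tools build."""
from statistics import median

# Constructed daily egress totals (bytes) per host over a 7-day learning window.
BASELINE = {
    "ws-finance-01": [420_000, 395_000, 450_000, 410_000, 430_000, 405_000, 440_000],
    "ws-hr-03":      [210_000, 190_000, 205_000, 220_000, 198_000, 215_000, 200_000],
    "srv-backup-02": [9_000_000, 9_400_000, 8_800_000, 9_100_000, 9_300_000, 9_200_000, 9_050_000],
}

# Constructed observation for the current day: one workstation pushes ~6 MB
# out, fifteen times its norm, while the backup server stays within its band.
TODAY = {"ws-finance-01": 6_300_000, "ws-hr-03": 225_000, "srv-backup-02": 9_250_000}

# Scale factor that makes MAD comparable to a standard deviation for normal data.
MAD_TO_SIGMA = 1.4826


def robust_baseline(values):
    """Median and median absolute deviation; both are insensitive to a single
    outlier day in the learning window, unlike mean/stddev."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def anomaly_score(value, med, mad):
    """Robust z-score: how many 'sigmas' the value sits above the baseline."""
    scale = MAD_TO_SIGMA * mad if mad > 0 else 1.0
    return (value - med) / scale


def detect_exfil_candidates(baseline, today, threshold=5.0, min_ratio=3.0):
    """Return (host, score, ratio) for hosts that exceed both an absolute
    robust-z threshold and a multiplicative ratio over their median. The ratio
    guard stops a host with a very tight history (tiny MAD) from alerting on a
    small absolute change."""
    alerts = []
    for host, history in baseline.items():
        if host not in today:
            continue  # no observation for this host in the current window
        med, mad = robust_baseline(history)
        score = anomaly_score(today[host], med, mad)
        ratio = today[host] / med if med else float("inf")
        if score > threshold and ratio >= min_ratio:
            alerts.append((host, round(score, 1), round(ratio, 1)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, score, ratio in detect_exfil_candidates(BASELINE, TODAY):
        print(f"{host}: egress {ratio}x median (robust z = {score})")
```

Only `ws-finance-01` is reported; the backup server's 9.25 MB day is large in absolute terms but ordinary for that host, which is exactly the distinction a fixed byte threshold cannot make. A production deployment would bucket by hour rather than day, key on (host, destination) rather than host alone so that a new external destination stands out, and suppress known bulk transfers such as backups through an allow-list rather than a higher threshold.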
"The reality is that security teams need to be effective 100% of the time, and threat actors only need to succeed once," Xalient head of business consultancy, Dave McGrail, tells ISMS.online. "This imbalance highlights the need for a more dynamic, adaptive approach to cybersecurity compliance and ISMS management." This is exactly what ISO 27001:2022 encourages through a process of continuous improvement of the ISMS, dynamic risk modelling and adaptive risk management. "As threats shift, so must our defences. The 2022 update to ISO 27001 supports this shift by encouraging more regular reviews of risk, integrating up-to-date threat information, and promoting awareness across the entire organisation," 59 Degrees North founder Neil Lappage tells ISMS.online. "It's not about doing more for the sake of it. It's about doing things differently, embedding awareness into onboarding, rethinking what 'secure' looks like in day-to-day operations, and giving people the tools and confidence to question unusual requests. Technology helps, but it's people who make the biggest difference, especially when they're informed, supported, and brought into the bigger picture. Cybersecurity isn't just a system; it's a culture, and that's something we all build together."
ISO 27001

Why Regulators Are Favouring A Converged Approach To Cyber Resilience

As the digital ecosystem expands exponentially and cybercriminals seek to exploit security holes within it, regulators continue to apply pressure on businesses to develop comprehensive cyber risk strategies and are holding them accountable when things go wrong. Recognising that cyber threats are multi-faceted and global in nature, regulators are taking a more uniform approach to cyber risk compliance. A perfect example is the European Union’s Digital Operational Resilience Act, which compels bloc-wide adherence to a common set of cybersecurity rules. International cooperation on cyber resilience, particularly in areas such as artificial intelligence (AI), is also growing. For instance, in September 2024, Britain, the US, and Canada announced plans to collaborate on cybersecurity and AI research.

Due to the rise of converged cyber regulations, businesses across all industries are now expected to develop, enforce, and regularly assess comprehensive IT risk controls and policies. Cyber experts warn that these can no longer be a single, tick-box exercise.

A Converged Approach To Cyber Resilience

A rapid increase in sophisticated cyber threats and a growing dependency on digital technologies by businesses are prompting global regulators to align on core areas, such as data protection, cyber resilience, and risk management, according to Anu Kapil, senior product manager at American IT security firm Qualys. She argues that by taking a unified approach to privacy, cybersecurity and AI regulations, regulators benefit from streamlined oversight and the enforcement of cross-border accountability. Meanwhile, businesses can use a standard set of frameworks for centralised compliance.
Echoing similar thoughts, Sam Peters, Chief Product Officer of ISMS.online, notes that regulators worldwide are increasingly collaborating on cross-domain cyber regulations in response to the proliferation of complex digital threats, geopolitical challenges, and growing user expectations for accountability. In doing so, Peters says regulators hope to clamp down on current siloes that exist in areas such as cybersecurity, data privacy and AI. These siloes make it harder for organisations to spot and mitigate cyber threats. But by eliminating the aforementioned siloes, fostering more consistent IT regulations and leaning on existing risk standards like ISO 27001, he believes that regulators can help accelerate cross-sector innovation and decrease cyber risks.

Not Enough Is Being Done

Although industry standards like NIS2, DORA and ISO 27001 have become more aligned in recent times, Mark Weir, regional director for UK and Ireland at cybersecurity solutions provider Check Point Software, suggests there’s still some way to go before they become truly “consistent” and “comprehensive” on a global scale. In particular, he says a lack of formalised artificial intelligence guidelines and governance makes it harder for organisations to use this technology appropriately. For instance, artists are concerned that AI could infringe upon their copyrights unless the technology is appropriately regulated.

But regulators aren’t the only ones to blame. Even though industry bodies like the National Cyber Security Centre are warning of the growing risk of cyber threats and issuing guidance to counter them, Weir says lots of organisations are failing to put it into practice. He’s particularly concerned about the lack of cyber simulations and rehearsals in corporate cyber resilience plans.
He tells ISMS.online: “Without proactive planning and regular testing, the likelihood of a successful recovery from a cyberattack diminishes significantly, often resulting in service outages, data loss, and erosion of customer trust.”

What Converged Cyber Regulations Mean For Businesses

What’s clear is that as new industry regulations emerge and existing policies converge, businesses have no choice but to take their regulatory obligations seriously. For Peters, this means implementing sufficient IT risk controls, governing them robustly and being accountable when things go wrong. With cyber and AI threats emerging rapidly, he says businesses can’t afford to treat compliance like a “one-off checklist”. Instead, they must develop a culture of continuous improvement to ensure their cyber resilience plans are truly effective. Peters says businesses that treat cyber resilience as a “strategic” and “ongoing” exercise throughout all departments will be the most successful. He explains: “Those who get it right gain a competitive advantage: faster market entry, stronger customer trust, and reduced exposure to regulatory fines or reputational damage.”

Kapil agrees that, in light of converged cyber regulations, organisations will set themselves up for failure by not approaching compliance continuously. She encourages businesses to establish adaptable cybersecurity policies, regularly monitor them, and be prepared to respond to impromptu audit requests from regulators. She tells ISMS.online: “To do this effectively, companies can automate evidence collection, assess control gaps proactively, and stay aligned with evolving regulations across multiple domains.”

Taking A Smarter And Integrated Cyber Resilience Approach

When it comes to responding to increased regulatory demands for converged cyber compliance and strengthening their cyber defences, Peters urges businesses to replace manual and fragmented compliance approaches with one that is smarter and more integrated.
In practice, Peters says this means centralising risk, compliance and governance into one environment that can be scaled easily, takes into account existing and emerging industry regulations, and provides insight into risk across different areas of the business. One way of doing this, according to Peters, is the implementation of an information security management system that adheres to the requirements of a recognised industry standard such as ISO 27001. He explains that such standards are not only intentionally established but are also designed to facilitate cross-border cyber compliance in a structured and adaptable manner. “By adopting ISO 27001 as a foundation, businesses gain a systematic way to identify, assess, and mitigate risks and crucially, its structure supports the inclusion of additional frameworks, whether for privacy, AI ethics, resilience, or sector-specific mandates,” says Peters. He adds that after adopting an ISMS platform, businesses can integrate the recommendations of other frameworks — such as ISO 22301 for business continuity and or ISO 42001 for AI — into their different compliance efforts. He adds: “This simplifies management and makes it easier to demonstrate compliance across multiple standards and regions.” Like Peters, Kapil warns businesses against handling different IT and cyber regulations separately as it results in “inefficient and risky” siloes. She favours a centralised approach in which companies develop cross-department policies aligned with frameworks like NIST, ISO and GDPR. Given that regulatory obligations are constantly evolving, she emphasises the importance of continuously monitoring policies —a task that can be streamlined using automation tools. 
She adds:  “With an integrated policy audit approach, they can reduce manual work, improve accuracy, and align risk and compliance efforts under one platform.” The Future Of Cyber Regulations Looking ahead, Kapil expects industry regulations to become even more stringent in the face of a rapidly expanding and increasingly ferocious cyber threat landscape. She believes that there will be increased pressure on businesses to prove they are continuously and in real-time tackling these risks using an integrated cyber risk strategy. Starting this now will help them become “more agile, audit-ready, and better protected against regulatory and cyber risks”, she adds. Alan Jones, CEO and co-founder of secure communications provider YEO Messaging, agrees that the future of cyber risk compliance will be more integrated. He expects to see more businesses adopt this trend by authenticating users in real-time and implementing zero-trust architectures. As more organisations develop, implement, and use AI systems, Satish Swargam, principal consultant for DevSecOps and secure development at application security firm Black Duck, predicts that future cybersecurity regulations and compliance policies will be designed around this technology. Not only will industry regulations aim to mitigate the threats posed by AI models, but the models themselves could also streamline cybersecurity compliance. In fact, Swargam says AI has the power to  “address security risks with the right context”. Businesses benefit greatly from emerging technologies like AI; however, they also face significant ethical and cybersecurity risks that are growing in scale and sophistication. Because of this, businesses must assess these risks accordingly in a bid to protect their employees, customers and, indeed, their reputations. And doing so will keep regulators happy.
