
Achieve Robust Information Security with ISO 27001:2022

Our platform empowers your organisation to align with ISO 27001, ensuring comprehensive security management. This international standard is essential for protecting sensitive data and enhancing resilience against cyber threats. With over 70,000 certificates issued globally, ISO 27001’s widespread adoption underscores its importance in safeguarding information assets.

Why ISO 27001 Matters

Achieving ISO 27001:2022 certification commits your organisation to a comprehensive, risk-based approach to information security management, so that potential threats are managed and mitigated in line with modern security needs. The standard provides a systematic methodology for managing sensitive information and keeping it secure. Certification can reduce data breach costs by 30% and is recognised in over 150 countries, enhancing international business opportunities and competitive advantage.

How ISO 27001 Certification Benefits Your Business

  1. Achieve Cost Efficiency: Save time and money by preventing costly security breaches. Implement proactive risk management measures to significantly reduce the likelihood of incidents.
  2. Accelerate Sales Growth: Streamline your sales process by reducing extensive security documentation requests (RFIs). Showcase your compliance with international information security standards to shorten negotiation times and close deals faster.
  3. Boost Client Trust: Demonstrate your commitment to information security to enhance client confidence and build lasting trust. Increase customer loyalty and retain clients in sectors like finance, healthcare, and IT services.


Comprehensive Guide on How to Implement ISO 27001:2022 Certification

The standard’s structure includes a comprehensive Information Security Management System (ISMS) framework and a detailed ISO 27001 implementation guide that integrates risk management processes and Annex A controls. These components create a holistic security strategy, addressing various aspects of security (ISO 27001:2022 Clause 4.2). This approach not only enhances security but also fosters a culture of awareness and compliance within the organisation.

Streamlining Certification with ISMS.online

ISMS.online plays a crucial role in facilitating alignment by offering tools that streamline the certification process. Our platform provides automated risk assessments and real-time monitoring, simplifying the implementation of ISO 27001:2022 requirements. This not only reduces manual effort but also enhances efficiency and accuracy in maintaining alignment.

Join 25,000+ Users Achieving ISO 27001 with ISMS.online. Book Your Free Demo Today!


Understanding ISO 27001:2022

ISO 27001 is a pivotal standard for improving an Information Security Management System (ISMS), offering a structured framework to protect sensitive data. This framework integrates comprehensive risk evaluation processes and Annex A controls, forming a robust security strategy. Organisations can effectively identify, analyse, and address vulnerabilities, enhancing their overall security posture.

Key Elements of ISO 27001:2022

  • ISMS Framework: This foundational component establishes systematic policies and procedures for managing information security (ISO 27001:2022 Clause 4.2). It aligns organisational goals with security protocols, fostering a culture of compliance and awareness.
  • Risk Evaluation: Central to ISO 27001, this process involves conducting thorough assessments to identify potential threats. It is essential for implementing appropriate security measures and ensuring continuous monitoring and improvement.
  • ISO 27001 Controls: ISO 27001:2022 outlines a comprehensive set of ISO 27001 controls within Annex A, designed to address various aspects of information security. These controls include measures for access control, cryptography, physical security, and incident management, among others. Implementing these controls ensures your Information Security Management System (ISMS) effectively mitigates risks and safeguards sensitive information.


Aligning with International Standards

ISO 27001:2022 is developed in collaboration with the International Electrotechnical Commission (IEC), ensuring that the standard aligns with global best practices in information security. This partnership enhances the credibility and applicability of ISO 27001 across diverse industries and regions.

How ISO 27001 Integrates with Other Standards

ISO 27001:2022 integrates with other standards such as ISO 9001 for quality management and ISO 27002, the code of practice for information security controls, and with regulations such as GDPR, enhancing compliance and operational efficiency. This integration allows organisations to streamline regulatory efforts and align security practices with broader business objectives. Initial preparation involves a gap analysis to identify areas needing improvement, followed by a risk evaluation to assess potential threats. Implementing Annex A controls ensures comprehensive security measures are in place. The final audit process, including Stage 1 and Stage 2 audits, verifies compliance and readiness for certification.

Why Is ISO 27001:2022 Important for Organisations?

ISO 27001 plays a vital role in strengthening your organisation’s data protection strategies. It provides a comprehensive framework for managing sensitive information, aligning with contemporary cybersecurity requirements through a risk-based approach. This alignment not only fortifies defences but also ensures adherence to regulations like GDPR, mitigating potential legal risks (ISO 27001:2022 Clause 6.1).

ISO 27001:2022 Integration with Other Standards

ISO 27001 is part of the broader ISO family of management system standards. This allows it to be seamlessly integrated with other standards, such as:

This integrated approach helps your organisation maintain robust operational standards, streamlining the certification process and enhancing compliance.

How Does ISO 27001:2022 Enhance Risk Management?

  • Structured Risk Management: The standard emphasises the systematic identification, assessment, and mitigation of risks, fostering a proactive security posture.
  • Incident Reduction: Organisations experience fewer breaches due to the robust controls outlined in Annex A.
  • Operational Efficiency: Streamlined processes enhance efficiency, reducing the likelihood of costly incidents.

Structured Risk Management with ISO 27001:2022

ISO 27001 requires organisations to adopt a comprehensive, systematic approach to risk management. This includes:

  • Risk Identification and Assessment: Identify potential threats to sensitive data and evaluate the severity and likelihood of those risks (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Select appropriate treatment options, such as mitigating, transferring, avoiding, or accepting risks. With the addition of new options like exploiting and enhancing, organisations can take calculated risks to harness opportunities.

Each of these steps must be reviewed regularly to ensure that the risk landscape is continuously monitored and mitigated as necessary.
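The risk identification, assessment and treatment steps above are usually recorded in a risk register. The following is an added illustration, not ISMS.online code or a scale prescribed by the standard: it scores each risk as likelihood multiplied by severity on constructed five-point scales, applies a constructed risk appetite, accepts the six treatment options named on this page, and raises the consistency issues a reviewer would look for (a risk accepted above appetite, a mitigation with no Annex A control mapped, a residual score that is still too high). The Annex A identifiers used in the sample entries (8.8, 8.9, 5.23, 8.12) are taken from the control table on this page; the sample risks themselves are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Five-point ordinal scales (constructed for this example; an organisation
# defines its own scales when it designs its risk process under Clause 6.1).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed risk appetite: a score above this must be treated, not merely accepted.
RISK_APPETITE = 6

# Treatment options named on this page: the classic four plus the
# opportunity-oriented "exploit" and "enhance".
TREATMENTS = {"mitigate", "transfer", "avoid", "accept", "exploit", "enhance"}


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str
    severity: str
    treatment: str
    controls: list = field(default_factory=list)   # Annex A 2022 identifiers, e.g. "8.8"
    residual_likelihood: Optional[str] = None      # expected values after treatment
    residual_severity: Optional[str] = None


def score(likelihood: str, severity: str) -> int:
    """Likelihood x severity on the ordinal scales above (range 1..25)."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def inherent_score(risk: Risk) -> int:
    return score(risk.likelihood, risk.severity)


def residual_score(risk: Risk) -> int:
    """Score after treatment. If no residual estimate is recorded, nothing has
    been shown to reduce the risk, so the inherent values stand."""
    return score(risk.residual_likelihood or risk.likelihood,
                 risk.residual_severity or risk.severity)


def review(risk: Risk) -> list:
    """Consistency checks a reviewer would raise on a single register entry."""
    issues = []
    if risk.treatment not in TREATMENTS:
        issues.append(f"unknown treatment option '{risk.treatment}'")
        return issues
    inherent, residual = inherent_score(risk), residual_score(risk)
    if risk.treatment == "accept" and inherent > RISK_APPETITE:
        issues.append("accepted above risk appetite: needs documented management approval")
    if risk.treatment == "mitigate":
        if not risk.controls:
            issues.append("mitigation planned but no Annex A controls mapped")
        if residual >= inherent:
            issues.append("mitigation does not reduce the score")
    if risk.treatment != "accept" and residual > RISK_APPETITE:
        issues.append("residual risk still above appetite after treatment")
    return issues


def review_register(register: list) -> dict:
    """Map each risk reference to the list of issues found for it."""
    return {risk.ref: review(risk) for risk in register}


# Constructed sample register (not real organisational data).
REGISTER = [
    Risk("R1", "Internet-facing web server missing security patches",
         "likely", "major", "mitigate", controls=["8.8", "8.9"],
         residual_likelihood="unlikely", residual_severity="moderate"),
    Risk("R2", "Ransomware renders the only backup copy unusable",
         "possible", "severe", "accept"),
    Risk("R3", "Customer data copied to unsanctioned cloud storage",
         "likely", "moderate", "mitigate", controls=["5.23", "8.12"],
         residual_likelihood="possible"),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.ref}: inherent {inherent_score(risk)}, "
              f"residual {residual_score(risk)}, treatment {risk.treatment}")
        for issue in review(risk):
            print("   !", issue)
```

Running it shows R1 reduced from 16 to 6 by the mapped controls, R2 flagged because a score of 15 has simply been accepted, and R3 flagged because its residual score of 9 still exceeds the appetite. The "regularly reviewed" requirement in the text maps onto re-running this check whenever likelihood, severity or treatment values change.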


What Are the Benefits for Trust and Reputation?

Certification signifies a commitment to data protection, enhancing your business reputation and customer trust. Certified organisations often see a 20% increase in customer satisfaction, as clients appreciate the assurance of secure data handling.

How ISO 27001 Certification Impacts Client Trust and Sales

  1. Increased Client Confidence: When prospective clients see that your organisation is ISO 27001 certified, it automatically elevates their trust in your ability to protect sensitive information. This trust is essential for sectors where data security is a deciding factor, such as healthcare, finance, and government contracting.
  2. Faster Sales Cycles: ISO 27001 certification reduces the time spent answering security questionnaires during the procurement process. Prospective clients will see your certification as a guarantee of high security standards, speeding up decision-making.
  3. Competitive Advantage: ISO 27001 certification positions your company as a leader in information security, giving you an edge over competitors who may not hold this certification.

How Does ISO 27001:2022 Offer Competitive Advantages?

ISO 27001 opens international business opportunities, recognised in over 150 countries. It cultivates a culture of security awareness, positively influencing organisational culture and encouraging continuous improvement and resilience, essential for thriving in today’s digital environment.

How Can ISO 27001 Support Regulatory Adherence?

Aligning with ISO 27001 helps navigate complex regulatory landscapes, ensuring adherence to various legal requirements. This alignment reduces potential legal liabilities and enhances overall governance.

Incorporating ISO 27001:2022 into your organisation not only strengthens your data protection framework but also builds a foundation for sustainable growth and trust in the global market.


Enhancing Risk Management with ISO 27001:2022

ISO 27001:2022 offers a robust framework for managing information security risks, vital for safeguarding your organisation’s sensitive data. This standard emphasises a systematic approach to risk evaluation, ensuring potential threats are identified, assessed, and mitigated effectively.

How Does ISO 27001 Structure Risk Management?

ISO 27001:2022 integrates risk evaluation into the Information Security Management System (ISMS), involving:

  • Risk Assessment: Conducting thorough evaluations to identify and analyse potential threats and vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Implementing strategies to mitigate identified risks, using controls outlined in Annex A to reduce vulnerabilities and threats.
  • Continuous Monitoring: Regularly reviewing and updating practices to adapt to evolving threats and maintain security effectiveness.

What Techniques and Strategies Are Key?

Effective risk management under ISO 27001:2022 involves:

  • Risk Assessment and Analysis: Utilising methodologies like SWOT analysis and threat modelling to evaluate risks comprehensively.
  • Risk Treatment and Mitigation: Applying controls from Annex A to address specific risks, ensuring a proactive approach to security.
  • Continuous Improvement: Fostering a security-focused culture that encourages ongoing evaluation and enhancement of risk management practices.


How Can the Framework Be Tailored to Your Organisation?

ISO 27001:2022’s framework can be customised to fit your organisation’s specific needs, ensuring that security measures align with business objectives and regulatory requirements. By fostering a culture of proactive risk management, organisations with ISO 27001 certification experience fewer security breaches and enhanced resilience against cyber threats. This approach not only protects your data but also builds trust with stakeholders, enhancing your organisation’s reputation and competitive edge.

Key Changes in ISO 27001:2022

ISO 27001:2022 introduces pivotal updates, enhancing its role in modern cybersecurity. The most significant changes reside in Annex A, which now includes advanced measures for digital security and proactive threat management. These revisions address the evolving nature of security challenges, particularly the increasing reliance on digital platforms.

Key Differences Between ISO 27001:2022 and Earlier Versions

The differences between the 2013 and 2022 versions of ISO 27001 are crucial to understanding the updated standard. While there are no massive overhauls, the refinements in Annex A controls and other areas ensure the standard remains relevant to modern cybersecurity challenges. Key changes include:

  • Restructuring of Annex A Controls: Annex A controls have been condensed from 114 to 93, with some being merged, revised, or newly added. These changes reflect the current cybersecurity environment, making controls more streamlined and focused.
  • New Focus Areas: The 11 new controls introduced in ISO 27001:2022 include areas such as threat intelligence, physical security monitoring, secure coding, and cloud service security, addressing the rise of digital threats and the increased reliance on cloud-based solutions.

Understanding Annex A Controls

  • Enhanced Security Protocols: Annex A now features 93 controls, with new additions focusing on digital security and proactive threat management. These controls are designed to mitigate emerging risks and ensure robust protection of information assets.
  • Digital Security Focus: As digital platforms become integral to operations, ISO 27001:2022 emphasises securing digital environments, ensuring data integrity, and safeguarding against unauthorised access.
  • Proactive Threat Management: New controls enable organisations to anticipate and respond to potential security incidents more effectively, strengthening their overall security posture.

Detailed Breakdown of Annex A Controls in ISO 27001:2022

ISO 27001:2022 introduces a revised set of Annex A controls, reducing the total from 114 to 93 and restructuring them into four main groups. Here’s a breakdown of the control categories:

Control Group  | Number of Controls | Examples
Organisational | 37                 | Threat intelligence, ICT readiness, information security policies
People         | 8                  | Responsibilities for security, screening
Physical       | 14                 | Physical security monitoring, equipment protection
Technological  | 34                 | Web filtering, secure coding, data leakage prevention

New Controls
ISO 27001:2022 introduces 11 new controls focused on emerging technologies and challenges, including:

  • Cloud services: Security measures for cloud infrastructure.
  • Threat intelligence: Proactive identification of security threats.
  • ICT readiness: Business continuity preparations for ICT systems.

By implementing these controls, organisations ensure they are equipped to handle modern information security challenges.
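Because the 2022 revision merges 2013 controls and adds new ones, an existing Statement of Applicability (SoA) built against the 2013 identifiers cannot simply be relabelled. The following added example, not ISMS.online code, shows one way to migrate it: it inverts the old-to-new mapping and sorts each 2022 control into "carried over" (every predecessor was applicable), "partially merged" (only some predecessors were applicable, so the justification needs rewriting), "not applicable" (all predecessors were excluded) and "new" (no predecessor; must be assessed afresh). The table data is the Physical controls group transcribed from the full control table on this page; the sample 2013 SoA is constructed.

```python
# Physical controls group, transcribed from the control table on this page:
# (2022 identifier, 2013 identifiers it replaces (empty for NEW), control name)
PHYSICAL_2022 = [
    ("7.1", ("11.1.1",), "Physical Security Perimeters"),
    ("7.2", ("11.1.2", "11.1.6"), "Physical Entry"),
    ("7.3", ("11.1.3",), "Securing Offices, Rooms and Facilities"),
    ("7.4", (), "Physical Security Monitoring"),
    ("7.5", ("11.1.4",), "Protecting Against Physical and Environmental Threats"),
    ("7.6", ("11.1.5",), "Working In Secure Areas"),
    ("7.7", ("11.2.9",), "Clear Desk and Clear Screen"),
    ("7.8", ("11.2.1",), "Equipment Siting and Protection"),
    ("7.9", ("11.2.6",), "Security of Assets Off-Premises"),
    ("7.10", ("8.3.1", "8.3.2", "8.3.3", "11.2.5"), "Storage Media"),
    ("7.11", ("11.2.2",), "Supporting Utilities"),
    ("7.12", ("11.2.3",), "Cabling Security"),
    ("7.13", ("11.2.4",), "Equipment Maintenance"),
    ("7.14", ("11.2.7",), "Secure Disposal or Re-Use of Equipment"),
]


def old_to_new(table):
    """Invert the table: 2013 identifier -> 2022 identifier that absorbed it."""
    mapping = {}
    for new_id, old_ids, _name in table:
        for old_id in old_ids:
            mapping[old_id] = new_id
    return mapping


def migrate_soa(applicable_2013, table):
    """Classify every 2022 control in `table` against a set of 2013 identifiers
    that the old SoA marked as applicable."""
    applicable_2013 = set(applicable_2013)
    known = old_to_new(table)
    result = {
        "carried_over": {},       # 2022 id -> the 2013 ids it inherits justification from
        "partially_merged": [],   # some, not all, predecessors applicable: re-justify
        "not_applicable": [],     # every predecessor excluded in the old SoA
        "new": [],                # no predecessor: assess from scratch
        # identifiers in the old SoA that this table does not know (typo or other group)
        "unrecognised": sorted(i for i in applicable_2013 if i not in known),
    }
    for new_id, old_ids, _name in table:
        if not old_ids:
            result["new"].append(new_id)
            continue
        kept = sorted(i for i in old_ids if i in applicable_2013)
        if not kept:
            result["not_applicable"].append(new_id)
        elif len(kept) < len(old_ids):
            result["partially_merged"].append(new_id)
        else:
            result["carried_over"][new_id] = kept
    return result


# Constructed 2013 SoA extract: the organisation had excluded 11.1.6, 11.2.6,
# 8.3.3 and 11.2.5, and lists one identifier with a typo.
OLD_SOA = {
    "11.1.1", "11.1.2", "11.1.3", "11.1.4", "11.1.5",
    "11.2.1", "11.2.2", "11.2.3", "11.2.4", "11.2.7", "11.2.9",
    "8.3.1", "8.3.2", "11.2.99",
}

if __name__ == "__main__":
    outcome = migrate_soa(OLD_SOA, PHYSICAL_2022)
    for bucket, entries in outcome.items():
        print(f"{bucket}: {entries}")
```

The partially merged bucket is the one that needs a human decision: 7.2 (Physical Entry) and 7.10 (Storage Media) each absorb a 2013 control the organisation had excluded, so the old justification no longer covers the whole 2022 control. The same routine works for the other three groups once their rows from the table on this page are transcribed in the same shape.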


Full Table of ISO 27001 Controls

Below is the full list of ISO 27001:2022 Annex A controls, with the 2013 identifier(s) each one replaces or "NEW" where the control has no 2013 predecessor.

ISO 27001:2022 Organisational Controls
Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier(s) | Annex A Name
Organisational Controls | Annex A 5.1 | 5.1.1, 5.1.2 | Policies for Information Security
Organisational Controls | Annex A 5.2 | 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | 6.1.2 | Segregation of Duties
Organisational Controls | Annex A 5.4 | 7.2.1 | Management Responsibilities
Organisational Controls | Annex A 5.5 | 6.1.3 | Contact With Authorities
Organisational Controls | Annex A 5.6 | 6.1.4 | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence
Organisational Controls | Annex A 5.8 | 6.1.5, 14.1.1 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | 8.1.1, 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | 8.1.3, 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | 8.1.4 | Return of Assets
Organisational Controls | Annex A 5.12 | 8.2.1 | Classification of Information
Organisational Controls | Annex A 5.13 | 8.2.2 | Labelling of Information
Organisational Controls | Annex A 5.14 | 13.2.1, 13.2.2, 13.2.3 | Information Transfer
Organisational Controls | Annex A 5.15 | 9.1.1, 9.1.2 | Access Control
Organisational Controls | Annex A 5.16 | 9.2.1 | Identity Management
Organisational Controls | Annex A 5.17 | 9.2.4, 9.3.1, 9.4.3 | Authentication Information
Organisational Controls | Annex A 5.18 | 9.2.2, 9.2.5, 9.2.6 | Access Rights
Organisational Controls | Annex A 5.19 | 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21 | 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | 15.2.1, 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | 16.1.5 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | 16.1.6 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | 16.1.7 | Collection of Evidence
Organisational Controls | Annex A 5.29 | 17.1.1, 17.1.2, 17.1.3 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | 18.1.1, 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | 18.1.2 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | 18.1.3 | Protection of Records
Organisational Controls | Annex A 5.34 | 18.1.4 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | 18.2.1 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | 18.2.2, 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | 12.1.1 | Documented Operating Procedures

ISO 27001:2022 People Controls
Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier(s) | Annex A Name
People Controls | Annex A 6.1 | 7.1.1 | Screening
People Controls | Annex A 6.2 | 7.1.2 | Terms and Conditions of Employment
People Controls | Annex A 6.3 | 7.2.2 | Information Security Awareness, Education and Training
People Controls | Annex A 6.4 | 7.2.3 | Disciplinary Process
People Controls | Annex A 6.5 | 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | Annex A 6.6 | 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | Annex A 6.7 | 6.2.2 | Remote Working
People Controls | Annex A 6.8 | 16.1.2, 16.1.3 | Information Security Event Reporting

ISO 27001:2022 Physical Controls
Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier(s) | Annex A Name
Physical Controls | Annex A 7.1 | 11.1.1 | Physical Security Perimeters
Physical Controls | Annex A 7.2 | 11.1.2, 11.1.6 | Physical Entry
Physical Controls | Annex A 7.3 | 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring
Physical Controls | Annex A 7.5 | 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | Annex A 7.6 | 11.1.5 | Working In Secure Areas
Physical Controls | Annex A 7.7 | 11.2.9 | Clear Desk and Clear Screen
Physical Controls | Annex A 7.8 | 11.2.1 | Equipment Siting and Protection
Physical Controls | Annex A 7.9 | 11.2.6 | Security of Assets Off-Premises
Physical Controls | Annex A 7.10 | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | Storage Media
Physical Controls | Annex A 7.11 | 11.2.2 | Supporting Utilities
Physical Controls | Annex A 7.12 | 11.2.3 | Cabling Security
Physical Controls | Annex A 7.13 | 11.2.4 | Equipment Maintenance
Physical Controls | Annex A 7.14 | 11.2.7 | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls
Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier(s) | Annex A Name
Technological Controls | Annex A 8.1 | 6.2.1, 11.2.8 | User Endpoint Devices
Technological Controls | Annex A 8.2 | 9.2.3 | Privileged Access Rights
Technological Controls | Annex A 8.3 | 9.4.1 | Information Access Restriction
Technological Controls | Annex A 8.4 | 9.4.5 | Access to Source Code
Technological Controls | Annex A 8.5 | 9.4.2 | Secure Authentication
Technological Controls | Annex A 8.6 | 12.1.3 | Capacity Management
Technological Controls | Annex A 8.7 | 12.2.1 | Protection Against Malware
Technological Controls | Annex A 8.8 | 12.6.1, 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | Annex A 8.9 | NEW | Configuration Management
Technological Controls | Annex A 8.10 | NEW | Information Deletion
Technological Controls | Annex A 8.11 | NEW | Data Masking
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention
Technological Controls | Annex A 8.13 | 12.3.1 | Information Backup
Technological Controls | Annex A 8.14 | 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | Annex A 8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities
Technological Controls | Annex A 8.17 | 12.4.4 | Clock Synchronization
Technological Controls | Annex A 8.18 | 9.4.4 | Use of Privileged Utility Programs
Technological Controls | Annex A 8.19 | 12.5.1, 12.6.2 | Installation of Software on Operational Systems
Technological Controls | Annex A 8.20 | 13.1.1 | Networks Security
Technological Controls | Annex A 8.21 | 13.1.2 | Security of Network Services
Technological Controls | Annex A 8.22 | 13.1.3 | Segregation of Networks
Technological Controls | Annex A 8.23 | NEW | Web Filtering
Technological Controls | Annex A 8.24 | 10.1.1, 10.1.2 | Use of Cryptography
Technological Controls | Annex A 8.25 | 14.2.1 | Secure Development Life Cycle
Technological Controls | Annex A 8.26 | 14.1.2, 14.1.3 | Application Security Requirements
Technological Controls | Annex A 8.27 | 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | Annex A 8.28 | NEW | Secure Coding
Technological Controls | Annex A 8.29 | 14.2.8, 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | Annex A 8.30 | 14.2.7 | Outsourced Development
Technological Controls | Annex A 8.31 | 12.1.4, 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | Annex A 8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change Management
Technological Controls | Annex A 8.33 | 14.3.1 | Test Information
Technological Controls | Annex A 8.34 | 12.7.1 | Protection of Information Systems During Audit Testing

Navigating Implementation Challenges

Organisations may face challenges such as resource constraints and insufficient management support when implementing these updates. Effective resource allocation and stakeholder engagement are crucial for maintaining momentum and achieving successful compliance. Regular training sessions can help clarify the standard’s requirements, reducing compliance challenges.

Adapting to Evolving Security Threats

These updates demonstrate ISO 27001:2022’s adaptability to the changing security environment, ensuring organisations remain resilient against new threats. By aligning with these enhanced requirements, your organisation can bolster its security framework, improve compliance processes, and maintain a competitive edge in the global market.


How Can Organisations Successfully Attain ISO 27001 Certification?

Achieving ISO 27001:2022 requires a methodical approach, ensuring your organisation aligns with the standard’s comprehensive requirements. Here’s a detailed guide to navigate this process effectively:

Kickstart Your Certification with a Thorough Gap Analysis

Identify improvement areas with a comprehensive gap analysis. Assess current practices against the ISO 27001 standard to pinpoint discrepancies. Develop a detailed project plan outlining objectives, timelines, and responsibilities. Engage stakeholders early to secure buy-in and allocate resources efficiently.

Implement an Effective ISMS

Establish and implement an Information Security Management System (ISMS) tailored to your organisational goals. Implement the 93 Annex A controls, emphasising risk assessment and treatment (ISO 27001:2022 Clause 6.1). Our platform, ISMS.online, automates compliance tasks, reducing manual effort and enhancing precision.

Perform Regular Internal Audits

Conduct regular internal audits to evaluate the effectiveness of your ISMS. Management reviews are essential for performance evaluation and necessary adjustments (ISO 27001:2022 Clause 9.3). ISMS.online facilitates real-time collaboration, boosting team efficiency and audit readiness.

Engage with Certification Bodies

Select an accredited certification body and schedule the audit process, including Stage 1 and Stage 2 audits. Ensure all documentation is complete and accessible. ISMS.online offers templates and resources to simplify documentation and track progress.

Overcome Common Challenges with a Free Consultation

Overcome resource constraints and resistance to change by fostering a culture of security awareness and continuous improvement. Our platform supports maintaining alignment over time, aiding your organisation in achieving and sustaining certification.

Schedule a free consultation to address resource constraints and navigate resistance to change. Learn how ISMS.online can support your implementation efforts and ensure successful certification.

ISO 27001:2022 and Supplier Relationships Requirements

ISO 27001:2022 has introduced new requirements to ensure organisations maintain robust supplier and third-party management programs. This includes:

  • Identifying and Assessing Suppliers: Organisations must identify and analyse third-party suppliers that impact information security. A thorough risk assessment for each supplier is mandatory to ensure compliance with your ISMS.
  • Supplier Security Controls: Ensure that your suppliers implement adequate security controls and that these are regularly reviewed. This extends to ensuring that customer service levels and personal data protection are not adversely affected.
  • Auditing Suppliers: Organisations should audit their suppliers’ processes and systems regularly. This aligns with the new ISO 27001:2022 requirements, ensuring that supplier compliance is maintained and that risks from third-party partnerships are mitigated.


Enhanced Employee Cybersecurity Awareness

ISO 27001:2022 continues to emphasise the importance of employee awareness. Implementing policies for ongoing education and training is critical. This approach ensures that your employees are not only aware of security risks but are also capable of actively participating in mitigating those risks.

  • Human Error Prevention: Businesses should invest in training programs that aim to prevent human error, one of the leading causes of security breaches.
  • Clear Policy Development: Establish clear guidelines for employee conduct regarding data security. This includes awareness programs on phishing, password management, and mobile device security.
  • Security Culture: Foster a security-aware culture where employees feel empowered to raise concerns about cybersecurity threats. An environment of openness helps organisations tackle risks before they materialise into incidents.

ISO 27001:2022 Requirements for Human Resource Security

One of the essential refinements in ISO 27001:2022 is its expanded focus on human resource security. This involves:

  • Personnel Screening: Clear guidelines for personnel screening before hiring are crucial to ensuring that employees with access to sensitive information meet required security standards.
  • Training and Awareness: Ongoing education is required to ensure that staff are fully aware of the organisation’s security policies and procedures.
  • Disciplinary Actions: Define clear consequences for policy violations, ensuring that all employees understand the importance of complying with security requirements.

These controls ensure that organisations manage both internal and external personnel security risks effectively.


Employee Awareness Programs and Security Culture

Fostering a culture of security awareness is crucial for maintaining strong defences against evolving cyber threats. ISO 27001:2022 promotes ongoing training and awareness programs to ensure that all employees, from leadership to staff, are involved in upholding information security standards.

  • Phishing Simulations and Security Drills: Conducting regular security drills and phishing simulations helps ensure employees are prepared to handle cyber incidents.
  • Interactive Workshops: Engage employees in practical training sessions that reinforce key security protocols, improving overall organisational awareness.

Continual Improvement and Cybersecurity Culture

Finally, ISO 27001:2022 advocates for a culture of continual improvement, where organisations consistently evaluate and update their security policies. This proactive stance is integral to maintaining compliance and ensuring the organisation stays ahead of emerging threats.

  • Security Governance: Regular updates to security policies and audits of cybersecurity practices ensure ongoing compliance with ISO 27001:2022.
  • Proactive Risk Management: Encouraging a culture that prioritises risk assessment and mitigation allows organisations to stay responsive to new cyber threats.

Optimal Timing for ISO 27001 Adoption

Adopting ISO 27001:2022 is a strategic decision that depends on your organisation’s readiness and objectives. The ideal timing often aligns with periods of growth or digital transformation, where enhancing security frameworks can significantly improve business outcomes. Early adoption provides a competitive edge, as certification is recognised in over 150 countries, expanding international business opportunities.

Conducting a Readiness Assessment

To ensure a seamless adoption, conduct a thorough readiness assessment to evaluate current security practices against the updated standard. This involves:

  • Gap Analysis: Identify areas needing improvement and align them with ISO 27001:2022 requirements.
  • Resource Allocation: Ensure adequate resources, including personnel, technology, and budget, are available to support the adoption.
  • Stakeholder Engagement: Secure buy-in from key stakeholders to facilitate a smooth adoption process.

Aligning Certification with Strategic Goals

Aligning certification with strategic goals enhances business outcomes. Consider:

  • Timeline and Deadlines: Be aware of industry-specific deadlines for compliance to avoid penalties.
  • Continuous Improvement: Foster a culture of ongoing evaluation and enhancement of security practices.


Utilising ISMS.online for Effective Management

Our platform, ISMS.online, plays a vital role in managing the adoption effectively. It offers tools for automating compliance tasks, reducing manual effort, and providing real-time collaboration features. This ensures your organisation can maintain compliance and track progress efficiently throughout the adoption process.

By strategically planning and utilising the right tools, your organisation can navigate the adoption of ISO 27001:2022 smoothly, ensuring robust security and compliance.

Where Does ISO 27001:2022 Align with Other Regulatory Standards?

ISO 27001 plays a significant role in aligning with key regulatory frameworks, such as GDPR and NIS 2, to enhance data protection and streamline regulatory adherence. This alignment not only strengthens data privacy but also improves organisational resilience across multiple frameworks.

How Does ISO 27001:2022 Enhance GDPR Compliance?

ISO 27001:2022 complements GDPR by focusing on data protection and privacy through its comprehensive risk management processes (ISO 27001:2022 Clause 6.1). The standard’s emphasis on safeguarding personal data aligns with GDPR’s stringent requirements, ensuring robust data protection strategies.

What Role Does ISO 27001:2022 Play in Supporting NIS 2 Directives?

The standard supports the NIS 2 Directive by enhancing cybersecurity resilience. ISO 27001:2022’s controls for threat intelligence and incident management align with NIS 2’s objectives, fortifying organisations against cyber threats and ensuring continuity of critical services.

How Does ISO 27001:2022 Integrate with Other ISO Standards?

ISO 27001 integrates effectively with other ISO standards, such as ISO 9001 and ISO 14001, creating synergies that enhance overall regulatory alignment and operational efficiency. This integration facilitates a unified approach to managing quality, environmental, and security standards within an organisation.

How Can Organisations Achieve Comprehensive Regulatory Alignment with ISO 27001:2022?

Organisations can achieve comprehensive regulatory alignment by synchronising their security practices with broader requirements. Our platform, ISMS.online, offers extensive certification support, providing tools and resources to simplify the process. Industry associations and webinars further enhance understanding and implementation, ensuring organisations remain compliant and competitive.

Can ISO 27001:2022 Effectively Mitigate New Security Challenges?

Emerging threats, including cyber-attacks and data breaches, necessitate robust strategies. ISO 27001:2022 offers a comprehensive framework for managing risks, emphasising a risk-based approach to identify, assess, and mitigate potential threats.

How Does ISO 27001:2022 Enhance Cyber Threat Mitigation?

ISO 27001:2022 strengthens mitigation through structured risk management processes. By implementing Annex A controls, organisations can proactively address vulnerabilities, reducing cyber incidents. This proactive stance builds trust with clients and partners, differentiating businesses in the market.

What Measures Ensure Cloud Security with ISO 27001:2022?

Cloud security challenges are prevalent as organisations migrate to digital platforms. ISO 27001:2022 includes specific controls for cloud environments, ensuring data integrity and safeguarding against unauthorised access. These measures foster customer loyalty and enhance market share.

How Does ISO 27001:2022 Prevent Data Breaches?

Data breaches pose significant risks, impacting reputation and financial stability. ISO 27001:2022 establishes comprehensive protocols, ensuring continuous monitoring and improvement. Certified organisations often experience fewer breaches, maintaining effective security measures.

How Can Organisations Adapt to Evolving Threat Landscapes?

Organisations can adapt ISO 27001:2022 to evolving threats by regularly updating security practices. This adaptability ensures alignment with emerging threats, maintaining robust defences. By demonstrating a commitment to security, certified organisations gain a competitive edge and are preferred by clients and partners.

Cultivating a Security Culture with ISO 27001 Compliance

ISO 27001 serves as a cornerstone in developing a robust security culture by emphasising awareness and comprehensive training. This approach not only fortifies your organisation’s security posture but also aligns with current cybersecurity standards.

How to Enhance Security Awareness and Training

Security awareness is integral to ISO 27001:2022, ensuring your employees understand their roles in protecting information assets. Tailored training programmes empower staff to recognise and respond to threats effectively, minimising incident risks.

What Are Effective Training Strategies?

Organisations can enhance training by:

  • Interactive Workshops: Conduct engaging sessions that reinforce security protocols.
  • E-Learning Modules: Provide flexible online courses for continuous learning.
  • Simulated Exercises: Implement phishing simulations and incident response drills to test readiness.

How Does Leadership Influence Security Culture?

Leadership plays a pivotal role in embedding a security-focused culture. By prioritising security initiatives and leading by example, management instils responsibility and vigilance throughout the organisation, making security integral to the organisational ethos.

What Are the Long-Term Benefits of Security Awareness?

ISO 27001:2022 offers sustained improvements and risk reduction, enhancing credibility and providing a competitive edge. Organisations report increased operational efficiency and reduced costs, supporting growth and opening new opportunities.

How Does ISMS.online Support Your Security Culture?

Our platform, ISMS.online, aids organisations by offering tools for tracking training progress and facilitating real-time collaboration. This ensures that security awareness is maintained and continuously improved, aligning with ISO 27001:2022’s objectives.


Navigating Challenges in ISO 27001:2022 Implementation

Implementing ISO 27001:2022 involves overcoming significant challenges, such as managing limited resources and addressing resistance to change. These hurdles must be addressed to achieve certification and enhance your organisation’s information security posture.

Identifying Common Implementation Hurdles

Organisations often face difficulties in allocating adequate resources, both financial and human, to meet ISO 27001:2022’s comprehensive requirements. Resistance to adopting new security practices can also impede progress, as employees may be hesitant to alter established workflows.

Efficient Resource Management Strategies

To optimise resource management, prioritise tasks based on risk assessment outcomes, focusing on high-impact areas (ISO 27001:2022 Clause 6.1). Our platform, ISMS.online, automates compliance tasks, reducing manual effort and ensuring critical areas receive the necessary attention.

Overcoming Resistance to Change

Effective communication and training are key to mitigating resistance. Engage employees in the implementation process by highlighting the benefits of ISO 27001:2022, such as enhanced data protection and GDPR alignment. Regular training sessions can foster a culture of security awareness and compliance.

Enhancing Implementation with ISMS.online

ISMS.online plays a pivotal role in overcoming these challenges by providing tools that enhance collaboration and streamline documentation. Our platform supports integrated compliance strategies, aligning ISO 27001 with standards like ISO 9001, thereby improving overall efficiency and regulatory adherence. By simplifying the implementation process, ISMS.online helps your organisation achieve and maintain ISO 27001:2022 certification effectively.

What are the key differences between ISO 27001:2022 and earlier versions?

ISO 27001:2022 introduces pivotal updates to meet evolving security demands, enhancing its relevance in today’s digital environment. The most visible change is the restructuring of Annex A: the 114 controls of the 2013 edition have been consolidated into 93 controls grouped into four themes (organisational, people, physical and technological), and 11 new controls have been added, including threat intelligence (A.5.7) and information security for use of cloud services (A.5.23). These additions underscore the growing importance of digital ecosystems and proactive threat management.

Impact on Compliance and Certification
The updates in ISO 27001:2022 require adjustments in compliance processes. Your organisation must integrate the new controls into its Information Security Management System (ISMS), reflecting them in its risk treatment plan and Statement of Applicability (ISO 27001:2022 Clause 6.1.3). This integration streamlines certification by providing a comprehensive framework for managing information risks.

New Controls and Their Significance
The introduction of controls focused on cloud security and threat intelligence is noteworthy. These controls help your organisation protect data in complex digital environments, addressing vulnerabilities unique to cloud systems. By implementing these measures, you can enhance your security posture and reduce the risk of data breaches.

Adapting to New Requirements
To adapt to these changes, your organisation should conduct a thorough gap analysis to identify areas needing improvement. This involves assessing current practices against the updated standard, ensuring alignment with new controls. By using platforms like ISMS.online, you can automate compliance tasks, reducing manual effort and enhancing efficiency.

These updates highlight ISO 27001:2022’s commitment to addressing contemporary security challenges, ensuring your organisation remains resilient against emerging threats.

Why should Compliance Officers prioritise ISO 27001:2022?

ISO 27001:2022 is pivotal for compliance officers seeking to enhance their organisation’s information security framework. Its structured methodology for regulatory adherence and risk management is indispensable in today’s interconnected environment.

Navigating Regulatory Frameworks
ISO 27001:2022 aligns with global standards like GDPR, providing a comprehensive framework that ensures data protection and privacy. By adhering to its guidelines, you can confidently navigate complex regulatory landscapes, reducing legal risks and enhancing governance (ISO 27001:2022 Clause 6.1).

Proactive Risk Management
The standard’s risk-based approach enables organisations to systematically identify, assess, and mitigate risks. This proactive stance minimises vulnerabilities and fosters a culture of continuous improvement, essential for maintaining a robust security posture. Compliance officers can utilise ISO 27001:2022 to implement effective risk treatment strategies, ensuring resilience against emerging threats.

Enhancing Organisational Security
ISO 27001:2022 significantly enhances your organisation’s security posture by embedding security practices into core business processes. This integration boosts operational efficiency and builds trust with stakeholders, positioning your organisation as a leader in information security.

Effective Implementation Strategies
Compliance officers can implement ISO 27001:2022 effectively by utilising platforms like ISMS.online, which streamline efforts through automated risk assessments and real-time monitoring. Engaging stakeholders and fostering a security-aware culture are crucial steps in embedding the standard’s principles across your organisation.

By prioritising ISO 27001:2022, you not only safeguard your organisation’s data but also drive strategic advantages in a competitive market.

How does ISO 27001:2022 enhance security frameworks?

ISO 27001:2022 establishes a comprehensive framework for managing information security, focusing on a risk-based approach. This approach allows your organisation to systematically identify, assess, and address potential threats, ensuring robust protection of sensitive data and adherence to international standards.

Key Strategies for Threat Mitigation

  • Conducting Risk Assessments: Thorough evaluations identify vulnerabilities and potential threats (ISO 27001:2022 Clause 6.1), forming the basis for targeted security measures.
  • Implementing Security Controls: Annex A controls are utilised to address specific risks, ensuring a holistic approach to threat prevention.
  • Continuous Monitoring: Regular reviews of security practices allow adaptation to evolving threats, maintaining the effectiveness of your security posture.

Data Protection and Privacy Alignment
ISO 27001:2022 integrates security practices into organisational processes, aligning with regulations like GDPR. This ensures that personal data is handled securely, reducing legal risks and enhancing stakeholder trust.

Building a Proactive Security Culture
By fostering security awareness, ISO 27001:2022 promotes continuous improvement and vigilance. This proactive stance minimises vulnerabilities and strengthens your organisation’s overall security posture. Our platform, ISMS.online, supports these efforts with tools for real-time monitoring and automated risk assessments, positioning your organisation as a leader in information security.

Incorporating ISO 27001:2022 into your security strategy not only fortifies defences but also enhances your organisation’s reputation and competitive advantage.

What advantages does ISO 27001:2022 offer to CEOs?

ISO 27001:2022 is a strategic asset for CEOs, enhancing organisational resilience and operational efficiency through a risk-based methodology. This standard aligns security protocols with business objectives, ensuring robust information security management.

How does ISO 27001:2022 enhance strategic business integration?

Risk Management Framework:
ISO 27001:2022 provides a comprehensive framework for identifying and mitigating risks, safeguarding your assets, and ensuring business continuity.

Regulatory Compliance Standards:
By aligning with global standards like GDPR, it minimises legal risks and strengthens governance, essential for maintaining market trust.

What are the competitive advantages of ISO 27001:2022?

Reputation Enhancement:
Certification demonstrates a commitment to security, boosting customer trust and satisfaction. Organisations often report increased client confidence, leading to higher retention rates.

Global Market Access:
With acceptance in over 150 countries, ISO 27001:2022 facilitates entry into international markets, offering a competitive edge.

How can ISO 27001:2022 drive business growth?

Operational Efficiency:
Streamlined processes reduce security incidents, lowering costs and improving efficiency.

Innovation and Digital Transformation:
By fostering a culture of security awareness, it supports digital transformation and innovation, driving business growth.

Integrating ISO 27001:2022 into your strategic planning aligns security measures with organisational goals, ensuring they support broader business objectives. Our platform, ISMS.online, simplifies compliance, offering tools for real-time monitoring and risk management, ensuring your organisation remains secure and competitive.

How to facilitate digital transformation with ISO 27001:2022

ISO 27001:2022 provides a comprehensive framework for organisations transitioning to digital platforms, ensuring data protection and adherence to international standards. This standard is pivotal in managing digital risks and enhancing security measures.

How to Manage Digital Risks Effectively
ISO 27001:2022 offers a risk-based approach to identify and mitigate vulnerabilities. By conducting thorough risk assessments and implementing Annex A controls, your organisation can proactively address potential threats and maintain robust security measures. This approach aligns with evolving cybersecurity requirements, ensuring your digital assets are safeguarded.

How to Foster Secure Digital Innovation
Integrating ISO 27001:2022 into your development lifecycle ensures security is prioritised from design to deployment. This reduces breach risks and enhances data protection, allowing your organisation to pursue innovation confidently while maintaining compliance.

How to Build a Culture of Digital Security
Promoting a culture of security involves emphasising awareness and training. Implement comprehensive programmes that equip your team with the skills needed to recognise and respond to digital threats effectively. This proactive stance fosters a security-conscious environment, essential for successful digital transformation.

By adopting ISO 27001:2022, your organisation can navigate digital complexities, ensuring security and compliance are integral to your strategies. This alignment not only protects sensitive information but also enhances operational efficiency and competitive advantage.

What are the key considerations for implementing ISO 27001:2022?

Implementing ISO 27001:2022 involves meticulous planning and resource management to ensure successful integration. Key considerations include strategic resource allocation, engaging key personnel, and fostering a culture of continuous improvement.

Strategic Resource Allocation
Prioritising tasks based on comprehensive risk assessments is essential. Your organisation should focus on high-impact areas, ensuring they receive adequate attention as outlined in ISO 27001:2022 Clause 6.1. Utilising platforms like ISMS.online can automate tasks, reducing manual effort and optimising resource use.

Engaging Key Personnel
Securing buy-in from key personnel early in the process is vital. This involves fostering collaboration and aligning with organisational goals. Clear communication of the benefits and objectives of ISO 27001:2022 helps mitigate resistance and encourages active participation.

Fostering a Culture of Continuous Improvement
Regularly reviewing and updating your Information Security Management System (ISMS) to adapt to evolving threats is crucial. This involves conducting periodic internal audits and management reviews to identify areas for enhancement, as specified in ISO 27001:2022 Clauses 9.2 and 9.3.

Steps for Successful Implementation
To ensure successful implementation, your organisation should:

  • Conduct a gap analysis to identify areas needing improvement.
  • Develop a comprehensive project plan with clear objectives and timelines.
  • Utilise tools and resources, such as ISMS.online, to streamline processes and enhance efficiency.
  • Foster a culture of security awareness through regular training and communication.

By addressing these considerations, your organisation can effectively implement ISO 27001:2022, enhancing its security posture and ensuring alignment with international standards.

Start your ISO 27001:2022 journey with ISMS.online. Schedule a personalised demo now to see how our comprehensive solutions can simplify your compliance and streamline your implementation processes. Enhance your security framework and boost operational efficiency with our cutting-edge tools.

How Can ISMS.online Streamline Your Compliance Journey?

  • Automate and Simplify Tasks: Our platform reduces manual effort and enhances precision through automation. The intuitive interface guides you step-by-step, ensuring all necessary criteria are met efficiently.
  • What Support Does ISMS.online Offer?: With features like automated risk assessments and real-time monitoring, ISMS.online helps maintain a robust security posture. Our solution aligns with ISO 27001:2022’s risk-based approach, proactively addressing vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Why Schedule a Personalised Demo?: Discover how our solutions can transform your strategy. A personalised demo illustrates how ISMS.online can meet your organisation’s specific needs, offering insights into our capabilities and benefits.

How Does ISMS.online Enhance Collaboration and Efficiency?

Our platform fosters seamless teamwork, enabling your organisation to achieve ISO 27001:2022 certification. By utilising ISMS.online, your team can enhance its security framework, improve operational efficiency, and gain a competitive edge. Book a demo today to experience the transformative power of ISMS.online and ensure your organisation remains secure and compliant.


Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.

Related Topics

ISO 27001

EU Digital Omnibus Bill: Joined-up Compliance on the Agenda

The EU has introduced a new Digital Omnibus Bill designed to streamline data protection, cybersecurity and AI regulation. How can organisations ensure their own compliance strategies are adaptable and joined-up to remain resilient as digital regulation evolves?

By Kate O’Flaherty

Navigating the multitude of digital laws across numerous jurisdictions is a minefield for most organisations. And the ongoing struggle to comply with them all individually makes little sense, when so many of the regulations’ requirements overlap. It is with this in mind that the EU has proposed a Digital Omnibus Bill designed to streamline and align data protection, cybersecurity and AI regulation. First announced in November 2025, the Bill is currently under consultation and targeted for implementation in early 2027. It is expected to deliver up to 5 billion euros in savings by 2029.

As digital regulation covering data protection, cybersecurity and AI converges, it is reshaping expectations around governance, accountability and risk management. Organisations now need adaptable and joined-up compliance strategies to remain resilient as digital regulation evolves.

Perfect Moment for a Bill

The Bill has arrived at the perfect moment. Over time, the accumulation of new rules on digital security, data integrity and privacy has increased complexity and driven up compliance costs for organisations operating in the EU, says Ben Lipczynski, director of security services at Origina. Regulations such as the EU General Data Protection Regulation (GDPR), Network and Information Systems 2 (NIS2), the Cyber Resilience Act and the EU AI Act have been introduced with clear objectives. Yet their overlap has “created unnecessary administrative burden and reduced competitiveness”, says Lipczynski. With the proposed Digital Omnibus Bill, the EU has recognised that “fragmented and duplicative digital regulation” is undermining the effectiveness of the single market, he tells IO.

The Digital Omnibus is not just another law. It should be seen as the EU admitting that the old model of treating multiple regulations as separate silos no longer works, says Tracey Hannan-Jones, consulting director, information security and GRC and group DPO at UBDS Digital. “It is the EU's first attempt to partially unify the digital rulebook, with optimisation across data, AI and cyber, by amending existing instruments — rather than layering new ones on top.” In reality, this means it's “a horizontal clean-up”. It amends GDPR, NIS2, EU AI Act, the Data Governance Act, and others, through “one coordinated package”, Hannan-Jones explains.

Law Overlaps

Current digital laws overlap across multiple areas. For example, NIS2, the Cyber Resilience Act and the EU AI Act overlap in relation to incident reporting and resilience requirements. These overlaps are expected to be addressed through the proposed Single-Entry Point, which aims to simplify and consolidate reporting obligations across frameworks, says Origina’s Lipczynski. This will be a major shift away from often siloed regulatory frameworks, which can result in “increased complexity and competing requirements”, says Lipczynski.

Currently, when reporting cyber incidents, organisations may be required to report to multiple independent agencies — each prioritising different datasets within the incident report. “This can create significant administrative burden at a critical time.” Similarly, tracking and responding to changes across numerous regulations — often communicated through independent and dispersed channels — adds further complexity. “This fragmentation makes it harder to align response plans and governance structures, increasing both compliance effort and operational risk,” says Lipczynski.

Alignment could allow organisations to streamline and standardise their compliance frameworks and realise operational efficiencies — and therefore savings, says Lipczynski. “Resource can then be directed to efforts which may further develop the capabilities and competitiveness of the business.”

However, organisations should note that while regulatory convergence creates opportunities, it may also create some challenges, says David Dumont, partner, Hunton Andrews Kurth. “A harmonised and clear set of digital rules may require organisations to adopt a more comprehensive and consistent approach to their data practices and related obligations, leaving less room to hide behind the complexities and inconsistencies of the current patchwork of regulations.”

Joined-up Digital Risk Governance in Practice

The Digital Omnibus Bill is a clear sign that companies need to shake up siloed approaches to data protection, cybersecurity and AI compliance. Firms should strive for “joined-up” digital risk governance, which means that “internal multidisciplinary stakeholders must work together and speak the same language”, says Hunton Andrews Kurth’s Dumont. To achieve this, privacy, legal and compliance teams should try to translate legal requirements into technical terms. “This will help IT and data governance teams to identify relevant existing measures within the organisation and fully leverage them for compliance with the framework of new digital laws,” he advises.

In practice, joined-up digital risk governance means establishing a single governance layer through which all sensitive data communications — whether email, file sharing, managed file transfer, or web forms — are routed, monitored, and controlled under one consistent set of policies, says Dario Perfettibile, general manager, EMEA GTM and customer operations at Kiteworks. “It means that the same encryption standards, access controls, and audit logs that satisfy GDPR's data protection requirements also serve as evidence for NIS2 incident reporting and Cyber Resilience Act vulnerability management.” It also means that when an employee shares data with a third-party AI vendor, the exchange is automatically governed by the same controls that protect patient records or financial transactions. “You’ll need a complete chain of custody visible to auditors across every applicable framework,” adds Perfettibile.

Future-Proof Compliance

With the Digital Omnibus Bill coming in a year, it makes sense to start future-proofing your compliance strategy now. Aligning with governance frameworks and ISO standards such as ISO 27001 (information security), ISO 42001 (AI management), and ISO 27701 (privacy), is crucial for navigating the changes.

To ensure joined-up compliance going forward, UBDS Digital’s Hannan-Jones advises firms to consolidate their governance bodies. As part of this, she suggests the creation of a single digital risk committee to own data protection strategy (GDPR), cybersecurity posture (NIS2/CRA), AI governance (AI Act) and product compliance (CRA/sectoral rules). At the same time, if you're operating across multiple jurisdictions, the strategic move is to look at all laws and frameworks and map the overlap, not just the obligations, says Hannan-Jones. She advises building a matrix that shows where regulation such as GDPR, NIS and the AI Act require risk assessments, governance roles, technical and organisational measures, incident reporting and documentation with record-keeping. “Then design shared processes where the overlaps are strongest.”

Organisations can standardise their assessments and documentation by developing one core risk assessment methodology with modules for privacy, AI, and security. “Ensure that unified baselines are captured including access control, logging and monitoring, testing and encryption,” she adds. As digital regulations converge, this should tie back to a unified incident response programme that classifies breaches across privacy, security and AI. “And, where appropriate, automatically map them to the relevant legal reporting duties and timelines,” says Hannan-Jones. “This will enable you to create one evidence trail that can be reused for multiple regulators.”
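The unified incident response programme Hannan-Jones describes, one that classifies an incident once and maps it to the reporting duties and timelines of each regime, is straightforward to express in code. The following is an added example, not code from the article or from any of the organisations quoted. It covers GDPR and NIS2 only (the AI Act is left out), uses the deadlines set in GDPR Article 33 and NIS2 Article 23, and assumes the `risk_to_individuals` and `significant` inputs come from the organisation’s own triage; the sample incident is constructed for illustration.

```python
"""Added example (not from the page): derive the statutory reporting schedule an
incident triggers under GDPR and NIS2 from a single classification record.

Deadlines used: GDPR Art. 33 (72 h to the supervisory authority, Art. 34 to data
subjects without undue delay) and NIS2 Art. 23 (24 h early warning, 72 h incident
notification, final report within one month).  The "risk" and "significant" fields are
assumed to be produced by the organisation's own triage and are simplified here."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Incident:
    detected_at: datetime
    personal_data_affected: bool   # personal data was compromised (GDPR scope)
    risk_to_individuals: str       # "none" | "likely" | "high" (assumed triage output)
    nis2_entity: bool              # organisation is an essential/important entity under NIS2
    significant: bool              # meets the NIS2 "significant incident" test (assumed triage output)


@dataclass(frozen=True)
class Duty:
    framework: str
    step: str
    due: Optional[datetime]        # None = "without undue delay", no fixed clock


def reporting_duties(inc: Incident) -> list[Duty]:
    """Return every reporting duty the incident triggers, earliest deadline first."""
    t = inc.detected_at
    duties: list[Duty] = []

    # GDPR Art. 33: notify the supervisory authority within 72 h of becoming aware,
    # unless the breach is unlikely to result in a risk to individuals.
    if inc.personal_data_affected and inc.risk_to_individuals != "none":
        duties.append(Duty("GDPR", "Art. 33 notification to supervisory authority", t + timedelta(hours=72)))
        # Art. 34: high-risk breaches must also be communicated to the data subjects.
        if inc.risk_to_individuals == "high":
            duties.append(Duty("GDPR", "Art. 34 communication to data subjects", None))

    # NIS2 Art. 23: staged reporting to the CSIRT/competent authority for significant incidents.
    if inc.nis2_entity and inc.significant:
        duties.append(Duty("NIS2", "Art. 23 early warning", t + timedelta(hours=24)))
        duties.append(Duty("NIS2", "Art. 23 incident notification", t + timedelta(hours=72)))
        # "One month" in the Directive; approximated as 30 days here.
        duties.append(Duty("NIS2", "Art. 23 final report", t + timedelta(days=30)))

    # Sort by deadline; open-ended duties go last. Sorting is stable, so ties keep insertion order.
    return sorted(duties, key=lambda d: (d.due is None, d.due or t))


def schedule_hours(inc: Incident) -> list[tuple[str, str, Optional[float]]]:
    """Same schedule expressed as hours after detection, convenient for dashboards and tests."""
    return [
        (d.framework, d.step, None if d.due is None else (d.due - inc.detected_at).total_seconds() / 3600)
        for d in reporting_duties(inc)
    ]


# Constructed sample: a ransomware event at a hospital (assumed to be a NIS2 essential
# entity) that also exposed patient records.
SAMPLE = Incident(
    detected_at=datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc),
    personal_data_affected=True,
    risk_to_individuals="high",
    nis2_entity=True,
    significant=True,
)

if __name__ == "__main__":
    for framework, step, hours in schedule_hours(SAMPLE):
        label = "no fixed deadline" if hours is None else f"{hours:.0f} h after detection"
        print(f"{framework:5} {step:45} {label}")
```

The point of a single schedule like this is that the 24-hour NIS2 early warning, not the 72-hour GDPR notification, sets the clock for a hospital incident that involves both regimes; a privacy-only view of the same event would miss the earliest deadline.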
ISO 27001

Why Do GDPR Fines Keep Rising?

General Data Protection Regulation fines continue to increase as European regulators toughen their response to data incidents. According to the GDPR Enforcement Tracker, firms incurred over 330 fines in 2025. Law firm DLA Piper claims they totalled €1.2 billion. Social media firm TikTok was hit with 2025’s largest GDPR fine. Issued in Ireland, the €530 million fine concerned its sharing of European user data to China-based personnel. Last year also resulted in Luxembourg’s data supervisory authority upholding a 2021 €746m GDPR fine issued against Amazon after it harvested user data for advertising purposes without user consent. An appeal by Amazon was rejected, suggesting that European data protection watchdogs are serious about GDPR enforcement. The continued prevalence of GDPR fines can be attributed to a record increase in data breach notifications, which firms must issue within 72 hours of a data incident. DLA Piper found that, in 2025, these notifications reached 400 per day for the first time since GDPR’s 2018 implementation. Between January 2024 and January 2026, they topped 443 - up 22% from 363. DLA Piper attributes this to hacking driven by global geopolitical instability, increased press coverage of cybercrime, and the emergence of data breach laws and rules that mandate incident notifications. Clearly, data protection regulators aren’t prepared to ignore GDPR violations now that the law has been in place for eight years. However, with data the lifeblood of modern organisations and GDPR fines not just posing a financial risk but wider harm to businesses, what can they do to comply? Regulators Are Clamping Down A major reason behind the recent spate of GDPR fines is that regulators believe businesses have had more than enough time to understand the law and put it into practice, according to Lucas von Stockhausen, executive director of security engineering at application security firm Black Duck. 
He tells IO that data protection authorities have had enough of excuses used by non-compliant firms and are now focused on holding them accountable. Ignoring this could result in “substantial penalties” for companies, with regulators able to fine up to €20 million or 4% of global annual revenue for the worst infringements. Despite regulators continuing to clamp down on GDPR violations by issuing fines, many firms remain oblivious to this. Jake Moore, global cybersecurity advisor at antivirus software maker ESET, says data protection is a “tickbox exercise” for lots of organisations - when, in fact, it should be embedded throughout every area of a modern business. He says this results in "weak access controls” and failure to remember the location of sensitive data. Consequently, data can easily fall into the hands of unauthorised parties, and if businesses are unsure where they stored a particular piece of data, they’ll struggle to fulfil data deletion requests. These issues put firms at risk of GDPR fines. But GDPR non-compliance doesn't just put businesses at risk of costly fines - it can harm all aspects of a company's operations. Jo Brianti, a data protection specialist, says cleanup efforts can result in “operational disruption” when executives have to dedicate already-stretched schedules to cleanup efforts. Executives could even be liable for fines themselves if they knew about GDPR failures and didn’t intervene, she adds. She says neglecting GDPR can also damage firms’ reputations, expose them to costly lawsuits launched by affected customers, make it harder for businesses to operate in different markets by disrupting “platform obligations and cross-border data flows” and show up in due diligence reports, leading to a loss of sales and other business opportunities. AI Is Changing The Playing Field The growing adoption of artificial intelligence technology by businesses is also contributing to rising GDPR fines. 
As AI is trained on large datasets to function and improve over time, the risk of data leaks and subsequent regulatory action is significant. And because many firms use AI systems developed by third-party technology vendors, they don’t always have control over how the data they input into these applications is stored and protected. According to von Stockhausen of Black Duck, this means there’s a real risk of inadvertent data exposure and subsequent GDPR enforcement. He tells IO: “The efficiency gains can be tremendous, but from a GDPR standpoint, the central risk is clear: organisations must be able to guarantee that AI outputs do not reveal personal data.” When it comes to securing AI systems and the data upon which they rely, businesses aren’t just expected to follow GDPR guidelines. There’s also a growing legislative landscape dedicated to AI. It’s easy for firms to treat GDPR and AI compliance as separate entities, but this could be counterintuitive. ESET’s Moore explains that because data privacy and AI governance use identical datasets, businesses are better off “treating them as one joined-up discipline with clear ownership”. Doing so can result in simplified workloads and no duplicated work, making employees less likely to neglect data. Moore says it can result in fewer fines for businesses. Brianti is another firm believer in a joined-up approach to data and IT governance, explaining that regulators are now “converging GDPR with a wider digital package”. She uses the EU’s Digital Services, Digital Markets Act, and updates to existing data and AI-related laws as examples. According to Brianti, failing to comply with any one of these laws can cause “knock-on effects across multiple regulatory frameworks”. 
She tells IO: “This turns GDPR from a legal silo into a strategic risk affecting corporate governance, investor risk profiles, acquisition due diligence and reputation management.”

Getting Compliance Right

As regulators continue to enforce GDPR, von Stockhausen of Black Duck says their primary expectation is that businesses have implemented a “clear” data privacy strategy that explains the reasons behind personal data collection, whether the data is actually needed, and their data storage and protection methods. “Regulators are looking for companies that handle personal information deliberately, responsibly, and with a clear understanding of the risks,” he says. “Those that don’t are increasingly finding themselves under scrutiny.”

But he says the most important way to stay compliant with GDPR is to be constantly vigilant about data privacy and security risks. To do this, he says businesses must enforce “demonstrable safeguards”, constantly monitor the threats posed by new technologies and adapt existing data privacy strategies accordingly.

For businesses unsure where to start, Brianti recommends integrating best practices outlined in professional standards and frameworks into everyday processes to meet regulatory requirements such as GDPR. She says ISO 27001 is great for handling information security-related issues and ISO 27701 for privacy. Cyber Essentials and NIST 800-53 are two more of her top picks.
Other recommendations from Brianti to ensure GDPR compliance include:

  • logging the location of personal data and the way it's processed in an inventory;
  • adopting privacy-by-design principles so products are always data secure;
  • defining roles and responsibilities related to data privacy;
  • educating staff on the importance of data privacy;
  • documenting all decisions made about data privacy;
  • determining data risks through impact assessments;
  • keeping these assessments and everything related to data in a single environment;
  • and ensuring all incident response activities are aligned.

It’s easy to think of GDPR non-compliance as just paying a fine and moving on. But that’s just wishful thinking. GDPR enforcement can deal a huge blow to business operations and growth. That's why it should be treated as a strategic priority, rather than a tickbox exercise just to please bureaucrats. And when GDPR compliance is aligned with other IT-related governance activities, businesses can rest assured they’ll keep regulators happy and protect themselves from a fast-changing cyber threat landscape.

DXS International Breach: Lessons Learned for Healthcare

As high-stakes incidents in the healthcare sector surge, organisations must learn to manage information security, data protection and AI risk as a connected governance challenge. How can this be done?

By Kate O’Flaherty

On 14 December 2025, DXS International — which provides healthcare information and clinical decision support for roughly 10% of all NHS referrals in England — suffered a data breach impacting its office servers. In a filing with the London Stock Exchange, DXS International claimed the breach was “immediately contained” in a joint effort by its internal IT security teams in close cooperation with NHS England. But soon afterwards, the DevMan ransomware group claimed to have stolen 300GB of data, including internal budgets and financial files.

While the incident itself had minimal impact and the company's front-line clinical services remained operational, it’s a prime example of how third-party risk can cascade through the supply chain. As incidents such as this surge, healthcare organisations must learn to manage information security, data protection and AI risk as a connected governance challenge. How can this be done?

A Major Problem

Because DXS International’s services remained up and running, it’s easy to dismiss the breach as uneventful. However, while frontline clinical services stayed up, other issues could show up further down the line, says Skip Sorrels, field CTO-CISO at Claroty. “When you compromise the administrative backbone of healthcare delivery, you're creating long-tail risks such as identity theft, phishing campaigns, and erosion of patient trust.”

Sorrels points out that “operational” doesn't mean “safe”: “Attackers are deliberately targeting the softer administrative systems because they know these suppliers often lack the same security rigor as the clinical infrastructure they support.”

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, concurs with this assessment.
“Stolen data can be misused, affecting patient privacy for years.” He describes how financial repercussions, including investigation costs, legal fees and possible fines, could strain resources already under pressure in public health services. “Moreover, it highlights systemic issues in digital health infrastructure, prompting broader scrutiny of how interconnected technologies handle sensitive information.”

Third Party Risks

UK healthcare has strengthened cyber efforts continuously since the WannaCry ransomware attack hit the NHS in 2017. Regulators are placing increasing focus on supply chains, recognising that vulnerabilities in managed service providers or critical suppliers can have wide-reaching impacts, says Katharina Sommer, group head of government affairs at NCC Group.

Third-party and supply-chain risks represent “one of the most pressing security challenges in healthcare”, as the sector increasingly relies on external vendors for essential services, says Curran. “Software supply chain attacks are highly dangerous and increasingly prevalent because they exploit the interconnected nature of modern software development,” Curran tells IO. “These attacks target vulnerabilities in dependencies, build processes, or third-party components, often allowing attackers to compromise multiple companies through a single point of failure.”

Beyond the immediate impact, issues can be caused by smaller organisations with “large systemic footprints, but limited security maturity”, says Tracey Hannan-Jones, consulting director of information security and GRC and group DPO at UBDS Digital. Making things worse, the healthcare sector is facing a visibility challenge, according to Claroty’s Sorrels. “Most healthcare organisations struggle to truly understand the security posture of their third and fourth-party vendors.
You can't outsource a service and think you've outsourced the risk.”

Regulatory Expectations

In addition to supply chain security, regulation is increasingly mandating that critical services such as healthcare must take extra steps to boost resilience. When breaches do happen, those operating in the sector are expected to safeguard data and stick to stringent reporting requirements. The DXS International breach provides insight into the regulatory expectations governing healthcare data in the UK and EU, particularly under the General Data Protection Regulation (GDPR) and aligned UK data protection laws. “These frameworks mandate that organisations processing personal data, including health information, must ensure robust safeguards and respond transparently to incidents,” says Ulster University’s Curran.

In this case, DXS's “prompt notification” to the Information Commissioner's Office (ICO) and law enforcement aligns with GDPR Article 33, which requires breach reporting within 72 hours if there is a risk to individuals' rights and freedoms, Curran says. Similarly, UK requirements under the Data Protection Act 2018 emphasise accountability, compelling entities to document and mitigate risks associated with data handling, Curran says. “The ICO's ongoing assessment of the incident reflects how regulators scrutinise not just the breach itself, but the adequacy of response measures, including containment and investigation protocols,” he tells IO. Regulators increasingly demand evidence of proactive risk management because reactive approaches have proven insufficient against evolving threats — as evidenced by the rising number of cyber incidents in healthcare, according to Curran.

Interconnected Risks

It comes at a time when cyber, privacy and AI risks are becoming inseparable in healthcare environments due to connected systems, data sharing and automation. Meanwhile, AI-driven tools are reshaping risk profiles.
The DXS International incident exemplifies this convergence, where a supplier's breach could “potentially expose integrated networks handling patient data, blending cybersecurity threats with privacy concerns”, says Curran. Data sharing across ecosystems – between providers, suppliers, and even cross-border entities – further erodes traditional boundaries, he points out. “Under frameworks such as the NHS's Health and Social Care Network, information flows dynamically. This interconnectedness can lead to a cyber incident cascading into privacy violations, such as the inadvertent disclosure of sensitive health records.” With this risk in mind, treating cyber, privacy, and AI risks in silos within healthcare environments “fosters significant blind spots”, says Curran. Instead, firms need to take a joined-up approach to risk governance. This requires using integrated frameworks that bring together information security, data protection and AI governance to support resilience, trust and long-term compliance. For example, organisations need to consider AI agents and humans as “a combined workforce that interacts with software and infrastructure”, says Javvad Malik, lead CISO advisor at KnowBe4. “For this we need clear accountability, supplier assurance, and oversight that brings data, humans, and AI together to support trust and resilience.” Frameworks such as the National Cyber Security Centre’s Cyber Assessment Framework, ISO 27001 and NIST Cybersecurity Framework provide “practical tools to integrate controls, policies and risk metrics”, says NCC Group’s Sommer. “This helps organisations build trust, demonstrate compliance and manage cyber risk in a coherent and defensible way.” Ulster University’s Curran advises establishing “cross-functional teams” comprising experts from cybersecurity, privacy and AI to collaborate on risk assessments, ensuring that threats are evaluated through “a multifaceted lens”. 
Resilient, Trustworthy and Future-Ready

Healthcare organisations and the suppliers they rely on must work to build more resilient, trustworthy and future-ready risk management practices. To win, organisations need to move towards a unified approach to risk, says Ivan Milenkovic, vice president risk technology EMEA at Qualys. “Instead of reinventing the wheel, the best teams integrate established international standards for security, privacy and the emerging frontier of AI management into one engine.”

Central to this is embedding risk management into organisational culture through unified policies that mandate “regular, integrated audits”, Ulster University’s Curran advises. Meanwhile, implement a shared responsibility model with your vendors, says Claroty’s Sorrels. “Don't treat supplier contracts as 'set and forget’. Demand continuous transparency, evidence of security testing and proof they're meeting baseline standards.”

What the LastPass Breach Tells Us About Compliance in 2026

The GDPR was always meant to be vague. By not listing prescriptive technical controls – as, for example, PCI DSS does – the regulation does a better job of staying relevant over time. Yet its principle of “technology neutrality” can also be a source of frustration to compliance teams. For more pragmatic guidance, many turn to best practice standards like ISO 27001:2022, which promotes a structured, risk-led approach to cybersecurity. Yet as data breaches at LastPass and other organisations have shown, it’s not a panacea – especially if teams don’t approach compliance with a mindset of continuous review and improvement.

What Happened to LastPass?

The 2022 LastPass breach is thought to have exposed the details of around 30 million global customers, including 1.6 million in the UK. By any standard, it was a fairly sophisticated attack, which featured two distinct phases:

  1. A threat actor compromised a software engineer’s laptop, which gave them access to an SSE-C key. They could theoretically have used this to access backups of customer data, including encrypted password vaults. However, the key was encrypted, and full access to the database also required a second AWS access key.
  2. A threat actor was able to exploit a vulnerability in the Plex video streaming service, which had been downloaded to the personal laptop of a senior development operations engineer. This enabled them to install a keylogger and subsequently decrypt the SSE-C key and get hold of the AWS access key. That opened the door to those encrypted password vaults.

Because master passwords to these vaults were stored locally on customer devices and never shared with LastPass, they should have been safe. But poor implementation of the PBKDF2 algorithm meant countless passwords were brute forced in the years since the breach, leading to an estimated $35m in cryptocurrency theft.
What the ICO Said

The Information Commissioner’s Office (ICO) fined LastPass £1.2m for its “failure to implement and use appropriate technical and organisational measures, contrary to Article 5(1)(f) UK GDPR and Article 32(1).” Specifically, the firm allowed senior engineers to use personal laptops to access production keys, it allowed employees to link personal and business vaults with the same master password, and it failed to rotate AWS keys after the first incident. Yet the regulator acknowledged that compliance with ISO 27001:2022 should have meant the company followed the ICO’s own guidance on securing home working devices and segregating personal and business devices and accounts. It clearly didn’t.

“LastPass is not an outlier. Our recent research found that more than a quarter (26%) of privacy professionals believe their organisation is likely to experience a material privacy breach within the next year. This level of risk is fast becoming the norm,” ISACA chief global strategy officer, Chris Dimitriadis, tells IO (formerly ISMS.online). “Compliance with standards such as ISO 27001 is essential – but it is only the starting point. The LastPass breach underlines a hard truth: privacy and data protection cannot be reduced to box-ticking. Organisations must move beyond minimal compliance towards enterprise-wide capability and maturity assessments.”

Moving with the Times

LastPass isn’t the first and certainly won’t be the last company to suffer a serious breach despite technically being certified with best practice standards. Other notable cases include:

  • 23andMe: The DNA testing firm was fined £2.3m by the ICO after a breach impacting millions of customers. It failed to mandate multi-factor authentication (MFA) for users, had insufficient monitoring for unusual activity, and enabled threat actors to abuse an internal feature (DNA Relatives) to access more accounts than they should have been able to.
  • Interserve Group: The outsourcer was fined £4.4m after a breach of employee data. Despite the intrusion being flagged by the firm’s endpoint protection tooling, it failed to investigate.

Cases like this don’t highlight the shortcomings of standards like ISO 27001. They prove that many organisations still aren’t approaching compliance programmes with the right mindset.

“While ISO 27001, SOC 2 and other standards are an excellent and time-tested baseline to assess corporate information security, they are not – and have never been – designed as a guarantee that a company is unhackable or that 100% of policies or procedures are properly followed,” explains ImmuniWeb CEO, Ilia Kolochenko. “Moreover, even if all policies and procedures are duly followed, it does not mean or imply that the underlying processes are technically flawless.”

Dennis Martin, crisis management and business resilience specialist at technology services firm Axians UK, adds that standards-based compliance is only helpful when leaders insist controls work in practice. “Security measures must be tested, validated, and challenged regularly. Assumptions and documented processes are no substitute for evidence. A ‘don’t trust, test’ mindset is essential if organisations want confidence in their security posture,” he tells IO (formerly ISMS.online). “Effective compliance is continuous. Threats evolve, business operations change, and controls degrade over time. Regular review and improvement are necessary to ensure that what is written down still reflects reality.”

Continuous Improvement

In fact, ISO 27001:2022 “explicitly recognises” that security must not stand still, Oleria VP of security, Didier Vandenbroeck, tells IO.
“A core principle of the standard is continual improvement, with auditors expected to raise opportunities for improvement where controls may be technically compliant but no longer appropriate to the evolving threat landscape,” he explains. “When certification becomes a tick-box exercise, that principle is lost. Certificates are ultimately meaningless if organisations do not follow them in practice or fail to challenge whether existing controls still make sense given how people actually work and how attackers operate.”

IO CPO, Sam Peters, agrees. “This is why frameworks and standards are most effective when treated as living management systems, effectively operating models for managing cyber risk, rather than static compliance milestones,” he tells IO. “The principle of continuous improvement, embedded through regular review, challenge and adaptation, has been central to our approach at IO since inception and reflects what regulators increasingly expect to see in practice. Used in this way, frameworks provide a durable foundation for organisations to manage cyber risk in an environment of constant change, rather than a snapshot of compliance at a single point in time.”

Such an approach is particularly important for managing GDPR risk at a time when regulators are placing an ever-greater emphasis on context. “Regulators are very clearly signalling that ‘appropriate technical and organisational measures’ should be understood as contextual and evolving, rather than fixed or static. What is deemed appropriate will vary depending on factors such as risk exposure, data sensitivity and the threat landscape, and is increasingly being assessed after an incident has occurred,” he concludes. “In practice, this means regulators are less interested in whether a framework has been adopted, and more focused on how effectively it is being used to identify, review and manage information security risk over time.”

From Fragmented to Fine-Tuned: How Logiq Built a Robust, ISO 27001-Certified ISMS

“IO eliminates ambiguity, increases accountability, and provides end-to-end traceability from risk to control to evidence.”

Lars Hauger CTO, Logiq

Learn how Logiq:

  • Achieved ISO 27001 certification in 12 months
  • Used the Assured Results Method to streamline compliance and certification
  • Leveraged Dunamis Technology’s consultancy to support success
  • Unlocked improved information security engagement across the business.

Logiq is a Nordic SaaS provider specialising in secure and high-availability information exchange between businesses. For more than 25 years, Logiq has operated a mission-critical digital trade network that handles large-scale EDI, e-invoicing, and document flows for enterprises throughout the Nordic region.

Logiq’s service platform runs 24/7 with >99.99% uptime and is an integral component in the financial and supply-chain processes of its customers.

“We needed a unified governance platform with predictable workflows, evidence management, and strong auditability.”

Lars Hauger CTO, Logiq

The business’s primary target was to achieve ISO 27001 certification by implementing a clearly structured, audit-ready information security management system (ISMS). This would also support continued compliance with key regulations like GDPR and NIS 2 as well as stringent financial-sector expectations.

Logiq had an existing ISMS built across different tools and formats, including a custom-built intranet, spreadsheets, internal repositories and locally stored documents. While this approach was functional, it lacked integrated governance, automation, and centralised control. The Logiq team found that maintaining consistency, traceability and version control across policies, registers, controls and audits was challenging.

Lars and the team required guidance to accelerate implementation and ensure a robust, certification-ready ISMS structure, as well as a centralised platform to consolidate their efforts and streamline compliance management.

Logiq brought on the services of Dunamis Technology to provide expert support and guidance throughout ISO 27001 implementation. The Dunamis Technology team helped to structure the business’s ISMS, configure registers, refine policy frameworks, and map evidence efficiently. Dunamis Technology recommended using the IO platform to address the issue of Logiq’s existing, fragmented governance environment.

“We solved this by implementing IO, creating a fully centralised, consistent, and version-controlled environment that eliminated ambiguity and increased accountability.”

Ronny Stavem CEO & Head of Digital Security Services, Dunamis Technology

Logiq migrated their existing ISMS content to the IO platform. They then used Dunamis Technology’s implementation methodology, IO’s comprehensive 11-step Assured Results Method (ARM) and the platform’s pre-configured ISO 27001 framework to establish a robust ISMS in line with the requirements of the standard.

“Our key focus was ensuring the IO platform was used optimally and translating complex standards and auditor expectations into practical, operationally suited workflows.”

Ronny Stavem CEO & Head of Digital Security Services, Dunamis Technology

The Logiq team leveraged the platform’s core compliance management features to ensure certification success: centralised policy management, risk management module, asset and supplier registers, automated compliance mapping, and structured reporting. The audit, corrective action and evidence-linking features also provided a clear audit trail.

“The guided frameworks, pre-configured ISO control sets, and automated modules for policies, assets, and audits significantly streamlined our workflows.”

Lars Hauger CTO, Logiq

The Logiq team cite the IO platform’s pre-configured ISO 27001 framework and automated evidence management as the most valuable elements of working with IO: “It eliminated uncertainty and simplified complex tasks.”

“Dunamis Technology provided expert guidance throughout the implementation helping structure our ISMS, configure registers, refine policy frameworks, and map evidence efficiently.”

Lars Hauger CTO, Logiq

Logiq achieved ISO 27001:2022 certification in approximately 12 months, including planning, migration of existing content, and internal readiness assessments. Lars estimates that working with Dunamis Technology and IO enabled the business to reduce ISMS maintenance, evidence handling and audit preparation time by 40-60%.

Lars said: “The consolidation of documentation alone saved substantial operational hours across the organisation.”

“IO eliminates ambiguity, increases accountability, and provides end-to-end traceability from risk to control to evidence.”

Lars Hauger CTO, Logiq

The support provided by Dunamis Technology also directly accelerated Logiq’s path to certification, ensuring the business’s workflow aligned with ISO 27001 requirements. Their audit experience helped Logiq to shape a definitive, certification-ready ISMS within the IO platform. They were able to translate standards and auditor expectations into practical, operationally suited workflows for Logiq.

“Dunamis Technology’s audit experience and practical recommendations were instrumental in shaping a certification-ready ISMS. Their experience ensured that our ISMS became both compliant and genuinely usable.”

Lars Hauger CTO, Logiq

Team Logiq has also unlocked unexpected benefits from using IO. With ISO 27001 compliance consolidated into one platform, the business has strengthened cross-department information security alignment. Roles and responsibilities are more transparent and non-security stakeholders are more engaged. As a result, Logiq has built a stronger organisation-wide governance culture.

“Even non-technical stakeholders were able to adopt the IO solution with confidence once they had adjusted to the new structure.”

Lars Hauger CTO, Logiq

The Logiq team continue to evolve their ISMS in line with ISO 27001’s continuous improvement requirements by expanding ISMS workflows and maturing supplier management controls. The business is also leveraging the IO platform for broader compliance areas including NIS 2 and future regulatory requirements with the support and expertise of Dunamis Technology.

“The platform’s architecture is ideal for managing multiple standards simultaneously, which is critical for Logiq given their future compliance needs.”

Ronny Stavem CEO & Head of Digital Security Services, Dunamis Technology


The Biggest AI Governance Challenges in 2026

This year’s Safer Internet Day theme, “smart tech, safe choices – exploring the safe and responsible use of AI”, stresses the importance of responsible AI use. AI use has become commonplace in business, offering leaders a tempting combination of increased productivity and reduced costs. As such, organisations are now using AI for everything from their recruitment efforts to their threat monitoring. However, implementing and using AI ethically, responsibly, and safely isn’t just a nice-to-have. It’s key to ensuring compliance with regulations like the EU AI Act, safeguarding sensitive customer information, and mitigating risk.

Our State of Information Security Report 2025 exposed the key AI-related challenges organisations are facing, from governance and implementation struggles to AI-powered attacks and emerging threats. In this blog, we explore these challenges and how organisations can address them.

Shadow AI

One in three (34%) respondents to the State of Information Security Report 2025 said internal misuse of generative AI tools, also known as shadow AI, was a key emerging threat concern for their business over the next 12 months. Meanwhile, 37% shared that their employees had already used generative AI tools without organisational permission or guidance.

Shadow AI is a pressing issue for organisations. Unauthorised AI use can increase the risk of data breaches and violations of data protection regulations, potentially leading to heavy fines for non-compliance as well as reputational damage.

To manage shadow AI use, businesses must first identify where AI is being used and what it’s being used for. Consider limiting access to these domains and platforms until your business has established and shared clear governance and usage policies. Create AI usage policies that define which AI tools are approved and which are not.
Establish guidelines around the types of data that can and cannot be entered into prompts – for example, intellectual property, customer data and financial data should never be entered into free, public versions of large language models. Implement an employee education programme to ensure staff are aware of their information security responsibilities, including safe AI usage. Firewalls or DNS filtering to block prohibited sites can act as strong technical controls; however, this may lead to employees finding other ways to access them regardless. Consider fostering an open environment where there are clear policies for use and employees can ask questions about new AI tools, with a streamlined approval process.

The Pace of AI Adoption

Over half (54%) of the respondents to our State of Information Security Report admit their business adopted AI technology too quickly and is now facing challenges in scaling it back or implementing it more responsibly. The Report’s findings reflect the vast gulf between the pace of AI adoption and the pace of AI governance. Often, businesses are implementing guardrails around AI usage only after errors have occurred, leaving them scrambling to course correct.

ISO 42001 can offer a robust, proactive solution. The standard provides a framework for establishing, maintaining and continually improving an AI management system (AIMS), emphasising ethical, responsible AI use. Organisations can take a strategic approach to ongoing compliance using the Plan-Do-Check-Act (PDCA) cycle. To achieve ISO 42001 compliance, businesses must establish an AI policy, assign AI roles and responsibilities, assess and document the impacts of AI systems, implement processes for the responsible use of AI systems, assess AI risk, and more. The emphasis on continual improvement requires businesses to continually evolve their AIMS for ongoing certification.
ISO 42001 certification can enable your organisation to manage AI risk, ensure stakeholder trust and transparency, and streamline compliance with regulations like the EU AI Act.

Emerging AI-Powered Threats

Respondents to our State of Information Security Report 2025 cited several AI-related risks as their top emerging threat concerns for the next 12 months. 42% were concerned about AI-generated misinformation and disinformation, while 38% cited AI phishing as a core issue. 34% of respondents said shadow AI was a concern, while 28% were concerned about deepfake impersonation during virtual meetings. The data suggests many of these threats are already reality – over a quarter (26%) of respondents had experienced AI data poisoning in the last 12 months.

Implementing information security best practices, such as those provided by the ISO 27001 framework, can also support businesses in tackling AI-driven threats. The ISO 27001 standard requires organisations to implement (or justify their reasoning for choosing not to implement) core controls such as privileged access rights, employee information security awareness training, threat intelligence and secure authentication. These best practices form a solid baseline from which organisations can mitigate risks associated with AI-driven threats. Privileged access rights, for example, could limit the damage of an employee falling victim to an AI-powered phishing attack by limiting their user-level access to information and systems, while information security training and awareness could stop that employee falling victim to the attack entirely.

Case Study: AI Clearing

Construction platform AI Clearing knew that ISO 42001 certification would demonstrate that their AI system adhered to the highest standards and rigorous testing, increasing customer trust.
The business leveraged the IO platform for their compliance, streamlining ISO 42001 implementation while retaining complete control over their governance, risk and privacy requirements. Learn how AI Clearing built a robust AIMS, efficiently managed AI risk and achieved the world’s first ISO 42001 certification in the AI Clearing case study.

The Strategic AI Governance Advantage

AI technology offers a tempting selection of benefits for businesses, but it can also increase business risk. It powers some of the biggest cyber threats facing organisations in 2026. This Safer Internet Day, we encourage businesses to consider leveraging frameworks like ISO 42001 to implement AI safely, responsibly, and in line with regulatory requirements. Businesses that take a strategic approach to AI governance will be able to proactively manage AI risk, boost customer trust and unlock operational efficiencies.

Why Regulators And Investors Expect Companies To Address a Triple Risk

Organizations fret about security and privacy risk. And more recently, they've paid attention to AI risk. But how often do they think of all three in the same conversation? Increasingly, it's becoming clear that they should. Laws covering data protection, cybersecurity, and AI have quadrupled since 2016 across the U.S., EU, UK, and China.

The SEC has already proved that it's serious about cybersecurity. Its cybersecurity rules, effective December 2023, are already reshaping how public companies handle breach disclosure. Form 8-K Item 1.05 now requires companies to disclose material cybersecurity incidents within four business days of determining materiality, not from when the incident was discovered. Form 10-K Item 106 mandates annual disclosure of risk management processes and board oversight structures.

The Commission isn't afraid to punish companies that it believes to have downplayed security incidents. Just over a year ago, in October 2024, the SEC settled enforcement actions against four public companies (Unisys, Avaya, Check Point, and Mimecast) for misleading investors about the impact of the 2020 SolarWinds cyberattack. The combined penalties approached $7 million. Unisys alone paid $4 million for describing cyber risks as "hypothetical" in its filings, while internal teams knew of actual intrusions.

Between December 2023 and January 2025, 55 cybersecurity incidents were reported via Form 8-K filings. Beyond the SolarWinds-related actions, Flagstar paid $3.55 million in December 2024 for describing a breach affecting 1.5 million people as mere "access" when data had actually been exfiltrated. These penalties demonstrate a need to connect cybersecurity disclosure with broader enterprise risk management. The SEC's formation of a new Cyber and Emerging Technologies Unit (CETU) in February 2025 signals this scrutiny will continue. The new unit replaced the Crypto Assets and Cyber Unit.
CETU also hints at the importance of factoring AI into these risks, as it specifically includes both AI and cybersecurity practices in its mandate. Fragmented Governance Creates Compounding Exposure American companies with European operations also face additional pressure from the EU AI Act, which took effect in August 2024. The law, which comes with compliance deadlines staggered through 2027, applies extraterritorially. U.S. businesses placing AI systems in the EU market or deploying AI whose outputs affect EU users must comply. The stakes are substantial. Penalties for prohibited AI practices reach €35 million or 7 percent of global annual revenue, whichever is higher. High-risk categories, covering AI used for employment decisions, credit scoring, and healthcare diagnostics, require conformity assessments, technical documentation, and human oversight mechanisms. Prohibitions on unacceptable-risk AI systems took effect in February 2025. AI Is Showing Up In Disclosure Documents Investor expectations are shifting as these risks evolve. Regulators and shareholders are making it clear that the old model of separate teams managing cybersecurity, privacy, and AI as distinct domains no longer works. AI has migrated from boardroom opportunity discussions to the risk factors section of annual reports with remarkable speed. Seventy-two percent of S&P 500 companies now disclose material AI risks, up from just 12 percent in 2023. The concerns they cite most frequently are reputational damage (38 percent of disclosing companies), cybersecurity implications, and regulatory uncertainty. Board oversight has followed. According to ISS-Corporate, 31.6 percent of S&P 500 companies disclosed board oversight of AI in their 2024 proxy statements. That's an 84 percent year-over-year increase. Those that don't impose such oversight risk material shareholder harm, which could lead to potential negative vote recommendations. 
Last year Glass Lewis, a proxy advisory firm that advises institutional shareholders on how to vote, issued new benchmark guidelines directly addressing AI governance. The trouble with managing cybersecurity, privacy, and AI separately is that incidents relating each of these bleed into the others. A single breach can simultaneously trigger SEC disclosure obligations, GDPR notification requirements, state privacy laws, and (if personal data trained an AI system) emerging AI regulations. So the time has come to merge consideration of these risk areas, but none of this is easy. According to the National Association of Corporate Directors' July 2025 governance outlook, AI is now a routine topic for 61 percent of boards, yet few have integrated it properly into governance structures. Why? Cultural friction is one reason. Security, privacy, and AI teams have historically operated with different vocabularies, risk frameworks, and reporting structures. Technology integration adds another layer of difficulty; siloed GRC tools create fragmented approaches to risk assessment, audit documentation, and evidence collection. Budget constraints force painful tradeoffs between building integrated infrastructure and meeting immediate compliance deadlines. Standards Frameworks Offer A Path Forward The good news: major standards bodies anticipated this convergence. ISO's High-Level Structure means that ISO 27001 (information security), ISO 27701 (privacy), and the newer ISO 42001 (AI management systems) share compatible architectures, enabling organizations to build unified management systems rather than parallel bureaucracies. Practical integration typically starts with cross-functional steering committees that include privacy, cybersecurity, legal, and AI representatives. From there, organizations develop shared risk taxonomies and (where budgets allow) unified GRC platforms that eliminate redundant assessments. 
Role boundaries are already blurring: according to an IAPP and EY survey, 69 percent of chief privacy officers have acquired AI governance responsibilities. Organizations that don't evolve their practices along these lines risk regulatory exposure. For those that do, lower regulatory friction, reduced audit burden, and stronger investor confidence await.
ISO 27001

How Spenn Group Unlocked ISO 27001 Success with IO and Dunamis Technology

“The IO platform acted as a single hub to link essential items like risks, assets, and controls. The integrations made it easier for us to collect evidence, manage risk, and demonstrate a clear audit trail.”

Kristian Kolstad Chief Product & Technology Officer (CPTO), Spenn Group

Learn how Spenn Group:

  • Achieved ISO 27001 certification in 10 months
  • Used the IO platform to streamline ISMS implementation and ISO 27001 compliance
  • Leveraged Dunamis Technology’s vCISO expertise to support success
  • Built a culture of information security engagement across the business.

Spenn Group AS (Spenn Group) builds and operates a platform enabling an ecosystem of customer loyalty programs. Based in Norway, the company operates the new Nordic loyalty currency, Spenn, established in collaboration with Strawberry, Norwegian Air Shuttle, and Reitan Retail. Spenn unifies reward programs allowing members to earn and redeem points across hotels, flights, and groceries, making it a common, flexible ecosystem for loyalty in the Nordics.

As a fast-growing startup, Spenn Group needed to rapidly – but strategically – implement an information security management system (ISMS) to achieve ISO 27001 certification. The business also needed to demonstrate General Data Protection Regulation (GDPR) compliance. While the team was aware of these key information security and data privacy requirements, the business did not have the internal resources required to efficiently implement ISO 27001 and align with GDPR requirements.

“We were a startup and wanted to implement information security in our work early on, since a certification was a requirement from our founders (Norwegian, Strawberry and Reitan Retail) and it would be a competitive advantage.”

Kristian Kolstad CPTO, Spenn Group

Kristian and the Spenn Group team knew that establishing and continually improving a robust, ISO 27001-certified ISMS would allow the business to protect its sensitive customer data and satisfy the trust requirements of Spenn Group’s high-profile corporate owners. In addition, successful certification and the trust associated with competent information security management would also provide a competitive advantage for the business.

Spenn Group used the expert virtual Chief Information Security Officer (vCISO) guidance and support provided by IO partner, Dunamis Technology. The Dunamis Technology team recognised the business’s need for swift certification and recommended IO’s efficient compliance management platform to implement and manage the complex policies, controls and documentation required for ISO 27001 certification.

“Spenn Group needed to rapidly implement security as a startup while avoiding the time-consuming manual, document-centric approach some of their managers had previously experienced. This was addressed by leveraging the IO platform, which provided templates and built-in processes to get them quickly up and running.”

Ronny Stavem CEO & Head of Digital Security Services, Dunamis Technology

The platform’s built-in templates, processes and guidelines enabled Kristian and the Spenn Group team to quickly establish an ISMS with the ongoing support of Dunamis Technology.

“The pre-built content of policies, controls, and frameworks allowed us to begin the ISO 27001 implementation with a significant portion of the documentation already complete, reducing administrative overhead.”

Kristian Kolstad CPTO, Spenn Group

With Dunamis Technology’s expertise and the business’s ISO 27001 project contained within the user-friendly, intuitive IO platform, Spenn Group took a holistic, structured approach to implementing the ISO 27001 standard, working strategically through certification requirements.

“The IO platform acted as a single hub to link essential items like risks, assets, and controls. The integrations made it easier for us to collect evidence, manage risk, and demonstrate a clear audit trail.”

Kristian Kolstad CPTO, Spenn Group

Dunamis Technology ensured top management at Spenn Group was involved from early in the process and provided workshops to support progress. The vCISO support and guidance they provided enabled Kristian and the Spenn Group team to move swiftly and confidently through the ISO 27001 certification process.

“Dunamis Technology’s support allowed us to rapidly establish a robust ISMS framework, utilise the IO platform effectively, and confidently navigate the complex requirements necessary to achieve ISO 27001 certification.”

Kristian Kolstad CPTO, Spenn Group

Spenn Group successfully achieved ISO 27001 certification in around 9-10 months. Kristian estimates that by using IO and Dunamis Technology, the business achieved this in just 50% of the time it would have taken them had they used a manual, document-centric approach.

For Spenn Group, the most valuable element of using the IO platform was the ability to maintain control over the project implementation and to establish a clear overview and understanding of the ISMS structure. Kristian said: “This clarity ensured the team knew what needed to be done and why, making the entire certification process manageable.”

The IO platform’s usability and key integrations have also enabled Spenn Group to encourage employee engagement with information security, a core tenet of ISO 27001 compliance, and something Dunamis Technology had identified as vital to ongoing success.

“An unexpected but important benefit of IO was that the platform’s user-friendliness and centralised nature led to easier organisational embedding. This ensured that the security work more readily became an integrated and natural part of Spenn Group’s daily operations and culture. We are using Slack for internal communication and integrating IO with Slack has given us employee involvement.”

Kristian Kolstad CPTO, Spenn Group

Kristian also praised the support provided by the Dunamis Technology team: “Their expertise and forward-thinking approach ensured the complex implementation process was managed effectively, resulting in a smooth and confident path to achieving certification.”

The Spenn Group team are focusing their efforts on the ongoing operation and maintenance of their ISMS to ensure the business sustains its ISO 27001 certification. However, the company is also considering implementing the ISO 9001 standard to expand their management systems into quality assurance.

ISO 27001

WEF Report: Fraud Is Now CEOs’ Biggest Cyber Concern, but It’s Not the Only One

Five years is a long time in cybersecurity. Yet that’s how long the World Economic Forum (WEF) has been polling CEOs for its Global Cybersecurity Outlook reports. The hope is that the resulting insight will empower business leaders to adjust strategy and navigate a fast-evolving threat landscape. This year’s offering places fraud, AI and geopolitics firmly at the top of a growing list of concerns. And as was the case last year, cyber resilience is the goal all are aspiring to. Yet as we discussed in the IO (formerly ISMS.online) State of Information Security Report 2025, there’s often quite a gap between diagnosing the problem and doing something about it.

What WEF Found

WEF polled just over 800 C-level executives for this year’s report. Among its key findings are the following:

Fraud takes top spot

CEOs and CISOs diverged a little in terms of their top two concerns. While CISOs remained consistent from last year in citing (in order) ransomware and supply chain disruption, their CEO counterparts placed cyber-enabled fraud in top spot, followed by AI vulnerabilities. By fraud, they mean enterprise-focused threats like phishing/smishing/vishing, invoice fraud (like BEC), and insider fraud, but also crime types more commonly associated with consumer losses like ID theft and even investment fraud/crypto scams.

The IO report seems to agree. It revealed that 30% of respondents experienced phishing over the previous 12 months, up from just 12% in 2024. As a recent report from Microsoft highlights, there’s a sophisticated and resilient global infrastructure in place to facilitate certain types of fraud like BEC which impact enterprises. But even nominally consumer-focused campaigns centred around things like ID theft can touch the corporate world. As Check Point argued in a recent write-up, when scammers are able to harvest personal and device information, including “liveness” selfies, from individuals, they could use the info beyond ID fraud. Specifically, it could be operationalised to bypass corporate authentication systems and impersonate employees in IT helpdesk password resets. And if individuals lose big sums in investment scams, they might be more vulnerable to coercion/blackmail as malicious insiders.

AI is supercharging cyber risk

AI was also highlighted by WEF respondents as a key driver of cyber risk. But interestingly, less in terms of its ability to power phishing, deepfakes and malware (which concerned 28%), and more in terms of data leaks which could arise from misuse of GenAI (30%). This points to a concern about the growing enterprise use of AI expanding the cyber-attack surface. In fact, 87% of respondents believe AI vulnerabilities are increasing (versus 77% who say the same about fraud and 65% supply chain disruption). IO data sheds more light on the issue. A third (34%) of respondents told us they’re concerned about shadow AI, with 54% admitting they adopted GenAI too quickly and now face challenges implementing it more responsibly. Risk tends to thrive in the shadows: what organisations can’t see, they can’t manage.

Geopolitics is a key influencer of security strategy

Nearly two-thirds of respondents told WEF that geopolitically motivated cyber attacks are a key consideration when devising their cyber-risk management strategies. Volatility in this area has forced almost all (91%) large organisations to adjust their approach to security, the report found. That matches IO’s take, which found that 88% of US and UK firms fear state-sponsored attacks, and nearly a quarter (23%) say their biggest concern for the year ahead is a lack of preparedness for “geopolitical escalation or wartime cyber operations”. A third (32%) claim that managing geopolitical risk is their primary motivation for strong infosec and compliance. More worryingly, 31% of WEF survey respondents reported low confidence in their nation’s ability to respond to major cyber incidents, up from 26% last year. The figure rises to 40% in Europe. The government must accelerate implementation of the measures in its Cyber Security and Resilience Bill and Cyber Action Plan.

Supply chains remain a barrier to resilience

Supply chains continue to be a significant source of cyber risk, and one that remains difficult to manage. Two-thirds (65%) of respondents told WEF it is their greatest challenge to becoming cyber resilient, up from 54% last year and just above the fast-moving threat landscape (63%) and legacy systems (49%). They’re right to be concerned. Some 61% of UK/US organisations told IO their business has been impacted by a security incident caused by a third-party vendor in the past year. Many said it led to customer/employee data breaches (38%), financial loss (35%), operational disruption (33%), churn/loss of trust (36%), and increased partner scrutiny (24%).

Towards Resilience

Against this backdrop, business and security leaders know they can’t be 100% breach-proof. So, the focus must shift towards resilience: how to anticipate, withstand and recover quickly from incidents, maintaining as close to “business as usual” as possible. As the JLR and M&S breaches have shown, this is easier said than done. According to WEF, the biggest barriers to cyber resilience are a rapidly evolving threat landscape and emerging technologies (61%); third-party vulnerabilities (46%); and cyber skills and expertise shortages (45%). Legacy and funding were also cited as key.

So how can organisations surmount these challenges? Interestingly, the report found that more resilient organisations were more likely to:

  • Hold board members personally liable in the event of breaches
  • Have a positive view of cyber-related regulations
  • Have adequate skills to achieve their cyber objectives
  • Assess the security of AI tools before deployment
  • Involve security in procurement
  • Simulate incidents and plan recovery exercises with partners
  • Assess the security maturity of suppliers.

Many of these things are mandated by best practice standards like ISO 27001 and ISO 42001. The latter is particularly well suited to helping organisations close the governance gap and manage risk (including data leakage) across an expanding AI attack surface. According to IO, 80% of UK/US organisations have aligned with standards like this to build resilience in a structured, risk-based way. Against the backdrop of a volatile business and threat landscape, those who do not are at an increasing disadvantage.
ISO 27001

700Credit Breach: API Risks Put Financial Supply Chain Governance Under the Spotlight

What does the 700Credit breach show about the financial data system and supply chain risks, and what lessons can be learned?

By Kate O’Flaherty

In December, credit report and identity verification services provider 700Credit admitted it had suffered a data breach impacting 5.8 million customers. The incident involved a compromised third-party API linked to the 700Credit web application. The breach was discovered in October 2025, but attackers gained access to the API in July, allowing them to steal sensitive data including names, dates of birth and social security numbers without being detected. It was a failure of visibility and supply chain governance that all firms should be aware of.

Application-Centric

Fintechs, lenders, dealers and credit bureaus all rely on huge integration networks, often with APIs that offer direct access to sensitive data. When one node in the network goes down, everyone downstream inherits the impact. The 700Credit breach is a prime example of this vulnerability in action. With APIs allowing attackers to access customer data, the 700Credit incident shows “just how interconnected the financial ecosystem has become”, says Dan Kitchen, CEO, Razorblue.

Although the company’s internal network was not compromised, attackers were still able to access and exfiltrate large volumes of financial-grade identity data via a trusted application layer integration. “This demonstrates that, in contemporary financial ecosystems, APIs and web applications effectively are the system, and compromise at this layer can be just as damaging as a core network intrusion,” says Mark Johnson, head of presales security at ANS. Large integration networks concentrate risk by creating high-value data access paths that bypass traditional controls, says Johnson. “APIs designed for efficiency and scale can become ‘straight-through’ conduits into sensitive personally identifiable information if over-privileged, insufficiently monitored or inadequately segmented.”

In the case of 700Credit, governance structures didn’t keep pace with the complexity of the ecosystem. The attackers’ prolonged dwell time suggests that governance mechanisms have “not evolved to match the operational complexity of API-driven ecosystems”, Johnson observes. The 700Credit breach underscores a crucial point: 96% of API attacks come from authenticated sources, meaning attackers are not breaking in. They are instead using “legitimate, trusted credentials”, adds Eric Schwake, director of cybersecurity strategy at Salt Security. Since most organisations underestimate their API inventory by 90%, these supply chain vulnerabilities can result in as much as 10 times the amount of leaked data seen in traditional breaches, he warns.

Opaque Financial Supply Chains

The 700Credit incident is just one example of how the financial data system has become too complex, interconnected and opaque for the level of governance applied to it. Most organisations have no clear map of where their data flows, how it’s accessed, which partners can query it, how they secure it and how quickly they disclose incidents. Businesses “rarely have visibility beyond their immediate vendors, let alone the suppliers their vendors use”, says Razorblue’s Kitchen. The complexity of these chains has now outpaced traditional governance structures, leaving organisations exposed to third-party and even fourth-party failures, such as a credit bureau using an API that relies on a cloud provider or data enrichment service with its own vulnerabilities, he says.

One of the core weaknesses in third-party supply chain management is the lack of comprehensive visibility and control over vendors’ security postures, agrees Tracey Hannan-Jones, information security consulting director, UBDS Digital. “Many organisations rely on external providers for essential services, but often fail to conduct rigorous, ongoing risk assessments or enforce standardised security controls across the supply chain. This creates blind spots where vulnerabilities can be introduced and exploited far too easily.”

Another significant weakness is the absence of robust contractual and technical requirements for third-party providers, says Hannan-Jones. “Organisations frequently lack clear, enforceable agreements that mandate security standards, incident response protocols and regular audits. Even when such requirements do exist, enforcement and monitoring can be inconsistent, especially as the number of suppliers grows.”

Adding to the issue, cybersecurity teams usually don’t devote enough time or expertise to their third-party risks. The area is often seen as “tedious and repetitive”, says Pierre Noel, field CISO at Expel. “It’s extremely difficult to recruit seasoned cybersecurity specialists and convince them to perform a third-party assessment every week, month or year.” Firms often fail to take into account the reality that third-party risks evolve, Noel points out. “The relationship you have with ‘company A’ might start small and evolve significantly a year or two later. Unless your program accommodates this dynamic expansion, a significant and high-risk third-party could go unnoticed until it’s too late.”

Regulatory Response

The 700Credit incident has had a significant regulatory impact, with the firm sending breach notices to multiple state attorney general offices, including Maine. The firm submitted a consolidated report to the Federal Trade Commission in coordination with the National Automobile Dealers Association, and the incident was also reported to the FBI. The regulatory response required after this type of incident shows that lawmakers increasingly view third-party failures as systemic risk.

Overall, businesses “shouldn’t be overly optimistic about the reaction of the regulators to this type of issue”, says Expel’s Noel. They will generally advise, “ensure you have an adequate third party management process, and be ready to prove it at every internal or external audit”, he says. However, the regulator is unlikely to impose a process that would cater to a large number of third parties, or go further than just making sure the organisation obtains the ISO or SOC 2 certificate from the contractor, Noel says. “This is why businesses should acknowledge the discrepancy and take the first step to implement a risk management program that exceeds these foundational compliance requirements.”

The Digital Operational Resilience Act (DORA), which came into force in the EU, directly addresses supply chain risks by imposing strict requirements on financial entities and their critical IT supply chain partners, says UBDS Digital’s Hannan-Jones. “DORA mandates that organisations implement comprehensive risk management frameworks for third-party relationships, including due diligence, contractual clauses ensuring data security, continuous monitoring, and the ability to terminate contracts if providers fail to meet resilience standards. Regular testing, incident reporting and clear accountability for outsourced functions is also required.”

Governance Structures

With attackers able to access data via an API, the 700Credit breach has exposed the fact that in many cases, governance structures haven’t kept pace with the complexity of the ecosystem. Annual vendor questionnaires and legacy due-diligence processes simply don’t work when attackers can quietly pull millions of records through an API without being detected. To prevent this type of breach from happening, governance must include continuous monitoring, supply-chain transparency, obligation mapping, and ISO-aligned governance such as ISO 27001 and ISO 27701. But these are not just checkboxes.

Businesses need to “move beyond static compliance” and “embrace continuous oversight”, says Razorblue’s Kitchen. That means “monitoring API traffic in real-time, not just during annual audits”. At the same time, firms should demand transparency from their vendors, mapping obligations and understanding who else is in the chain, he advises. Diane Downie, senior software architect at Black Duck, recommends that organisations take a zero-trust security posture, especially with access points to sensitive information. “Risk assessments of system architectures must consider mitigation against a compromised system, including those of their trusted partners.”

Financial organisations can no longer rely on trust-based vendor relationships or slow disclosure processes. They need to be fundamentally more transparent, taking a standards-driven approach to managing their data ecosystem. The benefits of this approach are clear. The real cost of breaches goes far beyond regulatory penalties, creating substantial risk for operational paralysis and reputational damage, says Kitchen. “At a macro level, incidents like this can trigger sharp drops in share price, erode investor confidence, and create nervousness in the markets – especially for publicly traded firms in sensitive sectors like finance.”
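The failure mode the article keeps returning to, valid credentials quietly pulling millions of records through an API for months, looks from the defender's side like a per-credential volume and breadth anomaly, which is what "monitoring API traffic in real-time, not just during annual audits" has to catch. The following is an added example, not code from the article, from 700Credit or from any company quoted above: a small Python detector that baselines each authenticated API client's hourly count of distinct records looked up and flags an hour that breaks both an absolute floor and a multiple of that client's own recent baseline. The log format, client names and record ids are constructed for the example, and it assumes the API gateway logs the authenticated client and the record requested on every call.

```python
"""Bulk-extraction detector for authenticated API access logs (added example).

Assumption (not from the article): the gateway writes one line per call in
the constructed form
    2025-07-14T09:00:01Z client=dealer-042 GET /v1/credit-report/100001 200
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format; a real gateway's fields will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) GET /v1/credit-report/(?P<record>\d+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "record": m["record"], "status": int(m["status"])}


def hourly_distinct_records(events):
    """Group successful lookups as {client: {hour_start: set(record_ids)}}.

    Distinct records, not request count, is the signal: an attacker
    enumerating a dataset touches many different ids, whereas a legitimate
    integration often re-reads the same few records."""
    buckets = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["status"] != 200:
            continue
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[e["client"]][hour].add(e["record"])
    return buckets


def detect_bulk_extraction(events, baseline_hours=24, abs_floor=100, multiplier=10):
    """Flag hours where a client's distinct-record count exceeds both an
    absolute floor and `multiplier` x its own mean over the previous
    `baseline_hours` hours. Hours with no traffic count as zero in the mean,
    so a brand-new credential is judged against the absolute floor alone."""
    alerts = []
    buckets = hourly_distinct_records(events)
    for client, per_hour in buckets.items():
        for hour, records in sorted(per_hour.items()):
            window_start = hour - timedelta(hours=baseline_hours)
            prior = [len(per_hour[h]) for h in per_hour if window_start <= h < hour]
            baseline = sum(prior) / baseline_hours
            count = len(records)
            if count >= abs_floor and count > multiplier * baseline:
                alerts.append({"client": client, "hour": hour, "count": count,
                               "baseline": round(baseline, 2)})
    return alerts


def build_sample_log():
    """Constructed sample: dealer-042 does 20 lookups/hour for 25 hours, then
    in hour 25 the same valid credential pulls 300 distinct records.
    lender-007 does one lookup per hour and must never be flagged."""
    start = datetime(2025, 7, 14, 0, 0, tzinfo=timezone.utc)
    lines, record = [], 100000
    for h in range(25):
        for i in range(20):
            ts = start + timedelta(hours=h, minutes=3 * i)
            record += 1
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client=dealer-042 GET /v1/credit-report/{record} 200")
    burst = start + timedelta(hours=25)
    for i in range(300):  # 300 calls, 10 s apart, all inside one hour
        ts = burst + timedelta(seconds=10 * i)
        record += 1
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client=dealer-042 GET /v1/credit-report/{record} 200")
    for h in range(26):
        ts = start + timedelta(hours=h, minutes=30)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client=lender-007 GET /v1/credit-report/{200000 + h} 200")
    return "\n".join(lines)


def run_detection(log_text):
    """Parse a log blob and return the list of alerts."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return detect_bulk_extraction(events)


if __name__ == "__main__":
    for a in run_detection(build_sample_log()):
        print(f"ALERT client={a['client']} hour={a['hour']:%Y-%m-%dT%H:00Z} "
              f"distinct_records={a['count']} baseline_per_hour={a['baseline']}")
```

The thresholds are deliberately per-client: a credential's own history is the baseline, so a busy lender is not flagged for being busy, while a dealer credential that suddenly enumerates hundreds of reports is. In production this sits on the gateway's log stream and pages someone within the hour, which is the difference between a July intrusion found in July and one found in October.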
ISO 27001

The Utilities Compliance Challenge

Utilities companies are dealing with fragmentation and silos, preventing a streamlined approach to compliance. A more solid foundation is needed, but how can this be done?

By Kate O’Flaherty

Utilities companies operate numerous disparate systems, many of which were never meant to be connected to the internet. It’s therefore no surprise that cybersecurity — and compliance with regulations covering the area — remain one of the sector’s greatest challenges. In 2010, the Stuxnet worm demonstrated the real-life threat posed by a cyber-attack on the sector, after centrifuges used in the Iranian nuclear programme were obliterated. More recently, the Russia-Ukraine war has seen several state-sponsored cyber-attempts on Ukraine’s electricity grid. Meanwhile, in the US, the water sector has also been under attack.

The growing risk of attacks such as these and their devastating consequences has led to a number of regulations intended to shore up utilities security, including the EU Network and Information Systems Directive 2 (NIS2) and the UK Cybersecurity and Resilience Bill. As utilities strive to comply with these multiple rules, some have criticised the industry for being slow to adapt. Indeed, a recent blog by Ernst & Young highlights a need for artificial intelligence (AI) technology to manage complex risk management strategies and ensure compliance. But in an industry already dealing with fragmentation and silos, is adding more tools really the answer?

Keeping Pace With Regulation

Many experts say no. Instead, utilities need a unified, engineered compliance backbone that matches the complexity of the physical systems they run. This starts with fixing the foundations, rather than layering new technologies on top of old fragmentation. Recent cyber incidents affecting utilities highlight a challenge that goes beyond keeping pace with regulation. The pressure utilities face is real, but it’s not because rules are moving faster than organisations can respond. It’s because the cost of fragmented, disconnected compliance and risk ownership is “rising faster than utilities can absorb”, Darren Guccione, CEO and co-founder at Keeper Security, tells IO.

Utilities operate some of the most interconnected physical systems in the world. Yet the processes governing cybersecurity, operational resilience, privacy, third-party access and regulatory compliance are often disconnected from one another. “Cybersecurity, operational technology (OT) security, privacy, audit and regulatory teams are often organised as parallel functions, each with their own controls, tools and reporting lines, but limited shared visibility or coordination,” Guccione points out. “That fragmentation creates real exposure.”

These silos lead to “poor communication, duplication of effort, misunderstanding, and slow decision-making”, says Tracey Hannan-Jones, information security consulting director, UBDS Digital. “So, when new regulations arrive, each department interprets then implements changes differently — or not at all — leading to inconsistencies, inefficiencies, and poorly designed compliance frameworks to address requirements.”

The concept of "technical debt" in software — shortcuts that create compounding future costs — “maps perfectly to compliance”, says Rayna Stamboliyska, CEO at RS Consulting. “Every time a utility bolts a new regulatory requirement onto fragmented existing systems, rather than refactoring the foundation, the organisation accumulates ‘compliance debt’. The ‘cost of fragmented compliance’ is actually interest payments on ‘compliance debt’ — and UK utilities are paying compound interest without reducing principal.”

Under-Tooled

No amount of new technology can solve the issue — especially if it’s simply bolted on top of fragmented systems. In 2024, large enterprises were using an average of 45 cybersecurity tools, according to Gartner. This indicates that being “under-tooled” isn’t the core problem, says Rik Ferguson, VP of security intelligence at Forescout. “On paper, that tool depth can look reassuring. In practice, it often creates a different problem: A security environment that’s busy, noisy and difficult to operate as a coherent whole.” Boards often see extensive tooling and assume coverage is comprehensive, says Ferguson. “Security teams, meanwhile, spend huge amounts of time stitching together information, validating alerts and chasing activity that doesn’t always translate into measurable risk reduction.”

Amid this complex environment, organisations may look to AI as the “saviour”. However, this is never going to work because AI thrives on “high-quality, integrated data”, says UBDS Digital’s Hannan-Jones. “In fragmented utilities, data is often poor-quality, scattered, inconsistent or inaccessible. Without unified data, AI models can only produce limited or unreliable insights.” Another factor to consider is that AI cannot fix organisational silos, Hannan-Jones says. “AI can automate tasks or generate recommendations, but it cannot force departments to collaborate, or share information.”

Streamlined Approach

Rather than simply adding new tools, utilities firms should work on a streamlined approach to compliance. This can help facilitate central orchestration, local accountability, consistent controls, continuous monitoring and an integrated view of risk. As part of this, standardisation provides “a unified vocabulary and set of procedures” for risk, security, privacy and AI, says Hannan-Jones. For example, ISO 27001 covering information security, ISO 27701 on privacy, and ISO 42001 governing AI management. These frameworks require clear assignment of roles and responsibilities through a centralised approach. This ensures everyone knows who is accountable for what, which will improve coordination and communication, and reduce gaps, says Hannan-Jones. “Organisations can then enforce documented, repeatable processes for risk assessment, incident response and drive continuous improvement,” she explains.

At the same time, since ISO standards are risk-based, they require organisations to consider risks holistically, rather than as a silo. The alignment of risk management with business objectives ensures that all departments are “working towards the same goals with a consistent approach”, says Hannan-Jones.

When looking to streamline your organisation, the first step is to map and standardise your core processes, Hannan-Jones advises. “Document all key workflows across the organisation, including asset management, maintenance, incident response and risk management. This will create clarity, expose duplications, identify gaps and provide a strong baseline for standardisation.” It’s important to ensure everyone, including leadership, is on board, says Hannan-Jones. “As senior leaders must champion the unified compliance approach, communicate its value, and allocate resources. Sustained change requires visible support from the top, with clear messaging across the whole organisation.”

Benefits of Compliance

While challenges remain, regulation is not getting more complex. Instead, it is exposing how messy and fragile internal structures have become. Risk in utilities only becomes an asset when it’s treated like the grid itself: A functioning system that’s connected, continuously monitored and engineered for resilience. The benefits are clear: When compliance becomes coordinated and integrated, utilities gain faster regulatory response, a stronger cyber posture, more trustworthy AI models, better board assurance, and reduced duplication and cost.

Coordinated, integrated compliance allows firms to “reclaim operational capacity”, so they can redirect their energy towards improving security outcomes, says Conor Sherman, CISO in residence at Sysdig. “You can then spend your time improving the grid's resilience, rather than arguing over the provenance of a screenshot for an auditor.”
ISO 27001

How Paymenttools Achieved ISO 27001 Certification Success and Unified Compliance Management

“The IO platform is now our strategic umbrella system for managing our entire security and compliance landscape.”

Jan Oetting CISO, Paymenttools

Learn how Paymenttools:

  • Achieved ISO 27001 certification in nine months
  • Used the IO platform to implement a robust ISMS and ensure ISO 27001 compliance
  • Employed SGG’s support and expertise to deliver certification success
  • Continue to leverage the IO platform to manage their entire security and compliance landscape.

Paymenttools are technologists and payment experts with a deep background in retail. The business’s mission is to design payments that make life easier for everyone involved, from checkout staff to end customers, and to improve the shopping experience long-term.

With Paymenttools’ roots in commerce, the team understand that payment transactions are not an afterthought, but a strategic tool for modern business models. They take a holistic approach, considering everything from payment processes and loyalty programmes to the company’s vision of an independent European payment system.

They are driven by a common goal: to future-proof payments with solutions that work reliably today and create real independence tomorrow.

With limited resources for security and risk management, the Paymenttools team needed a lean and pragmatic solution that could be operated by a small, focused team to successfully achieve ISO 27001 certification. As a cloud-native company with a large engineering focus, many traditional, bureaucratic security controls didn’t apply to the business, so being able to easily identify and implement relevant controls was a core priority.

“Our challenge was to maintain a high-security posture and compliance without slowing down our engineers.”

Jan Oetting CISO, Paymenttools

Jan and the team were using tools such as Google Workspace for defining policies and managing risk, but recognised this wasn’t an efficient approach. They required a dedicated platform to manage and maintain their information security management system (ISMS), rather than disparate tools and documentation.

They also needed expert support and guidance to work through the ISO 27001 compliance and certification process. The team needed someone to align with their core security ‘co-pilot’ philosophy: someone to act as a partner, not a blocker, enabling success and finding secure paths to ‘yes’.

“This overall work is part of our strategic shift from reactive compliance to proactive command over our defensive landscape.”

Jan Oetting CISO, Paymenttools

Paymenttools enlisted the expertise of SGG to implement an ISO 27001-compliant ISMS and conduct pre-certification audits, both pre-stage 1 and pre-stage 2. The business also leveraged the IO platform, using the platform’s pre-built ISO 27001 templates and workflows to ensure swift implementation and alignment.

“SGG provided crucial guidance on understanding the standard and how to approach the certification process in a pragmatic, business-focused manner.”

Jan Oetting CISO, Paymenttools

Using the IO platform enabled Paymenttools to streamline their ISO 27001 compliance and efficiently implement and manage associated controls and processes. Chris Gill, Head of Cybersecurity, GRC and Auditing at SGG, said: “The pre‑built templates and workflows aligned to ISO 27001 saved the business significant time and reduced complexity.”

With the support of SGG, Paymenttools leveraged the intuitive, user-friendly IO platform and the IO 11-step Assured Results Method (ARM) to work strategically through certification requirements.

“The Assured Result Methods (ARM) worked perfectly as promised, providing a huge head start where around 70% of the policies were immediately good enough to use. This allowed us to focus on our security strategy: state what you are doing, evaluate risk, then improve.”

Jan Oetting CISO, Paymenttools

The platform’s pre-built elements provided a baseline on which Paymenttools could build and evolve a bespoke, highly tailored ISMS. Core areas the business used included the risk register, asset inventory, interested parties map, security management track and the corrective actions and improvements track.

Collaboration was also a vital element of the partnership. To ensure ongoing success, SGG and Paymenttools consistently aligned on the business’s compliance efforts, ensuring ISO 27001 compliance was progressing as expected.

“The SGG team held workshops with Paymenttools’ staff as and when required to ensure ISO 27001:2022 concepts were clear and understandable.”

Chris Gill Head of Cybersecurity, GRC and Auditing, SGG

Paymenttools successfully achieved ISO 27001 certification in nine months. Jan estimates that by working with IO and SGG, the business saved around 100 person-days in the initial setup compared to a manual approach, plus the time saved in ongoing maintenance work.

“The time needed as overhead for managing different regulations and audits is significantly reduced.”

Jan Oetting CISO, Paymenttools

For Paymenttools, the most valuable elements of the IO platform were the modern policy documentation and asset inventory provided in the ISO 27001 project structure: “The most important element of the IO platform were the predefined policies, specifically because they are optimised for a modern company like ours.”

The Paymenttools team also benefited from the platform’s centralised information security approach across risk management, asset management, corrective actions, and incident response. This allowed the business to consolidate the compliance workload and delay the use of specialised tools until they were absolutely needed.

SGG’s strategic advice and expert guidance were instrumental in Paymenttools’ ISO 27001 achievement, steering the business’s security management in the right direction to ensure certification success.

“Chris at SGG provided crucial guidance on understanding the standard and how to approach the certification process in a pragmatic, business-focused manner. He acted as a true Co-Pilot. He discussed critical areas with the external auditors and justified our decisions, and also provided significant help with risk management.”

Jan Oetting CISO, Paymenttools

While the business successfully achieved ISO 27001 certification, continuous improvement is a requirement for ongoing compliance. As such, Paymenttools and SGG remain focused on maturing the business’s ISMS and remediating any findings.

“Since Paymenttools achieved ISO 27001:2022 certification, SGG have helped mature a number of Paymenttools processes including supplier management, the return of assets, and information security in project management.”

Chris Gill Head of Cybersecurity, GRC and Auditing, SGG

Since achieving ISO 27001 certification, Jan and the team have extended the scope of their compliance to include PCI DSS and the German KRITIS regulation, all within the IO platform. Paymenttools are now beginning to leverage the IO platform as a general policy and risk management tool for the organisation, extending its use beyond just security.

“The IO platform is now our strategic umbrella system for managing our entire security and compliance landscape.”

Jan Oetting CISO, Paymenttools

The team is currently integrating NIS 2 to ensure alignment with the regulation, the NIST Cybersecurity Framework (CSF) to measure maturity, and COBIT as a general control framework.

“We are continuing our journey to mature our security posture from ‘Compliance’ to ‘Command’.”

Jan Oetting CISO, Paymenttools

ISO 27001:2022 Annex A Controls

Organisational Controls
