
Achieve Robust Information Security with ISO 27001:2022

Our platform empowers your organisation to align with ISO 27001, ensuring comprehensive security management. This international standard is essential for protecting sensitive data and enhancing resilience against cyber threats. With over 70,000 certificates issued globally, ISO 27001’s widespread adoption underscores its importance in safeguarding information assets.

Why ISO 27001 Matters

ISO 27001:2022 certification is built on a comprehensive, risk-based approach to information security management, ensuring your organisation effectively manages and mitigates potential threats in line with modern security needs. It provides a systematic methodology for managing sensitive information and keeping it secure. Certification can reduce data breach costs by 30% and is recognised in over 150 countries, enhancing international business opportunities and competitive advantage.

How ISO 27001 Certification Benefits Your Business

  1. Achieve Cost Efficiency: Save time and money by preventing costly security breaches. Implement proactive risk management measures to significantly reduce the likelihood of incidents.
  2. Accelerate Sales Growth: Streamline your sales process by reducing extensive security documentation requests (RFIs). Showcase your compliance with international information security standards to shorten negotiation times and close deals faster.
  3. Boost Client Trust: Demonstrate your commitment to information security to enhance client confidence and build lasting trust. Increase customer loyalty and retain clients in sectors like finance, healthcare, and IT services.

Comprehensive Guide on How to Implement ISO 27001:2022 Certification

The standard’s structure includes a comprehensive Information Security Management System (ISMS) framework and a detailed ISO 27001 implementation guide that integrates risk management processes and Annex A controls. These components create a holistic security strategy, addressing various aspects of security (ISO 27001:2022 Clause 4.2). This approach not only enhances security but also fosters a culture of awareness and compliance within the organisation.

Streamlining Certification with ISMS.online

ISMS.online plays a crucial role in facilitating alignment by offering tools that streamline the certification process. Our platform provides automated risk assessments and real-time monitoring, simplifying the implementation of ISO 27001:2022 requirements. This not only reduces manual effort but also enhances efficiency and accuracy in maintaining alignment.

Join 25,000+ Users Achieving ISO 27001 with ISMS.online. Book Your Free Demo Today!


Understanding ISO 27001:2022

ISO 27001 is a pivotal standard for improving an Information Security Management System (ISMS), offering a structured framework to protect sensitive data. This framework integrates comprehensive risk evaluation processes and Annex A controls, forming a robust security strategy. Organisations can effectively identify, analyse, and address vulnerabilities, enhancing their overall security posture.

Key Elements of ISO 27001:2022

  • ISMS Framework: This foundational component establishes systematic policies and procedures for managing information security (ISO 27001:2022 Clause 4.2). It aligns organisational goals with security protocols, fostering a culture of compliance and awareness.
  • Risk Evaluation: Central to ISO 27001, this process involves conducting thorough assessments to identify potential threats. It is essential for implementing appropriate security measures and ensuring continuous monitoring and improvement.
  • ISO 27001 Controls: ISO 27001:2022 outlines a comprehensive set of ISO 27001 controls within Annex A, designed to address various aspects of information security. These controls include measures for access control, cryptography, physical security, and incident management, among others. Implementing these controls ensures your Information Security Management System (ISMS) effectively mitigates risks and safeguards sensitive information.


Aligning with International Standards

ISO 27001:2022 is developed in collaboration with the International Electrotechnical Commission (IEC), ensuring that the standard aligns with global best practices in information security. This partnership enhances the credibility and applicability of ISO 27001 across diverse industries and regions.

How ISO 27001 Integrates with Other Standards

ISO 27001:2022 integrates seamlessly with other standards, such as ISO 9001 for quality management and ISO 27002 (the code of practice for information security controls), and with regulations like GDPR, enhancing compliance and operational efficiency. This integration allows organisations to streamline regulatory efforts and align security practices with broader business objectives. Initial preparation involves a gap analysis to identify areas needing improvement, followed by a risk evaluation to assess potential threats. Implementing Annex A controls ensures comprehensive security measures are in place. The final audit process, including Stage 1 and Stage 2 audits, verifies compliance and readiness for certification.

Why Is ISO 27001:2022 Important for Organisations?

ISO 27001 plays a vital role in strengthening your organisation’s data protection strategies. It provides a comprehensive framework for managing sensitive information, aligning with contemporary cybersecurity requirements through a risk-based approach. This alignment not only fortifies defences but also ensures adherence to regulations like GDPR, mitigating potential legal risks (ISO 27001:2022 Clause 6.1).

ISO 27001:2022 Integration with Other Standards

ISO 27001 is part of the broader ISO family of management system standards. This allows it to be seamlessly integrated with other standards, such as:

This integrated approach helps your organisation maintain robust operational standards, streamlining the certification process and enhancing compliance.

How Does ISO 27001:2022 Enhance Risk Management?

  • Structured Risk Management: The standard emphasises the systematic identification, assessment, and mitigation of risks, fostering a proactive security posture.
  • Incident Reduction: Organisations experience fewer breaches due to the robust controls outlined in Annex A.
  • Operational Efficiency: Streamlined processes enhance efficiency, reducing the likelihood of costly incidents.

Structured Risk Management with ISO 27001:2022

ISO 27001 requires organisations to adopt a comprehensive, systematic approach to risk management. This includes:

  • Risk Identification and Assessment: Identify potential threats to sensitive data and evaluate the severity and likelihood of those risks (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Select appropriate treatment options, such as mitigating, transferring, avoiding, or accepting risks. With the addition of new options like exploiting and enhancing, organisations can take calculated risks to harness opportunities.

Each of these steps must be reviewed regularly to ensure that the risk landscape is continuously monitored and mitigated as necessary.

What Are the Benefits for Trust and Reputation?

Certification signifies a commitment to data protection, enhancing your business reputation and customer trust. Certified organisations often see a 20% increase in customer satisfaction, as clients appreciate the assurance of secure data handling.

How ISO 27001 Certification Impacts Client Trust and Sales

  1. Increased Client Confidence: When prospective clients see that your organisation is ISO 27001 certified, it automatically elevates their trust in your ability to protect sensitive information. This trust is essential for sectors where data security is a deciding factor, such as healthcare, finance, and government contracting.
  2. Faster Sales Cycles: ISO 27001 certification reduces the time spent answering security questionnaires during the procurement process. Prospective clients will see your certification as a guarantee of high security standards, speeding up decision-making.
  3. Competitive Advantage: ISO 27001 certification positions your company as a leader in information security, giving you an edge over competitors who may not hold this certification.

How Does ISO 27001:2022 Offer Competitive Advantages?

Recognised in over 150 countries, ISO 27001 opens international business opportunities. It cultivates a culture of security awareness, positively influencing organisational culture and encouraging continuous improvement and resilience, essential for thriving in today’s digital environment.

How Can ISO 27001 Support Regulatory Adherence?

Aligning with ISO 27001 helps navigate complex regulatory landscapes, ensuring adherence to various legal requirements. This alignment reduces potential legal liabilities and enhances overall governance.

Incorporating ISO 27001:2022 into your organisation not only strengthens your data protection framework but also builds a foundation for sustainable growth and trust in the global market.


Enhancing Risk Management with ISO 27001:2022

ISO 27001:2022 offers a robust framework for managing information security risks, vital for safeguarding your organisation’s sensitive data. This standard emphasises a systematic approach to risk evaluation, ensuring potential threats are identified, assessed, and mitigated effectively.

How Does ISO 27001 Structure Risk Management?

ISO 27001:2022 integrates risk evaluation into the Information Security Management System (ISMS), involving:

  • Risk Assessment: Conducting thorough evaluations to identify and analyse potential threats and vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Implementing strategies to mitigate identified risks, using controls outlined in Annex A to reduce vulnerabilities and threats.
  • Continuous Monitoring: Regularly reviewing and updating practices to adapt to evolving threats and maintain security effectiveness.

What Techniques and Strategies Are Key?

Effective risk management under ISO 27001:2022 involves:

  • Risk Assessment and Analysis: Utilising methodologies like SWOT analysis and threat modelling to evaluate risks comprehensively.
  • Risk Treatment and Mitigation: Applying controls from Annex A to address specific risks, ensuring a proactive approach to security.
  • Continuous Improvement: Fostering a security-focused culture that encourages ongoing evaluation and enhancement of risk management practices.

How Can the Framework Be Tailored to Your Organisation?

ISO 27001:2022’s framework can be customised to fit your organisation’s specific needs, ensuring that security measures align with business objectives and regulatory requirements. By fostering a culture of proactive risk management, organisations with ISO 27001 certification experience fewer security breaches and enhanced resilience against cyber threats. This approach not only protects your data but also builds trust with stakeholders, enhancing your organisation’s reputation and competitive edge.

Key Changes in ISO 27001:2022

ISO 27001:2022 introduces pivotal updates, enhancing its role in modern cybersecurity. The most significant changes reside in Annex A, which now includes advanced measures for digital security and proactive threat management. These revisions address the evolving nature of security challenges, particularly the increasing reliance on digital platforms.

Key Differences Between ISO 27001:2022 and Earlier Versions

The differences between the 2013 and 2022 versions of ISO 27001 are crucial to understanding the updated standard. While there are no massive overhauls, the refinements in Annex A controls and other areas ensure the standard remains relevant to modern cybersecurity challenges. Key changes include:

  • Restructuring of Annex A Controls: Annex A controls have been condensed from 114 to 93, with some being merged, revised, or newly added. These changes reflect the current cybersecurity environment, making controls more streamlined and focused.
  • New Focus Areas: The 11 new controls introduced in ISO 27001:2022 include areas such as threat intelligence, physical security monitoring, secure coding, and cloud service security, addressing the rise of digital threats and the increased reliance on cloud-based solutions.

Understanding Annex A Controls

  • Enhanced Security Protocols: Annex A now features 93 controls, with new additions focusing on digital security and proactive threat management. These controls are designed to mitigate emerging risks and ensure robust protection of information assets.
  • Digital Security Focus: As digital platforms become integral to operations, ISO 27001:2022 emphasises securing digital environments, ensuring data integrity, and safeguarding against unauthorised access.
  • Proactive Threat Management: New controls enable organisations to anticipate and respond to potential security incidents more effectively, strengthening their overall security posture.

Detailed Breakdown of Annex A Controls in ISO 27001:2022

ISO 27001:2022 introduces a revised set of Annex A controls, reducing the total from 114 to 93 and restructuring them into four main groups. Here’s a breakdown of the control categories:

| Control Group | Number of Controls | Examples |
|---|---|---|
| Organisational | 37 | Threat intelligence, ICT readiness, information security policies |
| People | 8 | Responsibilities for security, screening |
| Physical | 14 | Physical security monitoring, equipment protection |
| Technological | 34 | Web filtering, secure coding, data leakage prevention |

New Controls

ISO 27001:2022 introduces 11 new controls focused on emerging technologies and challenges, including:

  • Cloud services: Security measures for cloud infrastructure.
  • Threat intelligence: Proactive identification of security threats.
  • ICT readiness: Business continuity preparations for ICT systems.

By implementing these controls, organisations ensure they are equipped to handle modern information security challenges.


Full Table of ISO 27001 Controls

Below is a full list of ISO 27001:2022 Annex A controls, with their corresponding ISO/IEC 27001:2013 identifiers.

ISO 27001:2022 Organisational Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management |
| Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer |
| Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information |
| Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
ISO 27001:2022 People Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting |
ISO 27001:2022 Physical Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
ISO 27001:2022 Technological Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
| Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web Filtering |
| Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |

Navigating Implementation Challenges

Organisations may face challenges such as resource constraints and insufficient management support when implementing these updates. Effective resource allocation and stakeholder engagement are crucial for maintaining momentum and achieving successful compliance. Regular training sessions can help clarify the standard’s requirements, reducing compliance challenges.

Adapting to Evolving Security Threats

These updates demonstrate ISO 27001:2022’s adaptability to the changing security environment, ensuring organisations remain resilient against new threats. By aligning with these enhanced requirements, your organisation can bolster its security framework, improve compliance processes, and maintain a competitive edge in the global market.


How Can Organisations Successfully Attain ISO 27001 Certification?

Achieving ISO 27001:2022 requires a methodical approach, ensuring your organisation aligns with the standard’s comprehensive requirements. Here’s a detailed guide to navigate this process effectively:

Kickstart Your Certification with a Thorough Gap Analysis

Identify improvement areas with a comprehensive gap analysis. Assess current practices against the ISO 27001 standard to pinpoint discrepancies. Develop a detailed project plan outlining objectives, timelines, and responsibilities. Engage stakeholders early to secure buy-in and allocate resources efficiently.

Implement an Effective ISMS

Establish and implement an Information Security Management System (ISMS) tailored to your organisational goals. Implement the 93 Annex A controls, emphasising risk assessment and treatment (ISO 27001:2022 Clause 6.1). Our platform, ISMS.online, automates compliance tasks, reducing manual effort and enhancing precision.

Perform Regular Internal Audits

Conduct regular internal audits to evaluate the effectiveness of your ISMS. Management reviews are essential for performance evaluation and necessary adjustments (ISO 27001:2022 Clause 9.3). ISMS.online facilitates real-time collaboration, boosting team efficiency and audit readiness.

Engage with Certification Bodies

Select an accredited certification body and schedule the audit process, including Stage 1 and Stage 2 audits. Ensure all documentation is complete and accessible. ISMS.online offers templates and resources to simplify documentation and track progress.

Overcome Common Challenges with a Free Consultation

Overcome resource constraints and resistance to change by fostering a culture of security awareness and continuous improvement. Our platform supports maintaining alignment over time, aiding your organisation in achieving and sustaining certification.

Schedule a free consultation to address resource constraints and navigate resistance to change. Learn how ISMS.online can support your implementation efforts and ensure successful certification.

ISO 27001:2022 and Supplier Relationships Requirements

ISO 27001:2022 has introduced new requirements to ensure organisations maintain robust supplier and third-party management programs. This includes:

  • Identifying and Assessing Suppliers: Organisations must identify and analyse third-party suppliers that impact information security. A thorough risk assessment for each supplier is mandatory to ensure compliance with your ISMS.
  • Supplier Security Controls: Ensure that your suppliers implement adequate security controls and that these are regularly reviewed. This extends to ensuring that customer service levels and personal data protection are not adversely affected.
  • Auditing Suppliers: Organisations should audit their suppliers’ processes and systems regularly. This aligns with the new ISO 27001:2022 requirements, ensuring that supplier compliance is maintained and that risks from third-party partnerships are mitigated.

Enhanced Employee Cybersecurity Awareness

ISO 27001:2022 continues to emphasise the importance of employee awareness. Implementing policies for ongoing education and training is critical. This approach ensures that your employees are not only aware of security risks but are also capable of actively participating in mitigating those risks.

  • Human Error Prevention: Businesses should invest in training programs that aim to prevent human error, one of the leading causes of security breaches.
  • Clear Policy Development: Establish clear guidelines for employee conduct regarding data security. This includes awareness programs on phishing, password management, and mobile device security.
  • Security Culture: Foster a security-aware culture where employees feel empowered to raise concerns about cybersecurity threats. An environment of openness helps organisations tackle risks before they materialise into incidents.

ISO 27001:2022 Requirements for Human Resource Security

One of the essential refinements in ISO 27001:2022 is its expanded focus on human resource security. This involves:

  • Personnel Screening: Clear guidelines for personnel screening before hiring are crucial to ensuring that employees with access to sensitive information meet required security standards.
  • Training and Awareness: Ongoing education is required to ensure that staff are fully aware of the organisation’s security policies and procedures.
  • Disciplinary Actions: Define clear consequences for policy violations, ensuring that all employees understand the importance of complying with security requirements.

These controls ensure that organisations manage both internal and external personnel security risks effectively.


Employee Awareness Programs and Security Culture

Fostering a culture of security awareness is crucial for maintaining strong defences against evolving cyber threats. ISO 27001:2022 promotes ongoing training and awareness programs to ensure that all employees, from leadership to staff, are involved in upholding information security standards.

  • Phishing Simulations and Security Drills: Conducting regular security drills and phishing simulations helps ensure employees are prepared to handle cyber incidents.
  • Interactive Workshops: Engage employees in practical training sessions that reinforce key security protocols, improving overall organisational awareness.

Continual Improvement and Cybersecurity Culture

Finally, ISO 27001:2022 advocates for a culture of continual improvement, where organisations consistently evaluate and update their security policies. This proactive stance is integral to maintaining compliance and ensuring the organisation stays ahead of emerging threats.

  • Security Governance: Regular updates to security policies and audits of cybersecurity practices ensure ongoing compliance with ISO 27001:2022.
  • Proactive Risk Management: Encouraging a culture that prioritises risk assessment and mitigation allows organisations to stay responsive to new cyber threats.

Optimal Timing for ISO 27001 Adoption

Adopting ISO 27001:2022 is a strategic decision that depends on your organisation’s readiness and objectives. The ideal timing often aligns with periods of growth or digital transformation, where enhancing security frameworks can significantly improve business outcomes. Early adoption provides a competitive edge, as certification is recognised in over 150 countries, expanding international business opportunities.

Conducting a Readiness Assessment

To ensure a seamless adoption, conduct a thorough readiness assessment to evaluate current security practices against the updated standard. This involves:

  • Gap Analysis: Identify areas needing improvement and align them with ISO 27001:2022 requirements.
  • Resource Allocation: Ensure adequate resources, including personnel, technology, and budget, are available to support the adoption.
  • Stakeholder Engagement: Secure buy-in from key stakeholders to facilitate a smooth adoption process.

Aligning Certification with Strategic Goals

Aligning certification with strategic goals enhances business outcomes. Consider:

  • Timeline and Deadlines: Be aware of industry-specific deadlines for compliance to avoid penalties.
  • Continuous Improvement: Foster a culture of ongoing evaluation and enhancement of security practices.

Utilising ISMS.online for Effective Management

Our platform, ISMS.online, plays a vital role in managing the adoption effectively. It offers tools for automating compliance tasks, reducing manual effort, and providing real-time collaboration features. This ensures your organisation can maintain compliance and track progress efficiently throughout the adoption process.

By strategically planning and utilising the right tools, your organisation can navigate the adoption of ISO 27001:2022 smoothly, ensuring robust security and compliance.

Where Does ISO 27001:2022 Align with Other Regulatory Standards?

ISO 27001 plays a significant role in aligning with key regulatory frameworks, such as GDPR and NIS 2, to enhance data protection and streamline regulatory adherence. This alignment not only strengthens data privacy but also improves organisational resilience across multiple frameworks.

How Does ISO 27001:2022 Enhance GDPR Compliance?

ISO 27001:2022 complements GDPR by focusing on data protection and privacy through its comprehensive risk management processes (ISO 27001:2022 Clause 6.1). The standard’s emphasis on safeguarding personal data aligns with GDPR’s stringent requirements, ensuring robust data protection strategies.

What Role Does ISO 27001:2022 Play in Supporting NIS 2 Directives?

The standard supports NIS 2 directives by enhancing cybersecurity resilience. ISO 27001:2022’s focus on threat intelligence and incident response aligns with NIS 2’s objectives, fortifying organisations against cyber threats and ensuring continuity of critical services.

How Does ISO 27001:2022 Integrate with Other ISO Standards?

ISO 27001 integrates effectively with other ISO standards, such as ISO 9001 and ISO 14001, creating synergies that enhance overall regulatory alignment and operational efficiency. This integration facilitates a unified approach to managing quality, environmental, and security standards within an organisation.

How Can Organisations Achieve Comprehensive Regulatory Alignment with ISO 27001:2022?

Organisations can achieve comprehensive regulatory alignment by synchronising their security practices with broader requirements. Our platform, ISMS.online, offers extensive certification support, providing tools and resources to simplify the process. Industry associations and webinars further enhance understanding and implementation, ensuring organisations remain compliant and competitive.

Can ISO 27001:2022 Effectively Mitigate New Security Challenges?

Emerging threats, including cyber-attacks and data breaches, necessitate robust strategies. ISO 27001:2022 offers a comprehensive framework for managing risks, emphasising a risk-based approach to identify, assess, and mitigate potential threats.

How Does ISO 27001:2022 Enhance Cyber Threat Mitigation?

ISO 27001:2022 strengthens mitigation through structured risk management processes. By implementing Annex A controls, organisations can proactively address vulnerabilities, reducing cyber incidents. This proactive stance builds trust with clients and partners, differentiating businesses in the market.

What Measures Ensure Cloud Security with ISO 27001:2022?

Cloud security challenges are prevalent as organisations migrate to digital platforms. ISO 27001:2022 includes specific controls for cloud environments, ensuring data integrity and safeguarding against unauthorised access. These measures foster customer loyalty and enhance market share.

How Does ISO 27001:2022 Prevent Data Breaches?

Data breaches pose significant risks, impacting reputation and financial stability. ISO 27001:2022 establishes comprehensive protocols, ensuring continuous monitoring and improvement. Certified organisations often experience fewer breaches, maintaining effective security measures.

How Can Organisations Adapt to Evolving Threat Landscapes?

Organisations can adapt ISO 27001:2022 to evolving threats by regularly updating security practices. This adaptability ensures alignment with emerging threats, maintaining robust defences. By demonstrating a commitment to security, certified organisations gain a competitive edge and are preferred by clients and partners.

Cultivating a Security Culture with ISO 27001 Compliance

ISO 27001 serves as a cornerstone in developing a robust security culture by emphasising awareness and comprehensive training. This approach not only fortifies your organisation’s security posture but also aligns with current cybersecurity standards.

How to Enhance Security Awareness and Training

Security awareness is integral to ISO 27001:2022, ensuring your employees understand their roles in protecting information assets. Tailored training programmes empower staff to recognise and respond to threats effectively, minimising incident risks.

What Are Effective Training Strategies?

Organisations can enhance training by:

  • Interactive Workshops: Conduct engaging sessions that reinforce security protocols.
  • E-Learning Modules: Provide flexible online courses for continuous learning.
  • Simulated Exercises: Implement phishing simulations and incident response drills to test readiness.

How Does Leadership Influence Security Culture?

Leadership plays a pivotal role in embedding a security-focused culture. By prioritising security initiatives and leading by example, management instils responsibility and vigilance throughout the organisation, making security integral to the organisational ethos.

What Are the Long-Term Benefits of Security Awareness?

ISO 27001:2022 offers sustained improvements and risk reduction, enhancing credibility and providing a competitive edge. Organisations report increased operational efficiency and reduced costs, supporting growth and opening new opportunities.

How Does ISMS.online Support Your Security Culture?

Our platform, ISMS.online, aids organisations by offering tools for tracking training progress and facilitating real-time collaboration. This ensures that security awareness is maintained and continuously improved, aligning with ISO 27001:2022’s objectives.

Navigating Challenges in ISO 27001:2022 Implementation

Implementing ISO 27001:2022 involves overcoming significant challenges, such as managing limited resources and addressing resistance to change. These hurdles must be addressed to achieve certification and enhance your organisation’s information security posture.

Identifying Common Implementation Hurdles

Organisations often face difficulties in allocating adequate resources, both financial and human, to meet ISO 27001:2022’s comprehensive requirements. Resistance to adopting new security practices can also impede progress, as employees may be hesitant to alter established workflows.

Efficient Resource Management Strategies

To optimise resource management, prioritise tasks based on risk assessment outcomes, focusing on high-impact areas (ISO 27001:2022 Clause 6.1). Our platform, ISMS.online, automates compliance tasks, reducing manual effort and ensuring critical areas receive the necessary attention.

Overcoming Resistance to Change

Effective communication and training are key to mitigating resistance. Engage employees in the implementation process by highlighting the benefits of ISO 27001:2022, such as enhanced data protection and GDPR alignment. Regular training sessions can foster a culture of security awareness and compliance.

Enhancing Implementation with ISMS.online

ISMS.online plays a pivotal role in overcoming these challenges by providing tools that enhance collaboration and streamline documentation. Our platform supports integrated compliance strategies, aligning ISO 27001 with standards like ISO 9001, thereby improving overall efficiency and regulatory adherence. By simplifying the implementation process, ISMS.online helps your organisation achieve and maintain ISO 27001:2022 certification effectively.

What are the key differences between ISO 27001:2022 and earlier versions?

ISO 27001:2022 introduces pivotal updates to meet evolving security demands, enhancing its relevance in today’s digital environment. A significant change is the expansion of Annex A controls, now totalling 93, which include new measures for cloud security and threat intelligence. These additions underscore the growing importance of digital ecosystems and proactive threat management.

Impact on Compliance and Certification
The updates in ISO 27001:2022 require adjustments in compliance processes. Your organisation must integrate these new controls into its Information Security Management System (ISMS), ensuring alignment with the latest requirements (ISO 27001:2022 Clause 6.1). This integration streamlines certification by providing a comprehensive framework for managing information risks.

New Controls and Their Significance
The introduction of controls focused on cloud security and threat intelligence is noteworthy. These controls help your organisation protect data in complex digital environments, addressing vulnerabilities unique to cloud systems. By implementing these measures, you can enhance your security posture and reduce the risk of data breaches.

Adapting to New Requirements
To adapt to these changes, your organisation should conduct a thorough gap analysis to identify areas needing improvement. This involves assessing current practices against the updated standard, ensuring alignment with new controls. By using platforms like ISMS.online, you can automate compliance tasks, reducing manual effort and enhancing efficiency.

These updates highlight ISO 27001:2022’s commitment to addressing contemporary security challenges, ensuring your organisation remains resilient against emerging threats.

Why should Compliance Officers prioritise ISO 27001:2022?

ISO 27001:2022 is pivotal for compliance officers seeking to enhance their organisation’s information security framework. Its structured methodology for regulatory adherence and risk management is indispensable in today’s interconnected environment.

Navigating Regulatory Frameworks
ISO 27001:2022 aligns with global standards like GDPR, providing a comprehensive framework that ensures data protection and privacy. By adhering to its guidelines, you can confidently navigate complex regulatory landscapes, reducing legal risks and enhancing governance (ISO 27001:2022 Clause 6.1).

Proactive Risk Management
The standard’s risk-based approach enables organisations to systematically identify, assess, and mitigate risks. This proactive stance minimises vulnerabilities and fosters a culture of continuous improvement, essential for maintaining a robust security posture. Compliance officers can utilise ISO 27001:2022 to implement effective risk treatment strategies, ensuring resilience against emerging threats.

Enhancing Organisational Security
ISO 27001:2022 significantly enhances your organisation’s security posture by embedding security practices into core business processes. This integration boosts operational efficiency and builds trust with stakeholders, positioning your organisation as a leader in information security.

Effective Implementation Strategies
Compliance officers can implement ISO 27001:2022 effectively by utilising platforms like ISMS.online, which streamline efforts through automated risk assessments and real-time monitoring. Engaging stakeholders and fostering a security-aware culture are crucial steps in embedding the standard’s principles across your organisation.

By prioritising ISO 27001:2022, you not only safeguard your organisation’s data but also drive strategic advantages in a competitive market.

How does ISO 27001:2022 enhance security frameworks?

ISO 27001:2022 establishes a comprehensive framework for managing information security, focusing on a risk-based approach. This approach allows your organisation to systematically identify, assess, and address potential threats, ensuring robust protection of sensitive data and adherence to international standards.

Key Strategies for Threat Mitigation

  • Conducting Risk Assessments: Thorough evaluations identify vulnerabilities and potential threats (ISO 27001:2022 Clause 6.1), forming the basis for targeted security measures.
  • Implementing Security Controls: Annex A controls are utilised to address specific risks, ensuring a holistic approach to threat prevention.
  • Continuous Monitoring: Regular reviews of security practices allow adaptation to evolving threats, maintaining the effectiveness of your security posture.

Data Protection and Privacy Alignment
ISO 27001:2022 integrates security practices into organisational processes, aligning with regulations like GDPR. This ensures that personal data is handled securely, reducing legal risks and enhancing stakeholder trust.

Building a Proactive Security Culture
By fostering security awareness, ISO 27001:2022 promotes continuous improvement and vigilance. This proactive stance minimises vulnerabilities and strengthens your organisation’s overall security posture. Our platform, ISMS.online, supports these efforts with tools for real-time monitoring and automated risk assessments, positioning your organisation as a leader in information security.

Incorporating ISO 27001:2022 into your security strategy not only fortifies defences but also enhances your organisation’s reputation and competitive advantage.

What advantages does ISO 27001:2022 offer to CEOs?

ISO 27001:2022 is a strategic asset for CEOs, enhancing organisational resilience and operational efficiency through a risk-based methodology. This standard aligns security protocols with business objectives, ensuring robust information security management.

How does ISO 27001:2022 enhance strategic business integration?

Risk Management Framework:
ISO 27001:2022 provides a comprehensive framework for identifying and mitigating risks, safeguarding your assets, and ensuring business continuity.

Regulatory Compliance Standards:
By aligning with global standards like GDPR, it minimises legal risks and strengthens governance, essential for maintaining market trust.

What are the competitive advantages of ISO 27001:2022?

Reputation Enhancement:
Certification demonstrates a commitment to security, boosting customer trust and satisfaction. Organisations often report increased client confidence, leading to higher retention rates.

Global Market Access:
With acceptance in over 150 countries, ISO 27001:2022 facilitates entry into international markets, offering a competitive edge.

How can ISO 27001:2022 drive business growth?

Operational Efficiency:
Streamlined processes reduce security incidents, lowering costs and improving efficiency.

Innovation and Digital Transformation:
By fostering a culture of security awareness, it supports digital transformation and innovation, driving business growth.

Integrating ISO 27001:2022 into your strategic planning aligns security measures with organisational goals, ensuring they support broader business objectives. Our platform, ISMS.online, simplifies compliance, offering tools for real-time monitoring and risk management, ensuring your organisation remains secure and competitive.

How to facilitate digital transformation with ISO 27001:2022

ISO 27001:2022 provides a comprehensive framework for organisations transitioning to digital platforms, ensuring data protection and adherence to international standards. This standard is pivotal in managing digital risks and enhancing security measures.

How to Manage Digital Risks Effectively
ISO 27001:2022 offers a risk-based approach to identify and mitigate vulnerabilities. By conducting thorough risk assessments and implementing Annex A controls, your organisation can proactively address potential threats and maintain robust security measures. This approach aligns with evolving cybersecurity requirements, ensuring your digital assets are safeguarded.

How to Foster Secure Digital Innovation
Integrating ISO 27001:2022 into your development lifecycle ensures security is prioritised from design to deployment. This reduces breach risks and enhances data protection, allowing your organisation to pursue innovation confidently while maintaining compliance.

How to Build a Culture of Digital Security
Promoting a culture of security involves emphasising awareness and training. Implement comprehensive programmes that equip your team with the skills needed to recognise and respond to digital threats effectively. This proactive stance fosters a security-conscious environment, essential for successful digital transformation.

By adopting ISO 27001:2022, your organisation can navigate digital complexities, ensuring security and compliance are integral to your strategies. This alignment not only protects sensitive information but also enhances operational efficiency and competitive advantage.

What are the key considerations for implementing ISO 27001:2022?

Implementing ISO 27001:2022 involves meticulous planning and resource management to ensure successful integration. Key considerations include strategic resource allocation, engaging key personnel, and fostering a culture of continuous improvement.

Strategic Resource Allocation
Prioritising tasks based on comprehensive risk assessments is essential. Your organisation should focus on high-impact areas, ensuring they receive adequate attention as outlined in ISO 27001:2022 Clause 6.1. Utilising platforms like ISMS.online can automate tasks, reducing manual effort and optimising resource use.

Engaging Key Personnel
Securing buy-in from key personnel early in the process is vital. This involves fostering collaboration and aligning with organisational goals. Clear communication of the benefits and objectives of ISO 27001:2022 helps mitigate resistance and encourages active participation.

Fostering a Culture of Continuous Improvement
Regularly reviewing and updating your Information Security Management System (ISMS) to adapt to evolving threats is crucial. This involves conducting periodic audits and management reviews to identify areas for enhancement, as specified in ISO 27001:2022 Clause 9.3.

Steps for Successful Implementation
To ensure successful implementation, your organisation should:

  • Conduct a gap analysis to identify areas needing improvement.
  • Develop a comprehensive project plan with clear objectives and timelines.
  • Utilise tools and resources, such as ISMS.online, to streamline processes and enhance efficiency.
  • Foster a culture of security awareness through regular training and communication.

By addressing these considerations, your organisation can effectively implement ISO 27001:2022, enhancing its security posture and ensuring alignment with international standards.

Start your ISO 27001:2022 journey with ISMS.online. Schedule a personalised demo now to see how our comprehensive solutions can simplify your compliance and streamline your implementation processes. Enhance your security framework and boost operational efficiency with our cutting-edge tools.

How Can ISMS.online Streamline Your Compliance Journey?

  • Automate and Simplify Tasks: Our platform reduces manual effort and enhances precision through automation. The intuitive interface guides you step-by-step, ensuring all necessary criteria are met efficiently.
  • What Support Does ISMS.online Offer?: With features like automated risk assessments and real-time monitoring, ISMS.online helps maintain a robust security posture. Our solution aligns with ISO 27001:2022’s risk-based approach, proactively addressing vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Why Schedule a Personalised Demo?: Discover how our solutions can transform your strategy. A personalised demo illustrates how ISMS.online can meet your organisation’s specific needs, offering insights into our capabilities and benefits.

How Does ISMS.online Enhance Collaboration and Efficiency?

Our platform fosters seamless teamwork, enabling your organisation to achieve ISO 27001:2022 certification. By utilising ISMS.online, your team can enhance its security framework, improve operational efficiency, and gain a competitive edge. Book a demo today to experience the transformative power of ISMS.online and ensure your organisation remains secure and compliant.

Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.

Related Topics

ISO 27001

The Resilience Factor: Breaking Down the BridgePay Ransomware Attack

Operational shutdown is the last thing any business wants, but it is a very real risk during a ransomware attack. This is a lesson US payment gateway provider BridgePay learnt the hard way.

By Kate O’Flaherty

In February, US payment gateway provider BridgePay was hit by a ransomware attack that knocked key systems offline, triggering a widespread outage. The incident had a ripple effect, disrupting many of BridgePay’s customers for weeks. Restaurants and retailers were forced to tell customers they could no longer accept card payments, while the City of Palm Bay, Florida’s online billing payment portal was kicked offline.

The BridgePay outage was a lesson in the importance of resilience, especially in critical sectors such as finance. “The attack was an operational shutdown,” Oliver Newbury, chief strategy officer at Halcyon says. “That tells you resilience either was not designed for this scenario or had not been properly exercised.”

Textbook Ransomware

It comes at a time when ransomware resilience is on the agenda, with a UK ban on payments for critical national infrastructure and public sector organisations on the horizon. Verizon’s Data Breach Investigations Report found businesses detected ransomware in 44% of all cyber-attacks. Meanwhile, 19% of respondents to IO’s State of Information Security report said they had experienced a ransomware incident in the past 12 months. Where a significant proportion of organisations have experienced attacks, often involving data encryption and extortion, the costs escalate dramatically when response and recovery are ad hoc rather than planned.

In BridgePay’s case, the incident itself was “a textbook ransomware attack”, says Harry Mason, head of client services at IT managed service provider Mason Infotech. “A user identity was compromised, services were switched off by the attacker, and a ransom was demanded for recovery. This resulted in the platform being down for three weeks before it was fully operational again.”

Yet while customer card details remained safe, the costs of the incident piled up quickly. “A lot of time and money was spent employing the forensic, recovery and security specialist teams needed to get back online,” Mason points out.

Ransomware attacks like the one that hit BridgePay succeed and cause disruption because of gaps in oversight, says Rob O’Connor, EMEA CISO at Insight. “This includes unclear accountability, under-tested recovery plans, weak supplier risk management and insufficient scrutiny of cyber resilience.”

Systemic Risk

In many organisations, gaps between cybersecurity, business continuity and compliance functions are creating systemic exposure. The problem grows when these functions sit side by side, rather than being fully integrated, according to Halcyon’s Newbury.

Trouble often shows up “at the edges between teams”, Stewart Parkin, global CTO at Assured Data Protection tells IO. “Security wants to isolate and contain. Continuity wants to bring systems back quickly. Compliance wants accurate reporting and regulator notifications. If those conversations haven’t happened before an incident, they’ll collide during one.”

It is only when ransomware strikes that the disconnect becomes obvious, Newbury agrees. “Decision rights blur, priorities clash and escalation routes stall. The result is that downtime drags on, not because the technology cannot be restored, but because the organisation was not aligned to respond.”

In the case of BridgePay, where ransomware quite literally took the business and its customers offline, it shows why downtime in payment systems is now viewed as a systemic risk, with regulatory and reputational implications.

The BridgePay incident had such a large impact because “just a handful of key players” now support “a significant proportion” of global digital payments, says Luke Fardell, lead cyber analyst in cyber underwriting at Tokio Marine Kiln. This means a single disruption “can cascade across multiple sectors and industries at once”, potentially affecting retailers, utilities, public services and small and medium-sized enterprises (SMEs), Fardell explains.

As regulators seek to avoid this level of disruption in critical industries, legislation is increasingly mandating measures beyond simply preventing attacks. “Someone can have excellent firewalls and still end up offline,” points out Assured Data Protection’s Parkin. “What they now want to see is proof you can recover, properly and within defined timeframes.”

The EU’s Digital Operational Resilience Act (DORA) is a key example. The regulation mandates that businesses, such as banks and insurance companies, must demonstrate that they can recover to a state of business as usual within a set time frame. “A key component of this is undergoing regular stress testing that holds them to specific 'return to operation' and 'restore point objective' targets,” explains Mason Infotech’s Mason.

Structured, Board-Visible Resilience Governance

The BridgePay incident and its cascading fall-out show the very real costs of downtime as a result of ransomware attacks. To avoid a similar fate, financial infrastructure environments must now create structured, board-visible resilience governance. In plain terms, this requires the board to understand exactly which services matter most and how long they can afford them to be down, according to Assured Data Protection’s Parkin. “It means dependencies are mapped properly, recovery is tested regularly, and suppliers are held to clear resilience standards. Decision-making must be rehearsed, not improvised.”

For optimum results, training is crucial, encompassing “the full breadth of the business”, says Mason Infotech’s Mason. C-suite should know what is expected of them and how to action it, he says, adding that “everyone must understand supply chain risks”, with “particular attention on tier-1 dependencies and the failover plan in the event they go down”.

At the same time, frameworks such as ISO 27001 can help firms identify, assess, and address potential threats, ensuring robust protection of sensitive data and adherence to international standards. Regular reporting and assessment of risks is key to ensuring a business is ready to get back online if it is “subject to a ransomware attack tomorrow”, Mason adds. “This looks like putting RTO and RPO timelines in place and testing them regularly to check they are achievable. In the event of an attack, there must also be a system in place for incident reporting.”

There are multiple lessons to be learned from the BridgePay incident, but ultimately, it is a reminder that ransomware is no longer just about encrypted files, says Halcyon’s Newbury. “In payment environments, it is a direct test of whether governance and recovery are strong enough to keep the business standing when prevention fails.”

Expand Your Knowledge

  • Blog: State of Information Security Report: 11 Key Statistics and Trends for the Finance Industry
  • Podcast: Phishing for Trouble Episode #09 - What Not to Do in a Disaster
  • Blog: Pay the Ransom or Not? Government Considerations on Paying a Way Out of Cybercrime
ISO 14001

How nesevo Unlocked Multi-Certification Compliance Success with IO

“The most useful IO feature was the Headstart content. The “adapt or adopt” concept was a game changer for us; the ARM also helped a lot to get going.”

Philipp Zuderell Chief Information Security Officer, nesevo

Learn how nesevo:

  • Achieved ISO 27001 certification in nine months and ISO 14001 certification in three months
  • Used IO’s built-in Headstart content and Assured Results Method to ensure certification success
  • Are preparing to expand compliance across quality management, health and safety management, and more.

nesevo provides data centre and office IT services to customers across the globe. From structured cabling and data centre relocations to networking hardware procurement, technical office installations, and WiFi optimisation, the business provides a 360° service approach covering procurement, pre-configuration, logistics, installation, patching, and testing.

The nesevo team were preparing to pursue ISO 27001 certification, but they were struggling to manage compliance efficiently across disparate documents and spreadsheets. To streamline the process, they needed a solution that enabled them to consolidate their ISO 27001 compliance management into one platform. They also required initial guidance in understanding the standard’s structure and addressing requirements.

“The requirements of ISO 27001 were overwhelming in the beginning. I understood pretty quickly that it would be impossible to manage with only generic tools like Excel.”

Philipp Zuderell Chief Information Security Officer, nesevo

A key consideration was to ensure the team could evolve and improve their information security management system (ISMS) without requiring ongoing support and on-site visits from expensive external consultants. As such, the business needed a solution that supported the team in achieving and maintaining ISO 27001 compliance independently.

“Our tools should be convenient and easy to use, both on and off-site, while at the same time being secure.”

Philipp Zuderell Chief Information Security Officer, nesevo

“For a company like nesevo with teams working across multiple countries and time zones, having our ISMS and EMS in a cloud-based platform is essential. It allows our globally distributed team to collaborate on compliance processes from anywhere while maintaining a consistent and transparent approach to information security and environmental management.”

Nils Kubowitsch Head of Marketing and Environmental Impact Assessor, nesevo

Philipp and the team implemented the IO platform to centralise their ISO 27001 compliance management and certification. They used the platform’s Headstart content: a bank of tools and pre-written policy and control templates. The team also followed the platform’s 11-step Assured Results Method (ARM), which enabled them to work through the compliance process without bringing in an external consultant.

In addition to centralising their compliance, Philipp and the team received support from IO to manage and schedule their internal and external audits. IO has an extensive partner network featuring a range of consultants and auditor partners. Team nesevo were put in contact with IO’s partners, Cybercontrols and PJR, who provided internal and external auditing respectively. These partners were also familiar with the IO platform, which streamlined the overall certification process.

“Having IO as a partner also means that we get support managing and scheduling our internal and external audits, which is something I didn’t expect, but is a huge benefit.”

Philipp Zuderell Chief Information Security Officer, nesevo

Using the IO platform to streamline their compliance management and ARM to guide the implementation process, nesevo achieved ISO 27001 certification in just nine months. The process was simplified by the guidance provided by nesevo’s dedicated compliance success manager (CSM), Wayne, who supported the team through implementation.

“I found the IO platform quite easy to use and navigate. Wayne would also follow up every 1-2 weeks during the implementation process and loop in the right people to answer all questions.”

Philipp Zuderell Chief Information Security Officer, nesevo

The business swiftly followed their ISO 27001 success with ISO 14001 certification, which they achieved in three months. Now, the team are using the platform to work towards ISO 45001 and ISO 9001 compliance and certification. Philipp shares that the IO platform’s built-in review reminder function and the content ownership and sign-off process are the most valuable for the nesevo team as they maintain and improve their ISMS and EMS.

“The review reminders, content ownership responsibilities, and the sign-off process are all ISO requirements that are taken care of by the IO platform, so you don’t have to worry about them.”

Philipp Zuderell Chief Information Security Officer, nesevo

Longer-term, the nesevo team plan to accomplish both ISO 45001 and ISO 9001 certification alongside their existing ISO 27001 and ISO 14001 achievements. Using the IO platform will enable them to continue achieving, maintaining, and managing compliance without bringing in external consultants. They are also considering R2 certification, an important standard for IT asset disposition and electronics recycling businesses.


Neurodiversity Celebration Week: Bringing Awareness to Action

As we enter Neurodiversity Celebration Week, it is important that we consider why this week matters. For many people, it is an opportunity to spread awareness of neurodiversity, how it affects individuals, and how neurodivergent people experience the workplace and society more broadly. However, awareness alone is insufficient. In a world where only 31-34% of autistic people are employed, it is important that we assess what it is we do with that awareness. How do we translate understanding into practical changes that create environments where people can perform at their best?

One of the most meaningful ways to do this is through the way we lead and structure our work: in the literal sense of being a leader at work, but also in the operational design choices that shape how teams collaborate, make decisions, and manage risk. Once we understand this better, we can turn our awareness of neurodiversity into action.

Why Inclusion Is a Security Issue

The steps we take towards inclusivity aren’t just for the benefit of neurodiverse individuals; they are for the benefit of your entire business. Cognitive diversity can bring many new perspectives that help your business operations, particularly when it comes to security discussions such as risk management. Different ways of analysing information or questioning assumptions can help uncover risks that may otherwise go unnoticed.

However, when these discussions are unstructured, we can unintentionally close ourselves off to valuable perspectives that could contribute immensely to our understanding of different areas of the business and how to keep them secure. Fast-moving conversations, unclear expectations, or informal decision-making can make it harder for some people to contribute their thinking effectively.

Security teams also frequently operate in high-pressure environments. During situations such as incident response, the clearer and more predictable a process is, the more confidently teams can respond. In many ways, the operational practices that support inclusion are also the practices that strengthen governance, risk management, and security maturity.

Five Practical Actions Security Leaders Can Take

As with many infosec processes, we believe simplicity and sustainability are often the best way forward. That being said, here are five simple, practical steps that security leaders can take to create a more inclusive and effective working environment:

1. Introduce Structure Into Risk Workshops and Meetings

  • Circulating agendas in advance – This allows people to prepare their thoughts on the topics of the workshop or meeting ahead of the discussion. Neurodiverse people often communicate more confidently when they have what they want to say prepared beforehand. Providing agendas in advance allows everyone to prepare their contributions and engage more confidently in discussions.
  • Sharing materials before discussions – Similar to the above, this allows people to prepare for any discussion prior to the meeting. It also helps to erase dominance bias, especially when it comes to the inclusion or exclusion of information. People can do their own research beforehand or afterwards if this is a more effective way for them to retain information, and bring that research, or any questions that have arisen from it, to the discussion.
  • Allowing written input alongside verbal discussion – Giving people the option to communicate in writing alongside verbal communication allows teams to cater to different communication styles. Some people may not feel confident speaking on a call and would prefer to plan and write out what they want to say so they can amend it to get their point across effectively. Allowing follow-up comments or written contributions after meetings can also encourage more thoughtful responses and improve the overall quality of feedback.

2. Prioritise Clear, Written Communication

Clear written communication benefits everyone in an organisation, but it is particularly valuable in security and compliance environments where accountability and traceability matter.

  • Documenting decisions and rationales – This reduces ambiguity about the decisions made, who is accountable for them, and the reasons they have been put in place. It also helps people adjust to decisions more quickly if they can see the intended outcome, which can be particularly helpful to neurodiverse people who struggle with unforeseen changes. It also strengthens governance oversight by creating a clear record that can be referenced later or reviewed during audits.
  • Defining expectations clearly – People often feel more confident in their work when expectations are clearly defined. This helps individuals understand what success looks like and how their responsibilities contribute to wider organisational goals. Clear expectations also make it easier for employees to take ownership of their work, and give them the tools to advocate for themselves on that basis.
  • Reducing reliance on informal verbal updates – Informal verbal updates can easily be missed, misinterpreted, or forgotten. Ensuring they are clearly documented in a place that can be referenced means the information reaches the right people and is retained long term, whether by employees or an auditor.

3. Clarify Roles in Incident Response Plans

Incident response environments can be high-pressure, and uncertainty can quickly create confusion. Clear roles and responsibilities help ensure that teams can respond quickly and confidently.

  • Explicit role definitions – Knowing exactly who is responsible for what in a high-pressure environment can alleviate the stress individuals may be feeling, allow them to focus solely on what they are responsible for, and lessen the risk of confusion or of responsibilities being overlooked.
  • Clear escalation paths – Knowing who you can turn to when you need to is often reassuring for employees. It means they never feel they have to deal with anything alone and that there is support no matter their needs. It also gives managers good organisational visibility, and clear escalation paths ensure issues reach the right level of authority quickly.
  • Defined decision authority – Making decisions during security incidents can be daunting, particularly when those decisions may have significant consequences. Knowing who has decision authority in set circumstances helps employees move more quickly and means the right person can make the right decision sooner.

4. Provide Multiple Formats for Training and Policy Engagement

Security policies, training, and compliance guidance are most effective when people can engage with them in ways that work best for them.

  • Written guidance – Many people process information better when they can take it in at their own pace, in their own time. Written guidance can also be referred back to in order to refresh memory or in times of high stress, so it is retained more accurately and for longer.
  • Recorded briefings – Some people, such as those with dyslexia, may struggle to take in written communication. Recorded briefings or recordings of meetings can be a much more helpful format for them to go back and refer to. It also means information from the briefing can be passed on easily, allowing important information to reach the places it needs to, whenever it needs to.
  • Structured documentation – Adding structure to your documents, including but not limited to a table of contents and headings, makes your information easier to digest, especially when it is read over a period of time and referred back to, because people can navigate the information in the way they need at the time. This is particularly helpful for compliance documentation, where employees may need to reference specific sections quickly.

5. Enable Asynchronous Contribution

Not all valuable contributions happen in real time. Allowing people to contribute asynchronously can improve the quality of feedback and decision-making across security and compliance discussions.

  • Shared documents for feedback – Shared documents allow team members to add comments, questions, or suggestions in their own time. This often encourages more thoughtful input than fast-moving discussions alone.
  • Structured digital tools – Using structured tools such as ticketing systems, risk registers, or collaborative platforms can provide clear channels for feedback and contributions. These tools also help create traceable records of discussions and decisions.
  • Clear deadlines for input – Clear deadlines allow people to comfortably plan their work and manage their contribution. They also mean that if there are any issues, people can communicate them in a timely manner. Being able to prioritise your work and plan your working day can make work less stressful for neurodivergent people who have difficulty with uncertainty and change.

You may notice that many of these steps are not exclusive to supporting neurodivergent individuals, but benefit pretty much anyone in your business. This is because neurodivergent people are not too different from neurotypical people in a lot of ways. Often people feel more comfortable with several options for how they work, and inclusive design is about making sure we have options for everyone, not just one single group or way of working. Measuring inclusion through feedback and embedding review into governance cycles ensures that we are giving every employee in our organisation the opportunity to perform at their best, and to feel their best doing so. It is about not being rigid in the way we treat people but honouring that everybody works best differently. It is not a one-size-fits-all option and requires continuous review and improvement.

From Awareness to Operational Action

As mentioned, awareness is just the starting point. It is through acting on that awareness, in how we work, how we structure our organisation, and how we treat others, that we demonstrate a real investment in inclusivity and the benefits that come with it. Including different ways of learning, thinking, and communicating allows organisations to benefit from a broader range of perspectives, which can be critical when it comes to security and compliance.

Security leaders can lead the way on this by embedding inclusion into operational design. This isn’t just a token gesture, but an intuitive and progressive way forward for the entire running of an organisation. Inclusion strengthens resilience and governance maturity by making sure everybody is able to understand and demonstrate their role in the organisation in the way that works best for them.

The fact of the matter is, we often don’t know if somebody is neurodiverse or not unless they decide to speak on it. But it is our responsibility as leaders to make sure that everybody has the tools they need to feel happy and comfortable at work, as this is the best way to work towards our shared goals. By designing systems that recognise different ways of working and learning, organisations not only support their people but also strengthen their ability to manage risk, respond to incidents, and achieve their shared goals. This is not just possible; it is the best decision you can make for your organisation.

Expand Your Knowledge

Discover how ISO 27001 Clauses 6.3 and 5.2 can support inclusive practices in your ISMS.

  • Blog - Leadership Strategies for Balancing Security Workloads and Compliance Success
  • Blog - Beyond Representation – Why Inclusion Is a Business-Critical Risk Strategy

US Cyber Agreements Withdrawal Signals Corporate Risk

Recent actions by the US administration make multilateral cybersecurity coordination between that government and others less certain in the future. What does this mean for boards struggling to get their arms around cybersecurity and compliance risk?

In January, the Trump administration withdrew the US from 66 international organisations. These included three with clear cybersecurity mandates: the Global Forum on Cyber Expertise, the Freedom Online Coalition, and the European Centre of Excellence for Countering Hybrid Threats. These groups help coordinate cyber policy, share expertise, and support cross-border incident response. Two were initiatives the US helped establish. Leaving them signals a more inward-facing cybersecurity posture and raises questions about how much international collaboration will continue to underpin cyber governance.

This is not the administration’s first move affecting cyber cooperation. Earlier decisions saw staff reductions at CISA and changes to some of its operational priorities, which inevitably affect its capacity for international engagement. For businesses operating across the US, UK and Europe, the issue is less about any individual decision and more about what it signals: a gradual shift toward a more fragmented, regionally driven cybersecurity environment.

The Challenge For Coordinated Incident Response

Multilateral frameworks provide the connective tissue for intelligence sharing between national cybersecurity authorities. That infrastructure becomes especially important during large-scale incidents that cross borders. When crises hit, national CERTs and cybersecurity agencies manage domestic response. But complex cyber incidents often affect multiple jurisdictions simultaneously, requiring coordination at the regional or international level. Agreements such as the ENISA–CISA cooperation arrangement signed in late 2023 were designed to strengthen transatlantic coordination during major incidents. With the geopolitical environment shifting, the durability of these arrangements is less certain.

Major cyber incidents already strain the response capacity of individual states. Cross-border events rely on cooperation between national authorities and regional institutions. UK and EU organisations will likely assume a greater share of that coordination role. The EU Cyber Blueprint, adopted last June, enhances crisis coordination at both political and technical levels. ENISA already has a mandate to support and coordinate responses to significant cross-border incidents. In the UK, the NCSC manages cross-government coordination for major cyber incidents and can work directly with affected organisations on response and communication.

The infrastructure for international cooperation still exists. The question is whether it scales effectively in a more regionally fragmented environment, particularly if US participation in multilateral coordination becomes less central.

Expect Regulatory Divergence

That fragmentation also applies to regulation. US, UK, and EU cyber regulations have never been fully aligned. But as geopolitical priorities diverge, so too may regulatory expectations. Multilateral forums previously helped smooth those differences by creating spaces for coordination. Without that alignment, regulatory frameworks are likely to drift further apart, particularly around incident disclosure timelines, breach notification thresholds, and what counts as 'significant.'

The EU has moved furthest toward prescriptive, cross-sectoral mandatory regulation. NIS 2 covers 18 critical sectors and imposes 24-hour early warning and 72-hour incident notification, with fines of up to €10 million or 2% of global turnover. The US regulatory environment is evolving in a different direction. The Trump administration's approach is largely deregulatory. The SEC's cybersecurity disclosure rules face political opposition, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has been delayed, and there is no federal privacy law.

For multinational organisations, the result is a more complicated compliance landscape. Companies may need to build parallel compliance programmes to cover multiple jurisdictions or accept greater exposure to local enforcement risk. Organisations operating across the US, UK and EU will need to navigate increasingly distinct regulatory expectations.

Supply Chain and Third-Party Risk

Third-party risk management was already an ongoing challenge, but the less that nation states collaborate on best practices and protections, the more complex that becomes. The EU Cyber Resilience Act will mandate software bills of materials (SBOMs) for all products with digital elements sold into the EU. The Digital Operational Resilience Act (DORA) adds another layer by giving EU regulators direct oversight of critical ICT providers, including US cloud companies serving EU financial institutions. The proposed EU Cybersecurity Act 2 goes further, introducing supply chain security frameworks specifically targeting third-country supplier risk.

Meanwhile, the US approach is narrower, applying SBOMs primarily to federal procurement under EO 14028. The UK has no legislative equivalent. The result is three major markets operating under increasingly different product security expectations. A US company selling software into Europe faces product-level compliance obligations its domestic regulatory environment does not prepare it for. Without strong international coordination mechanisms, businesses themselves must manage that complexity.

Why This Makes ISO 27001 More Valuable

All of this means that corporate playbooks need updating. The smart money is betting on jurisdiction-agnostic frameworks. ISO 27001 suddenly looks prescient, because it translates across borders. Five controls in the 2022 version specifically address third-party security, reflecting the growing importance of vendor assurance. Perhaps more importantly, regulators from Singapore to Stockholm recognise it. While it does not replace jurisdiction-specific compliance requirements, it provides a consistent foundation organisations can use to manage security across multiple regulatory environments. In a fragmented governance landscape, that consistency becomes strategically useful.

A Board-Level Risk, Not Just a Diplomatic One

For boards, the withdrawal from international cyber cooperation frameworks may not represent an immediate operational threat. But it does point to a structural shift in how global cybersecurity governance is evolving. Cyber cooperation between governments has long helped reduce regulatory divergence, improve crisis coordination and create shared expectations around security practices. As those mechanisms weaken or evolve, businesses face greater responsibility for maintaining resilience, interoperability and supply chain assurance themselves.

Global cybersecurity does not collapse when one major actor steps back from multilateral engagement. But it does become more complex. And for organisations operating across the US, UK and Europe, complexity is risk, one that must increasingly be managed within the enterprise rather than assumed to be stabilised by international coordination.

How Autotech Group Drives Continuous Information Security Improvement with ISO 27001

“The certification is a byproduct of the journey – we’ve done this to improve ourselves as a business and improve our approach to information security management, end user training and processes.”

Jack Salsbury Head of IT and Information Security, Autotech Group

Learn how Autotech Group:

  • Achieved ISO 27001 certification in 11 months
  • Used the IO platform to streamline ISMS implementation
  • Leveraged SGG’s ISO 27001 expertise to support success
  • Embedded information security best practices for continuous improvement

Autotech Group, an automotive and mobility sector specialist, consists of four brands: Autotech Recruit, Autotech Training, Autotech Academy and Autotech Connect.

The business is an award-winning specialist consultancy driving innovation across the automotive and wider mobility sectors. Through bespoke solutions built around the business’s three core areas of expertise – people, skills, and technology – they’re tackling one of the industry’s most urgent challenges: the growing workforce shortage.

The Autotech Group team needed to achieve ISO 27001 compliance as part of their strategic approach to information security. They knew that by building, maintaining, and improving an ISO 27001-compliant information security management system (ISMS), they could ensure the business’s approach to information security was in line with best practices.

“Information security doesn’t stay static. We’re always changing and evolving, making sure our information security is proportionate to what we need as a business rather than just adding in anything we can get.”

Jack Salsbury Head of IT and Information Security, Autotech Group

ISO 27001 certification would also enable Autotech Group to demonstrate to stakeholders that the business met core information security requirements. Many of Autotech Group’s suppliers and partners required evidence of information security compliance, with requirements often beyond the scope of baseline security frameworks like Cyber Essentials and Cyber Essentials Plus.

This made demonstrating effective information security measures crucial to ongoing success: ISO 27001 certification would be a catalyst for growth.

“For us, Cyber Essentials and Cyber Essentials Plus were no longer sufficient. ISO 27001 became that broader next step in terms of certification and being able to evidence our information security.”

Jack Salsbury Head of IT and Information Security, Autotech Group

However, with their internal ISO 27001 expertise still developing, the team needed additional support to work through the implementation and a platform to consolidate the compliance process.

The team employed the expertise of information security consultants, SGG, and leveraged the IO platform to centralise their compliance management. Internally, Autotech Group’s Project Manager, Nadège, provided dedicated project management. She aligned the ISO 27001 project structure and responsibilities with internal resources and business requirements to ultimately ensure successful certification.

Chris Gill, Head of Cybersecurity, GRC and Auditing at SGG, provided support throughout the certification process. He worked with the Autotech Group team to discuss areas of the standard that were slightly ambiguous and shared best practices for implementation. Chris said: “Both Jack and Nadège had a high level of competence when it came to information security. SGG’s role was to provide clarity on the technical requirements of ISO 27001:2022 and consult on how to effectively implement and conform to the requirements.”

“SGG brought clarity and expertise to the certification process, addressing areas of the standard where we needed support.”

Jack Salsbury Head of IT and Information Security, Autotech Group

Jack and Nadège used IO’s 11-step Assured Results Method (ARM) to take a strategic approach to implementation. They also used the platform’s built-in policy and control templates and adapted them to ensure they were specific to the context of the business.

“The platform gave us the framework and the content that we could adapt – our internal ISO 27001 experience was developing, so that was invaluable to support our success.”

Nadège Gavarret-Clarke Project Manager, Autotech Group

Using the IO platform, Autotech Group was also able to map requirements between ISO 27001 and ISO 9001, the quality management standard, and align controls where they overlapped. This prevented the duplication of work and streamlined compliance management across the two standards.

“ARM gave us a rational way to approach the ISO 27001 standard, and we could use that to then drill down to each of the clauses and Annex A controls.”

Jack Salsbury Head of IT and Information Security, Autotech Group

With this holistic approach to compliance across people, process and platform, Autotech Group achieved ISO 27001 certification in 11 months. The business now has a robust ISMS, and the team are continuing to progress their approach to information security management, committing to the ISO 27001 requirement of continuous improvement.

Autotech Recruit is now one of the only recruitment businesses of its size to have both ISO 27001 and ISO 9001 certification, reflecting the team’s commitment to quality and security.

“IO has given us peace of mind that we can address improvements that come out of our audits and measure those improvements. We can see where we’re at, and when we make a change, we can see the impact. The IO platform gives us a really clear view of what we’ve improved on a control basis.”

Jack Salsbury Head of IT and Information Security, Autotech Group

While successful ISO 27001 certification was the core objective, Jack shared that it was equally important that the standard’s best practices were applied effectively across the business:

“The certification is a byproduct of the journey – we’ve done this to improve ourselves as a business and improve our approach to information security management, end user training and processes.”

Jack Salsbury Head of IT and Information Security, Autotech Group

Autotech Group have booked their next three audits with SGG to ensure ongoing compliance and evolve the maturity of their ISMS. Jack said: “One of the things I found most useful about working with SGG is discussing the expected level of maturity of an ISMS as you go through the journey.”

“It’s been great to see the way Autotech Group have matured their processes and policies since I’ve been working with them. I’m looking forward to conducting their internal audits to determine compliance with the requirements of ISO 27001:2022 and areas of improvement as our partnership evolves.”

Chris Gill Head of Cybersecurity, GRC and Auditing, SGG

The team are working on Autotech Group’s GDPR compliance over the coming months. Using the IO platform, they plan to start with a gap analysis to identify where the controls they implemented for ISO 27001 certification can align with GDPR requirements and where more work is required.


EU Digital Omnibus Bill: Joined-up Compliance on the Agenda

The EU has introduced a new Digital Omnibus Bill designed to streamline data protection, cybersecurity and AI regulation. How can organisations ensure their own compliance strategies are adaptable and joined-up to remain resilient as digital regulation evolves?

By Kate O’Flaherty

Navigating the multitude of digital laws across numerous jurisdictions is a minefield for most organisations. And the ongoing struggle to comply with them all individually makes little sense when so many of the regulations’ requirements overlap. It is with this in mind that the EU has proposed a Digital Omnibus Bill designed to streamline and align data protection, cybersecurity and AI regulation. First announced in November 2025, the Bill is currently under consultation and targeted for implementation in early 2027. It is expected to deliver up to 5 billion euros in savings by 2029.

As digital regulation covering data protection, cybersecurity and AI converges, it is reshaping expectations around governance, accountability and risk management. Organisations now need adaptable and joined-up compliance strategies to remain resilient as digital regulation evolves.

Perfect Moment for a Bill

The Bill has arrived at the perfect moment. Over time, the accumulation of new rules on digital security, data integrity and privacy has increased complexity and driven up compliance costs for organisations operating in the EU, says Ben Lipczynski, director of security services at Origina. Regulations such as the EU General Data Protection Regulation (GDPR), Network and Information Systems 2 (NIS2), the Cyber Resilience Act and the EU AI Act have been introduced with clear objectives. Yet their overlap has “created unnecessary administrative burden and reduced competitiveness”, says Lipczynski. With the proposed Digital Omnibus Bill, the EU has recognised that “fragmented and duplicative digital regulation” is undermining the effectiveness of the single market, he tells IO.

The Digital Omnibus is not just another law. It should be seen as the EU admitting that the old model of treating multiple regulations as separate silos no longer works, says Tracey Hannan-Jones, consulting director, information security and GRC and group DPO at UBDS Digital. “It is the EU's first attempt to partially unify the digital rulebook, with optimisation across data, AI and cyber, by amending existing instruments — rather than layering new ones on top.” In reality, this means it's “a horizontal clean-up”. It amends GDPR, NIS2, the EU AI Act, the Data Governance Act, and others, through “one coordinated package”, Hannan-Jones explains.

Law Overlaps

Current digital laws overlap across multiple areas. For example, NIS2, the Cyber Resilience Act and the EU AI Act overlap in relation to incident reporting and resilience requirements. These overlaps are expected to be addressed through the proposed Single-Entry Point, which aims to simplify and consolidate reporting obligations across frameworks, says Origina’s Lipczynski. This will be a major shift away from often siloed regulatory frameworks, which can result in “increased complexity and competing requirements”, says Lipczynski.

Currently, when reporting cyber incidents, organisations may be required to report to multiple independent agencies — each prioritising different datasets within the incident report. “This can create significant administrative burden at a critical time.” Similarly, tracking and responding to changes across numerous regulations — often communicated through independent and dispersed channels — adds further complexity. “This fragmentation makes it harder to align response plans and governance structures, increasing both compliance effort and operational risk,” says Lipczynski.

Alignment could allow organisations to streamline and standardise their compliance frameworks and realise operational efficiencies — and therefore savings, says Lipczynski. “Resource can then be directed to efforts which may further develop the capabilities and competitiveness of the business.”

However, organisations should note that while regulatory convergence creates opportunities, it may also create some challenges, says David Dumont, partner, Hunton Andrews Kurth. “A harmonised and clear set of digital rules may require organisations to adopt a more comprehensive and consistent approach to their data practices and related obligations, leaving less room to hide behind the complexities and inconsistencies of the current patchwork of regulations.”

Joined-up Digital Risk Governance in Practice

The Digital Omnibus Bill is a clear sign that companies need to shake up siloed approaches to data protection, cybersecurity and AI compliance. Firms should strive for “joined-up” digital risk governance, which means that “internal multidisciplinary stakeholders must work together and speak the same language”, says Hunton Andrews Kurth’s Dumont. To achieve this, privacy, legal and compliance teams should try to translate legal requirements into technical terms. “This will help IT and data governance teams to identify relevant existing measures within the organisation and fully leverage them for compliance with the framework of new digital laws,” he advises.

In practice, joined-up digital risk governance means establishing a single governance layer through which all sensitive data communications — whether email, file sharing, managed file transfer, or web forms — are routed, monitored, and controlled under one consistent set of policies, says Dario Perfettibile, general manager, EMEA GTM and customer operations at Kiteworks. “It means that the same encryption standards, access controls, and audit logs that satisfy GDPR's data protection requirements also serve as evidence for NIS2 incident reporting and Cyber Resilience Act vulnerability management.” It also means that when an employee shares data with a third-party AI vendor, the exchange is automatically governed by the same controls that protect patient records or financial transactions. “You’ll need a complete chain of custody visible to auditors across every applicable framework,” adds Perfettibile.

Future-Proof Compliance

With the Digital Omnibus Bill coming in a year, it makes sense to start future-proofing your compliance strategy now. Aligning with governance frameworks and ISO standards such as ISO 27001 (information security), ISO 42001 (AI management), and ISO 27701 (privacy) is crucial for navigating the changes.

To ensure joined-up compliance going forward, UBDS Digital’s Hannan-Jones advises firms to consolidate their governance bodies. As part of this, she suggests the creation of a single digital risk committee to own data protection strategy (GDPR), cybersecurity posture (NIS2/CRA), AI governance (AI Act) and product compliance (CRA/sectoral rules).

At the same time, if you're operating across multiple jurisdictions, the strategic move is to look at all laws and frameworks and map the overlap, not just the obligations, says Hannan-Jones. She advises building a matrix that shows where regulation such as GDPR, NIS and the AI Act require risk assessments, governance roles, technical and organisational measures, incident reporting and documentation with record-keeping. “Then design shared processes where the overlaps are strongest.”

Organisations can standardise their assessments and documentation by developing one core risk assessment methodology with modules for privacy, AI, and security. “Ensure that unified baselines are captured including access control, logging and monitoring, testing and encryption,” she adds. As digital regulations converge, this should tie back to a unified incident response programme that classifies breaches across privacy, security and AI. “And, where appropriate, automatically map them to the relevant legal reporting duties and timelines,” says Hannan-Jones. “This will enable you to create one evidence trail that can be reused for multiple regulators.”

Why Do GDPR Fines Keep Rising?

General Data Protection Regulation fines continue to increase as European regulators toughen their response to data incidents. According to the GDPR Enforcement Tracker, firms incurred over 330 fines in 2025. Law firm DLA Piper claims they totalled €1.2 billion.

Social media firm TikTok was hit with 2025’s largest GDPR fine. Issued in Ireland, the €530 million fine concerned its sharing of European user data with China-based personnel. Last year also saw Luxembourg’s data supervisory authority uphold a 2021 €746m GDPR fine issued against Amazon after it harvested user data for advertising purposes without user consent. An appeal by Amazon was rejected, suggesting that European data protection watchdogs are serious about GDPR enforcement.

The continued prevalence of GDPR fines can be attributed to a record increase in data breach notifications, which firms must issue within 72 hours of a data incident. DLA Piper found that, in 2025, these notifications reached 400 per day for the first time since GDPR’s 2018 implementation. Between January 2024 and January 2026, they topped 443 - up 22% from 363. DLA Piper attributes this to hacking driven by global geopolitical instability, increased press coverage of cybercrime, and the emergence of data breach laws and rules that mandate incident notifications.

Clearly, data protection regulators aren’t prepared to ignore GDPR violations now that the law has been in place for eight years. However, with data the lifeblood of modern organisations and GDPR fines posing not just a financial risk but wider harm to businesses, what can they do to comply?

Regulators Are Clamping Down

A major reason behind the recent spate of GDPR fines is that regulators believe businesses have had more than enough time to understand the law and put it into practice, according to Lucas von Stockhausen, executive director of security engineering at application security firm Black Duck.
He tells IO that data protection authorities have had enough of the excuses used by non-compliant firms and are now focused on holding them accountable. Ignoring this could result in “substantial penalties” for companies, with regulators able to fine up to €20 million or 4% of global annual revenue for the worst infringements.

Despite regulators continuing to clamp down on GDPR violations by issuing fines, many firms remain oblivious to this. Jake Moore, global cybersecurity advisor at antivirus software maker ESET, says data protection is a “tickbox exercise” for lots of organisations - when, in fact, it should be embedded throughout every area of a modern business. He says this results in “weak access controls” and a failure to keep track of where sensitive data is located. Consequently, data can easily fall into the hands of unauthorised parties, and if businesses are unsure where they stored a particular piece of data, they’ll struggle to fulfil data deletion requests. These issues put firms at risk of GDPR fines.

But GDPR non-compliance doesn't just put businesses at risk of costly fines - it can harm all aspects of a company's operations. Jo Brianti, a data protection specialist, says cleanup efforts can result in “operational disruption” when executives have to dedicate already-stretched schedules to them. Executives could even be liable for fines themselves if they knew about GDPR failures and didn’t intervene, she adds. She says neglecting GDPR can also damage firms’ reputations, expose them to costly lawsuits launched by affected customers, make it harder for businesses to operate in different markets by disrupting “platform obligations and cross-border data flows”, and show up in due diligence reports, leading to a loss of sales and other business opportunities.

AI Is Changing The Playing Field

The growing adoption of artificial intelligence technology by businesses is also contributing to rising GDPR fines.
As AI is trained on large datasets to function and improve over time, the risk of data leaks and subsequent regulatory action is significant. And because many firms use AI systems developed by third-party technology vendors, they don’t always have control over how the data they input into these applications is stored and protected. According to von Stockhausen of Black Duck, this means there’s a real risk of inadvertent data exposure and subsequent GDPR enforcement. He tells IO: “The efficiency gains can be tremendous, but from a GDPR standpoint, the central risk is clear: organisations must be able to guarantee that AI outputs do not reveal personal data.”

When it comes to securing AI systems and the data upon which they rely, businesses aren’t just expected to follow GDPR guidelines. There’s also a growing legislative landscape dedicated to AI. It’s easy for firms to treat GDPR and AI compliance as separate entities, but this could be counterproductive. ESET’s Moore explains that because data privacy and AI governance use identical datasets, businesses are better off “treating them as one joined-up discipline with clear ownership”. Doing so can simplify workloads and eliminate duplicated work, making employees less likely to neglect data. Moore says it can result in fewer fines for businesses.

Brianti is another firm believer in a joined-up approach to data and IT governance, explaining that regulators are now “converging GDPR with a wider digital package”. She cites the EU’s Digital Services Act, Digital Markets Act, and updates to existing data and AI-related laws as examples. According to Brianti, failing to comply with any one of these laws can cause “knock-on effects across multiple regulatory frameworks”.
She tells IO: “This turns GDPR from a legal silo into a strategic risk affecting corporate governance, investor risk profiles, acquisition due diligence and reputation management.”

Getting Compliance Right

As regulators continue to enforce GDPR, von Stockhausen of Black Duck says their primary expectation is that businesses have implemented a “clear” data privacy strategy that explains the reasons behind personal data collection, whether the data is actually needed, and their data storage and protection methods. “Regulators are looking for companies that handle personal information deliberately, responsibly, and with a clear understanding of the risks,” he says. “Those that don’t are increasingly finding themselves under scrutiny.”

But he says the most important way to stay compliant with GDPR is to be constantly vigilant about data privacy and security risks. To do this, he says businesses must enforce “demonstrable safeguards”, constantly monitor the threats posed by new technologies and adapt existing data privacy strategies accordingly.

For businesses unsure where to start, Brianti recommends integrating best practices outlined in professional standards and frameworks into everyday processes to meet regulatory requirements such as GDPR. She says ISO 27001 is great for handling information security-related issues and ISO 27701 for privacy. Cyber Essentials and NIST 800-53 are two more of her top picks.
Other recommendations from Brianti to ensure GDPR compliance include:

  • logging the location of personal data and the way it's processed in an inventory;
  • adopting privacy-by-design principles so products are always data secure;
  • defining roles and responsibilities related to data privacy;
  • educating staff on the importance of data privacy;
  • documenting all decisions made about data privacy;
  • determining data risks through impact assessments;
  • keeping these assessments and everything related to data in a single environment; and
  • ensuring all incident response activities are aligned.

It’s easy to think of GDPR non-compliance as just paying a fine and moving on. But that’s wishful thinking. GDPR enforcement can deal a huge blow to business operations and growth. That's why it should be treated as a strategic priority, rather than a tickbox exercise just to please bureaucrats. And when GDPR compliance is aligned with other IT-related governance activities, businesses can rest assured they’ll keep regulators happy and protect themselves from a fast-changing cyber threat landscape.

DXS International Breach: Lessons Learned for Healthcare

As high-stakes incidents in the healthcare sector surge, organisations must learn to manage information security, data protection and AI risk as a connected governance challenge. How can this be done?

By Kate O’Flaherty

On 14 December 2025, DXS International — which provides healthcare information and clinical decision support for roughly 10% of all NHS referrals in England — suffered a data breach impacting its office servers. In a filing with the London Stock Exchange, DXS International claimed the breach was “immediately contained” in a joint effort by its internal IT security teams in close cooperation with NHS England. But soon afterwards, the DevMan ransomware group claimed to have stolen 300GB of data, including internal budgets and financial files.

While the incident itself had minimal impact and the company's front-line clinical services remained operational, it’s a prime example of how third-party risk can cascade through the supply chain. As incidents such as this surge, healthcare organisations must learn to manage information security, data protection and AI risk as a connected governance challenge. How can this be done?

A Major Problem

Because DXS International’s services remained up and running, it’s easy to dismiss the breach as uneventful. However, while frontline clinical services stayed up, other issues could show up further down the line, says Skip Sorrels, field CTO-CISO at Claroty. “When you compromise the administrative backbone of healthcare delivery, you're creating long-tail risks such as identity theft, phishing campaigns, and erosion of patient trust.” Sorrels points out that “operational” doesn't mean “safe”: “Attackers are deliberately targeting the softer administrative systems because they know these suppliers often lack the same security rigor as the clinical infrastructure they support.”

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, concurs with this assessment.
“Stolen data can be misused, affecting patient privacy for years.” He describes how financial repercussions, including investigation costs, legal fees and possible fines, could strain resources already under pressure in public health services. “Moreover, it highlights systemic issues in digital health infrastructure, prompting broader scrutiny of how interconnected technologies handle sensitive information.”

Third Party Risks

UK healthcare has strengthened its cyber efforts continuously since the WannaCry ransomware attack hit the NHS in 2017. Regulators are placing increasing focus on supply chains, recognising that vulnerabilities in managed service providers or critical suppliers can have wide-reaching impacts, says Katharina Sommer, group head of government affairs at NCC Group.

Third-party and supply-chain risks represent “one of the most pressing security challenges in healthcare”, as the sector increasingly relies on external vendors for essential services, says Curran. “Software supply chain attacks are highly dangerous and increasingly prevalent because they exploit the interconnected nature of modern software development,” Curran tells IO. “These attacks target vulnerabilities in dependencies, build processes, or third-party components, often allowing attackers to compromise multiple companies through a single point of failure.”

Beyond the immediate impact, issues can be caused by smaller organisations with “large systemic footprints, but limited security maturity”, says Tracey Hannan-Jones, consulting director, information security and GRC, and group DPO at UBDS Digital. Making things worse, the healthcare sector is facing a visibility challenge, according to Claroty’s Sorrels. “Most healthcare organisations struggle to truly understand the security posture of their third and fourth-party vendors.
You can't outsource a service and think you've outsourced the risk.”

Regulatory Expectations

In addition to supply chain security, regulation increasingly mandates that critical services such as healthcare take extra steps to boost resilience. When breaches do happen, those operating in the sector are expected to safeguard data and stick to stringent reporting requirements.

The DXS International breach provides insight into the regulatory expectations governing healthcare data in the UK and EU, particularly under the General Data Protection Regulation (GDPR) and aligned UK data protection laws. “These frameworks mandate that organisations processing personal data, including health information, must ensure robust safeguards and respond transparently to incidents,” says Ulster University’s Curran. In this case, DXS's “prompt notification” to the Information Commissioner's Office (ICO) and law enforcement aligns with GDPR Article 33, which requires breach reporting within 72 hours if there is a risk to individuals' rights and freedoms, Curran says. Similarly, UK requirements under the Data Protection Act 2018 emphasise accountability, compelling entities to document and mitigate risks associated with data handling, he adds. “The ICO's ongoing assessment of the incident reflects how regulators scrutinise not just the breach itself, but the adequacy of response measures, including containment and investigation protocols,” he tells IO.

Regulators increasingly demand evidence of proactive risk management because reactive approaches have proven insufficient against evolving threats — as evidenced by the rising number of cyber incidents in healthcare, according to Curran.

Interconnected Risks

It comes at a time when cyber, privacy and AI risks are becoming inseparable in healthcare environments due to connected systems, data sharing and automation. Meanwhile, AI-driven tools are reshaping risk profiles.
The DXS International incident exemplifies this convergence, where a supplier's breach could “potentially expose integrated networks handling patient data, blending cybersecurity threats with privacy concerns”, says Curran. Data sharing across ecosystems – between providers, suppliers, and even cross-border entities – further erodes traditional boundaries, he points out. “Under frameworks such as the NHS's Health and Social Care Network, information flows dynamically. This interconnectedness can lead to a cyber incident cascading into privacy violations, such as the inadvertent disclosure of sensitive health records.”

With this risk in mind, treating cyber, privacy, and AI risks in silos within healthcare environments “fosters significant blind spots”, says Curran. Instead, firms need to take a joined-up approach to risk governance. This requires using integrated frameworks that bring together information security, data protection and AI governance to support resilience, trust and long-term compliance. For example, organisations need to consider AI agents and humans as “a combined workforce that interacts with software and infrastructure”, says Javvad Malik, lead CISO advisor at KnowBe4. “For this we need clear accountability, supplier assurance, and oversight that brings data, humans, and AI together to support trust and resilience.”

Frameworks such as the National Cyber Security Centre’s Cyber Assessment Framework, ISO 27001 and NIST Cybersecurity Framework provide “practical tools to integrate controls, policies and risk metrics”, says NCC Group’s Sommer. “This helps organisations build trust, demonstrate compliance and manage cyber risk in a coherent and defensible way.” Ulster University’s Curran advises establishing “cross-functional teams” comprising experts from cybersecurity, privacy and AI to collaborate on risk assessments, ensuring that threats are evaluated through “a multifaceted lens”.
Resilient, Trustworthy and Future-Ready

Healthcare organisations and the suppliers they rely on must work to build more resilient, trustworthy and future-ready risk management practices. To do so, organisations need to move towards a unified approach to risk, says Ivan Milenkovic, vice president risk technology EMEA at Qualys. “Instead of reinventing the wheel, the best teams integrate established international standards for security, privacy and the emerging frontier of AI management into one engine.”

Central to this is embedding risk management into organisational culture through unified policies that mandate “regular, integrated audits”, Ulster University’s Curran advises. Meanwhile, implement a shared responsibility model with your vendors, says Claroty’s Sorrels. “Don't treat supplier contracts as 'set and forget’. Demand continuous transparency, evidence of security testing and proof they're meeting baseline standards.”

What the LastPass Breach Tells Us About Compliance in 2026

The GDPR was always meant to be vague. By not listing prescriptive technical controls – as, for example, PCI DSS does – the regulation does a better job of staying relevant over time. Yet its principle of “technology neutrality” can also be a source of frustration to compliance teams. For more pragmatic guidance, many turn to best practice standards like ISO 27001:2022, which promotes a structured, risk-led approach to cybersecurity. Yet as data breaches at LastPass and other organisations have shown, it’s not a panacea – especially if teams don’t approach compliance with a mindset of continuous review and improvement.

What Happened to LastPass?

The 2022 LastPass breach is thought to have exposed the details of around 30 million global customers, including 1.6 million in the UK. By any standard, it was a fairly sophisticated attack, which featured two distinct phases:

  1. A threat actor compromised a software engineer’s laptop, which gave them access to an SSE-C key. They could theoretically have used this to access backups of customer data, including encrypted password vaults. However, the key was encrypted, and full access to the database also required a second AWS access key.
  2. A threat actor was able to exploit a vulnerability in the Plex video streaming service which had been downloaded to the personal laptop of a senior development operations engineer. This enabled them to install a keylogger and subsequently decrypt the SSE-C key and get hold of the AWS access key. That opened the door to those encrypted password vaults.

Because master passwords to these vaults were stored locally on customer devices and never shared with LastPass, they should have been safe. But poor implementation of the PBKDF2 algorithm meant countless passwords were brute forced in the years since the breach, leading to an estimated $35m in cryptocurrency theft.
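The PBKDF2 weakness described above is the kind of control a risk owner can check mechanically rather than take on trust. The following Python is an added example, not LastPass or ICO code: it derives a vault key with PBKDF2-HMAC-SHA256, verifies a master password in constant time, and audits a constructed set of vault records against a policy floor. The floor of 600,000 iterations, the VaultRecord fields, the function names and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Policy floor used by this audit. Assumed for the example; set it from your
# own standard (e.g. the ISO 27001 secure authentication control, regulator
# guidance) and review it as hardware gets faster.
MIN_PBKDF2_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int,
                     dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation for a password vault.

    The iteration count is the one parameter the defender controls that
    scales the per-guess cost of an offline attack on a stolen, encrypted
    vault: every guess must repeat `iterations` HMAC rounds.
    """
    if iterations < 1:
        raise ValueError("iterations must be a positive integer")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen)


def verify_master_password(master_password: str, salt: bytes,
                           iterations: int, expected_key: bytes) -> bool:
    """Constant-time comparison so verification does not leak timing."""
    candidate = derive_vault_key(master_password, salt, iterations,
                                 len(expected_key))
    return hmac.compare_digest(candidate, expected_key)


@dataclass(frozen=True)
class VaultRecord:
    account_id: str
    iterations: int      # PBKDF2 iteration count stored with the vault
    last_rotated: str    # ISO date the KDF setting was last changed


def relative_guess_cost(iterations: int,
                        baseline: int = MIN_PBKDF2_ITERATIONS) -> float:
    """Fraction of the policy-level work an offline guess costs at this count.

    0.01 means each guess costs 1% of the policy floor, so the same hardware
    covers roughly 100x more candidate master passwords in the same time.
    """
    return iterations / baseline


def audit_kdf_settings(records):
    """Return findings for records whose KDF settings fall below the floor.

    Each finding carries the cost ratio so the risk owner can prioritise by
    how far below the floor the account sits.
    """
    findings = []
    for rec in records:
        if rec.iterations < MIN_PBKDF2_ITERATIONS:
            findings.append({
                "account_id": rec.account_id,
                "iterations": rec.iterations,
                "cost_ratio": relative_guess_cost(rec.iterations),
                "action": "re-encrypt vault with current iteration count",
            })
    return findings


# Constructed sample records for the example (not real LastPass data).
SAMPLE_RECORDS = [
    VaultRecord("acct-legacy-01", 5_000, "2018-03-01"),
    VaultRecord("acct-legacy-02", 100_100, "2020-06-15"),
    VaultRecord("acct-current-01", 600_000, "2024-01-10"),
]

if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print(verify_master_password("correct horse battery staple", salt,
                                 600_000, key))
    for f in audit_kdf_settings(SAMPLE_RECORDS):
        print(f"{f['account_id']}: {f['iterations']} iterations "
              f"({f['cost_ratio']:.2%} of policy cost) -> {f['action']}")
```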
What the ICO Said

The Information Commissioner’s Office (ICO) fined LastPass £1.2m for its “failure to implement and use appropriate technical and organisational measures, contrary to Article 5(1)(f) UK GDPR and Article 32(1).” Specifically, the firm allowed senior engineers to use personal laptops to access production keys, it allowed employees to link personal and business vaults with the same master password, and it failed to rotate AWS keys after the first incident. Yet the regulator acknowledged that compliance with ISO 27001:2022 should have meant the company followed the ICO’s own guidance on securing home working devices and segregating personal and business devices/accounts. It clearly didn’t.

“LastPass is not an outlier. Our recent research found that more than a quarter (26%) of privacy professionals believe their organisation is likely to experience a material privacy breach within the next year. This level of risk is fast becoming the norm,” ISACA chief global strategy officer, Chris Dimitriadis, tells IO (formerly ISMS.online). “Compliance with standards such as ISO 27001 is essential – but it is only the starting point. The LastPass breach underlines a hard truth: privacy and data protection cannot be reduced to box-ticking. Organisations must move beyond minimal compliance towards enterprise-wide capability and maturity assessments.”

Moving with the Times

LastPass isn’t the first and certainly won’t be the last company to suffer a serious breach despite technically being certified with best practice standards. Other notable cases include:

  • 23andMe: The DNA testing firm was fined £2.3m by the ICO after a breach impacting millions of customers. It failed to mandate multi-factor authentication (MFA) for users, had insufficient monitoring for unusual activity, and enabled threat actors to abuse an internal feature (DNA Relatives) to access more accounts than they should have been able to.
  • Interserve Group: The outsourcer was fined £4.4m after a breach of employee data. Despite the intrusion being flagged by the firm’s endpoint protection tooling, it failed to investigate.

Cases like this don’t highlight the shortcomings of standards like ISO 27001. They prove that many organisations still aren’t approaching compliance programmes with the right mindset. “While ISO 27001, SOC 2 and other standards are an excellent and time-tested baseline to assess corporate information security, they are not – and have never been – designed as a guarantee that a company is unhackable or that 100% of policies or procedures are properly followed,” explains ImmuniWeb CEO, Ilia Kolochenko. “Moreover, even if all policies and procedures are duly followed, it does not mean or imply that the underlying processes are technically flawless.”

Dennis Martin, crisis management and business resilience specialist at technology services firm Axians UK, adds that standards-based compliance is only helpful when leaders insist controls work in practice. “Security measures must be tested, validated, and challenged regularly. Assumptions and documented processes are no substitute for evidence. A ‘don’t trust, test’ mindset is essential if organisations want confidence in their security posture,” he tells IO (formerly ISMS.online). “Effective compliance is continuous. Threats evolve, business operations change, and controls degrade over time. Regular review and improvement are necessary to ensure that what is written down still reflects reality.”

Continuous Improvement

In fact, ISO 27001:2022 “explicitly recognises” that security must not stand still, Oleria VP of security, Didier Vandenbroeck, tells IO.
“A core principle of the standard is continual improvement, with auditors expected to raise opportunities for improvement where controls may be technically compliant but no longer appropriate to the evolving threat landscape,” he explains. “When certification becomes a tick-box exercise, that principle is lost. Certificates are ultimately meaningless if organisations do not follow them in practice or fail to challenge whether existing controls still make sense given how people actually work and how attackers operate.”

IO CPO, Sam Peters, agrees. “This is why frameworks and standards are most effective when treated as living management systems, effectively operating models for managing cyber risk, rather than static compliance milestones,” he tells IO. “The principle of continuous improvement, embedded through regular review, challenge and adaptation, has been central to our approach at IO since inception and reflects what regulators increasingly expect to see in practice. Used in this way, frameworks provide a durable foundation for organisations to manage cyber risk in an environment of constant change, rather than a snapshot of compliance at a single point in time.”

Such an approach is particularly important for managing GDPR risk at a time when regulators are placing an ever-greater emphasis on context. “Regulators are very clearly signalling that ‘appropriate technical and organisational measures’ should be understood as contextual and evolving, rather than fixed or static. What is deemed appropriate will vary depending on factors such as risk exposure, data sensitivity and the threat landscape, and is increasingly being assessed after an incident has occurred,” he concludes. “In practice, this means regulators are less interested in whether a framework has been adopted, and more focused on how effectively it is being used to identify, review and manage information security risk over time.”

From Fragmented to Fine-Tuned: How Logiq Built a Robust, ISO 27001-Certified ISMS

“IO eliminates ambiguity, increases accountability, and provides end-to-end traceability from risk to control to evidence.”

Lars Hauger CTO, Logiq

Learn how Logiq:

  • Achieved ISO 27001 certification in 12 months
  • Used the Assured Results Method to streamline compliance and certification
  • Leveraged Dunamis Technology’s consultancy to support success
  • Unlocked improved information security engagement across the business.

Logiq is a Nordic SaaS provider specialising in secure and high-availability information exchange between businesses. For more than 25 years, Logiq has operated a mission-critical digital trade network that handles large-scale EDI, e-invoicing, and document flows for enterprises throughout the Nordic region.

Logiq’s service platform runs 24/7 with >99.99% uptime and is an integral component in the financial and supply-chain processes of its customers.

“We needed a unified governance platform with predictable workflows, evidence management, and strong auditability.”

Lars Hauger CTO, Logiq

The business’s primary target was to achieve ISO 27001 certification by implementing a clearly structured, audit-ready information security management system (ISMS). This would also support continued compliance with key regulations like GDPR and NIS 2 as well as stringent financial-sector expectations.

Logiq had an existing ISMS built across different tools and formats, including a custom-built intranet, spreadsheets, internal repositories and locally-stored documents. While this approach was functional, it lacked integrated governance, automation, and centralised control. The Logiq team found that maintaining consistency, traceability and version control across policies, registers, controls and audits was challenging.

Lars and the team required guidance to accelerate implementation and ensure a robust, certification-ready ISMS structure, as well as a centralised platform to consolidate their efforts and streamline compliance management.

Logiq brought on the services of Dunamis Technology to provide expert support and guidance throughout ISO 27001 implementation. The Dunamis Technology team helped to structure the business’s ISMS, configure registers, refine policy frameworks, and map evidence efficiently. Dunamis Technology recommended using the IO platform to address the issue of Logiq’s existing, fragmented governance environment.

“We solved this by implementing IO, creating a fully centralised, consistent, and version-controlled environment that eliminated ambiguity and increased accountability.”

Ronny Stavem CEO & Head of Digital Security Services, Dunamis Technology

Logiq migrated their existing ISMS content to the IO platform. They then used Dunamis Technology’s implementation methodology, IO’s comprehensive 11-step Assured Results Method (ARM) and the platform’s pre-configured ISO 27001 framework to establish a robust ISMS in line with the requirements of the standard.

“Our key focus was ensuring the IO platform was used optimally and translating complex standards and auditor expectations into practical, operationally suited workflows.”

Ronny Stavem CEO & Head of Digital Security Services, Dunamis Technology

The Logiq team leveraged the platform’s core compliance management features to ensure certification success: centralised policy management, risk management module, asset and supplier registers, automated compliance mapping, and structured reporting. The audit, corrective action and evidence-linking features also provided a clear audit trail.

“The guided frameworks, pre-configured ISO control sets, and automated modules for policies, assets, and audits significantly streamlined our workflows.”

Lars Hauger CTO, Logiq

The Logiq team cite the IO platform’s pre-configured ISO 27001 framework and automated evidence management as the most valuable elements of working with IO: “It eliminated uncertainty and simplified complex tasks.”

“Dunamis Technology provided expert guidance throughout the implementation helping structure our ISMS, configure registers, refine policy frameworks, and map evidence efficiently.”

Lars Hauger CTO, Logiq

Logiq achieved ISO 27001:2022 certification in approximately 12 months, including planning, migration of existing content, and internal readiness assessments. Lars estimates that working with Dunamis Technology and IO enabled the business to reduce ISMS maintenance, evidence handling and audit preparation time by 40-60%.

Lars said: “The consolidation of documentation alone saved substantial operational hours across the organisation.”

“IO eliminates ambiguity, increases accountability, and provides end-to-end traceability from risk to control to evidence.”

Lars Hauger CTO, Logiq

The support provided by Dunamis Technology also directly accelerated Logiq’s path to certification, ensuring the business’s workflow aligned with ISO 27001 requirements. Their audit experience helped Logiq to shape a definitive, certification-ready ISMS within the IO platform. They were able to translate standards and auditor expectations into practical, operationally suited workflows for Logiq.

“Dunamis Technology’s audit experience and practical recommendations were instrumental in shaping a certification-ready ISMS. Their experience ensured that our ISMS became both compliant and genuinely usable.”

Lars Hauger CTO, Logiq

Team Logiq has also unlocked unexpected benefits from using IO. With ISO 27001 compliance consolidated into one platform, the business has strengthened cross-department information security alignment. Roles and responsibilities are more transparent and non-security stakeholders are more engaged. As a result, Logiq has built a stronger organisation-wide governance culture.

“Even non-technical stakeholders were able to adopt the IO solution with confidence once they had adjusted to the new structure.”

Lars Hauger CTO, Logiq

The Logiq team continue to evolve their ISMS in line with ISO 27001’s continuous improvement requirements by expanding ISMS workflows and maturing supplier management controls. The business is also leveraging the IO platform for broader compliance areas including NIS 2 and future regulatory requirements with the support and expertise of Dunamis Technology.

“The platform’s architecture is ideal for managing multiple standards simultaneously, which is critical for Logiq given their future compliance needs.”

Ronny Stavem CEO & Head of Digital Security Services, Dunamis Technology


The Biggest AI Governance Challenges in 2026

This year’s Safer Internet Day theme, “smart tech, safe choices – exploring the safe and responsible use of AI”, stresses the importance of responsible AI use. AI use has become commonplace in business, offering leaders a tempting combination of increased productivity and reduced costs. As such, organisations are now using AI for everything from their recruitment efforts to their threat monitoring. However, implementing and using AI ethically, responsibly, and safely isn’t just a nice-to-have. It’s key to ensuring compliance with regulations like the EU AI Act, safeguarding sensitive customer information, and mitigating risk.

Our State of Information Security Report 2025 exposed the key AI-related challenges organisations are facing, from governance and implementation struggles to AI-powered attacks and emerging threats. In this blog, we explore these challenges and how organisations can address them.

Shadow AI

One in three (34%) respondents to the State of Information Security Report 2025 said internal misuse of generative AI tools, also known as shadow AI, was a key emerging threat concern for their business over the next 12 months. Meanwhile, 37% shared that their employees had already used generative AI tools without organisational permission or guidance.

Shadow AI is a pressing issue for organisations. Unauthorised AI use can increase the risk of data breaches and violations of data protection regulations, potentially leading to heavy fines for non-compliance as well as reputational damage.

To manage shadow AI use, businesses must first identify where AI is being used and what it’s being used for.

  • Consider limiting access to these domains and platforms until your business has established and shared clear governance and usage policies.
  • Create AI usage policies that define which AI tools are approved and which are not.
  • Establish guidelines around the types of data that can and cannot be entered into prompts – for example, intellectual property, customer data and financial data should never be entered into free, public versions of large language models.
  • Implement an employee education programme to ensure staff are aware of their information security responsibilities, including safe AI usage.
  • Firewalls or DNS filtering to block prohibited sites can act as strong technical controls; however, this may lead to employees finding other ways to access them regardless.
  • Consider fostering an open environment where there are clear policies for use and employees can ask questions about new AI tools, with a streamlined approval process.

The Pace of AI Adoption

Over half (54%) of the respondents to our State of Information Security Report admit their business adopted AI technology too quickly and is now facing challenges in scaling it back or implementing it more responsibly. The Report’s findings reflect the vast gulf between the pace of AI adoption and the pace of AI governance. Often, businesses are implementing guardrails around AI usage only after errors have occurred, leaving them scrambling to course correct.

ISO 42001 can offer a robust, proactive solution. The standard provides a framework for establishing, maintaining and continually improving an AI management system (AIMS), emphasising ethical, responsible AI use. Organisations can take a strategic approach to ongoing compliance using the Plan-Do-Check-Act (PDCA) cycle. To achieve ISO 42001 compliance, businesses must establish an AI policy, assign AI roles and responsibilities, assess and document the impacts of AI systems, implement processes for the responsible use of AI systems, assess AI risk, and more. The emphasis on continual improvement requires businesses to continually evolve their AIMS for ongoing certification.
ISO 42001 certification can enable your organisation to manage AI risk, ensure stakeholder trust and transparency, and streamline compliance with regulations like the EU AI Act. Emerging AI-Powered Threats Respondents to our State of Information Security Report 2025 cited several AI-related risks their top emerging threat concerns for the next 12 months. 42% were concerned about AI-generated misinformation and disinformation, while 38% cited AI phishing as a core issue. 34% of respondents said shadow AI was a concern, while 28% were concerned about deepfake impersonation during virtual meetings. The data suggests many of these threats are already reality – over a quarter (26%) of respondents had experienced AI data poisoning in the last 12 months. Implementing information security best practices, such as those provided by the ISO 27001 framework, can also support businesses in tackling AI-driven threats. The ISO 27001 standard requires organisations to implement (or justify their reasoning for choosing not to implement) core controls such as privileged access rights, employee information security awareness training, threat intelligence and secure authentication. These best practices form a solid baseline from which organisations can mitigate risks associated with AI-driven threats. Privileged access rights, for example, could limit the damage of an employee falling victim to an AI-powered phishing attack by limiting their user-level access to information and systems, while information security training and awareness could stop that employee falling victim to the attack entirely. Case Study: AI Clearing Construction platform AI Clearing knew that ISO 42001 certification would demonstrate that their AI system adhered to the highest standards and rigorous testing, increasing customer trust. 
The business leveraged the IO platform for their compliance, streamlining ISO 42001 implementation while retaining complete control over their governance, risk and privacy requirements. Learn how AI Clearing built a robust AIMS, efficiently managed AI risk and achieved the world’s first ISO 42001 certification: Read the AI Clearing case study The Strategic AI Governance Advantage AI technology offers a tempting selection of benefits for businesses, but it can also increase business risk. It powers some of the biggest cyber threats facing organisations in 2026. This Safer Internet Day, we encourage businesses to consider leveraging frameworks like ISO 42001 to implement AI safely, responsibly, and in line with regulatory requirements. Businesses that take a strategic approach to AI governance will be able to proactively manage AI risk, boost customer trust and unlock operational efficiencies.
ISO 27001

Why Regulators And Investors Expect Companies To Address a Triple Risk

Organizations fret about security and privacy risk. And more recently, they've paid attention to AI risk. But how often do they think of all three in the same conversation? Increasingly, it's becoming clear that they should. Laws covering data protection, cybersecurity, and AI have quadrupled since 2016 across the U.S., EU, UK, and China.

The SEC has already proved that it's serious about cybersecurity. Its cybersecurity rules, effective December 2023, are already reshaping how public companies handle breach disclosure. Form 8-K Item 1.05 now requires companies to disclose material cybersecurity incidents within four business days of determining materiality, not from when the incident was discovered. Form 10-K Item 106 mandates annual disclosure of risk management processes and board oversight structures.

The Commission isn't afraid to punish companies that it believes to have downplayed security incidents. Just over a year ago, in October 2024, the SEC settled enforcement actions against four public companies (Unisys, Avaya, Check Point, and Mimecast) for misleading investors about the impact of the 2020 SolarWinds cyberattack. The combined penalties approached $7 million. Unisys alone paid $4 million for describing cyber risks as "hypothetical" in its filings, while internal teams knew of actual intrusions.

Between December 2023 and January 2025, 55 cybersecurity incidents were reported via Form 8-K filings. Beyond the SolarWinds-related actions, Flagstar paid $3.55 million in December 2024 for describing a breach affecting 1.5 million people as mere "access" when data had actually been exfiltrated. These penalties demonstrate a need to connect cybersecurity disclosure with broader enterprise risk management. The SEC's formation of a new Cyber and Emerging Technologies Unit in February 2025 signals this scrutiny will continue. That unit replaced the Crypto Assets and Cyber Unit. CETU also hints at the importance of factoring AI into these risks, as it specifically includes both AI and cybersecurity practices in its mandate.

Fragmented Governance Creates Compounding Exposure

American companies with European operations also face additional pressure from the EU AI Act, which took effect in August 2024. The law, which comes with compliance deadlines staggered through 2027, applies extraterritorially. U.S. businesses placing AI systems in the EU market or deploying AI whose outputs affect EU users must comply. The stakes are substantial. Penalties for prohibited AI practices reach €35 million or 7 percent of global annual revenue, whichever is higher. High-risk categories, covering AI used for employment decisions, credit scoring, and healthcare diagnostics, require conformity assessments, technical documentation, and human oversight mechanisms. Prohibitions on unacceptable-risk AI systems took effect in February 2025.

AI Is Showing Up In Disclosure Documents

Investor expectations are shifting as these risks evolve. Regulators and shareholders are making it clear that the old model of separate teams managing cybersecurity, privacy, and AI as distinct domains no longer works. AI has migrated from boardroom opportunity discussions to the risk factors section of annual reports with remarkable speed. Seventy-two percent of S&P 500 companies now disclose material AI risks, up from just 12 percent in 2023. The concerns they cite most frequently are reputational damage (38 percent of disclosing companies), cybersecurity implications, and regulatory uncertainty.

Board oversight has followed. According to ISS-Corporate, 31.6 percent of S&P 500 companies disclosed board oversight of AI in their 2024 proxy statements. That's an 84 percent year-over-year increase. Those that don't impose such oversight risk material shareholder harm, which could lead to potential negative vote recommendations. Last year Glass Lewis, a proxy advisory firm that advises institutional shareholders on how to vote, issued new benchmark guidelines directly addressing AI governance.

The trouble with managing cybersecurity, privacy, and AI separately is that incidents relating to each of these bleed into the others. A single breach can simultaneously trigger SEC disclosure obligations, GDPR notification requirements, state privacy laws, and (if personal data trained an AI system) emerging AI regulations. So the time has come to merge consideration of these risk areas, but none of this is easy. According to the National Association of Corporate Directors' July 2025 governance outlook, AI is now a routine topic for 61 percent of boards, yet few have integrated it properly into governance structures. Why? Cultural friction is one reason. Security, privacy, and AI teams have historically operated with different vocabularies, risk frameworks, and reporting structures. Technology integration adds another layer of difficulty; siloed GRC tools create fragmented approaches to risk assessment, audit documentation, and evidence collection. Budget constraints force painful tradeoffs between building integrated infrastructure and meeting immediate compliance deadlines.

Standards Frameworks Offer A Path Forward

The good news: major standards bodies anticipated this convergence. ISO's High-Level Structure means that ISO 27001 (information security), ISO 27701 (privacy), and the newer ISO 42001 (AI management systems) share compatible architectures, enabling organizations to build unified management systems rather than parallel bureaucracies. Practical integration typically starts with cross-functional steering committees that include privacy, cybersecurity, legal, and AI representatives. From there, organizations develop shared risk taxonomies and (where budgets allow) unified GRC platforms that eliminate redundant assessments. Role boundaries are already blurring: according to an IAPP and EY survey, 69 percent of chief privacy officers have acquired AI governance responsibilities. Organizations that don't evolve their practices along these lines risk regulatory exposure. For those that do, lower regulatory friction, reduced audit burden, and stronger investor confidence await.

ISO 27001:2022 Annex A Controls

Organisational Controls
