
Achieve Robust Information Security with ISO 27001:2022

Our platform empowers your organisation to align with ISO 27001, ensuring comprehensive security management. This international standard is essential for protecting sensitive data and enhancing resilience against cyber threats. With over 70,000 certificates issued globally, ISO 27001’s widespread adoption underscores its importance in safeguarding information assets.

Why ISO 27001 Matters

ISO 27001:2022 certification is built on a comprehensive, risk-based approach to information security management, ensuring your organisation identifies, manages and mitigates potential threats in line with modern security needs. It provides a systematic methodology for managing sensitive information and keeping it secure. Certification can reduce data breach costs by 30% and is recognised in over 150 countries, enhancing international business opportunities and competitive advantage.

How ISO 27001 Certification Benefits Your Business

  1. Achieve Cost Efficiency: Save time and money by preventing costly security breaches. Implement proactive risk management measures to significantly reduce the likelihood of incidents.
  2. Accelerate Sales Growth: Streamline your sales process by reducing extensive security documentation requests (RFIs). Showcase your compliance with international information security standards to shorten negotiation times and close deals faster.
  3. Boost Client Trust: Demonstrate your commitment to information security to enhance client confidence and build lasting trust. Increase customer loyalty and retain clients in sectors like finance, healthcare, and IT services.


Comprehensive Guide on How to Implement ISO 27001:2022 Certification

The standard’s structure includes a comprehensive Information Security Management System (ISMS) framework and a detailed ISO 27001 implementation guide that integrates risk management processes and Annex A controls. These components create a holistic security strategy, addressing various aspects of security (ISO 27001:2022 Clause 4.2). This approach not only enhances security but also fosters a culture of awareness and compliance within the organisation.

Streamlining Certification with ISMS.online

ISMS.online plays a crucial role in facilitating alignment by offering tools that streamline the certification process. Our platform provides automated risk assessments and real-time monitoring, simplifying the implementation of ISO 27001:2022 requirements. This not only reduces manual effort but also enhances efficiency and accuracy in maintaining alignment.

Join 25,000+ Users Achieving ISO 27001 with ISMS.online. Book Your Free Demo Today!


Understanding ISO 27001:2022

ISO 27001 is a pivotal standard for improving an Information Security Management System (ISMS), offering a structured framework to protect sensitive data. This framework integrates comprehensive risk evaluation processes and Annex A controls, forming a robust security strategy. Organisations can effectively identify, analyse, and address vulnerabilities, enhancing their overall security posture.

Key Elements of ISO 27001:2022

  • ISMS Framework: This foundational component establishes systematic policies and procedures for managing information security (ISO 27001:2022 Clause 4.2). It aligns organisational goals with security protocols, fostering a culture of compliance and awareness.
  • Risk Evaluation: Central to ISO 27001, this process involves conducting thorough assessments to identify potential threats. It is essential for implementing appropriate security measures and ensuring continuous monitoring and improvement.
  • ISO 27001 Controls: ISO 27001:2022 outlines a comprehensive set of ISO 27001 controls within Annex A, designed to address various aspects of information security. These controls include measures for access control, cryptography, physical security, and incident management, among others. Implementing these controls ensures your Information Security Management System (ISMS) effectively mitigates risks and safeguards sensitive information.


Aligning with International Standards

ISO 27001:2022 is developed in collaboration with the International Electrotechnical Commission (IEC), ensuring that the standard aligns with global best practices in information security. This partnership enhances the credibility and applicability of ISO 27001 across diverse industries and regions.

How ISO 27001 Integrates with Other Standards

ISO 27001:2022 integrates readily with other standards, such as ISO 9001 for quality management and ISO 27002, the code of practice for information security controls, and with regulations like GDPR, enhancing compliance and operational efficiency. This integration allows organisations to streamline regulatory efforts and align security practices with broader business objectives.

Initial preparation for certification involves a gap analysis to identify areas needing improvement, followed by a risk evaluation to assess potential threats. Implementing Annex A controls ensures comprehensive security measures are in place. The final audit process, including Stage 1 and Stage 2 audits, verifies compliance and readiness for certification.

Why Is ISO 27001:2022 Important for Organisations?

ISO 27001 plays a vital role in strengthening your organisation’s data protection strategies. It provides a comprehensive framework for managing sensitive information, aligning with contemporary cybersecurity requirements through a risk-based approach. This alignment not only fortifies defences but also ensures adherence to regulations like GDPR, mitigating potential legal risks (ISO 27001:2022 Clause 6.1).

ISO 27001:2022 Integration with Other Standards

ISO 27001 is part of the broader ISO family of management system standards. This allows it to be seamlessly integrated with other standards, such as:

This integrated approach helps your organisation maintain robust operational standards, streamlining the certification process and enhancing compliance.

How Does ISO 27001:2022 Enhance Risk Management?

  • Structured Risk Management: The standard emphasises the systematic identification, assessment, and mitigation of risks, fostering a proactive security posture.
  • Incident Reduction: Organisations experience fewer breaches due to the robust controls outlined in Annex A.
  • Operational Efficiency: Streamlined processes enhance efficiency, reducing the likelihood of costly incidents.

Structured Risk Management with ISO 27001:2022

ISO 27001 requires organisations to adopt a comprehensive, systematic approach to risk management. This includes:

  • Risk Identification and Assessment: Identify potential threats to sensitive data and evaluate the severity and likelihood of those risks (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Select appropriate treatment options, such as mitigating, transferring, avoiding, or accepting risks. With the addition of new options like exploiting and enhancing, organisations can take calculated risks to harness opportunities.

Each of these steps must be reviewed regularly to ensure that the risk landscape is continuously monitored and mitigated as necessary.


What Are the Benefits for Trust and Reputation?

Certification signifies a commitment to data protection, enhancing your business reputation and customer trust. Certified organisations often see a 20% increase in customer satisfaction, as clients appreciate the assurance of secure data handling.

How ISO 27001 Certification Impacts Client Trust and Sales

  1. Increased Client Confidence: When prospective clients see that your organisation is ISO 27001 certified, it automatically elevates their trust in your ability to protect sensitive information. This trust is essential for sectors where data security is a deciding factor, such as healthcare, finance, and government contracting.
  2. Faster Sales Cycles: ISO 27001 certification reduces the time spent answering security questionnaires during the procurement process. Prospective clients will see your certification as a guarantee of high security standards, speeding up decision-making.
  3. Competitive Advantage: ISO 27001 certification positions your company as a leader in information security, giving you an edge over competitors who may not hold this certification.

How Does ISO 27001:2022 Offer Competitive Advantages?

ISO 27001 opens international business opportunities, recognised in over 150 countries. It cultivates a culture of security awareness, positively influencing organisational culture and encouraging continuous improvement and resilience, essential for thriving in today’s digital environment.

How Can ISO 27001 Support Regulatory Adherence?

Aligning with ISO 27001 helps navigate complex regulatory landscapes, ensuring adherence to various legal requirements. This alignment reduces potential legal liabilities and enhances overall governance.

Incorporating ISO 27001:2022 into your organisation not only strengthens your data protection framework but also builds a foundation for sustainable growth and trust in the global market.


Enhancing Risk Management with ISO 27001:2022

ISO 27001:2022 offers a robust framework for managing information security risks, vital for safeguarding your organisation’s sensitive data. This standard emphasises a systematic approach to risk evaluation, ensuring potential threats are identified, assessed, and mitigated effectively.

How Does ISO 27001 Structure Risk Management?

ISO 27001:2022 integrates risk evaluation into the Information Security Management System (ISMS), involving:

  • Risk Assessment: Conducting thorough evaluations to identify and analyse potential threats and vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Risk Treatment: Implementing strategies to mitigate identified risks, using controls outlined in Annex A to reduce vulnerabilities and threats.
  • Continuous Monitoring: Regularly reviewing and updating practices to adapt to evolving threats and maintain security effectiveness.

What Techniques and Strategies Are Key?

Effective risk management under ISO 27001:2022 involves:

  • Risk Assessment and Analysis: Utilising methodologies like SWOT analysis and threat modelling to evaluate risks comprehensively.
  • Risk Treatment and Mitigation: Applying controls from Annex A to address specific risks, ensuring a proactive approach to security.
  • Continuous Improvement: Fostering a security-focused culture that encourages ongoing evaluation and enhancement of risk management practices.


How Can the Framework Be Tailored to Your Organisation?

ISO 27001:2022’s framework can be customised to fit your organisation’s specific needs, ensuring that security measures align with business objectives and regulatory requirements. By fostering a culture of proactive risk management, organisations with ISO 27001 certification experience fewer security breaches and enhanced resilience against cyber threats. This approach not only protects your data but also builds trust with stakeholders, enhancing your organisation’s reputation and competitive edge.

Key Changes in ISO 27001:2022

ISO 27001:2022 introduces pivotal updates, enhancing its role in modern cybersecurity. The most significant changes reside in Annex A, which now includes advanced measures for digital security and proactive threat management. These revisions address the evolving nature of security challenges, particularly the increasing reliance on digital platforms.

Key Differences Between ISO 27001:2022 and Earlier Versions

The differences between the 2013 and 2022 versions of ISO 27001 are crucial to understanding the updated standard. While there are no massive overhauls, the refinements in Annex A controls and other areas ensure the standard remains relevant to modern cybersecurity challenges. Key changes include:

  • Restructuring of Annex A Controls: Annex A controls have been condensed from 114 to 93, with some being merged, revised, or newly added. These changes reflect the current cybersecurity environment, making controls more streamlined and focused.
  • New Focus Areas: The 11 new controls introduced in ISO 27001:2022 include areas such as threat intelligence, physical security monitoring, secure coding, and cloud service security, addressing the rise of digital threats and the increased reliance on cloud-based solutions.

Understanding Annex A Controls

  • Enhanced Security Protocols: Annex A now features 93 controls, with new additions focusing on digital security and proactive threat management. These controls are designed to mitigate emerging risks and ensure robust protection of information assets.
  • Digital Security Focus: As digital platforms become integral to operations, ISO 27001:2022 emphasises securing digital environments, ensuring data integrity, and safeguarding against unauthorised access.
  • Proactive Threat Management: New controls enable organisations to anticipate and respond to potential security incidents more effectively, strengthening their overall security posture.

Detailed Breakdown of Annex A Controls in ISO 27001:2022

ISO 27001:2022 introduces a revised set of Annex A controls, reducing the total from 114 to 93 and restructuring them into four main groups. Here’s a breakdown of the control categories:

Control Group | Number of Controls | Examples
Organisational | 37 | Threat intelligence, ICT readiness, information security policies
People | 8 | Responsibilities for security, screening
Physical | 14 | Physical security monitoring, equipment protection
Technological | 34 | Web filtering, secure coding, data leakage prevention

New Controls

ISO 27001:2022 introduces 11 new controls focused on emerging technologies and challenges, including:

  • Cloud services: Security measures for cloud infrastructure.
  • Threat intelligence: Proactive identification of security threats.
  • ICT readiness: Business continuity preparations for ICT systems.

By implementing these controls, organisations ensure they are equipped to handle modern information security challenges.


Full Table of ISO 27001 Controls

Below is the full list of ISO 27001:2022 Annex A controls, with the corresponding ISO 27001:2013 identifiers (marked NEW where a control has no 2013 equivalent):

ISO 27001:2022 Organisational Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence
Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information
Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer
Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management
Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information
Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence
Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working
People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters
Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises
Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware
Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | Annex A 8.9 | NEW | Configuration Management
Technological Controls | Annex A 8.10 | NEW | Information Deletion
Technological Controls | Annex A 8.11 | NEW | Data Masking
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs
Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks
Technological Controls | Annex A 8.23 | NEW | Web Filtering
Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle
Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | Annex A 8.28 | NEW | Secure Coding
Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development
Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing

Navigating Implementation Challenges

Organisations may face challenges such as resource constraints and insufficient management support when implementing these updates. Effective resource allocation and stakeholder engagement are crucial for maintaining momentum and achieving successful compliance. Regular training sessions can help clarify the standard’s requirements, reducing compliance challenges.

Adapting to Evolving Security Threats

These updates demonstrate ISO 27001:2022’s adaptability to the changing security environment, ensuring organisations remain resilient against new threats. By aligning with these enhanced requirements, your organisation can bolster its security framework, improve compliance processes, and maintain a competitive edge in the global market.


How Can Organisations Successfully Attain ISO 27001 Certification?

Achieving ISO 27001:2022 requires a methodical approach, ensuring your organisation aligns with the standard’s comprehensive requirements. Here’s a detailed guide to navigate this process effectively:

Kickstart Your Certification with a Thorough Gap Analysis

Identify improvement areas with a comprehensive gap analysis. Assess current practices against the ISO 27001 standard to pinpoint discrepancies. Develop a detailed project plan outlining objectives, timelines, and responsibilities. Engage stakeholders early to secure buy-in and allocate resources efficiently.

Implement an Effective ISMS

Establish and implement an Information Security Management System (ISMS) tailored to your organisational goals. Implement the 93 Annex A controls, emphasising risk assessment and treatment (ISO 27001:2022 Clause 6.1). Our platform, ISMS.online, automates compliance tasks, reducing manual effort and enhancing precision.

Perform Regular Internal Audits

Conduct regular internal audits to evaluate the effectiveness of your ISMS. Management reviews are essential for performance evaluation and necessary adjustments (ISO 27001:2022 Clause 9.3). ISMS.online facilitates real-time collaboration, boosting team efficiency and audit readiness.

Engage with Certification Bodies

Select an accredited certification body and schedule the audit process, including Stage 1 and Stage 2 audits. Ensure all documentation is complete and accessible. ISMS.online offers templates and resources to simplify documentation and track progress.

Overcome Common Challenges with a Free Consultation

Overcome resource constraints and resistance to change by fostering a culture of security awareness and continuous improvement. Our platform supports maintaining alignment over time, aiding your organisation in achieving and sustaining certification.

Schedule a free consultation to address resource constraints and navigate resistance to change. Learn how ISMS.online can support your implementation efforts and ensure successful certification.

ISO 27001:2022 and Supplier Relationships Requirements

ISO 27001:2022 has introduced new requirements to ensure organisations maintain robust supplier and third-party management programs. This includes:

  • Identifying and Assessing Suppliers: Organisations must identify and analyse third-party suppliers that impact information security. A thorough risk assessment for each supplier is mandatory to ensure compliance with your ISMS.
  • Supplier Security Controls: Ensure that your suppliers implement adequate security controls and that these are regularly reviewed. This extends to ensuring that customer service levels and personal data protection are not adversely affected.
  • Auditing Suppliers: Organisations should audit their suppliers’ processes and systems regularly. This aligns with the new ISO 27001:2022 requirements, ensuring that supplier compliance is maintained and that risks from third-party partnerships are mitigated.


Enhanced Employee Cybersecurity Awareness

ISO 27001:2022 continues to emphasise the importance of employee awareness. Implementing policies for ongoing education and training is critical. This approach ensures that your employees are not only aware of security risks but are also capable of actively participating in mitigating those risks.

  • Human Error Prevention: Businesses should invest in training programs that aim to prevent human error, one of the leading causes of security breaches.
  • Clear Policy Development: Establish clear guidelines for employee conduct regarding data security. This includes awareness programs on phishing, password management, and mobile device security.
  • Security Culture: Foster a security-aware culture where employees feel empowered to raise concerns about cybersecurity threats. An environment of openness helps organisations tackle risks before they materialise into incidents.

ISO 27001:2022 Requirements for Human Resource Security

One of the essential refinements in ISO 27001:2022 is its expanded focus on human resource security. This involves:

  • Personnel Screening: Clear guidelines for personnel screening before hiring are crucial to ensuring that employees with access to sensitive information meet required security standards.
  • Training and Awareness: Ongoing education is required to ensure that staff are fully aware of the organisation’s security policies and procedures.
  • Disciplinary Actions: Define clear consequences for policy violations, ensuring that all employees understand the importance of complying with security requirements.

These controls ensure that organisations manage both internal and external personnel security risks effectively.


Employee Awareness Programs and Security Culture

Fostering a culture of security awareness is crucial for maintaining strong defences against evolving cyber threats. ISO 27001:2022 promotes ongoing training and awareness programs to ensure that all employees, from leadership to staff, are involved in upholding information security standards.

  • Phishing Simulations and Security Drills: Conducting regular security drills and phishing simulations helps ensure employees are prepared to handle cyber incidents.
  • Interactive Workshops: Engage employees in practical training sessions that reinforce key security protocols, improving overall organisational awareness.

Continual Improvement and Cybersecurity Culture

Finally, ISO 27001:2022 advocates for a culture of continual improvement, where organisations consistently evaluate and update their security policies. This proactive stance is integral to maintaining compliance and ensuring the organisation stays ahead of emerging threats.

  • Security Governance: Regular updates to security policies and audits of cybersecurity practices ensure ongoing compliance with ISO 27001:2022.
  • Proactive Risk Management: Encouraging a culture that prioritises risk assessment and mitigation allows organisations to stay responsive to new cyber threats.

Optimal Timing for ISO 27001 Adoption

Adopting ISO 27001:2022 is a strategic decision that depends on your organisation’s readiness and objectives. The ideal timing often aligns with periods of growth or digital transformation, where enhancing security frameworks can significantly improve business outcomes. Early adoption provides a competitive edge, as certification is recognised in over 150 countries, expanding international business opportunities.

Conducting a Readiness Assessment

To ensure a seamless adoption, conduct a thorough readiness assessment to evaluate current security practices against the updated standard. This involves:

  • Gap Analysis: Identify areas needing improvement and align them with ISO 27001:2022 requirements.
  • Resource Allocation: Ensure adequate resources, including personnel, technology, and budget, are available to support the adoption.
  • Stakeholder Engagement: Secure buy-in from key stakeholders to facilitate a smooth adoption process.

Aligning Certification with Strategic Goals

Aligning certification with strategic goals enhances business outcomes. Consider:

  • Timeline and Deadlines: Be aware of industry-specific deadlines for compliance to avoid penalties.
  • Continuous Improvement: Foster a culture of ongoing evaluation and enhancement of security practices.


Utilising ISMS.online for Effective Management

Our platform, ISMS.online, plays a vital role in managing the adoption effectively. It offers tools for automating compliance tasks, reducing manual effort, and providing real-time collaboration features. This ensures your organisation can maintain compliance and track progress efficiently throughout the adoption process.

By strategically planning and utilising the right tools, your organisation can navigate the adoption of ISO 27001:2022 smoothly, ensuring robust security and compliance.

Where Does ISO 27001:2022 Align with Other Regulatory Standards?

ISO 27001 plays a significant role in aligning with key regulatory frameworks, such as GDPR and NIS 2, to enhance data protection and streamline regulatory adherence. This alignment not only strengthens data privacy but also improves organisational resilience across multiple frameworks.

How Does ISO 27001:2022 Enhance GDPR Compliance?

ISO 27001:2022 complements GDPR by focusing on data protection and privacy through its comprehensive risk management processes (ISO 27001:2022 Clause 6.1). The standard’s emphasis on safeguarding personal data aligns with GDPR’s stringent requirements, ensuring robust data protection strategies.

What Role Does ISO 27001:2022 Play in Supporting NIS 2 Directives?

The standard supports NIS 2 directives by enhancing cybersecurity resilience. ISO 27001:2022’s focus on threat intelligence and incident response aligns with NIS 2’s objectives, fortifying organisations against cyber threats and ensuring continuity of critical services.

How Does ISO 27001:2022 Integrate with Other ISO Standards?

ISO 27001 integrates effectively with other ISO standards, such as ISO 9001 and ISO 14001, creating synergies that enhance overall regulatory alignment and operational efficiency. This integration facilitates a unified approach to managing quality, environmental, and security standards within an organisation.

How Can Organisations Achieve Comprehensive Regulatory Alignment with ISO 27001:2022?

Organisations can achieve comprehensive regulatory alignment by synchronising their security practices with broader requirements. Our platform, ISMS.online, offers extensive certification support, providing tools and resources to simplify the process. Industry associations and webinars further enhance understanding and implementation, ensuring organisations remain compliant and competitive.

Can ISO 27001:2022 Effectively Mitigate New Security Challenges?

Emerging threats, including cyber-attacks and data breaches, necessitate robust strategies. ISO 27001:2022 offers a comprehensive framework for managing risks, emphasising a risk-based approach to identify, assess, and mitigate potential threats.

How Does ISO 27001:2022 Enhance Cyber Threat Mitigation?

ISO 27001:2022 strengthens mitigation through structured risk management processes. By implementing Annex A controls, organisations can proactively address vulnerabilities, reducing cyber incidents. This proactive stance builds trust with clients and partners, differentiating businesses in the market.

What Measures Ensure Cloud Security with ISO 27001:2022?

Cloud security challenges are prevalent as organisations migrate to digital platforms. ISO 27001:2022 includes specific controls for cloud environments, ensuring data integrity and safeguarding against unauthorised access. These measures foster customer loyalty and enhance market share.

How Does ISO 27001:2022 Prevent Data Breaches?

Data breaches pose significant risks, impacting reputation and financial stability. ISO 27001:2022 establishes comprehensive protocols, ensuring continuous monitoring and improvement. Certified organisations often experience fewer breaches, maintaining effective security measures.

How Can Organisations Adapt to Evolving Threat Landscapes?

Organisations can adapt ISO 27001:2022 to evolving threats by regularly updating security practices. This adaptability ensures alignment with emerging threats, maintaining robust defences. By demonstrating a commitment to security, certified organisations gain a competitive edge and are preferred by clients and partners.

Cultivating a Security Culture with ISO 27001 Compliance

ISO 27001 serves as a cornerstone in developing a robust security culture by emphasising awareness and comprehensive training. This approach not only fortifies your organisation’s security posture but also aligns with current cybersecurity standards.

How to Enhance Security Awareness and Training

Security awareness is integral to ISO 27001:2022, ensuring your employees understand their roles in protecting information assets. Tailored training programmes empower staff to recognise and respond to threats effectively, minimising incident risks.

What Are Effective Training Strategies?

Organisations can enhance training by:

  • Interactive Workshops: Conduct engaging sessions that reinforce security protocols.
  • E-Learning Modules: Provide flexible online courses for continuous learning.
  • Simulated Exercises: Implement phishing simulations and incident response drills to test readiness.


How Does Leadership Influence Security Culture?

Leadership plays a pivotal role in embedding a security-focused culture. By prioritising security initiatives and leading by example, management instils responsibility and vigilance throughout the organisation, making security integral to the organisational ethos.

What Are the Long-Term Benefits of Security Awareness?

ISO 27001:2022 offers sustained improvements and risk reduction, enhancing credibility and providing a competitive edge. Organisations report increased operational efficiency and reduced costs, supporting growth and opening new opportunities.

How Does ISMS.online Support Your Security Culture?

Our platform, ISMS.online, aids organisations by offering tools for tracking training progress and facilitating real-time collaboration. This ensures that security awareness is maintained and continuously improved, aligning with ISO 27001:2022’s objectives.


Navigating Challenges in ISO 27001:2022 Implementation

Implementing ISO 27001:2022 involves overcoming significant challenges, such as managing limited resources and addressing resistance to change. These hurdles must be addressed to achieve certification and enhance your organisation’s information security posture.

Identifying Common Implementation Hurdles

Organisations often face difficulties in allocating adequate resources, both financial and human, to meet ISO 27001:2022’s comprehensive requirements. Resistance to adopting new security practices can also impede progress, as employees may be hesitant to alter established workflows.

Efficient Resource Management Strategies

To optimise resource management, prioritise tasks based on risk assessment outcomes, focusing on high-impact areas (ISO 27001:2022 Clause 6.1). Our platform, ISMS.online, automates compliance tasks, reducing manual effort and ensuring critical areas receive the necessary attention.

Overcoming Resistance to Change

Effective communication and training are key to mitigating resistance. Engage employees in the implementation process by highlighting the benefits of ISO 27001:2022, such as enhanced data protection and GDPR alignment. Regular training sessions can foster a culture of security awareness and compliance.

Enhancing Implementation with ISMS.online

ISMS.online plays a pivotal role in overcoming these challenges by providing tools that enhance collaboration and streamline documentation. Our platform supports integrated compliance strategies, aligning ISO 27001 with standards like ISO 9001, thereby improving overall efficiency and regulatory adherence. By simplifying the implementation process, ISMS.online helps your organisation achieve and maintain ISO 27001:2022 certification effectively.

What are the key differences between ISO 27001:2022 and earlier versions?

ISO 27001:2022 introduces pivotal updates to meet evolving security demands, enhancing its relevance in today’s digital environment. A significant change is the expansion of Annex A controls, now totaling 93, which include new measures for cloud security and threat intelligence. These additions underscore the growing importance of digital ecosystems and proactive threat management.

Impact on Compliance and Certification
The updates in ISO 27001:2022 require adjustments in compliance processes. Your organisation must integrate these new controls into its Information Security Management System (ISMS), ensuring alignment with the latest requirements (ISO 27001:2022 Clause 6.1). This integration streamlines certification by providing a comprehensive framework for managing information risks.

New Controls and Their Significance
The introduction of controls focused on cloud security and threat intelligence is noteworthy. These controls help your organisation protect data in complex digital environments, addressing vulnerabilities unique to cloud systems. By implementing these measures, you can enhance your security posture and reduce the risk of data breaches.

Adapting to New Requirements
To adapt to these changes, your organisation should conduct a thorough gap analysis to identify areas needing improvement. This involves assessing current practices against the updated standard, ensuring alignment with new controls. By using platforms like ISMS.online, you can automate compliance tasks, reducing manual effort and enhancing efficiency.

These updates highlight ISO 27001:2022’s commitment to addressing contemporary security challenges, ensuring your organisation remains resilient against emerging threats.

Why should Compliance Officers prioritise ISO 27001:2022?

ISO 27001:2022 is pivotal for compliance officers seeking to enhance their organisation’s information security framework. Its structured methodology for regulatory adherence and risk management is indispensable in today’s interconnected environment.

Navigating Regulatory Frameworks
ISO 27001:2022 aligns with global standards like GDPR, providing a comprehensive framework that ensures data protection and privacy. By adhering to its guidelines, you can confidently navigate complex regulatory landscapes, reducing legal risks and enhancing governance (ISO 27001:2022 Clause 6.1).

Proactive Risk Management
The standard’s risk-based approach enables organisations to systematically identify, assess, and mitigate risks. This proactive stance minimises vulnerabilities and fosters a culture of continuous improvement, essential for maintaining a robust security posture. Compliance officers can utilise ISO 27001:2022 to implement effective risk treatment strategies, ensuring resilience against emerging threats.

Enhancing Organisational Security
ISO 27001:2022 significantly enhances your organisation’s security posture by embedding security practices into core business processes. This integration boosts operational efficiency and builds trust with stakeholders, positioning your organisation as a leader in information security.

Effective Implementation Strategies
Compliance officers can implement ISO 27001:2022 effectively by utilising platforms like ISMS.online, which streamline efforts through automated risk assessments and real-time monitoring. Engaging stakeholders and fostering a security-aware culture are crucial steps in embedding the standard’s principles across your organisation.

By prioritising ISO 27001:2022, you not only safeguard your organisation’s data but also drive strategic advantages in a competitive market.

How does ISO 27001:2022 enhance security frameworks?

ISO 27001:2022 establishes a comprehensive framework for managing information security, focusing on a risk-based approach. This approach allows your organisation to systematically identify, assess, and address potential threats, ensuring robust protection of sensitive data and adherence to international standards.

Key Strategies for Threat Mitigation

  • Conducting Risk Assessments: Thorough evaluations identify vulnerabilities and potential threats (ISO 27001:2022 Clause 6.1), forming the basis for targeted security measures.
  • Implementing Security Controls: Annex A controls are utilised to address specific risks, ensuring a holistic approach to threat prevention.
  • Continuous Monitoring: Regular reviews of security practices allow adaptation to evolving threats, maintaining the effectiveness of your security posture.

Data Protection and Privacy Alignment
ISO 27001:2022 integrates security practices into organisational processes, aligning with regulations like GDPR. This ensures that personal data is handled securely, reducing legal risks and enhancing stakeholder trust.

Building a Proactive Security Culture
By fostering security awareness, ISO 27001:2022 promotes continuous improvement and vigilance. This proactive stance minimises vulnerabilities and strengthens your organisation’s overall security posture. Our platform, ISMS.online, supports these efforts with tools for real-time monitoring and automated risk assessments, positioning your organisation as a leader in information security.

Incorporating ISO 27001:2022 into your security strategy not only fortifies defences but also enhances your organisation’s reputation and competitive advantage.

What advantages does ISO 27001:2022 offer to CEOs?

ISO 27001:2022 is a strategic asset for CEOs, enhancing organisational resilience and operational efficiency through a risk-based methodology. This standard aligns security protocols with business objectives, ensuring robust information security management.

How does ISO 27001:2022 enhance strategic business integration?

Risk Management Framework:
ISO 27001:2022 provides a comprehensive framework for identifying and mitigating risks, safeguarding your assets, and ensuring business continuity.

Regulatory Compliance Standards:
By aligning with global standards like GDPR, it minimises legal risks and strengthens governance, essential for maintaining market trust.

What are the competitive advantages of ISO 27001:2022?

Reputation Enhancement:
Certification demonstrates a commitment to security, boosting customer trust and satisfaction. Organisations often report increased client confidence, leading to higher retention rates.

Global Market Access:
With acceptance in over 150 countries, ISO 27001:2022 facilitates entry into international markets, offering a competitive edge.

How can ISO 27001:2022 drive business growth?

Operational Efficiency:
Streamlined processes reduce security incidents, lowering costs and improving efficiency.

Innovation and Digital Transformation:
By fostering a culture of security awareness, it supports digital transformation and innovation, driving business growth.

Integrating ISO 27001:2022 into your strategic planning aligns security measures with organisational goals, ensuring they support broader business objectives. Our platform, ISMS.online, simplifies compliance, offering tools for real-time monitoring and risk management, ensuring your organisation remains secure and competitive.

How to facilitate digital transformation with ISO 27001:2022

ISO 27001:2022 provides a comprehensive framework for organisations transitioning to digital platforms, ensuring data protection and adherence to international standards. This standard is pivotal in managing digital risks and enhancing security measures.

How to Manage Digital Risks Effectively
ISO 27001:2022 offers a risk-based approach to identify and mitigate vulnerabilities. By conducting thorough risk assessments and implementing Annex A controls, your organisation can proactively address potential threats and maintain robust security measures. This approach aligns with evolving cybersecurity requirements, ensuring your digital assets are safeguarded.

How to Foster Secure Digital Innovation
Integrating ISO 27001:2022 into your development lifecycle ensures security is prioritised from design to deployment. This reduces breach risks and enhances data protection, allowing your organisation to pursue innovation confidently while maintaining compliance.

How to Build a Culture of Digital Security
Promoting a culture of security involves emphasising awareness and training. Implement comprehensive programmes that equip your team with the skills needed to recognise and respond to digital threats effectively. This proactive stance fosters a security-conscious environment, essential for successful digital transformation.

By adopting ISO 27001:2022, your organisation can navigate digital complexities, ensuring security and compliance are integral to your strategies. This alignment not only protects sensitive information but also enhances operational efficiency and competitive advantage.

What are the key considerations for implementing ISO 27001:2022?

Implementing ISO 27001:2022 involves meticulous planning and resource management to ensure successful integration. Key considerations include strategic resource allocation, engaging key personnel, and fostering a culture of continuous improvement.

Strategic Resource Allocation
Prioritising tasks based on comprehensive risk assessments is essential. Your organisation should focus on high-impact areas, ensuring they receive adequate attention as outlined in ISO 27001:2022 Clause 6.1. Utilising platforms like ISMS.online can automate tasks, reducing manual effort and optimising resource use.

Engaging Key Personnel
Securing buy-in from key personnel early in the process is vital. This involves fostering collaboration and aligning with organisational goals. Clear communication of the benefits and objectives of ISO 27001:2022 helps mitigate resistance and encourages active participation.

Fostering a Culture of Continuous Improvement
Regularly reviewing and updating your Information Security Management System (ISMS) to adapt to evolving threats is crucial. This involves conducting periodic audits and management reviews to identify areas for enhancement, as specified in ISO 27001:2022 Clause 9.3.

Steps for Successful Implementation
To ensure successful implementation, your organisation should:

  • Conduct a gap analysis to identify areas needing improvement.
  • Develop a comprehensive project plan with clear objectives and timelines.
  • Utilise tools and resources, such as ISMS.online, to streamline processes and enhance efficiency.
  • Foster a culture of security awareness through regular training and communication.

By addressing these considerations, your organisation can effectively implement ISO 27001:2022, enhancing its security posture and ensuring alignment with international standards.

Start your ISO 27001:2022 journey with ISMS.online. Schedule a personalised demo now to see how our comprehensive solutions can simplify your compliance and streamline your implementation processes. Enhance your security framework and boost operational efficiency with our cutting-edge tools.

How Can ISMS.online Streamline Your Compliance Journey?

  • Automate and Simplify Tasks: Our platform reduces manual effort and enhances precision through automation. The intuitive interface guides you step-by-step, ensuring all necessary criteria are met efficiently.
  • What Support Does ISMS.online Offer?: With features like automated risk assessments and real-time monitoring, ISMS.online helps maintain a robust security posture. Our solution aligns with ISO 27001:2022’s risk-based approach, proactively addressing vulnerabilities (ISO 27001:2022 Clause 6.1).
  • Why Schedule a Personalised Demo?: Discover how our solutions can transform your strategy. A personalised demo illustrates how ISMS.online can meet your organisation’s specific needs, offering insights into our capabilities and benefits.

How Does ISMS.online Enhance Collaboration and Efficiency?

Our platform fosters seamless teamwork, enabling your organisation to achieve ISO 27001:2022 certification. By utilising ISMS.online, your team can enhance its security framework, improve operational efficiency, and gain a competitive edge. Book a demo today to experience the transformative power of ISMS.online and ensure your organisation remains secure and compliant.


Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.

Related Topics

ISO 27001

The NVD Pullback Should Prompt A Resilience Approach To Vulnerability Management

On 15 April 2026, the National Institute of Standards and Technology (NIST) formally abandoned its longstanding mission to enrich all information about vulnerabilities published to its database. NIST runs the National Vulnerability Database (NVD), which contains information about Common Vulnerabilities and Exposures (CVEs). Each CVE represents a software or hardware vulnerability. CVEs don't contain much information on their own, which is where NIST came in. It assigned each of them a Common Vulnerability Scoring System (CVSS) score that indicates how severe it is. It also assigned Common Platform Enumeration (CPE) identifiers, which is a standard way to link vulnerabilities to specific tech products. NIST has been diligently enriching CVEs since the NVD began in 1999, but that all just changed.

Under the restructured policy, full enrichment is limited to CVEs in three priority categories: CISA's Known Exploited Vulnerabilities (KEV) catalogue, software used by US federal agencies, and Executive Order 14028 critical software. Everything else is designated "Lowest Priority".

A Rising Tide Of Vulnerabilities

NIST's restructuring is an admission of overwhelm. It has been grappling with more work as the volume of CVEs has exploded. Submissions to the NVD increased 263% between 2020 and 2025, it said, adding that the first quarter of 2026 ran nearly one-third higher than the same period a year earlier. Last year it enriched roughly 42,000 vulnerabilities (45% more than any prior year). The agency hasn't been keeping pace with the rising workload. Last year it watched its backlog more than double. The April announcement saw it deal with that by declaring a form of CVE bankruptcy, moving thousands of backlogged records published before March 1, 2026 into the "Not Scheduled" category that it may or may not attend to in the future.

NVD enrichment hadn't been meeting quality expectations either. A Commerce Department inspector general review found that NIST's severity scores matched those of independent assessors only 12% of the time, while nearly 80% of submissions already arrived carrying scores from the reporting party.

The Growing Vulnerability Rift

This is a big deal for vulnerability management teams. Without CPE data, vulnerability scanners that rely exclusively on NVD-derived enrichment cannot match a CVE to a product. NIST acknowledged that the new criteria "may not catch every potentially high-impact CVE".

This all happens at a time when vulnerability exploitation is becoming even more consequential. It surpassed stolen credentials as the leading breach vector across more than 31,000 incidents reviewed, according to Verizon's Data Breach Investigations Report. It's also becoming more automated. CrowdStrike's 2026 Annual Threat Report concluded that AI-enabled adversaries increased attacks by 89% year-over-year in 2025, with intruders deploying generative AI across "targeting, initial access, and development of malware and other tools". And the velocity of vulnerability reporting looks set to increase even more dramatically. Consider Mythos, the Anthropic AI model that has already uncovered vulnerabilities en masse and will likely be followed by other competitive models.

Yet organizations are standing still. The speed of countermeasures lags behind the evolution of automated attacks: 77% of enterprise organisations still require more than a week to deploy a critical patch, says the Cloud Security Alliance. It's no wonder that it also found an estimated 38% to 45% of critical vulnerabilities sitting unpatched across the industry at any given time.

From Ad-Hoc Management To Vulnerability Resilience

Approaches to vulnerability management must adapt if we're to meet these challenges. Companies must begin looking at vulnerability management as one part of a broader resilience initiative. That should include looking at exploitability from a more holistic perspective. Measures here include prioritizing visibility over what's happening in the technology stack from end to end, to get a sense not just of what's exploitable in your infrastructure but what its blast radius and organizational impact look like.

It also means moving away from CVSS-centric vulnerability management. That was never a good idea, because a single score can't adequately assess the organizational risk of a vulnerability. A study by Japan's Kagawa University found that CVSS-only approaches with a 7.0 severity threshold achieve efficiency rates of only 0.2% to 0.5%. That means this narrow enterprise triage method addresses a tiny fraction of vulnerabilities that are actually exploitable. Comparatively, the study found that integrated frameworks do better. Developed by the Forum of Incident Response and Security Teams (FIRST), the Exploit Prediction Scoring System (EPSS) is a machine learning model that assigns vulnerabilities a score indicating how likely it is to be exploited in the real world in the next 30 days. Combining CVSS, EPSS, and data from CISA's KEV list reduces urgent prioritisation workloads by approximately 95%, from roughly 16,000 to 850 vulnerabilities, while maintaining 85.6% coverage, according to the Kagawa study.

NIST has already broadened its coverage beyond CVSS. In June it updated the NVD to include Stakeholder-Specific Vulnerability Categorization (SSVC) data sourced from CISA. This is a decision framework for prioritizing vulnerability remediation, developed by Carnegie Mellon's Software Engineering Institute (CERT/CC) together with CISA. CISA provides this as part of the Vulnrichment program, its own attempt to help enrich CVE information. So the NVD has moved from a shallower, broader model to a narrower, richer one that takes a more holistic view of exploitability.
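The two triage approaches the Kagawa comparison describes, as an added illustration that is not code from this article, from ISMS.online, FIRST or CISA: a CVSS-only 7.0 cut-off beside a tiered scheme in which KEV membership and an EPSS probability decide what is urgent, and CVSS only schedules the remainder. The thresholds, the record layout, the `Finding` type and the placeholder CVE identifiers are assumptions made for the example; the sample findings are constructed, not real CVE data. Two of them carry no CVSS score and no CPE, which is what an unenriched NVD record now looks like to a scanner, and the example surfaces those separately so they are not silently dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds are assumptions for this illustration, not figures from the
# article or from FIRST/CISA guidance: the CVSS 7.0 "high" cut-off the
# Kagawa study evaluated, and a 10% EPSS probability of exploitation
# within 30 days as the urgency trigger.
CVSS_HIGH = 7.0
EPSS_URGENT = 0.10


@dataclass(frozen=True)
class Finding:
    """One scanner finding (hypothetical layout). None models a field the
    NVD did not enrich."""
    cve: str
    cvss: Optional[float]   # CVSS base score, 0.0-10.0
    epss: Optional[float]   # FIRST EPSS: probability of exploitation in 30 days
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities
    cpe: Optional[str]      # CPE product identifier, None without enrichment


# Constructed sample records with placeholder identifiers; not real CVEs.
SAMPLE: List[Finding] = [
    Finding("CVE-0000-00001", 9.8, 0.02, False, "cpe:2.3:a:example:app-a:1.0"),
    Finding("CVE-0000-00002", 5.3, 0.45, False, "cpe:2.3:a:example:app-b:2.1"),
    Finding("CVE-0000-00003", 7.5, 0.90, True, "cpe:2.3:a:example:app-c:3.0"),
    Finding("CVE-0000-00004", None, 0.01, False, None),
    Finding("CVE-0000-00005", 8.1, 0.005, False, "cpe:2.3:o:example:os-d:4.2"),
    Finding("CVE-0000-00006", None, None, True, None),
]


def cvss_only(findings: List[Finding]) -> List[str]:
    """The severity-threshold triage the article criticises: CVSS >= 7.0.
    Anything the NVD never scored is invisible to it."""
    return [f.cve for f in findings if f.cvss is not None and f.cvss >= CVSS_HIGH]


def tier(f: Finding) -> str:
    """Integrated triage: observed exploitation (KEV) first, predicted
    exploitation (EPSS) second, raw severity (CVSS) only for scheduling."""
    if f.in_kev:
        return "urgent"          # exploited in the wild: act now
    if f.epss is not None and f.epss >= EPSS_URGENT:
        return "urgent"          # likely to be exploited soon
    if f.cvss is not None and f.cvss >= CVSS_HIGH:
        return "scheduled"       # severe but not currently likely to be hit
    return "monitor"


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group CVE ids by tier, keeping input order inside each tier."""
    out: Dict[str, List[str]] = {"urgent": [], "scheduled": [], "monitor": []}
    for f in findings:
        out[tier(f)].append(f.cve)
    return out


def needs_enrichment(findings: List[Finding]) -> List[str]:
    """CVEs with no CVSS score or no CPE: a scanner that depends on NVD data
    can neither score them nor map them to a product, so they need a second
    source (KEV, EPSS, a commercial feed) before they can be closed out."""
    return [f.cve for f in findings if f.cvss is None or f.cpe is None]


def compare(findings: List[Finding]) -> Dict[str, List[str]]:
    """Where the two queues disagree: what CVSS-only misses entirely, and
    what it would have escalated that the integrated scheme deprioritises."""
    cvss_queue = set(cvss_only(findings))
    urgent = set(triage(findings)["urgent"])
    return {
        "missed_by_cvss_only": sorted(urgent - cvss_queue),
        "deprioritised": sorted(cvss_queue - urgent),
    }


if __name__ == "__main__":
    print("CVSS-only queue :", cvss_only(SAMPLE))
    print("Integrated tiers:", triage(SAMPLE))
    print("Need enrichment :", needs_enrichment(SAMPLE))
    print("Queue difference:", compare(SAMPLE))
```

On the constructed sample the CVSS-only queue and the integrated urgent queue are the same size, but they contain different CVEs: the threshold approach escalates two severe-but-unlikely findings and never sees the actively exploited, unscored one at all, which is the failure mode the Kagawa efficiency figures describe. In a real programme the `needs_enrichment` list is the work item the NVD change creates, and A.8.8's "obtain timely information" requirement is what justifies paying for or integrating the extra feed that empties it.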
ISMS As Operating Manual

For compliance managers, the practical question is which governance framework can absorb this shift without forcing teams to rebuild their vulnerability programmes from scratch. ISO/IEC 27001 and its Annex A controls are directly aligned with the change. The standard treats vulnerability management not as a scoring exercise but as an integrated control within a wider information security management system. Control A.8.8 (Management of Technical Vulnerabilities) requires organisations to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate measures. It also advises on extra measures beyond simple scoring, like penetration testing. Control A.5.7 (Threat Intelligence) requires the collection and analysis of threat data of exactly the kind EPSS and KEV provide. Read together with A.5.30 (ICT Readiness for Business Continuity), the standard frames vulnerability management as one input into operational resilience rather than a standalone scanner output.

Certification gives compliance managers a defensible audit trail when regulators ask how the organisation prioritised CVEs without NVD enrichment. The management system should be able to cite things like commercial enrichment feeds, KEV monitoring, and EPSS scoring within existing control boundaries.

We mustn't downplay the importance of what NIST just did, but we must also put it in context. This policy disruption forces organizations along a path they should already have been navigating. It's time to use multiple intelligence sources and think more holistically about exploitability, positioning vulnerability management as an integral part of a broader resilience approach.

Expand Your Knowledge

  • Podcast: Phishing for Trouble S02 E05: You're Compliant. Are You Resilient?
  • Blog: Why Cyber Resilience Remains a Long Way off for Many UK Businesses
  • Guide: The State of Information Security Report 2025
ISO 27001

Everything You Need To Know About the Cyber Resilience Act

The European Union's Cyber Resilience Act (CRA) is the first major regulation to treat cybersecurity as a product safety requirement rather than an organisational governance one. While there are many regulations that focus on how organisations manage cyber risk internally, the CRA takes a different approach. It focuses on the products themselves. More specifically, whether the software, devices, platforms, and connected technologies entering the European market are secure by design, maintained appropriately, and supported throughout their lifecycle. For years, cybersecurity has often been treated as a governance issue, an operational concern, or a technical challenge owned largely by security teams. The CRA signals something broader: cybersecurity is increasingly being treated as a product safety requirement and for organisations selling products into the EU market, the implications extend far beyond compliance. What Is the Cyber Resilience Act? At its core, the CRA is designed to improve the cybersecurity of products with digital elements. In practical terms, if a product contains software, connects to a network, exchanges data digitally, or includes embedded connected technology, it is likely to fall within scope. The regulation applies across the product lifecycle, introducing obligations around secure-by-design development, vulnerability management, security updates and patching, incident and vulnerability reporting, technical documentation and conformity assessments, and ongoing product security maintenance. It also introduces financial penalties and, perhaps more significantly, the possibility of products being restricted or removed from the market entirely if organisations fail to comply at a persistent and serious level. The intention is to reduce the volume of insecure digital products entering the European market while creating a more consistent baseline for cybersecurity expectations across member states. 
Importantly, this is not guidance or a recommended framework. The CRA is a legally enforceable regulation. Why the CRA Matters One of the reasons the CRA has attracted so much attention is because it changes where accountability sits. Historically, many cyber regulations have focused on organisational resilience: how businesses manage risk, respond to incidents, govern suppliers, and protect critical services. The CRA shifts attention to the security of the product itself. In effect, the regulation treats cybersecurity more like traditional product safety. Just as manufacturers are expected to ensure physical products meet safety standards before entering the market, the CRA expects digital products to meet baseline cybersecurity requirements before they can be sold in the EU. That creates significant implications for product development teams, engineering functions, software providers, procurement leaders, and supply chains. It also reinforces a wider market trend. Customers, regulators, insurers, and investors increasingly expect organisations to demonstrate not only that they can respond to cyber incidents, but that security has been embedded into products from the outset. Who Does the CRA Apply To? A common misconception is that the regulation only applies to organisations headquartered within the EU. In reality, the CRA applies to any organisation placing qualifying products onto the EU market, regardless of where the business itself is based. That means UK, US, and global organisations may all fall within scope if they sell products with digital elements into Europe. 
The regulation is expected to impact a wide range of organisations, including: Software vendors SaaS and cloud providers IoT manufacturers Hardware manufacturers with embedded software Industrial technology providers Importers and distributors of digital products Manufacturers carry the greatest responsibility under the regulation because they are accountable for ensuring compliance throughout the product lifecycle. There are also categories of “critical products” that face enhanced scrutiny and more rigorous conformity assessment requirements because of the level of cyber risk associated with them. What the CRA Requires The operational impact of the CRA is where many organisations are likely to feel the greatest pressure. The regulation is not simply about creating documentation or updating policies. It requires organisations to demonstrate that security has been operationalised throughout the product lifecycle. That includes embedding secure-by-design principles into development processes, maintaining effective vulnerability management capabilities, issuing security updates appropriately, and maintaining technical evidence of compliance. For many businesses, this will require stronger visibility across software components, dependencies, suppliers, and third-party risk. It will also place greater emphasis on mature vulnerability management processes and clearer escalation pathways between security, engineering, product, and compliance teams. In practice, some organisations may discover that the biggest challenge is not understanding the regulation itself, but operational readiness. Incident Reporting Under The CRA and the ENISA Platform One of the most operationally significant aspects of the CRA is the introduction of mandatory incident and vulnerability reporting obligations. 
Manufacturers will be required to report:

Actively exploited vulnerabilities
Severe incidents impacting the security of products with digital elements

Importantly, the reporting obligations are tied specifically to product security and exploitation of vulnerabilities. This makes the CRA distinct from broader breach notification requirements under regulations such as GDPR or NIS 2.

The timelines themselves are intentionally demanding. Under Article 14 of the CRA, organisations will be expected to submit:

An early warning notification within 24 hours of becoming aware of an actively exploited vulnerability or severe incident
A more detailed notification within 72 hours
A final report within one month

For many organisations, these reporting windows may prove difficult to achieve operationally, particularly where software supply chains are complex or visibility into dependencies is limited.

The regulation also introduces a centralised reporting structure linked to the European Union Agency for Cybersecurity (ENISA). ENISA is developing a Single Reporting Platform (SRP) designed to streamline reporting across member states. Rather than requiring businesses to separately notify multiple national authorities, the intention is to create a more unified reporting mechanism.

The reporting flow currently published describes the expected process as follows:

  1. A manufacturer identifies an exploited vulnerability or severe incident.
  2. An initial notification is submitted through the ENISA reporting platform.
  3. Relevant national authorities and Computer Security Incident Response Teams (CSIRTs) are informed.
  4. Follow-up technical information and remediation details are then submitted through the same structure.

At the time of writing, the platform itself is still being developed, with the reporting obligations due to begin applying from September 2026.
Operationally, these obligations are likely to place greater pressure on:

Vulnerability monitoring
Internal escalation procedures
Software bill of materials (SBOM) visibility
Supplier oversight
Incident response coordination
Cross-functional communication between engineering, security, legal, and compliance teams

Key Dates Businesses Need To Know

There are two major dates organisations should already be preparing for.

From 11 September 2026, the CRA’s vulnerability and incident reporting obligations will begin to apply.

The wider compliance obligations take effect from 11 December 2027. By this point, products entering the EU market must meet the CRA’s cybersecurity requirements, maintain technical documentation, complete relevant conformity assessments, and satisfy associated CE marking obligations (the conformity-marking requirement, familiar from physical product safety, that confirms a product meets applicable EU regulatory standards before market entry).

Although those deadlines may appear distant, many organisations with complex supply chains or limited SBOM visibility are already discovering that operational preparation takes considerably longer than anticipated.

What Businesses Often Get Wrong About the CRA

One of the most common misunderstandings is the belief that the CRA is primarily an IoT regulation. While connected consumer devices are certainly within scope, the regulation applies much more broadly than many organisations initially assume. Enterprise software, cloud-connected platforms, industrial technologies, embedded software systems, and a wide range of connected products may all be impacted.

Another misconception is that the regulation only applies to organisations headquartered within the EU. In reality, the CRA applies to organisations placing products with digital elements onto the EU market regardless of where the business itself is based. UK and US organisations selling into Europe face the same obligations as EU-based providers.
There is also a tendency to underestimate how operational the regulation is. The CRA is not simply a documentation exercise or another policy-driven compliance framework. It requires organisations to demonstrate evidence of secure development practices, vulnerability handling processes, patch management capabilities, and ongoing product security maintenance.

This means the regulation is likely to impact:

Engineering and development teams
Product functions
DevOps and security operations
Procurement and supplier management
Legal and compliance teams
Executive leadership

Many organisations are also underestimating the amount of preparation time required. The biggest challenge is unlikely to be understanding the regulation itself. More often, the difficulty lies in operational readiness. Common gaps include:

Limited visibility into software components and dependencies
Incomplete SBOM management
Weak supplier security oversight
Fragmented vulnerability management processes
Immature escalation and reporting procedures
Difficulty evidencing secure-by-design development practices

Finally, many businesses initially focus on the financial penalties associated with the regulation while overlooking the wider commercial implications. Authorities may restrict sales, require remediation actions, force recalls, or remove non-compliant products from the EU market altogether. For many organisations, continued access to the European market may ultimately become the strongest driver for CRA compliance.

The Penalties for Non-Compliance

The financial penalties under the CRA are substantial. For the most serious violations, organisations may face fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. These penalties may apply where organisations fail to meet cybersecurity requirements, neglect reporting obligations, or place non-compliant products onto the market.
Additional penalties may apply where organisations provide inaccurate or misleading information to regulators.

However, the financial penalties alone do not fully capture the business risk associated with the regulation. The potential impact on market access, customer trust, procurement eligibility, and supplier relationships may prove even more commercially significant.

Preparing for the CRA: Where To Start

For many organisations, preparation will require more than reviewing policies or updating compliance documentation. The regulation will likely force businesses to examine how security is embedded across product design, development, maintenance, supplier oversight, and incident response.

For many organisations the best place to start is scope: understanding which products fall within the regulation and which don’t. From there, preparation can follow a logical sequence:

  1. Foundation: establish visibility. Most organisations find that the biggest early gap is not process maturity but basic visibility, specifically the ability to map software components and dependencies through a maintained software bill of materials (SBOM). Without this, vulnerability management and supplier oversight have no reliable foundation to build on.
  2. Process: harden vulnerability and incident response. With visibility established, organisations can assess the maturity of their vulnerability management processes, their ability to meet the CRA's aggressive reporting timelines, and the effectiveness of escalation pathways between engineering, security, and compliance functions.
  3. Assurance: evidence secure-by-design practices. The final layer is evidencing that security has been embedded into the development lifecycle itself, not retrofitted after the fact. This is typically where organisations with mature governance frameworks, such as ISO 27001, find themselves better positioned: the controls infrastructure already exists; it needs to be extended and pointed at product security.
This is also why many businesses are increasingly aligning existing governance and security frameworks with emerging product security requirements. Frameworks alone will not guarantee compliance, but organisations with mature governance, risk management, supplier oversight, and incident response capabilities are likely to be in a stronger position as CRA obligations take effect.

The Direction of Travel

The Cyber Resilience Act represents a significant evolution in cybersecurity regulation. Rather than focusing solely on organisational governance or resilience, the CRA places cybersecurity expectations directly onto digital products themselves.

For organisations selling into the European market, this is likely to become not only a compliance issue, but a product strategy, operational resilience, and commercial trust issue as well.

The organisations best positioned to respond successfully will likely be those that move beyond viewing the CRA as a last-minute compliance exercise and instead treat it as part of a broader shift towards secure-by-design operations, stronger resilience, and greater product accountability.

Ultimately, the CRA reflects a wider reality facing modern businesses: cybersecurity is no longer simply an IT responsibility. It is increasingly becoming a core expectation of product quality, customer trust, and market access.

Expand Your Knowledge

Blog: From NIS2 to the Cyber Resilience Act: The "Product" Side of Governance
Blog: Mind the Gap: The Salesforce Incident and the Evolving Nature of Cloud Risk
Podcast: Phishing for Trouble S02 E05: You're Compliant. Are You Resilient?
How Ransomware Became a Business Resilience Problem

May was not a good month for Latvian national Deniss Zolotarjovs. The US Department of Justice secured a 102-month sentence against him for his role in Russian ransomware gang Karakurt. The case revealed that members of Karakurt had been using Russian government databases to intimidate corporate victims and screen their own recruits. This criminal network had also disrupted US 911 emergency dispatch services and extracted at least $15 million in ransoms from more than 54 named victim companies.

This criminal enterprise is an example of a growing problem that corporate security teams cannot solve in isolation. Resilience planning that still treats the threat as an IT department problem is planning for the wrong adversary and underestimating the scope of the problem.

Who's Involved

Companies must change the actor profile that they have been building continuity plans for. These groups don't just operate internationally; they operate with state cooperation. In 2024 the US Treasury Department had already sanctioned ransomware group Trickbot for alleged ties to Russian intelligence. Trickbot spawned several other groups, including Conti, which in turn led to the creation of Karakurt. So, the sanctions for Trickbot's leaders carry through indirectly to Karakurt.

The May prosecution turned what had been characterized as passive state tolerance into evidence of direct operational support. Karakurt paid bribes to exempt members from compulsory Russian military service and channeled corruption into the state apparatus to keep its operation running. For organizations headquartered in jurisdictions Moscow views as adversarial, the practical consequence is that the threat actor on the other side of the table behaves less like organized crime than like a quasi-contracted instrument of state policy.

Where It Starts

Improving ransomware resilience also means reconsidering where the breach actually starts.
Security Scorecard’s 2025 review of 1,000 breaches found that 41.4% of ransomware attacks now begin with third-party access via vendor vulnerabilities, and that 35.5% of all breaches in 2024 had a third-party component. The European response treats the corporate perimeter as something that ends with the weakest contracted vendor: NIS2 explicitly extends cybersecurity obligations to "a much wider ecosystem of third-party vendors, suppliers, and digital service providers" supporting critical activities across the bloc. A procurement contract is now a regulated security artefact in a way it was not three years ago, and most multinationals' supplier-onboarding processes have been calibrated to a much less interconnected version of the risk.

Where It Ends

Breaches no longer end at IT infrastructure; they're affecting enterprise operations. The 2021 Colonial Pipeline attack forced an operational shutdown that disrupted the supply of roughly 45% of the fuel consumed along the US East Coast and triggered a federal emergency declaration.

Asahi Group's September 2025 ransomware incident illustrated the same dynamic at a different scale. Factory floors were not technically infected, yet up to 30 domestic plants stopped producing because the IT systems coordinating orders, logistics, and interdependent supply chains were down. The lesson from Asahi Group is structural rather than technical: in highly digitized operations, an IT compromise propagates directly into the physical operating model. The more an organization has optimized its processes for efficiency, the wider the blast radius tends to be.

What Resilience Actually Means Now

The Karakurt prosecution highlights a level and scope of geopolitical risk that is difficult for ordinary cyber insurance models to price. The Colonial and Asahi cases make clear that the operating model itself is the attack surface.
Treating ransomware as an enterprise resilience problem rather than a security control problem is now the lowest bar the regulatory and threat environment requires. The institutions writing the new rules have started to describe resilience in language that boards, not CISOs, will act on. This covers governance, supplier oversight, business continuity, and the assumption that a breach will eventually arrive through a vendor the company does not control.

The standards that already exist do most of the translation. ISO 27001's 2022 revision is the clearest case, because it rewrote its supplier controls around exactly the third-party exposure Security Scorecard’s numbers describe. Controls A.5.19 to A.5.23 make a business document who has access to what and write those security obligations into supplier agreements. These controls push the same scrutiny down the ICT supply chain to the cloud services and sub-processors that onboarding checks don't always reach. It turns the weakest-vendor perimeter into something a company can audit.

ISO 22301 does the parallel job for continuity. It demands a business impact analysis and tested recovery objectives rather than faith that systems will come back, which is the gap the Asahi shutdown exposed. This is all good practice, but NIS2 converts much of it into legal duty. Its Article 21 names supply-chain security as a specific obligation, not a recommendation.

Choosing a framework is the easy part. The work is keeping dozens of overlapping controls, supplier assessments and continuity tests current across an organization whose perimeter runs through vendors it doesn't fully control. Using a unified platform to map one set of evidence against ISO 27001, ISO 22301 and NIS2 at once untangles and articulates supplier risk, providing an audit trail in a state a board can digest and act on before an incident rather than afterwards.
Ransomware resilience stops being a binder somebody updates post-breach and becomes something the C-suite can prove.

Expand Your Knowledge

Blog: Cybercrime Vs Geopolitics: How Ransomware Is Becoming A Geopolitical Tool
Blog: Phishing for Trouble S02 E05: You're Compliant. Are You Resilient?
Guide: The State of Information Security Report 2025
Cyber-Risk Management Is Fragmented: Here’s How to Fix It

Organisations have long understood the challenge of translating cyber into business risk. The CISO-boardroom communication breakdown is real and well documented. But are there deeper problems?

For various reasons, cyber-risk management has grown in size and scope over the years. Today it might span everything from traditional security disciplines to privacy, supply chain risk, legal, AI governance and operational resilience. That inevitably creates data silos, coverage gaps and resilience challenges. If joined-up governance is the destination, what should the journey look like?

When Visibility and Ownership Splinter

There are various reasons why cyber-risk management has grown so unwieldy over the years. There was a time when security was much easier. Computing resources lived on-premises and organisations guarded the perimeter to keep out the bad stuff. This castle-and-moat approach evaporated with the arrival of cloud computing, remote working and SaaS applications. As the attack surface expanded it has taken in operational technology (OT), internet of things (IoT) systems, mobile devices, edge computing servers and more. More IT assets, more complexity, more fragmented oversight.

AI infrastructure and services represent the latest expansion. Large language models (LLMs), agents, vector databases, machine learning pipelines, APIs, plugins, and cloud servers represent a new high-risk target for attack. As AI finds its way into more business-critical services, the potential for compromise, data theft and manipulation grows. Shadow AI is a particular concern. Two-thirds (65%) of organisations have suffered AI agent-related security incidents in the past year and even more (82%) suspect having unmanaged agents running in their environments.

Supply chains are also to blame. The average enterprise now uses an estimated 61 security tools. And that’s just cyber.
In almost all sectors, organisations have amassed a complex ecosystem of partners handling everything from logistics to professional services. Then there are digital suppliers. Open source components are a growing source of risk.

The final factor is the regulatory environment. As new laws have emerged to encourage operational resilience and protect personal data, AI technology, smart devices and other tech, the burden on compliance teams has grown. In some cases (like NIS2), senior management is now held personally liable for non-compliance. That has shifted the accountability focus more squarely away from security teams and onto business leadership.

What this Means

According to research and advisory firm Info-Tech Research Group, there are three key barriers to integrated risk management:

Lack of mature processes, shared language, risk culture, and modern tooling to support integrated risk management
Rapidly evolving regulations, emerging technologies, and shifting geopolitical realities that make it difficult to maintain proactive risk practices
Risk management that is treated as a compliance exercise rather than a strategic capability, leading to blind spots and missed opportunities to strengthen resilience

In some cases, CISOs are expected to handle the growing burden. Cambridge University research shows this can lead to reactive risk management, tick-box compliance and often burnout. Separate IANS research reveals 52% of CISOs feel their scope is no longer fully manageable. The pressure is particularly acute in smaller organisations and can delay important strategic initiatives, the report warns.

Ultimately, siloed risk management hurts the organisation by increasing opacity and breach risk, argues Black Duck CISO, Dom Glavach. “When siloes create disconnected oversight, especially as AI accelerates the pace, risks emerge across software supply chains, workflows, and business operations.
Distributed ownership is necessary to keep pace as cyber risk spans security, product, privacy, compliance, and suppliers,” he tells IO (formerly ISMS.online). “When the silos disrupt oversight, organisations end up with blind spots, duplicate work, slower response, and difficulty proving that the controls were working across the organisation.”

Time to Integrate

So where do organisations go from here? Info-Tech has a four-point plan for integrated cyber-risk management:

  1. Establish goals and governance
  2. Develop mechanisms to identify and assess risks
  3. Develop risk response options
  4. Create a tooling, monitoring and reporting plan

For Muhammad Yahya Patel, vCISO EMEA at Huntress, two key areas of focus should come first.

“First, a common control framework that all functions map to so that when the CISO reports on security controls, the data protection officer (DPO) reports on privacy controls, and the AI governance lead reports on model risk, they're all speaking to the same underlying risk taxonomy, and the board can see the aggregate picture,” he tells IO.

“Next, the supplier dimension needs attention because it's where the governance breakdown is most acute right now. Most organisations have third-party risk management processes that are point-in-time: an assessment at onboarding, a questionnaire at renewal. What they don't have is continuous visibility of whether the controls they relied on at assessment time are still in place. Continuous monitoring of supplier security posture, integrated with your internal risk picture, is a must have.”

Where Frameworks Help

Ronald Lewis, head of cybersecurity governance at Black Duck, likens the process to fine-tuning an old-fashioned clock, where every function is a cog. “Each cog has a specific role, but none operate independently. If one cog is misaligned, spinning too fast, too slow, or in the wrong direction, the whole system drifts. That’s exactly how cyber risk behaves in siloed environments.
Controls don’t fail because they’re poorly designed; they fail because they’re not synchronised with decisions happening elsewhere,” he says. “That level of synchronisation doesn’t happen organically. It requires a framework. Whether it’s ISO 27001, NIST, or a well-constructed internal model, the point is to establish a common language, consistent taxonomy, and clear lines of traceability between risks, controls, and ownership.”

Lewis explains that a strong framework forces integration across domains. “It creates the connective tissue between privacy, security, third-party risk, AI governance, and operational resilience. It enables you to see not just individual risks, but how they interact and scale,” he concludes. “Without that structure, you can’t get to joined-up oversight. With it, you can align the cogs, turning independently, but in the same direction, toward a single, measurable goal: a coherent, enterprise-wide understanding and management of cyber risk.”

Expand Your Knowledge

Podcast: Phishing for Trouble S2 E2: You're Compliant. Are You Resilient?
Blog: Why Cyber Resilience Remains a Long Way Off for Many UK Businesses
Blog: The Governance Gap: Why the EU AI Act Is the Moment Boards Can No Longer Treat Compliance as Someone Else’s Problem
Cybercrime Vs Geopolitics: How Ransomware Is Becoming A Geopolitical Tool

Nation states are ramping up destructive attacks utilising ransomware and wipers. What can be done to manage the risk?

In 2017, Russia-linked adversaries unleashed an attack that later became known as NotPetya, as part of an ongoing campaign against Ukraine. Disguised to look like the Petya ransomware, the consequences of the devastating cyberattack were destruction, rather than financial gain. The damage from the wiper tool went far beyond its target, hitting companies across Europe and beyond.

Nearly a decade later, wipers and ransomware are becoming key tools for nation state attackers to halt critical services and cause disruption. The 2021 Colonial Pipeline incident is a prime example of the damage that can occur as a result of this type of attack. Attributed to DarkSide — a group with Russian links — the attack forced the shutdown of the largest fuel pipeline in the US, triggering widespread fuel shortages. In 2021, North Korean government-linked adversaries perpetrated the Maui ransomware attacks against hospitals and diagnostic centres, with the aim of generating revenue and causing chaos.

The escalating geopolitical situation including the Russia-Ukraine war and Iran conflict are adding to the threat, with growing fears of destructive attacks from adversaries linked with hostile nations such as China, Russia, Iran and North Korea (CRINK). It has led national security agencies to issue warnings, with the UK National Cyber Security Centre (NCSC) detailing tools to help businesses mitigate the risk. What can firms do to manage this growing issue?

The Evolution of Ransomware

There’s no doubt the risk of nation state attacks utilising ransomware as part of geopolitical aims is growing. Tracey Hannan-Jones, information security consulting director at UBDS Digital, believes the line between cybercrime and geopolitics “has never been thinner”.
What was once the domain of financially motivated criminal gangs has evolved into a “sophisticated instrument of state power”, according to Hannan-Jones. This is seeing ransomware, malware and destructive cyberattacks used beyond extortion. “They are weapons of geographical disruption, deployed by nation-state actors to destabilise governments, cripple infrastructure, and project power — without a single shot being fired,” she says.

Previously ransomware attacks followed a predictable logic: Encrypt, demand payment and profit. This has shifted dramatically as nation-state actors — most notably those aligned with Russia, North Korea, China, and Iran — have adopted and adapted the same techniques, often “with objectives far beyond financial gain”, says Hannan-Jones.

Undermining Trust

Gary Barlet, public sector CTO at Illumio, concurs with Hannan-Jones’ analysis. In some cases, attacks are designed to undermine public trust, create operational instability and apply economic pressure, says Barlet. He explains how many ransomware groups operate in environments where they receive indirect protection or tacit approval from governments that see strategic value in their activity. “This convergence creates a huge challenge for defenders who are no longer dealing with just isolated criminal activity.”

The issue now is threats that sit in a “grey zone” between financially-motivated attacks and state-aligned operations, according to Barlet. “Ransomware groups increasingly behave like proxies, targeting foreign adversaries or contributing to broader destabilisation efforts.”

At the same time, it’s difficult to identify the perpetrators, because cyber operations are deliberately designed to provide criminals with plausible deniability. “An attack may appear financially-motivated at first glance, but the operational timing, target selection, or broader impact may suggest strategic intent underneath,” explains Barlet.
Opportunistic Vs Strategic

Nation state attacks can be strategic or opportunistic. Money is often a motivator for nation state attacks, such as those perpetrated by North Korea. It is not unusual to observe nation state adversaries “monetising digital insecurity to generate illicit revenue”, says Jamie Moles, senior technical manager at ExtraHop. “By collaborating with cybercriminal syndicates, states deploy ransomware and exploit supply chain vulnerabilities. This financial extraction allows regimes to bypass international sanctions and fund ‘off-book’ intelligence operations.”

Opportunity can sometimes play a part, with conflict in Iran allowing nations such as Russia to fly under the radar. Meanwhile, state-sponsored attackers sometimes take advantage of the cybercrime ecosystem to conceal their culpability in attacks, says Andrew Brandt, principal threat intelligence incident commander at Huntress. “Why spend the time to develop custom, bespoke malware when you can just take the leaked source code from Gh0stRAT and use that, instead?”

Supply Chain and Critical Infrastructure Risk

The risk is expanding further as supply chains become more digitally interconnected, seeing them inherit new points of failure that attackers are quick to exploit. Cybercriminals routinely abuse misconfigurations, insecure APIs and weak authentication to gain initial access before moving laterally toward critical systems, according to Illumio’s Barlet.

Ransomware groups also know that disrupting supply chains can be far more damaging and profitable than stealing data. “Even short-lived disruption can ripple across global supply chains, particularly in just-in-time production environments where delays quickly go downstream,” says Barlet.

As this threat grows, traditional security models can struggle, because they are built for incidents, rather than state-backed campaigns. Security models are often built around “a perimeter-based mindset”, according to Barlet.
“Security teams think in binary terms about whether an attacker got in or not, meaning they often fail to account for what happens afterwards. This creates unrealistic expectations that every breach can be prevented.”

However, when attackers breach the perimeter, they often move laterally across systems, escalating access and causing widespread disruption. “By focusing too heavily on the perimeter, organisations are effectively defending a finite boundary while ransomware actors operate freely inside once they get through it,” explains Barlet. He says the Jaguar Land Rover and retail attacks last year followed this pattern. “The attackers compromised networks, targeted systems critical to services and operations and exfiltrated sensitive information.”

Limit the Impact

As the attack lines continue to blur, it’s key to ensure resilience thinking, cross-sector awareness, supply chain visibility, and executive-level accountability. Frameworks such as ISO 27001 can provide a basis to manage risk amid increasing threats.

With the nation state threat surging amid geopolitical disruption across the world, Barlet believes firms — particularly those operating in critical sectors — need to let go of the idea of total prevention and instead focus on limiting the impact of ransomware through breach containment. “A containment-first strategy forces attackers to slow down, making it harder for them to remain hidden and move across different systems,” he explains. “More importantly, it forces attackers to change their techniques and procedures, giving security teams a much better chance of detecting, responding to and recovering from attacks.”

UBDS Digital’s Hannan-Jones thinks that the focus should be on resilience over prevention.
“No organisation can guarantee it will not be attacked, so the focus must shift to resilience: The ability to detect, respond and recover with robust business continuity and disaster recovery planning.”

Incident response preparedness is key, including rehearsed plans with “clear escalation paths and communication protocols to significantly reduce the impact of a successful attack”, says Hannan-Jones.

Organisations should also prioritise threat intelligence integration, she advises. “This means moving beyond generic security alerts and consuming sector-specific, geopolitically-contextualised threat intelligence to understand which threat actors are active, their tactics, and their targets for proportionate risk management.”

Expand Your Knowledge

Podcast: Phishing for Trouble S01 E02: Security of Public Systems and Services
Blog: Cyber Threats in a Time of Heightened Middle East Tensions: What UK CISOs Can Expect
Blog: The Resilience Factor: Breaking Down the BridgePay Ransomware Attack
North Korean IT Workers Are Targeting the UK: What Should You Do?

Insider risk was until recently largely considered to be limited to isolated incidents. Dangerous, yes. But usually, the result of negligent employees or the odd “lone wolf” motivated by greed or revenge. The discovery of a years-long campaign by North Korea to infiltrate Western companies has turned these assumptions upside down. The bad news for UK CISOs: it’s no longer just a problem for US businesses, according to Google.

With Pyongyang taking insider threats to a whole new level, what can security leaders and their HR peers do to weed out the miscreants? And prevent the next wave of spies from tricking their way into in-house IT roles?

The Latest TTPs

According to Microsoft, North Korea’s “fraudulent remote worker scheme” has been ongoing since at least 2020, having placed thousands of IT workers into roles in Western organisations. Several indictments of North Korean spies and local facilitators have followed, lifting the lid on the scale of the operation. Now it seems to be expanding into Europe, according to Jamie Collier, Google Threat Intelligence Group (GTIG) lead advisor.

“The scale of the threat posed by DPRK IT workers is continuing to grow, and UK organisations are firmly in scope. What began as a largely US-focused operation has expanded into a global campaign, with Europe now a key target,” he tells IO (formerly ISMS.online).

“In one case, a DPRK IT worker leveraged facilitators in both the US and UK, with a corporate laptop – intended for use in New York – found to be operational in London. This points to a complex logistical chain, where devices and access are effectively proxied through trusted locations, allowing operatives to mask their true identity and location.”

These workers create, rent or purchase identities matching the geolocation of the target organisation, and open new email, social media and GitHub accounts to build a convincing professional persona.
Their facilitators validate these fraudulent identities and help by forwarding company devices and running laptop farms. The workers use remote management tools to connect to those device farms, located locally to the role, while VPNs, virtual private servers (VPSs), and proxy services hide their true identity. AI-powered deepfake images/videos and voice-changing software is also deployed to keep employers in the dark. A recent report from Flare and IBM X-Force uncovers more details on the sophistication of these schemes. It reveals the use of North Korean IT management platforms like “RB Site” and “NetkeyRegister” to provide “a structured back-office operation for tracking work, managing devices, and distributing software updates.” And the use of IP Messenger for covert comms. The job of security and HR teams is made harder by the fact that, in most cases, the goal of the campaign is not necessarily data theft or extortion but simply to generate money for the Kim Jong-un regime. Flare estimates it is generating as much as $500m annually, with some workers holding down multiple jobs at the same time. “In some cases, they’re not just securing roles, they’re excelling in them,” says Google’s Collier. “When we informed one client that an employee was a North Korean operative, the response was: ‘are you 100% sure, because he’s one of our best employees’.” Taming the Insider Threat Yet even if North Korean IT workers aren’t actively stealing data or extorting their employers, their mere presence represents a major compliance risk. “The Office of Financial Sanctions Implementation’s September 2024 advisory does not leave much room for ambiguity. Paying a DPRK IT worker, even unknowingly, can constitute a breach of UK and UN financial sanctions. The penalties are civil (strict liability, so ignorance is not a defence) or criminal (up to seven years),” explains Flare senior cybercrime researcher, Adrian Cheek. 
“OFSI reported around £500,000 in enforcement penalties in 2024-25, and it signed a new memorandum of understanding with the US Treasury that year, which means transatlantic cooperation on these cases is tightening. If your company also operates in the US, you face exposure on both sides and the reputational risk barely needs spelling out.” Cheek outlines several steps organisation should consider to mitigate the threat. These should start with fixing the hiring process, which is how most damage can be prevented. “Start with the basics: verify identity against government-issued ID, confirm right to work, and independently check employment history and references. Do not just call the number on the CV,” he tells IO (formerly ISMS.online). “For anything touching sensitive systems or data, go further. BS 7858-grade screening covers a verified five-year employment history with no unexplained gaps, sanctions and watchlist checks, and financial integrity checks where the law allows it.” Next should come improved interview screening. “This is the bit that most guidance overlooks. Standard technical interviews are trivially easy to pass with AI running on a second screen, which is exactly what these operatives do. You need to design interviews that break that workflow,” says Cheek. “Throw in something false and see what happens. And ask questions that need a real opinion, not a textbook answer. Avoid anything a candidate could answer by pasting the question into an LLM.” Hirers should also insist on live-screen sharing, and change interview formats between rounds, to throw off a potential faker. “If their fluency drops dramatically when they cannot prepare and do not have AI assistance lined up, that is a significant indicator,” says Cheek. For roles with access to sensitive data, at least one in-person meeting is essential. 
Finally, organisations can mitigate the risk of having a potential North Korean worker in their midst by applying least privilege, disabling local admin accounts, and restricting the ability to install remote desktop tools, Cheek concludes. “Do not hand a new contractor the keys to every repo and internal tool on day one. Provision access incrementally and review it regularly,” he says. “And if you cannot issue a managed device, make sure equivalent logging and endpoint visibility is in place.” Collaboration with HR Many of these efforts will require security teams to build bridges with their HR counterparts, says Mimecast cybersecurity strategist, Adenike Cosgrove. “Collaboration needs to be built into recruitment as standard, not treated as an escalation step,” she tells IO. “HR is often the first line of defence. They see the early signals: candidates who deflect identity questions, push back on verification or behave inconsistently.  Without a clear channel to surface those concerns to security, those signals disappear.” The same should apply to offboarding, to ensure network access is removed immediately following the termination of a suspected malicious insider, she says. “None of this works without agreement upfront: on what HR flags to security, what security communicates back, and how decisions get made when the picture is ambiguous”, Cosgrove adds. “Insider risk is ultimately a people problem. The teams closest to people and the teams closest to data need to be working from the same playbook. If HR and security aren’t working as one system, this threat slips straight through the gap between them.” The Role of Best Practice Frameworks The good news is that, although standards like ISO 27001 can feel “disconnected” from threats like this, “in practice they’re more relevant than ever”, says Cosgrove. “What ISO 27001 provides is structure,” she adds. 
“It forces alignment between HR screening, access controls and security oversight, which is exactly where this threat sits.” Flare’s Cheek goes further. He cites NIST CSF 2.0 as relevant for multinationals or companies working with US clients. And Cyber Essentials as basic but with useful access control requirements. But ISO 27001 is the most comprehensive for tackling the North Korean threat, he argues. Cheek references the following as useful and relevant here: Annex A 6.1 (Screening), which requires background checks proportionate to the role’s risk level, and ongoing screening Annex A 5.16 (Identity Management), which requires unique user identification and prohibits shared accounts Annex A 6.5 and 6.6, which require that confidentiality obligations survive termination and access gets revoked immediately, mitigating extortion risks Annex A 6.7 (Remote Working), which covers the risks of unmanaged devices verifying remote workers physically “The real value of ISO 27001, though, is cultural,” he concludes. “Researchers have been saying for over a year that insider risk needs to be a shared responsibility across security, HR, legal, audit, and finance. ISO 27001 gives you the structure to make that happen.” Expand Your Knowledge Blog: When the Help Desk is the Threat Podcast: Phishing for Trouble S02 E02: Boardroom to Breakroom- Building a Culture of Compliance Guide: The State of Information Security Report 2025

The Governance Gap: Why the EU AI Act Is the Moment Boards Can No Longer Treat Compliance as Someone Else’s Problem

The EU AI Act is already in force, penalties are already active, and most enterprises cannot classify their own AI systems. The governance gap is no longer theoretical; it is a liability sitting on the balance sheet.

For the past three years, boards have been enthusiastically deploying AI across hiring, credit decisioning, customer service, operations, and strategy. Most have done so without building the governance architecture to manage it. Now the regulatory framework has arrived, and it has arrived with teeth. Parts of the EU AI Act are already in force. Prohibitions on unacceptable AI practices came into effect in February 2025. Penalties for general-purpose AI model providers activated in August 2025. Full enforcement of regulations against high-risk AI systems will now take effect in stages across August and December 2027. The window between now and then is not breathing room. It is the entire runway.

And yet the readiness gap is striking. An appliedAI study of 106 enterprise AI systems found that 40% could not clearly identify their own risk classification under the Act. The most basic step in the compliance process remains incomplete for a large proportion of enterprise deployments. A majority of C-suite leaders now identify regulatory non-compliance as their primary AI concern. The lagging factor is the operational response. This is the crux of the issue. The AI investment is real. The competitive pressure to deploy is real. The regulatory obligation is now real. What has not kept pace is governance.

The Gap No One is Talking About

Most enterprise AI conversations still centre on capability and investment. The governance conversation has lagged, and the consequences are already being felt. Data from the IO State of Information Security Report states that 79% of organisations have adopted AI or machine learning in the past 12 months, with a further 19% planning to do so. That makes AI deployment near-universal. What makes the governance gap that follows all the more acute is this: 37% of organisations report that employees are using generative AI without permission. Additional research from IBM indicates that shadow AI-related incidents accounted for 20% of breaches over the past year, and 11% of breached organisations were unsure whether they had experienced a shadow AI incident.

The implication for AI Act compliance is direct: where employees are deploying AI without organisational knowledge, the organisation may be operating high-risk AI systems it cannot classify, cannot monitor, and cannot evidence governance over. Under the Act, that is a deployer liability. You cannot govern what you cannot see. And most organisations cannot yet see all their AI.

This problem does not lie in one part of the business. The EU AI Act creates simultaneous obligations across information security, data privacy, and AI governance. Any AI system that processes personal data falls under both the Act and the GDPR. Any system embedded in hiring, credit, or customer decisioning carries deployer obligations regardless of whether it was built in-house or procured from a vendor. Vendor contracts must now allocate AI compliance responsibilities. The AI governance supply chain is the organisation's responsibility. Most organisations have these functions in separate rooms, having separate conversations. That fragmentation is precisely the structural vulnerability the Act will expose.

The Regulation Reaches Further than Most Boards Currently Understand

The penalty structure is significant: fines of up to 35 million euros or 7% of global annual turnover for the most serious violations, a ceiling that exceeds even GDPR. Personal liability for senior management is provided for in the Act. And its reach is extraterritorial. Any organisation whose AI systems affect users or markets in the EU is in scope, regardless of its headquarters. London, New York, Singapore: if your AI touches the EU, you carry the obligation. For UK businesses operating under the assumption that post-Brexit regulatory distance provides any shelter here, it does not. The obligation follows the system, not the flag.

The timeline is a sequence, not a single future date. The prohibitions are already in force. The general-purpose AI penalties are already active. December 2027 is not a distant deadline. Building an integrated governance infrastructure across functions that currently operate independently, on different cycles, with different tooling, takes more time than most organisations running reactive compliance programmes have left.

Why the Checkbox Model Breaks Down

The traditional compliance response (producing a risk assessment document, assigning a policy owner, and scheduling an annual review) does not work. The Act's requirements are technical and operational. AI systems must be continuously monitored, logged, and tested against current performance. Models drift. Training data becomes stale. Deployment contexts change. A governance model designed around periodic reviews cannot keep pace.

The IO data makes the scale of this clear. 54% of respondents say they adopted AI technology too quickly and are now facing challenges scaling it back or implementing it more responsibly. Only 21% cite establishing responsible AI usage policies as a priority for the coming year. The contrast is striking: near-universal deployment, minimal governance priority.

More fundamentally, no single function owns the full compliance surface that the Act examines. A legal team addressing only the privacy threat leaves security and AI risk exposed. A CISO addressing only security leaves classification and data governance uncovered. A product team addressing only AI risk has no visibility into the privacy or security posture of the systems it owns. Siloed responses to cross-functional regulations do not result in partial compliance. They produce the illusion of compliance, and that illusion is exactly what regulators are looking to test.

The Resilience Loop

The insight that separates organisations building genuine resilience from those managing isolated obligations is this: AI governance cannot be treated in isolation from information security and data privacy, because in practice these risks are inseparable. The resilience loop, the continuous, unified management of information security, data privacy, and AI governance as a single integrated system, is the architectural response to that reality. It is one that generates a clear overview of risks and mitigations, adapts to new regulatory requirements, and delivers the kind of demonstrable, auditable resilience that regulators, investors, and enterprise customers increasingly demand.

The three domains the EU AI Act simultaneously activates are precisely the three domains the resilience loop unifies. An organisation already operating this way does not need to retrofit AI Act compliance onto existing programmes. The infrastructure is already in place, governing the full cross-functional surface that the regulation is examining. Organisations that have not yet made this shift are not facing a documentation gap. They are facing an architectural one.

The Competitive Case

Regulated sectors (financial services, healthcare, and critical infrastructure) are accelerating AI governance requirements for vendors and partners. Enterprise procurement increasingly includes AI governance assessments. Institutional investors are beginning to treat AI oversight maturity as part of their risk evaluation. The IO data points to what is already happening. Respondents report that the biggest increases in compliance ROI came from improved business decision-making, customer retention, and new sales opportunities, and those gains have strengthened considerably year on year.

The pattern is consistent: organisations that move earliest on integrated governance pull away from those still managing compliance reactively, not because the governance itself is a competitive advantage, but because the infrastructure it builds enables faster, more confident deployment of the capabilities that are. The AI Act is not the ceiling on what governance requires. It is the floor.

The Window is Shorter than Most Boards Currently Understand

December 2027 is the hard line for high-risk AI systems. Building the integrated governance infrastructure to meet that deadline is not a project that starts in Q3 2026. It starts now. The organisations that act in this window will enter enforcement readiness from a position of strength. Those that wait will be retrofitting under pressure, against a deadline already visible on every regulator's horizon. The question every board should be asking is not whether to act. It is whether there is still time. And the answer, for now, is yes.

Why Cyber Resilience Remains a Long Way Off for Many UK Businesses

Cyber resilience has emerged as one of the key areas of focus for the cyber industry over the past few years. Even the government has cited it in a critical piece of pending legislation. But achieving it is proving somewhat difficult for the UK’s six million businesses. If the latest Whitehall research is anything to go by, the distance between the industry’s ambitions for resilience and what organisations are actually achieving remains considerable.

This year’s Cyber security breaches survey is out. And it’s proof once again that the nation’s businesses are treading water when it comes to their cyber-resilience efforts. Only half (57%) of mid-sized firms and three-quarters (74%) of large businesses even have a security strategy in place – virtually unchanged from last year. There’s much work still to be done.

The Journey to Resilience

Resilience is about reframing cybersecurity against the backdrop of a volatile threat landscape, growing regulatory scrutiny and insatiable boardroom demands for digital investment. In a world where the cybercrime economy is worth trillions, the National Cyber Security Centre (NCSC) is dealing with four “nationally significant” attacks per week, and billions of compromised credentials are circulating, security teams have to accept that no organisation is 100% breach proof. In this context, the focus shifts beyond prevention to being able to prepare, respond, recover and learn from any attacks that do sneak through.

This matters more than ever as attack surfaces expand with an explosion of IoT devices, AI agents, chatbots and LLMs – many of which are being used without the knowledge of IT. The IO (formerly ISMS.online) State of Information Security Report 2025 reveals that a third (34%) of respondents are concerned about shadow AI over the coming year, one of the most popular answers.

What the Government Found

True resilience demands layered defences. Unfortunately, the government’s latest breaches report reveals that many organisations are not putting the basics in place. Here are some of the headline findings:

Staff training and awareness raising: Although the share of respondents engaging in these activities increased for the largest firms (from 76% last year to 84% this year), overall it remained stuck at a disappointing 19%.
Risk assessments: A very small annual increase in the number of respondents conducting cybersecurity risk assessments, among mid-sized (57% to 62%) and large (70% to 72%) businesses. However, the overall figure remained virtually unchanged at 30%.
Supply chain risk management: Less than a third (30%) of medium-sized firms and half (48%) of large businesses review the cyber risks posed by immediate suppliers. That’s almost unchanged from last year’s 32% and 45% respectively. For the wider supply chain, the figures were even lower: 13% and 24% versus 15% and 25%. Overall, just 15% of businesses reviewed their immediate suppliers and 6% the wider supply chain – around the same as last year (14% and 7%).
Insurance: Half (47%) of businesses say they are insured against cyber risk, rising for medium-sized firms (61%). This is broadly in line with last year (45% and 65%). However, more worryingly, just 10% say they have a specific cyber-insurance policy in place, and over a fifth (22%) don’t know at all. Both stats were similar to last year (7% and 20%).
The board: Cybersecurity is considered a “high priority” for senior management in 72% of respondents. But is it really? Board-level responsibility for it increased just slightly, from 27% to 31%.
Incident response: The share of respondents with a formal IR plan was virtually unchanged (25%), as were the figures for medium (53% to 57%) and large (75% to 76%) businesses.
Awareness of government initiatives: More respondents than last year say they’ve heard of government schemes like Cyber Aware (24% to 30%), the 10 Steps guidance (12% to 17%) and Cyber Essentials (12% to 17%). But these figures, and those for the newer Software Security Code of Practice (22%) and Cyber Governance Code of Practice (16%), are still way too low. What’s more, the share of respondents holding Cyber Essentials has increased only slightly, from 3% to 5% overall, and from 21% to 35% for large businesses.
AI: Around a fifth (21%) of respondents say they adopted some AI tools in the organisation. Yet nearly half (45%) claim AI is not relevant to their organisation.

Moving Beyond Tick-Box Security

Cybanetix CTO, Merlin Gillespie, tells IO that the report once again illustrates two realities: larger firms are broadly competent while their smaller peers are exposed. “The standard prescription is well rehearsed. Adopt an assume-breach posture, write a tested incident response plan with clear escalation paths, deploy a bunch of security controls, MDR, identity management, authentication hardening, and start formally reviewing your supply chain,” he explains. “All of which are the right answer for businesses with a formalised security function and resources capable of executing. The problem is that this prescription assumes a capacity that most UK businesses don’t have.”

Richard Groome, OT cybersecurity specialist at e2e-assure, is concerned about poor incident response capability. “Most businesses can escalate internally, but only a third have clear external reporting processes. That’s not resilience, that’s reaction,” he tells IO. “Businesses need to move beyond tick-box security and focus on observability and operational resilience. This requires continuous monitoring, faster detection and incident response that’s actually been tested, not just documented. With 24-hour reporting requirements coming in you can’t respond to an incident you haven’t detected. Visibility and speed are critical.”

Dan Lattimer, EMEA VP at Semperis, adds that identity must be a part of any incident response plan. “Investing in identity monitoring and recovery alongside prevention is essential to reducing downtime, repeat incidents, and long‑term business damage,” he says. “Incident response without identity recovery is incomplete response.”

Formalising Best Practices

Despite low awareness and take-up of best practice standards and frameworks, these can be a useful ally in the push to improve cyber resilience, according to other experts IO spoke to. Graeme Stewart, head of public sector, UK&I, at Check Point, describes the report’s findings as a “wake-up call” for organisations of all sizes. “The magic triangle of people, process, and technology all need attention. Staff need to be informed and aware. Processes must be robust, covering both prevention and post-incident response, and technology needs to be properly patched, correctly used, and kept up to date,” he tells IO. “Frameworks like Cyber Essentials, ISO 27001, and NIST guidance provide vital guardrails, particularly for smaller organisations whose leadership are not cyber experts. These frameworks give businesses a structured path forward, and that's genuinely positive progress.”

Huntress vCISO Muhammad Yahya Patel agrees. “Frameworks such as Cyber Essentials and ISO standards are valuable because they provide a consistent, governed approach to managing controls, risks, and policies,” he tells IO. “Cyber Essentials in particular focuses heavily on foundational hygiene controls and the reality is that many of the attacks we see today succeed precisely because those basic controls are not in place.”

In our report on last year’s survey we also noted how resilience efforts had stalled across UK PLC. Hopefully we won’t be saying the same thing yet again next year.

When The Help Desk Is The Threat

Old social engineering attackers never die; they just evolve and get better. Here's a story of an attack group audacious enough to keep compromising infrastructure in plain sight, and advice on what to do about it.

In late May 2024, Microsoft watched a financially motivated cybercriminal group it tracks as Storm-1811 do something that traditional perimeter controls were not built to see: it logged into Teams, said hello, and asked for help. The cloud and software giant's threat intelligence team had already documented the same operators abusing the Quick Assist remote support tool since mid-April that year, but the pivot to Teams gave them a new front door. Storm-1811, Microsoft's analysts wrote, "is a financially motivated cybercriminal group known to deploy BlackBasta ransomware", and the tenants they registered for the operation carried display names so generic that they passed unnoticed: 'Help Desk', 'Help Desk IT', 'Help Desk Support', 'IT Support'.

Since then, the pattern has continued. On 4 November last year, an external user signed into a customer environment under the display name "IT Support", using the account mostafa.s@dhic.edu.eg. Within twenty-eight minutes they had opened a Quick Assist screen-share session against a target who believed he was speaking to colleagues. Five months later, in March this year, BlueVoyant published the forensics on a related campaign that drops a previously undocumented payload called A0Backdoor and judged it "an evolution of tactics, techniques and procedures associated with the BlackBasta ransomware gang, which has dissolved after the internal chat logs of the operation were leaked". The crew has changed; the playbook has not.

This is an ongoing problem. Teams has a four-year history of letting impersonators bend the trust model from the inside. Check Point Research, in a disclosure that ran from March 2024 until the final patch landed at the end of October 2025, documented that attackers could silently overwrite chats by reusing a clientmessageid, spoof notification senders, alter display names in private chats, and forge caller identities in audio and video calls.

Legitimate Tools In Criminal Hands

The reason this works at scale is architectural, not behavioral. Almost every component is sanctioned. Quick Assist ships by default on Windows 11 and is activated by a six-digit code; the MSI installers are digitally signed and hosted in personal Microsoft cloud storage; the malicious hostfxr.dll sideloads itself into a legitimate process and decrypts A0Backdoor only once it is resident in memory, where most endpoint inspection has already finished its work. Even command-and-control hides in plain sight: rather than the TXT-record DNS tunnels that mature security operations centers have learned to flag, A0Backdoor encodes its instructions in DNS MX queries.

Time For Joined-Up Governance

So, what does governance look like when attackers weaponize your own workflows against you, using features turned on by default? Higher scrutiny of these features is the starting point, along with disabling features that are enabled by default but not needed. Security teams might deny B2B chat invitations by flipping the default in Set-CsTeamsMessagingPolicy. They could baseline Quick Assist to a known support workflow, while treating Teams ChatCreated events as a first-class signal alongside endpoint and identity telemetry.

But these aren't decisions that should be made independently. These attacks work precisely because no single owner sees enough to act. The identity team has no signal in a ChatCreated event it does not consume, while the SOC has no rule for an MX query it never scoped. A unified governance approach involves a unified end-to-end view of the company workflows that use these features.

An integrated management system (IMS) is the organizing principle for an end-to-end governance workflow. Under ISO 27001, for example, security and governance teams can review external chat policy under the A.5.15 access rules. Organizations can shine a light on the DNS MX channel by deciding to monitor MX rather than just TXT under A.8.16 (monitoring activities). That kind of joined-up thinking can land ChatCreated and MX telemetry on the same analyst's screen. Similarly, the Quick Assist screen-share belongs to desktop engineering under A.8.2 (privileged access rights, including remote desktop tools). The MFA prompt it sidesteps falls under A.5.15 (IAM), while the MSI installations can be monitored systematically under A.8.19 (software installation).

A joined-up understanding of these risks also paves the way for better incident response. If you've baked this kind of risk into your control framework, it's easier to treat a compromise via collaboration software as a recognized scenario and produce a playbook for this under section A.5.24 (incident management planning and preparation). ISO 27001 is the logical home for work like this because it forces identity, access and incident response to sit inside one continuously audited system rather than three sets of disconnected control owners. That's exactly the gap that Storm-1811 and its successors keep walking through.
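What "landing ChatCreated and MX telemetry on the same analyst's screen" could look like in practice, as an added example that is not from the article, Microsoft, BlueVoyant or any product: an external sender using a help-desk-style display name is flagged from Teams audit events, an unexpected burst of MX queries from a workstation is flagged from DNS logs, and the two are joined on the targeted user. The record shapes and field names are assumptions chosen for illustration, and all sample data is constructed.

```python
"""Correlate Teams ChatCreated events with endpoint DNS MX query bursts.

Added example for this article, not code from Microsoft, BlueVoyant or any product.
Record shapes are assumptions for illustration (Teams: Operation, CreationTime,
UserId, DisplayName, TargetUser; DNS: ts, host, user, qtype, qname); data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Display names used by the Storm-1811 tenants: "Help Desk", "IT Support", ...
HELPDESK_NAME = re.compile(r"\b(help\s*desk|it\s*support|service\s*desk)\b", re.IGNORECASE)
MX_THRESHOLD = 5  # MX lookups per host per window; workstations normally make none


def suspicious_chats(events, internal_domains):
    """Flag ChatCreated events whose sender is external and uses a help-desk-style name."""
    hits = []
    for ev in events:
        if ev["Operation"] != "ChatCreated":
            continue
        sender = ev["UserId"].lower()
        if sender.split("@")[-1] in internal_domains:
            continue  # the genuine internal help desk is allowed to use the name
        if HELPDESK_NAME.search(ev["DisplayName"]):
            hits.append({"time": datetime.fromisoformat(ev["CreationTime"]),
                         "sender": sender, "display_name": ev["DisplayName"],
                         "target": ev["TargetUser"].lower()})
    return hits


def mx_bursts(dns_logs, window=timedelta(minutes=10), threshold=MX_THRESHOLD,
              mail_hosts=frozenset()):
    """Hosts issuing `threshold` or more MX queries inside `window`; mail servers are allowlisted."""
    per_host = defaultdict(list)
    for rec in dns_logs:
        if rec["qtype"].upper() == "MX" and rec["host"] not in mail_hosts:
            per_host[rec["host"]].append(
                (datetime.fromisoformat(rec["ts"]), rec["user"].lower(), rec["qname"]))
    alerts = []
    for host, queries in per_host.items():
        queries.sort()
        start = 0
        for end in range(len(queries)):            # sliding window over sorted timestamps
            while queries[end][0] - queries[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "user": queries[end][1],
                               "first": queries[start][0], "last": queries[end][0],
                               "count": end - start + 1,
                               "domains": sorted({q[2] for q in queries[start:end + 1]})})
                break                               # one alert per host is enough for triage
    return alerts


def correlate(chat_hits, mx_alerts, window=timedelta(hours=2)):
    """Join on the targeted user: an external help-desk chat followed by an MX burst from their host."""
    findings = []
    for chat in chat_hits:
        for mx in mx_alerts:
            if mx["user"] == chat["target"] and timedelta(0) <= mx["first"] - chat["time"] <= window:
                findings.append({"user": chat["target"], "sender": chat["sender"],
                                 "display_name": chat["display_name"], "host": mx["host"],
                                 "mx_domains": mx["domains"], "severity": "high"})
    return findings


# Constructed sample data: placeholder tenants and domains, not real indicators.
INTERNAL_DOMAINS = {"corp.example"}
TEAMS_EVENTS = [
    {"Operation": "ChatCreated", "CreationTime": "2025-11-04T09:00:00", "UserId": "support@helpdesk-tenant.example",
     "DisplayName": "IT Support", "TargetUser": "jdoe@corp.example"},            # external impersonator
    {"Operation": "ChatCreated", "CreationTime": "2025-11-04T09:05:00", "UserId": "servicedesk@corp.example",
     "DisplayName": "Help Desk IT", "TargetUser": "asmith@corp.example"},        # real internal desk
    {"Operation": "ChatCreated", "CreationTime": "2025-11-04T09:10:00", "UserId": "alice@vendor.example",
     "DisplayName": "Alice (Vendor)", "TargetUser": "jdoe@corp.example"},        # external, benign name
]
DNS_LOGS = (
    [{"ts": f"2025-11-04T09:2{i}:00", "host": "WS-0142", "user": "jdoe@corp.example",
      "qtype": "MX", "qname": f"{i}.beacon-placeholder.example"} for i in range(6)]   # burst from a workstation
    + [{"ts": "2025-11-04T09:30:00", "host": "MAIL-01", "user": "svc-mail@corp.example",
        "qtype": "MX", "qname": "partner.example"}] * 8                                # legitimate mail server
)


def run_detection():
    chats = suspicious_chats(TEAMS_EVENTS, INTERNAL_DOMAINS)
    return correlate(chats, mx_bursts(DNS_LOGS, mail_hosts={"MAIL-01"}))
```

Neither signal is conclusive on its own (external vendors do use generic names, and mail servers do issue MX queries), which is why the allowlist and the join on the targeted user matter more than either rule in isolation.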

Healthcare AI Is Moving Fast, But Data Governance Is Struggling To Keep Up

How can healthcare organisations resolve gaps in trust and data governance to realise the full benefits of AI?

By Kate O’Flaherty

The healthcare sector is innovating using AI, with huge potential for the technology across areas including diagnostics, triage and administration. In the UK, the NHS is already embracing AI beyond basic tasks. NHS England has started pilots for AI lung cancer screenings, where the technology can identify smaller issues than the human eye can see. Meanwhile, the US Food and Drug Administration (FDA) has authorised over 1,000 AI-incorporating devices, the majority of which are used in radiology.

Over the past two years, healthcare leaders have shifted from questioning whether AI is relevant to focusing on how it can be used responsibly and at scale, according to a recent McKinsey report. The figures show that half of US healthcare organisations have already implemented generative AI, while more than 80% had deployed their first use cases to end users. The next stage, according to McKinsey, is seeing organisations move from using generative AI to create content and support individual tasks towards agentic AI to take action and coordinate more complex processes.

Yet significant barriers are delaying healthcare AI innovation, including security risks and compliance issues from the vast amounts of sensitive data needed to train systems. How can healthcare organisations resolve gaps in trust and data governance to realise the full benefits of AI?

Highly-Sensitive Data

Healthcare data is among the most sensitive and multifaceted of any sector, combining medical records, personal identity data and financial information from multiple providers and systems. “A patient's information can sit across hospitals, GP practices, specialists, laboratories, pharmacies, insurers and technology platforms — often in incompatible formats with no unified record tying it together,” Craig Gravina, CTO of Semarchy, explains. The result is that no single system holds a complete picture of a patient. “Building that picture — the longitudinal patient record — is what is required to make AI work safely and effectively in a clinical setting,” Gravina tells IO. “Without it, AI is working from an incomplete and unreliable picture. In healthcare, this goes beyond being a data problem and it becomes a patient safety issue.”

As AI becomes embedded in clinical workflows, organisations face increasing pressure to answer fundamental questions: where did this data originate, has it been validated, who can access it, and can AI-assisted decisions be audited? “When systems begin to influence clinical decisions at scale, weak data foundations expose serious gaps in trust and accountability,” says Gravina.

The introduction of AI technology creates issues in three areas: accountability, explainability, and consent, says Mike Macauley, general manager at Liferay. “No one knows who to blame when AI gives medical advice. If a system makes a recommendation, the law cannot say who is responsible for the outcome.” Many AI models are effectively “black boxes” that do not explain how they reach a conclusion, according to Macauley. It creates a legal problem under the UK’s General Data Protection Regulation (GDPR), because patients have a right to know why a computer made a specific decision about their health, says Macauley. Meanwhile, companies train their AI using data they collected for one particular purpose, but it is often also used for other reasons. “This means they cannot prove they have the legal right to use the original data that taught the system,” Macauley tells IO.

The Hidden Issue

As AI is introduced into healthcare, an often-overlooked risk is what happens as data passes through a complex chain of third parties such as legacy platforms and external partners. “Responsibility gets diluted at every handoff,” according to Semarchy’s Gravina. “It is not always clear who owns the data at each stage, who is accountable for its quality, or who is responsible when something goes wrong. When no single party has a complete, end-to-end view of the data lifecycle, governance breaks down.”

Adding to the complexity, traditional healthcare governance frameworks were designed for static systems with relatively stable data flows and fixed rules. For example, Cyber Essentials and NHS Information Governance only work for rigid systems. “AI breaks these rules because it constantly evolves,” says Liferay’s Macauley. At the same time, a standard Data Protection Impact Assessment as outlined by the GDPR only looks at a system once. However, an AI that learns as it goes can change its behaviour without anyone checking if it is still safe or legal, according to Macauley.

Innovation Bottlenecks

A lack of governance confidence undermines the progress of AI in healthcare by increasing the risk of innovation bottlenecks. When organisations lack confidence in their data foundations, AI adoption stalls. “Leaders will hesitate to deploy AI in clinical settings if they cannot guarantee data quality and lineage, or demonstrate auditability to regulators,” says Semarchy’s Gravina. “The irony is that the governance infrastructure needed to scale AI safely is the same that delivers the longitudinal patient data view that makes AI more effective in the first place.” Good governance is the enabler for effective healthcare AI, he explains. “Critically, exposing data to AI does not have to mean losing the governance value built around it — lineage, access controls, and data quality should travel with the data, not be left behind when it enters an AI pipeline.”

International Standards

Two international standards provide the framework for managing AI. ISO 27001 provides the foundation for strong information security and governance, helping to establish structured approaches to risk management, access control, incident response, asset management and accountability. This helps build “more defensible governance”, says Gravina. ISO 42001 builds on this by introducing governance specifically designed for AI systems. It focuses on oversight, AI-specific risk management, transparency, and the responsible development and use of AI. Together, these standards enable healthcare organisations to “move beyond ad hoc AI adoption towards a more structured governance model”, explains Gravina.

It’s clear AI offers huge potential in healthcare, if governance structures can be adapted to fit this innovative new era. Patient trust should underpin everything, according to experts. Dr Lohyd Terrier, associate professor of organisational behaviour at EHL Hospitality Business School, advocates treating AI as an explicit service for the patient. “It should be traceable, explainable and can be declined – rather than an invisible back-office function.”

The starting point must be the data itself. Leaders need to understand whether their organisation has the foundations in place to build “a unified, longitudinal view of patient data across all systems and providers”, says Semarchy’s Gravina. “Without that, AI governance is built on sand.” He recommends mapping where AI is already in use, identifying critical data flows and third-party dependencies, clarifying ownership and stewardship, and strengthening access controls, audit trails, and data quality end-to-end.
“Privacy, security and AI governance must be aligned into a single cohesive approach, rather than managed in isolation.” Expand Your Knowledge Blog: DXS International Breach: Lessons Learned for Healthcare Blog: State of Information Security Report: 11 Key Statistics and Trends for the Healthcare Industry Webinar: ISO 42001 in Action: Lessons from One of the World's First ISO 42001 Certifications

Why the UK’s NIS Update May Mean Extra Work for In-Scope Organisations

The Cyber Security and Resilience Bill (CSRB) continues to make its way through parliament, but the end of a lengthy legislative process is slowly coming into view. When it finally becomes law, the bill will deliver a long-overdue refresh of the NIS Regulations 2018. But what of UK organisations already complying with the EU’s overhaul of the same rules, known as NIS2? While there are some attempts to align the two, there are also plenty of points at which they diverge. From the number of sectors considered in scope to the size of potential fines, compliance teams must start now to understand the impact of these changes, and plan for what could be a great deal of extra work.

How the CSRB Differs from NIS2

To understand just how far the CSRB diverges from NIS2, take a look at the summary of the bill on the government website. It doesn’t mention its European counterpart at all, nor does the word “alignment” appear. In practical terms, there are several areas for compliance teams to look at:

Regulated entities: scope. The UK focuses on Operators of Essential Services (OES), Relevant Digital Service Providers (RDSPs) – cloud, search and marketplace providers – and a new category of Relevant Managed Service Providers (RMSPs). Its approach is to designate specific OESs, whereas NIS2 automatically brings in all medium and large entities in 18 sectors. The result is that some organisations in scope under the CSRB will escape NIS2 regulation, and vice versa.

Regulated entities: new categories. The CSRB introduces just one new OES category, “data centre services”, whereas NIS2 includes several: public administration, space, wastewater, food, manufacturing, postal services, waste management, and digital providers. That makes it more likely that UK organisations not regulated by the CSRB will fall under NIS2.

MSPs: RMSPs are introduced as a new category in the CSRB, and they are regarded as Essential Entities or Important Entities by NIS2. But there may be different compliance requirements under each regime.

Supply chain oversight: In the UK, “critical suppliers” to OESs, RDSPs and RMSPs can be designated by competent authorities and the Information Commissioner’s Office (ICO) and are subject to direct oversight. In NIS2 there is no direct regulatory oversight, but all in-scope entities must assess supply chain risks.

Incident definitions and reporting: The CSRB’s definition of a regulated incident has been expanded to include events “capable of having a significant impact on the provision of an essential or digital service” as well as “incidents that significantly affect the confidentiality, availability, and integrity of a system”. Significance will be assessed industry by industry. In NIS2, incidents are those which cause operational disruption, financial loss, or material/non-material damage to others. This means the threshold for reporting may differ between the UK and the EU. However, reporting timelines – initial reporting within 24 hours of becoming aware of an incident, then full notification within 72 hours – are broadly the same in the UK and EU.

Customer notification: This is required for data centre service providers, RDSPs, and RMSPs in the UK. But there may be additional requirements under NIS2, depending on the member state’s interpretation of the directive.

Personal liability: This isn’t covered in the CSRB, but NIS2 introduces significant personal accountability for senior management, including mandatory training for managers and personal liability for non-compliance. UK organisations complying with NIS2 will need to understand the more detailed governance requirements in the EU regime.

Penalties: In the CSRB, standard penalties are the greater of £10m or 2% of worldwide annual turnover, rising to £17m/4% for maximum penalties. NIS2 gives latitude to member states to decide on these, as long as they are “effective, proportionate and dissuasive”.

Registration: Under the CSRB, RMSPs and data centre providers designated as OESs must register. In NIS2, Essential and Important Entities must register with competent authorities, but member states decide how this works. The bottom line is that UK organisations will need to assess their obligations under both regimes separately.

General approach: The CSRB introduces significant new information-gathering powers for competent authorities and the ICO, regardless of the type of regulated organisation. NIS2 enables Important Entities to benefit from a lighter-touch approach. Overall, however, the CSRB is designed to be more flexible than its European equivalent, says James Wong, a senior associate in the Tech & Digital team at global law firm Clifford Chance. “The government will be able to issue strategic priorities and targeted directions, and regulators will be able to designate entities as ‘critical suppliers’ bringing them directly in scope of the regime,” he tells IO (formerly ISMS.online). “The bill also provides a mechanism for codes of practice, allowing for nuance tailored to context.”

The Compliance Burden Grows

Wong argues that the complexity of “local implementing laws”, secondary legislation and the potential need to engage with multiple regulators are making compliance more challenging for organisations in scope for both NIS2 and the CSRB. Rhiannon Webster, UK head of cybersecurity at global law firm Ashurst, adds that Brexit is starting to have a real impact on the compliance burden of UK firms operating in Europe, with this bill and the Data Use and Access Act.

“It's taken a while to come, with privacy and cyber laws in the UK to date being a copy and paste of their EU predecessors. However, we have some small but meaningful changes developing,” she tells IO. “Although companies can look to comply with both regimes in a uniform way by applying the highest standard across UK and Europe, this is unlikely to be a commercial approach to compliance and companies will need to consider the differences in the regimes when adopting compliance programmes and assessing risks.”

Getting Started

Webster urges organisations to first understand whether they’re in scope for NIS2 and its UK equivalent. “You may be surprised to hear that in the event of security incidents and meeting timescales for reporting, we often have clients who have been unsure whether they were caught by NIS2 and are trying to figure it out in the situation of a breach, which is far from ideal,” she explains. “Compliance with standards such as ISO 27001 could be used to ensure that your information security requirements are proportionate.”

Clifford Chance’s Wong explains that a “unified cyber-readiness programme mapped to all relevant legal and regulatory requirements” should be the main goal for compliance teams. “Using established frameworks such as ISO 27001 can streamline compliance and make it easier to demonstrate core practices across multiple jurisdictions. Such frameworks provide a structure to build from, but are only a base and must be adapted to local obligations,” he adds. “Regular reviews ensure the programme remains fit for purpose as requirements change over time.”

For complex business operations that span multiple jurisdictions, best practices become even more important, Wong says. He points to “proactive leadership”, prioritising risks and controls, regular tabletop exercises, strong supply-chain relationships and putting the right tooling in place. Whichever way you look at it, the price of operating across the UK and EU is set to increase.

Expand Your Knowledge

Webinar: Mastering NIS 2 Compliance with ISO 27001
Blog: From NIS2 to the Cyber Resilience Act: The "Product" Side of Governance
Blog: Build Once, Comply Everywhere: The Multi-Framework Compliance Playbook