Audits, Compliance and Certifications, ISO 27001

Winter Reads: Our 6 Favourite ISMS.online Guides of 2024

In 2024, we saw a wave of new and updated information security regulatory and legal requirements. Regulations like the EU Artificial Intelligence (AI) Act, the updated Network and Information Security (NIS 2) Directive, and the upcoming Digital Operational Resilience Act (DORA) present organisations with brand-new compliance challenges. Additionally, AI technology continues to evolve, and new information security threats and opportunities are emerging at pace. In the current landscape, it’s vital for business leaders to stay ahead of the curve.

To help you stay up to date on information security regulatory developments and make informed compliance decisions, ISMS.online publishes practical guides on high-profile topics, from regulatory updates to in-depth analyses of the global cybersecurity landscape. This festive season, we’ve put together our top six favourite guides – the definitive must-reads for business owners seeking to secure their organisations and align with regulatory requirements.

Getting Started with NIS 2

Organisations that fall under the scope of NIS 2 are now legally required to comply with the directive, which came into effect in October. Our guide covers everything you need to know about the directive designed to strengthen the digital infrastructure across the EU, including NIS 2 core requirements, the business types that must comply, and, of course, how to comply with the regulation.

You’ll discover:

- A detailed list of the NIS 2 enhanced obligations so you can determine the key areas of your business to review
- Seven core steps to manage your cybersecurity and align with the requirements of the directive
- Guidance on how to achieve NIS 2 compliance using ISO 27001 certification.

Ensure your business complies with the NIS 2 directive and secure your vital systems and data – download the guide.

AI Management Made Easy: The No-Stress Guide to ISO 42001

The groundbreaking ISO 42001 standard was released in 2023; it provides a framework for how organisations build, maintain and continuously improve an artificial intelligence management system (AIMS). Many businesses are keen to realise the benefits of ISO 42001 compliance and prove to customers, prospects and regulators that their AI systems are responsibly and ethically managed.

Our popular ISO 42001 guide provides a deep dive into the standard, helping readers learn who ISO 42001 applies to, how to build and maintain an AIMS, and how to achieve certification to the standard.

You’ll discover:

- Key insights into the structure of the ISO 42001 standard, including clauses, core controls and sector-specific contextualisation
- The principles behind the ISO 42001 standard and how they can be applied to your business
- The ten building blocks for an effective, ISO 42001-compliant AIMS

Download our guide to gain vital insights to help you achieve compliance with the ISO 42001 standard and learn how to proactively address AI-specific risks to your business.

The Proven Path to ISO 27001

Ready to set your business up for ISO 27001 success? Our handy “Proven Path to ISO 27001” guide walks you through everything from how to embed ISO 27001 in your organisation and build an information security management system (ISMS), right through to achieving ISO 27001 certification first time!

Achieving ISO 27001 certification offers a real competitive advantage for your business, but the process can be daunting. Our simple, accessible guide will help you discover all you need to know to achieve success.

The guide walks you through:

- What ISO 27001 is, and how compliance can support your overall business objectives
- What an ISMS is, and why your organisation needs one
- How to build and maintain an ISO 27001-certified ISMS

You also learn how the ISMS.online platform provides:

- An 81% head start on your ISO 27001 policies and controls
- A step-by-step guided pathway through your implementation - no training required
- A dedicated team of experts to support you on your way to ISO 27001 success.

The State of Information Security Report 2024

Our ISMS.online State of Information Security Report provided a range of insights into the world of information security this year, with responses from over 1,500 C-professionals across the globe. We looked at global trends, key challenges and how information security professionals strengthened their organisational defences against growing cyber threats.

Independently researched by Censuswide and featuring data from professionals in ten key industry verticals and three geographies, this year’s report highlights how robust information security and data privacy practices are not just a nice to have – they’re crucial to business success.

The report breaks down everything you need to know, including:

- The key cyber-attack types impacting organisations globally
- The top challenges identified by information security professionals and how they’re addressing them
- Trends across people, budgets, investment and regulations.

Download the report to read more and gain the insight you need to stay ahead of the cyber risk landscape and ensure your organisation is set up for success!

Discover our State of Information Security Australia Snapshot and State of Information Security USA Snapshot for location-specific insights.

From Complexity to Clarity: A Comprehensive Guide to Cybersecurity Compliance

Navigating the world of cybersecurity regulations can seem like a daunting task, with organisations required to comply with an increasingly complex web of regulations and legal requirements. In the guide, we break down everything you need to know about major compliance regulations and how to strengthen your compliance posture.

You’ll discover:

- An overview of key regulations like GDPR, CCPA, GLBA, HIPAA and more
- A guide to build an effective compliance programme using the four foundations of governance, risk assessment, training and vendor management
- Best practices for continuous compliance monitoring, reporting and auditing.

Ready to elevate your compliance? Download our guide today.

Everything You Need to Know About the ISO 27001:2022 Update

As 2024 draws to a close, businesses certified to the 2013 version of ISO 27001 have just under a year left to migrate to the new 2022 version of the standard. The 2022 iteration features a new structure, 11 new controls and five new attributes.

Ready to update your ISMS and get certified against ISO 27001:2022? We’ve broken down the updated standard into a comprehensive guide so you can ensure you’re addressing the latest requirements across your organisation.

Discover:

- The core updates to the standard that will impact your approach to information security.
- The 11 new controls and how they help you safeguard your data.
- Seamless transition strategies to adopt the new standard quickly and easily.

We’ve also created a helpful blog which includes:

- A video outlining all the ISO 27001:2022 updates
- A brief ‘Summary of Changes’ guide including a roadmap to achieving compliance
- A demo opportunity to visualise how using ISMS.online could aid your compliance journey.

Implementing information security best practices is crucial for any business. We’re here to help you easily action the necessary ISO 27001:2022 changes, maintain compliance, and stay ahead of potential cyber threats.

Unearth Your Information Security Compliance Advantage

Whether you’re new to the world of information security or a seasoned infosec professional, our guides provide insight to help your organisation meet compliance requirements, align with stakeholder needs and support a company-wide culture of security awareness.
Audits, Audits, Compliance and Certifications, Certification, ISO 27001, Multiple Standards

An Integrated Approach: How ISMS.online Achieved ISO 27001 and ISO 27701 Recertification

In October 2024, we attained recertification to ISO 27001, the information security standard, and ISO 27701, the data privacy standard. With our successful recertification, ISMS.online enters its fifth three-year certification cycle—we've held ISO 27001 for over a decade! We're pleased to share that we achieved both certifications with zero non-conformities and plenty of learning.

How did we ensure we effectively managed and continued to improve our data privacy and information security? We used our integrated compliance solution – Single Point of Truth, or SPoT, to build our integrated management system (IMS). Our IMS combines our information security management system (ISMS) and privacy information management system (PIMS) into one seamless solution.

In this blog, our team shares their thoughts on the process and experience and explains how we approached our ISO 27001 and ISO 27701 recertification audits.

What is ISO 27701?

ISO 27701 is a privacy extension to ISO 27001. The standard provides guidelines and requirements for implementing and maintaining a PIMS within an existing ISMS framework.

Why Should Organisations Look to Implement ISO 27701?

Organisations are responsible for storing and handling more sensitive information than ever before. Such a high - and increasing - volume of data offers a lucrative target for threat actors and presents a key concern for consumers and businesses to ensure it's kept safe.

With the growth of global regulations, such as GDPR, CCPA, and HIPAA, organisations have a mounting legal responsibility to protect their customers' data. Globally, we're steadily moving towards a compliance landscape where information security can no longer exist without data privacy.

The benefits of adopting ISO 27701 extend beyond helping organisations meet regulatory and compliance requirements. These include demonstrating accountability and transparency to stakeholders, improving customer trust and loyalty, reducing the risk of privacy breaches and associated costs, and unlocking a competitive advantage.

Our ISO 27001 and ISO 27701 Recertification Audit Preparation

As this ISO 27701 audit was a recertification, we knew that it was likely to be more in-depth and have a larger scope than a yearly surveillance audit. It was scheduled to last 9 days in total.

Also, since our previous audit, ISMS.online has moved HQ, gained another office and had several personnel changes. We were prepared to address any non-compliances caused by these changes, should the auditor find any.

IMS Review

Before our audit, we reviewed our policies and controls to ensure that they still reflected our information security and privacy approach. Considering the big changes to our business in the past 12 months, it was necessary to ensure that we could demonstrate continual monitoring and improvement of our approach.

This included ensuring that our internal audit programme was up to date and complete, we could evidence recording the outcomes of our ISMS Management meetings, and that our KPIs were up to date to show that we were measuring our infosec and privacy performance.

Risk Management and Gap Analysis

Risk management and gap analysis should be part of the continual improvement process when maintaining compliance with both ISO 27001 and ISO 27701. However, day-to-day business pressures may make this difficult. We used our own ISMS.online platform project management tools to schedule regular reviews of the critical elements of the ISMS, such as risk analysis, internal audit programme, KPIs, supplier assessments, and corrective actions.

Using Our ISMS.online Platform

All information relating to our policies and controls is held in our ISMS.online platform, which is accessible by the whole team. This platform enables collaborative updates to be reviewed and approved and also provides automatic versioning and a historical timeline of any changes.

The platform also automatically schedules important review tasks, such as risk assessments and reviews, and allows users to create actions to ensure tasks are completed within the necessary timescales. Customisable frameworks provide a consistent approach to processes such as supplier assessments and recruitment, detailing the important infosec and privacy tasks that need to be performed for these activities.

What to Expect During an ISO 27001 and ISO 27701 Audit

During the audit, the auditor will want to review some key areas of your IMS, such as:

- Your organisation's policies, procedures, and processes for managing personal data or information security
- Evaluate your information security and privacy risks and appropriate controls to determine whether your controls effectively mitigate the identified risks.
- Assess your incident management. Is your ability to detect, report, investigate, and respond to incidents sufficient?
- Examine your third-party management to ensure adequate controls are in place to manage third-party risks.
- Check your training programmes adequately educate your staff on privacy and information security matters.
- Review your organisation's performance metrics to confirm they meet your outlined privacy and information security objectives.

The External Audit Process

Before your audit begins, the external auditor will provide a schedule detailing the scope they want to cover and if they would like to talk to specific departments or personnel or visit particular locations.

The first day starts with an opening meeting. Members of the executive team, in our case, the CEO and CPO, are present to satisfy the auditor that they manage, actively support, and are engaged in the information security and privacy programme for the whole organisation. This focuses on a review of ISO 27001 and ISO 27701 management clause policies and controls.

For our latest audit, after the opening meeting ended, our IMS Manager liaised directly with the auditor to review the ISMS and PIMS policies and controls as per the schedule. The IMS Manager also facilitated engagement between the auditor and wider ISMS.online teams and personnel to discuss our approach to the various information security and privacy policies and controls and obtain evidence that we follow them in day-to-day operations.

On the final day, there is a closing meeting where the auditor formally presents their findings from the audit and provides an opportunity to discuss and clarify any related issues. We were pleased to find that, although our auditor raised some observations, he did not discover any non-compliance.

People, Processes and Technology: A Three-Pronged Approach to an IMS

Part of the ISMS.online ethos is that effective, sustainable information security and data privacy are achieved through people, processes and technology. A technology-only approach will never be successful.

A technology-only approach focuses on meeting the standard's minimum requirements rather than effectively managing data privacy risks in the long term. However, your people and processes, alongside a robust technology setup, will set you ahead of the pack and significantly improve your information security and data privacy effectiveness.

As part of our audit preparation, for example, we ensured our people and processes were aligned by using the ISMS.online policy pack feature to distribute all the policies and controls relevant to each department. This feature enables tracking of each individual's reading of the policies and controls, ensures individuals are aware of information security and privacy processes relevant to their role, and ensures records compliance.

A less effective tick-box approach will often:

- Involve a superficial risk assessment, which may overlook significant risks
- Ignore key stakeholders' privacy concerns.
- Deliver generic training not tailored to the organisation's specific needs.
- Execute limited monitoring and review of your controls, which may result in undetected incidents.

All of these open organisations up to potentially damaging breaches, financial penalties and reputational damage.

Mike Jennings, ISMS.online's IMS Manager, advises: "Don't just use the standards as a checklist to gain certification; 'live and breathe' your policies and controls. They will make your organisation more secure and help you sleep a little easier at night!"

ISO 27701 Roadmap – Download Now

We've created a practical one-page roadmap, broken down into five key focus areas, for approaching and achieving ISO 27701 in your business. Download the PDF today for a simple kickstart on your journey to more effective data privacy.

Unlock Your Compliance Advantage

Attaining recertification to ISO 27001 and ISO 27701 was a significant achievement for us at ISMS.online, and we used our own platform to do so quickly, effectively and with zero non-conformities.

ISMS.online provides an 81% head start, the Assured Results Method, a catalogue of documentation that can be adopted, adapted, or added to, and our Virtual Coach's always-on support. Easily ensure your organisation is actively securing your information and data privacy, continuously improving its approach to security, and complying with standards like ISO 27001 and ISO 27701.

Discover the benefits first-hand - request a call with one of our experts today.
Certification, ISO 27001

When Ransomware Strikes at Night, How Can Your Organisation Stay Safe?

Ransomware is the cybersecurity story of the past decade. But over that time, adversary tactics, techniques, and procedures (TTPs) have continued to shift according to the continuously evolving arms race between attackers and network defenders. With historically low numbers of victim companies electing to pay their extortionists, ransomware affiliates are focusing on speed, timing, and camouflage.

The question is: with most attacks now coming at weekends and in the early hours of the morning, do network defenders still have the right tools and processes in place to mitigate the threat? Financial services organisations, in particular, will need an urgent answer to such questions ahead of compliance with the EU's Digital Operational Resilience Act (DORA).

From Strength to Strength

By one measure, ransomware continues to thrive. This year is set to be the highest-grossing ever, according to analysis of crypto payments to addresses linked to criminality. According to an August report from blockchain investigator Chainalysis, ransomware "inflows" year-to-date (YTD) stand at $460m, up around 2% from the same time last year ($449m). The firm claims this increase is largely due to "big-game hunting" – the tactic of going after fewer large corporate victims that may be more capable and willing to pay larger ransoms.

The theory is borne out in one payment of $75m by an unnamed company, to the Dark Angels ransomware group earlier this year – the largest ever recorded. Overall, the median ransom payment to the most common ransomware strains has also surged—from just under $200,000 in early 2023 to $1.5m in mid-June 2024. Chainalysis claims this suggests "that these strains are prioritising targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms due to their deep pockets and systemic importance."

The apparent strength of the ransomware ecosystem is more impressive given the law enforcement wins of earlier this year, which seemed to disrupt two major groups: LockBit and ALPHV/BlackCat. Chainalysis claims these efforts have fragmented the cybercrime underground somewhat, with affiliates moving to "less effective strains" or launching their own. This chimes with a Q2 2024 analysis by ransomware specialist Coveware, which claims to have observed an increase in the number of "lone wolf" groups not affiliated with any major ransomware "brand". Many have taken this decision "due to the increasing threat of exposure, interruption, and profit loss associated with 'toxic' ransomware brands," it says.

However, the bottom line is that these threat actors are still active. And with payment rates declining from a high of around 85% of victims in 2019 to roughly a third of that today, they are always looking for ways to make their efforts more effective.

Timing Is Everything

A new report from Malwarebytes' ThreatDown group reveals exactly how they hope to do so. It claims that, over the past year, more ransomware groups have attacked victims on weekends and in the early hours of the morning. The threat team dealt with most attacks between 1 and 5 a.m. local time.

The reason is obvious: the threat actors hope to catch an organisation when its IT team is fast asleep or recharging its batteries at the weekend.

Further, the report claims that attacks are getting faster. Back in 2022, a Splunk study tested 10 top ransomware variants and found the median speed for encrypting 100,000 files was just 43 minutes, with LockBit the quickest of all at just four minutes. But what Malwarebytes is seeing is an acceleration of the entire attack chain – from initial access to lateral movement, data exfiltration and finally, encryption. That gives bleary-eyed network defenders even less time to respond and contain a threat before it's too late.

The report also claims that more malicious actors use Living Off the Land (LOTL) techniques, which use legitimate tools and processes to stay hidden inside networks while achieving these ends. "Recent customer incidents from top gangs such as LockBit, Akira and Medusa reveal that most of the modern ransomware attack chain is now composed of LOTL techniques," it says.

How to Mitigate Ransomware Risk in 2024

Big-game hunting attacks may garner most of the headlines, but the truth is that most ransomware victims are technically SMBs. Coveware claims that the median size in Q2 2024 was just 200 employees. So how can these organisations hope to defend against stealthy attacks at night and on weekends?

"The only solution is to ensure that those assets are monitored with the same diligence at 1am as they are at 1pm," Malwarebytes senior threat intelligence researcher Mark Stockley tells ISMS.online. "That can be achieved by staffing an in-house Security Operations Centre (SOC) that operates 24/7. But for most organisations, it's more practical and cost-effective to use a third-party service, like Managed Detection and Response (MDR), or to have a Managed Service Provider (MSP) do it."

As the DORA era looms, such measures will be increasingly necessary for financial services organisations and their suppliers. Continuous monitoring, 24/7 incident response readiness, robust business continuity planning, and regular testing will all be required to satisfy regulators that resilience is at an appropriate level.

Stockley believes best practice standards and frameworks like ISO 27001 can help to get organisations to this point.

"Like any standard or framework, ISO 27001 is a means to an end. Organisations can arrive at the level of information security they need without it, but standards and frameworks can act as useful maps to help them get there and stay there," he adds. "The right choice of framework depends on the organisation's level of security maturity. Ultimately, cyber-criminals don't care what certifications you have; they only care if they get stopped."
Audits

What is the ISO 27001 audit process?

Audits are commonly used to ensure that an activity meets a set of defined criteria. For all ISO management system standards, audits are used to ensure that the management system meets the requirements of the relevant standard, the organisation’s own requirements and objectives, and remains efficient and effective. It will be necessary to conduct a programme of audits to confirm this.
Certification

ISO 27001 Certification, Simplified

Achieving ISO 27001 Certification acts as a business differentiator, affirming to suppliers, stakeholders and clients that your business takes information security management seriously. Here we will explain what it means to be ISO 27001 certified, the benefits, and what might be involved.
Multiple Standards

Improve your ISMS and manage multiple standards

Manage them all in one secure cloud software solution to minimise duplication and repetition
ISO 27001, Medium Businesses, Audits, Certification, Controls, Policies

How Utonomy achieved ISO 27001 first time with ISMS.online

Utonomy was created to solve a specific problem: helping gas network operators reduce methane leakage through pressure management. The company has developed innovative technology that automatically optimises the pressure in gas distribution networks, taking into account seasonal and daily variations in demand to deliver a significant reduction in leakage.

The business supplies customers critical to national infrastructure who face stringent regulatory requirements. As such, the Utonomy team knew that achieving ISO 27001 certification was a must to demonstrate the company’s proactive information security stance to customers, stakeholders, and prospects when tendering.

Utonomy already had a basic information security management system (ISMS) in place due to the work the team had done to achieve Cyber Essentials certification. However, they knew that the business needed a more comprehensive ISMS to achieve ISO 27001 certification successfully. The company needed a platform to make ISO 27001 implementation and ongoing compliance as easy as possible.

“We recognised that we were going to need ISO 27001 in terms of our relationships with our customers; the industry was becoming more security aware. We’d done a fair bit of work around Cyber Essentials, but we thought, ‘we’re going to need to step up our game.’”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

“We’ve got lots of stuff in the trackers because they’re easy to use. It means that the people who need to be [tracking security incidents] aren’t likely to do it somewhere else, like a note in a book or in one of our other systems. And that makes it easier to manage and easier to audit.”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

Utonomy chose the ISMS.online platform for ISO 27001 compliance and certification, building out all its ISO 27001 policies, trackers and evidence under one roof. Using the platform’s pre-built policy templates as a starting point, Steve and his team expanded on the templates to suit Utonomy’s specific security objectives and ensured they had comprehensive knowledge of the policies and controls making up the organisation’s ISMS.

“The templates gave us a structure, and it was an educational way to look at an acceptable description of a process because when you’re coming in cold, it’s always difficult to know how far you have to go with documentation.”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

The business migrated product risk documentation into ISMS.online to proactively manage product threats and controls within the platform using the risk register and risk tracking. With the linked work feature, Utonomy mapped over 60 risks and associated controls and can now easily monitor and manage product risks rather than updating documentation manually. 

“In this new form, it will be much easier to update when we launch new product features or product changes. It’ll be a less onerous, daunting task to try and work through the things we need to change.”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

Medium Businesses, Multiple Standards, Controls, Policies

How Healthcare RM is streamlining compliance and delighting auditors with ISMS.online

Healthcare RM is a leading integrated healthcare company that provides a framework for managing employee health. With a range of departments, including occupational health, mental health care, functional health, and more, the business tailors its offering to individual clients to provide a fully integrated service and proactively support employee well-being.

The team at Healthcare RM knew that robust quality management, information security, and cybersecurity were paramount to establishing the company as a trusted healthcare solution. As such, the business had successfully achieved UKAS certification to ISO 27001, ISO 9001, and ISO 22301 but was seeking a simpler way to manage its compliance. 

Before using the ISMS.online platform, the company maintained compliance by recording evidence using spreadsheets and a document management system and setting manual reminders for essential risk and policy reviews. This approach worked for maintaining certifications, but it made for a time-consuming and unnecessarily intensive process for the team.

“People panicked when the word audit was mentioned. You just think, ‘OK, this is not the right way to do it.’ When we went through the UKAS process and had our first audit to get the certificates, I asked, ‘Is there anything we can use that will make this whole process better?’”

Adam Hamilton, Director of Operations at Healthcare RM

Healthcare RM needed a solution that would allow Adam and his team to easily manage multiple ISO standards, allowing them oversight of overall progress, task assignments and completion status. Ease of use for external auditors was also vital.

Healthcare RM implemented the ISMS.online platform for simplified compliance, transferring the management of all three of its existing UKAS-accredited certifications: ISO 27001, ISO 9001 and ISO 22301. The platform allows the team to easily view and manage its certifications under one roof, centralising compliance efforts with a live dashboard that provides an overview of progress and outstanding tasks.

“We were using spreadsheets and the document management system, which was messy. Now we have the ISMS.online platform, we use it as that strategic view – a helicopter view of everything that’s going on with our three certifications.”

Adam Hamilton, Director of Operations at Healthcare RM

Using ISMS.online alongside their existing document management system, Healthcare RM have been able to simplify policy, process and evidence management while leveraging the platform’s automated reminders to address actions and achieve continuous improvement.

“When you log into the platform you can see everything: whether we’re up to date on everything and what’s up and coming. That, to me, was the biggest difference, saving me so much time.”

Adam Hamilton, Director of Operations at Healthcare RM

Medium Businesses, Audits, Compliance and Certifications, ISO 27001

How Tribeca Technology achieved an efficient ISO 27001 audit with ISMS.online and Alcumus ISOQAR

Tribeca Technology Group operates in a highly regulated industry where cybersecurity threats are prevalent, and the importance of protecting customer data is critical.

Tribeca is naturally risk-aware, so information security was instinctively high on their agenda. They decided to get ISO 27001 certified to meet client needs and comply with a globally recognised regulation.

“We had existing and potential clients who were also asking for the firm to be ISO certified – so we decided to start a project to gain certification.”
Ian Rimmer, Operations Director, Tribeca Technology Limited

Despite Tribeca’s strong IT security background, their team faced the challenge of meeting ISO 27001 requirements with limited resources and expertise. The logical next step was to look for a management platform that could speed up ISO 27001 implementation and help embed strong infosec practices within the organisation. 

“Nobody within our business had implemented ISO 27001 in the past. We didn’t want to go down the route of hiring a consultant to run the project as we felt it is important that as a business, we owned the process and were able to truly embed it within the business.”
Ian Rimmer, Operations Director, Tribeca Technology Limited

Tribeca also wanted to work with a reputable UKAS accredited certification body, to draw on their extensive knowledge and experience of the certification process to help them achieve their highest potential.

Tribeca chose ISMS.online as their trusted management platform, renowned for its simplicity and effectiveness in achieving ISO 27001, and Alcumus ISOQAR, one of the most recognised and respected UKAS accredited certification bodies.

Tribeca discovered that the ISMS.online platform simplifies certification by providing a clear ISMS framework with content, risks, controls, and trackers—all easily linked and mapped within the system.

“ISMS.online was recommended to us, and when we looked at the product offering, we felt it was the perfect fit. It helped us understand the ISO 27001 framework whilst being able to run the project ourselves.”
Ian Rimmer, Operations Director, Tribeca Technology Limited

To meet their certification goals, Tribeca approached several UKAS accredited certification bodies based on recommendations from other firms. After careful consideration, Tribeca turned to Alcumus ISOQAR for their expertise in ISO 27001.

Tribeca appreciated the support and personalised attention from Alcumus ISOQAR’s team, as well as the transparency throughout the audit about what to expect at each stage, which resulted in a stress-free but thorough audit.
