7 Steps to a Successful ISO 27001 Risk Assessment – Updated for 2025

Risk assessments remain central to ISO 27001 compliance in 2025, ensuring your ISMS (information security management system) is robust and effective. ISO 27001:2022 and ISO 27002:2022 introduced several updates that organisations should incorporate into their risk assessment processes. Here are the seven essential steps for conducting a successful ISO 27001 risk assessment in line with current best practices.

1. Define your risk assessment methodology

ISO 27001 does not prescribe a single methodology. Rather, organisations must tailor the approach to fit their needs. Your methodology should clearly define: Consistency and clarity in these definitions ensure reliable and comparable results across your
The post 7 Steps to a Successful ISO 27001 Risk Assessment – Updated for 2025 appeared first on IT Governance Blog.

Author of the Month: Bridget Kenyon

ISO 27001 Controls – A guide to implementing and auditing

Bridget Kenyon is the CISO (chief information security officer) for SSCL. She’s also been on the ISO editing team for ISMS (information security management system) standards since 2006, and has served as lead editor for ISO/IEC 27001:2022 and ISO/IEC 27014:2020. Bridget is also a member of the UK Advisory Council for (ISC)2, and a Fellow of the Chartered Institute of Information Security. She’s also been a PCI DSS QSA (Payment Card Industry Data Security Standard Qualified Security Assessor), been head of information security for UCL, and held operational and consultancy roles in both industry
The post Author of the Month: Bridget Kenyon appeared first on IT Governance Blog.

Author of the Month: Richard Bingley

Combatting Cyber Terrorism – A guide to understanding the cyber threat landscape and incident response planning

Richard has led and operated various vital security projects, including the London 2012 Olympics and Russia 2014 Winter Olympics. He’s also served as executive director of London First’s security and resilience division. In addition, Richard was a senior lecturer in security and resilience at Buckinghamshire New University, and director of the BNU Business School. Currently, he’s director of the business security briefing service CSARN.org and CEO at the Global Cyber Academy. Richard is also a frequent media commentator on AI, cyber security and future
The post Author of the Month: Richard Bingley appeared first on IT Governance Blog.

Author of the Month: Andrew Pattison

This month, we are celebrating author Andrew Pattison! His book, NIST CSF 2.0 – Your essential introduction to managing cybersecurity risks, was published in February 2025 and covers the latest updates to the NIST framework. The NIST CSF (Cybersecurity Framework) 2.0 is designed to help organisations prevent and protect themselves from cyber attacks. This book will help you understand how to:

About the author: Andrew Pattison is the global head of GRC and PCI consultancy at GRC International Group, a GRC Solutions company. He has been working in information security, risk management and business continuity since the mid-1990s, helping
The post Author of the Month: Andrew Pattison appeared first on IT Governance Blog.

Why You Need Cyber Resilience and Defence in Depth

And how to become resilient with ISO 27001 and ISO 22301

Unfortunately, even the most secure organisation can suffer an incident. The odds are simply stacked against you:

- While you need to protect all your assets from all types of threat, an attacker needs only one exploitable weakness to get into your systems.
- Plus, any security measure you implement is only designed to stop, at most, a handful of threats – and that’s assuming it was both correctly implemented and still doing its job.

Regardless of implementation, single measures aren’t enough – because no measure is foolproof. The consequences of
The post Why You Need Cyber Resilience and Defence in Depth appeared first on IT Governance UK Blog.

How to Select Effective Security Controls

Risk–benefit analysis, defence in depth, information security objectives and proportionality

Looking to mitigate your information security risks but not sure how to choose effective controls while staying on budget? Risk–benefit analysis is key, as is defence in depth. You also want to set information security objectives that are aligned to your business objectives, and be proportionate in your control selections. Our head of GRC (governance, risk and compliance) consultancy, Damian Garcia, explains further.

Risk–benefit analysis

How do you choose appropriate security controls?

You need to be clear on two things: Then hopefully, the benefit outweighs the risk.
The post How to Select Effective Security Controls appeared first on IT Governance UK Blog.

How to Create a Strong Security Culture

Getting a greater return on investment on your security measures

We all have a responsibility for security. Regardless of role or rank, everyone has their part to play: Contrary to popular belief, cyber and information security aren’t just matters for IT. But to ensure that all staff truly take note of security and apply the knowledge gained from any staff awareness training, security should be embedded in your organisation’s culture. In other words, you should aim to build a ‘security culture’.

What is a security culture?

Security is about being free from danger or threat, while a
The post How to Create a Strong Security Culture appeared first on IT Governance UK Blog.

Strategies for Securing Your Supply Chain

What to do when your ‘supply chain’ is really a ‘supply loop’

When I asked Bridget Kenyon – CISO (chief information security officer) for SSCL, lead editor for ISO 27001:2022 and author of ISO 27001 Controls – what she’d like to cover in an interview, she suggested supply chain security. I asked her whether she was thinking about the CrowdStrike incident (which happened just a few weeks prior). Bridget responded: “Not specifically. To be honest, supply chain security has been a perennial problem.” I sat down with her to find out more.

Challenges of supply chain security
The post Strategies for Securing Your Supply Chain appeared first on IT Governance UK Blog.

3 ISO 27001:2022 Controls That Help Secure Your Cloud Services

Cloud computing is a key tool for business everywhere: In short, you gain access to technical services and functions you may not have internally. Particularly for smaller organisations, this brings huge benefits. For one, you can access your information from anywhere. The trouble is – how do you restrict that access to authorised users only? Plus, Cloud environments are increasingly complex. This increases your attack surface and makes vulnerabilities more likely. To protect data in the Cloud, you must take the same kinds of precautions as you would with information held elsewhere. That means implementing appropriate controls. Which controls, you ask?
The post 3 ISO 27001:2022 Controls That Help Secure Your Cloud Services appeared first on IT Governance UK Blog.

What Are ISO 27017 and ISO 27018, and What Are Their Controls?

Extending your ISMS to address Cloud security risks

ISO 27001 sets out the specification – the requirements – for an effective ISMS (information security management system). But did you know you can extend your ISO 27001 ISMS to cover specific aspects of Cloud security? Two ISO standards in particular stand out: Let’s take a closer look at both ISO 27017 and ISO 27018.

Note: The current versions of ISO 27017 and ISO 27018, ISO/IEC 27017:2015 and ISO/IEC 27018:2019, are aligned to the previous (2013) edition of ISO 27002. The new (2022) control set has been completely reorganised, and 11 new
The post What Are ISO 27017 and ISO 27018, and What Are Their Controls? appeared first on IT Governance UK Blog.
