Knowledge Base on Cyber Matters

ISO 27001 Overview: What It Is and What It Requires

Mon, 01 Jan 0001 00:00:00 +0000

What ISO 27001 Actually Is

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving a system for managing information security risk.

Certification means an accredited third-party auditor has verified that your ISMS meets the standard. It doesn’t mean you’re unbreachable — it means you have a documented, tested, and managed approach to security.

The Structure of the Standard

ISO 27001:2022 is organised into two main parts:

ISO 42001: The AI Management System Standard

Mon, 01 Jan 0001 00:00:00 +0000

What ISO 42001 Is

ISO 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for organisations to develop, provide, or use AI systems responsibly — covering governance, risk management, transparency, and accountability.

Think of it as ISO 27001, but for AI. It follows the same High Level Structure (Annex SL) as other ISO management system standards, making integration with an existing ISMS straightforward.

Who Needs It

ISO 42001 is relevant for three types of organisations:

Security Policies: What You Actually Need and How to Write Them

Mon, 01 Jan 0001 00:00:00 +0000

The Policy Problem

Most organisations have one of two problems: either they have no policies at all, or they have dozens of policies that nobody reads, nobody follows, and nobody updates.

Neither is compliant. Neither is useful.

Good security policies are short, clear, and connected to real controls. They tell people what is expected of them — and the organisation has mechanisms to verify compliance.

Which Policies Do You Actually Need?

For ISO 27001 or SOC 2, you don’t need a 200-page policy library. You need a coherent set of documents that covers your risk landscape. For most organisations, that’s around 15–20 policies:

SOC 2 Explained: Type I, Type II, and What Auditors Actually Look For

Mon, 01 Jan 0001 00:00:00 +0000

SOC 2 Is a Report, Not a Certification

The first thing to understand about SOC 2 is that it’s not a certification like ISO 27001. It’s an audit report — a document produced by a licensed CPA firm that describes your controls and attests to their design or effectiveness.

Your customers request this report as evidence that you take security seriously. It’s particularly common in North American enterprise procurement.

The Five Trust Services Criteria

SOC 2 audits are structured around Trust Services Criteria (TSC). You must include Security (the Common Criteria). Everything else is optional:

Third-Party Risk Management: A Practical Framework

Mon, 01 Jan 0001 00:00:00 +0000

Why Third-Party Risk Is Everybody’s Problem

Your security posture is only as strong as your weakest vendor. If a third party has access to your systems or data and they get breached, you get breached — regardless of how good your own controls are.

Third-party incidents account for a significant and growing proportion of data breaches. The attack surface isn’t just your perimeter; it’s every SaaS tool, every contractor, every API integration.

What is GRC and Why Does It Matter?

Mon, 01 Jan 0001 00:00:00 +0000

The Short Version

GRC stands for Governance, Risk, and Compliance. It’s the set of processes, policies, and controls an organisation puts in place to operate responsibly, manage uncertainty, and meet its obligations — to customers, regulators, and itself.

The term gets thrown around a lot, often by people selling software. This guide cuts through the noise.

Governance: Who Decides What

Governance is about accountability. It answers the question: who is responsible for what, and how are decisions made?