Blackmores ISO Consultancy Service: The creators of isology®

isology® is a world-leading, proven step-by-step roadmap. Work with our ISO consultants to achieve your certification.

Our ISO consultants have worked with over 600 organisations with a 100% success rate. We take you from the planning and creation of your bespoke ISO system through to certification with our 7-step ISO consultancy process.

At Blackmores, we are ISO consultants for many ISO standards. We work with clients within the UK and internationally. We provide in-person and virtual training for all standards across all industries.

One of the reasons our clients choose to work with us is our unique ISO training material. We believe that education is key to your organisation’s success when it comes to ISO standards. That is why, as part of our ISO consultancy service, we also provide in-depth ISO training material that leaves no stone unturned.

We host all of our ISO training material in our online platform, the isologyhub. Here you will find a range of materials and formats for you and your team to study and learn from. No matter which ISO certification you are working towards, the isologyhub can provide what you need.

About Our isologyhub

Our isologyhub will revolutionise the way your organisation gathers information to understand ISO certifications.

Through our isologyhub, you can work through our ISO Roadmap: a step-by-step guide along our proven path from initial concept to launching your ISO management system. We guide you through everything you need to know and implement for success.

Our isologyhub offers different Pathways to take you from Learner, to Practitioner, to Leader. You can enter your training at any of our three stages depending on your previous ISO experience and knowledge progression. Find out about our different Pathways on our isologyhub page.

Throughout each Pathway, there are several quizzes available to test what you have learnt. You also have the opportunity to earn certificates throughout your learning process.

Thanks to our ISO training materials, achieving ISO standards for your organisation has never been easier. Take your business to the next level with our ISO training plan—contact our team of isologists today.

What You Can Expect from Our ISO Training Material

We wanted to create a safe learning space with ISO training material that suits every learning type. Within our platform, we have a selection of:

Tools and templates – You can download our practical templates, which you can then adapt to your needs and your organisation. We also have a range of resources where you can learn about each standard.

Coffee Break Training – Some people work better in short, sharp bursts, which is why we provide 5 to 10 minute informative courses within our ISO training material.

Live Sessions – Sometimes, you need time with an expert to ask any questions that may have arisen during your training. We provide live sessions where you have time to ask questions and seek advice.

Game Plans – our ISO Training Material also includes Game Plans. These are action-focused guides to help you tackle common challenges that arise.

The Importance of Good ISO Training Material

Good ISO training material is so important when you are focusing on achieving your certification for your organisation.

Up-to-Date Information – Investing in good ISO training material is important for ensuring you and your company are working with and learning from up-to-date sources. The elements of the standard change periodically, and we ensure all of our ISO training materials remain as up-to-date as possible.

Increase Your Skill Set – The main goal of any training is to increase your skill set. Investing in good ISO training materials means you will actually learn about what is required for your organisation, not just read a checklist.

Bespoke Solution – With ISO solutions, there is not always a one-size-fits-all. Our ISO online training materials can help you create bespoke solutions to suit your organisation.

Learning Pace – When you embark on a learning journey, it is important to be able to work at your own pace. With our isologyhub, you can access materials as and when you need them in a timeline that suits you.

ISO Training Material from Blackmores

At Blackmores, we have created our isologyhub so that you have a dedicated platform to work through and keep track of your progress. We believe we have provided the most logical and easy to use ISO training platform.

Sign up today to gain unlimited access to ISO training materials and experience our learning journey.

Stitcher | Spotify | YouTube | iTunes | Soundcloud

AI has been integrated into almost every aspect of our lives, from everyday software we use at work, to the algorithms that determine what content is recommended to us at home.

While extraordinary in its capabilities, AI is not infallible and opens everyone up to new and emerging risks. Legislation and regulation are finally catching up with the rapid adoption of this technology, for example the EU AI Act, along with new best-practice standards such as ISO 42001.

For those looking to integrate AI in a safe and ethical manner, ISO 42001 may be the answer.

Today Rachel Churchman, Technical Director at Blackmores, explains what ISO 42001 is, why you should conduct an ISO 42001 Gap analysis and what’s involved with taking the first step towards ISO 42001 Implementation.  

You’ll learn

  • What is ISO 42001?
  • What are the key principles of ISO 42001?
  • Why is ISO 42001 Important for companies either using or developing AI?
  • Why conduct an ISO 42001 Gap Analysis?
  • What should you be looking at in an ISO 42001 Gap Analysis?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Rachel Churchman joins Steph to discuss what ISO 42001 is, its key principles and the importance of implementing ISO 42001 whether you are developing AI or simply using it.

Rachel will also explain the first step towards implementation – an ISO 42001 Gap Analysis.

[02:45] Upcoming ISO 42001 Workshop – We have an upcoming ISO 42001 workshop where you can learn how to complete an AI System Impact Assessment, a key tool to help you effectively assess the potential risks and benefits of using AI.

Rachel Churchman, our Technical Director, will be hosting that workshop on the 5th December at 2pm GMT, but places are limited so make sure you register your place sooner rather than later!

[03:20] The impact of AI – AI is everywhere, and until very recently it had largely outpaced any sort of regulation or legislation. Both are needed, as AI is like any other technology and brings its own risks, which is why a best-practice standard for AI management has been created.

If you’d like a more in-depth breakdown of ISO 42001, check out our previous episodes: 166 & 173

[04:30] A brief summary of ISO 42001 – ISO 42001 is an Internationally recognised Standard for developing an Artificial Intelligence Management System.  It provides a comprehensive framework for organisations to establish, implement, maintain, and continually improve how they implement and develop or consume AI in their business. It aims to ensure that AI risks are understood and mitigated and that AI systems are developed or deployed in an ethical, secure, and transparent manner, taking a fully risk-based approach to responsible use of AI.

Much like other ISO Standards, it follows the High-Level Structure and therefore can be integrated with existing ISO Management systems as many of the core requirements are very similar in nature. 

[05:45] Why is ISO 42001 important for companies both developing and using AI? – AI is now commonplace in our world, and has been for some time. A good example is the use of Alexa or Siri, both AI-powered voice assistants that many of us use routinely. AI is now also being introduced into many technologies we consume in our working lives, all designed to make us more efficient and effective. Some examples being:

  • Microsoft 365 Copilot
  • GitHub Copilot
  • Google Workspace
  • Adobe Photoshop
  • Search engines, e.g. Google

Organisations need to be aware of where they’re consuming AI in their business as it may have crept in without them being fully aware.  Awareness and governance of AI is crucial for several reasons: 

For companies using AI, they need to ensure they have assessed the potential risks of the AI, such as unintended consequences and negative societal impacts, or potential commercial data leakage. If they are using AI to support decision making, they also need to ensure that decisions made or supported by AI systems are fair and unbiased. It's not all about risk: organisations can also use AI to streamline processes, becoming more efficient and effective, or to support innovation in ways not previously considered.

For companies developing AI, the standard promotes the ethical development and deployment of AI systems, ensuring they are fair, transparent, and accountable.  It provides a structured approach to risk assessment and governance associated with AI, such as bias, data privacy breaches, and security vulnerabilities.

And for all, using ISO 42001 as the best practice framework, organisations can ensure that their AI initiatives are aligned with ethical principles, legal requirements, and industry best practices. This will ultimately lead to more trustworthy, reliable, and beneficial AI systems for all.

[09:00] What are the key principles outlined in ISO 42001? –

  • Fairness and Non-Discrimination – ensuring AI systems treat all individuals and groups fairly and without bias.
  • Transparency and Explainability – making AI systems understandable and accountable by providing clear explanations of their decision-making processes.
  • Privacy and Security – protecting personal data and privacy while ensuring the security of AI systems.
  • Safety and Security – prioritising the safety and well-being of individuals and the environment by mitigating potential risks associated with AI systems.
  • Environmental & Social – considering the impact of AI on the environment and society, promoting sustainable and responsible practices.
  • Accountability and Human Oversight – maintaining human control and responsibility for AI systems, ensuring they operate within ethical and legal boundaries. You'll often hear the term 'human in the loop'. This is vital to ensure that AI output is sanity checked by a human, to catch hallucinations or any 'drift' in results.

[10:00] Clause 7.4 Communication – The organisation shall determine the internal and external communications relevant to the AI management system, including what should be communicated, when, and to whom.

[11:10] Why conduct an ISO 42001 Gap Analysis? What is the main aim? – Any gap analysis is a strategic planning activity to help you understand where you are, where you want to be and how you're going to get there. The ISO 42001 gap analysis will identify gaps and pinpoint the areas where your AI practices fall short of the ISO 42001 requirements.

It aims to conduct a systematic review of how your organisation uses or develops AI to then assess your current AI management practices against the requirements of the ISO 42001 standard. This analysis will then help you to identify any “gaps” where your current practices do not fully meet the standard’s requirements.  It also helps organisations to understand ‘what good looks like’ in terms of responsible use of AI.  

It will help you to prioritise improvement areas that may require immediate attention, and those that can be addressed in a phased approach.

It will help you to understand and mitigate the risks associated with AI. 

It will also help you to develop a roadmap for compliance to include plans with clear actions identified that can then be project managed through to completion, and as with all ISO standards it will support and enhance AI Governance.

[13:15] Does an ISO 42001 gap analysis differ from gap analysis for other standards? – Ultimately, no. The ISO 42001 gap analysis doesn’t differ massively from other ISO standard gap analysis, so anyone who already has an ISO Standard and has been through the gap analysis process will be familiar with it.

In terms of likeness, ISO 42001 is similar in nature to ISO 27001 in as much as there is a supporting ‘Annex’ of controls and objectives that need to be considered by the organisation.  Therefore the questions being asked will extend beyond the standard High Level Structure format.

Now is probably a good time to note that the Standard itself is very informative and includes additional annex guidance, including:

  • implementation guidance for the specific AI controls,
  • an Annex for potential AI-related organisational objectives and risk sources,
  • and an Annex that provides guidance on use of the AI management system across domains and sectors and integration with other management system standards. 

[14:55] What should people be looking at in an ISO 42001 gap analysis? – The Gap Analysis will include areas such as looking at the ‘Context’ of your organisation to better understand what it is that you do, or the issues you are facing internally and externally in relation to AI – both now and in the reasonably foreseeable future, and also how you currently engage with AI in your business.  This will help to identify your role in terms of AI. 

It will also look at all the main areas typically captured within any ISO standard to include leadership and governance, policy, roles and responsibilities, AI Risks and your approach to risk assessment and treatment and AI system impact assessments.  It also looks at AI objectives, the support resources you have in place to manage requirements, awareness within your business for AI best practice and use, through to KPI’s, internal audit, management review and how you manage and track issues through to completion in your business.

The AI-specific controls look more in depth at policies related to AI, your internal organisation (key roles, responsibilities and reporting of concerns), resources for AI systems, how you assess the impacts of AI systems, the AI system lifecycle (AI development), data for AI systems, information provided to interested parties of AI systems, the use of AI systems, and third-party and customer relationships.

[18:10] Who should be involved in an ISO 42001 Gap Analysis? – An ISO 42001 gap analysis looks at AI from a number of different angles, from organisational governance (strategic plans, policies and risk management), through training and awareness of AI for all staff, to technical knowledge of how and where AI is used or potentially developed within the organisation. This means that multiple roles are likely to be involved over the duration of a gap analysis.

At Blackmores we always provide a Gap Analysis ‘Agenda’ that clearly defines what will be covered over the duration of the gap analysis, and who typically could be involved in the different sessions.  We find this is the best way to help organisations plan the support needed to answer all the questions required. 

It’s also important to treat the gap analysis as a ‘drains up’ review, to help get the  most benefit out of the gap analysis.  This will ensure that all gaps are identified so that a plan can then be devised to support the organisation to bridge these gaps, putting them on the path to AI best practice for their business.

If you'd like to find out more about ISO 42001 implementation, register for our upcoming Workshop on the 5th December 2024.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or LinkedIn
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

If your company currently holds an ISO 27001 certification, you should be aware of the ISO 27001 transition. 

ISO 27001 is the international standard for information security. It is suitable for any organisation, as it addresses the security of commercially sensitive information as well as personal information.

What is an ISO 27001 Transition?

The transition moves ISO 27001 from the 2013 version to the 2022 revision. If your organisation currently holds an ISO 27001:2013 certificate, you will need to update your certification.

The revised standard was published in October 2022, and the deadline to transition your certification is 31 October 2025, after which certificates to the 2013 version are no longer valid.

If you currently hold an ISO 27001:2013 certificate and you are looking for a consultant to help you transition to ISO 27001:2022, contact Blackmores today. Our ISO 27001 consultants can discuss the transition with you and help you to adapt your management systems to achieve the newer revision. 

Analysis of an ISO 27001 Transition 

Many of our clients are asking about the differences between ISO 27001:2013 and ISO 27001:2022. We have a whole mini-series on our podcast, The ISO Show, all about the ISO 27001 transition.

There have been several changes to Annex A: 56 controls have been merged into 24 newly titled controls, 11 new controls have been added, and 58 controls are unchanged. The result is 93 controls in the 2022 version, down from 114 in 2013.

New Controls Added to ISO 27001:2022

To summarise, these are the 11 new controls added in ISO 27001:2022 (A.5.30 is covered in two points below):

1. Control A.5.7 Threat Intelligence – 'To provide awareness of the organisation's threat environment so that the appropriate mitigation actions can be taken.' – Threat intelligence can come from many different sources. Some of the best places to look include the NCSC or local police websites, as well as tools that detect phishing attacks. As well as digital threats, you also need to think about physical security: ISO 27001 is about much more than just protecting data!

2. Control A.5.23 Information security for use of cloud services – 'To specify and manage information security for the use of cloud services.' – With the growth in cloud computing between 2013 and 2022, adding a control on this topic was incredibly important. The best place to start is to verify that your service provider's security is adequate by checking their valid information security credentials, such as CSA STAR, Cyber Essentials and SOC reports. This also overlaps with the principles of ISO 27017 (cloud security controls), ISO 27018 (protection of PII in the public cloud) and ISO 27701 (privacy information management).

3. Control A.5.30 ICT readiness for business continuity – 'To ensure the availability of the organisation's information and other associated assets during disruption.' – There are a few other ISO standards that could assist with this, for example ISO 27031 (ICT readiness for business continuity).

4. Control A.5.30 ICT readiness for business continuity (continued) – Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are a big focus of this control. Business continuity is one of the most important elements of security, as it determines how your business will cope in the event of an attack or a breach. If you want to dig deeper into recovery timing, BS 25777 (ICT continuity) is an older British Standard, since superseded by ISO 27031, that may still be helpful to you and your business.

5. Control A.7.4 Physical security monitoring – 'To detect and deter unauthorised physical access.' – Physical security monitoring can include CCTV, access control, swipe cards, etc. Within the monitoring you should also have a method for detecting and alerting on anomalies.

6. Control A.8.9 Configuration management – 'To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorised or incorrect changes.' – This covers the configuration of any hardware, software, services and networks you rely on. Firewall rules, software settings, hardware devices, passwords and similar items should be documented and explained, and monitored on a regular basis, so that nothing changes without the relevant people being notified. For further guidance, the configuration management process in ISO 20000 is a useful reference.
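One practical way to satisfy the "monitored on a regular basis" part of A.8.9 is to keep an approved baseline of each managed item's configuration and compare the live state against it. The following is an added example, not code from the article or from Blackmores: it fingerprints constructed configuration snapshots (the hostnames, rules and versions are invented for illustration) and reports unbaselined items, missing items, approved changes and unapproved drift.

```python
"""Added example for control A.8.9: baseline and drift check over
constructed configuration snapshots. Not from the article."""
import hashlib
import json
from typing import Dict, Iterable, List


def fingerprint(config: Dict[str, object]) -> str:
    """Stable SHA-256 of one item's configuration; key order is irrelevant."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_baseline(inventory: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Approved baseline: item name -> fingerprint. Keep this under change control."""
    return {name: fingerprint(cfg) for name, cfg in inventory.items()}


def check_drift(baseline: Dict[str, str],
                current: Dict[str, Dict[str, object]],
                approved_changes: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Compare the live inventory against the baseline.

    Items whose change was raised through change control are listed in
    approved_changes and are reported as such; anything else that differs
    is drift that someone must look at.
    """
    approved = set(approved_changes)
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append({"item": name, "status": "missing"})
        elif name not in baseline:
            findings.append({"item": name, "status": "unbaselined"})
        elif fingerprint(current[name]) != baseline[name]:
            status = "approved_change" if name in approved else "drift"
            findings.append({"item": name, "status": status})
    return findings


# Constructed inventory: the approved state of three managed items.
BASELINE_INVENTORY = {
    "fw-edge-01": {"default_policy": "deny",
                   "rules": ["allow tcp/443 from any", "allow tcp/22 from 10.0.0.0/8"]},
    "web-01": {"tls_min_version": "1.2", "packages": {"nginx": "1.24.0"}},
    "vpn-01": {"mfa_required": True, "idle_timeout_min": 15},
}

# Constructed live snapshot: an extra firewall rule nobody approved, web-01
# patched under an approved change, vpn-01 gone, and an unknown host db-01.
CURRENT_INVENTORY = {
    "fw-edge-01": {"default_policy": "deny",
                   "rules": ["allow tcp/443 from any", "allow tcp/22 from 10.0.0.0/8",
                             "allow tcp/3389 from any"]},
    "web-01": {"tls_min_version": "1.2", "packages": {"nginx": "1.26.2"}},
    "db-01": {"listen": "0.0.0.0"},
}


def run_check() -> List[Dict[str, str]]:
    """Run the drift check with web-01's patch recorded as an approved change."""
    baseline = build_baseline(BASELINE_INVENTORY)
    return check_drift(baseline, CURRENT_INVENTORY, approved_changes={"web-01"})


if __name__ == "__main__":
    for finding in run_check():
        print(f"{finding['item']:<12} {finding['status']}")
```

The baseline fingerprints are the artefact an auditor can ask for: they show what was approved, when it was last checked, and that unapproved changes (here the new RDP rule on the firewall) are detected rather than discovered after an incident.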

7. Control A.8.10 Information deletion – 'To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.' – Deletion was partly covered in ISO 27001:2013 through the disposal of media and equipment, but A.8.10 makes it an explicit control and clarifies what is expected. You will now need to be able to demonstrate that data has been deleted when required; if you use a third party for disposal, keep their certificates of destruction as evidence.

8. Control A.8.11 Data Masking – 'To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.' – Three techniques are commonly used for data masking: obfuscation, pseudonymisation and anonymisation. Data masking also helps your organisation to comply with GDPR requirements.
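The three options differ in what they protect against and whether they can be undone, which matters when you decide which one a given export needs. The example below is added here and is not code from the article: it applies obfuscation (partial masking for display), pseudonymisation (a keyed HMAC token that stays consistent across records so they can still be joined, but cannot be reversed without the key) and anonymisation (dropping direct identifiers and generalising the rest) to constructed, fictitious customer records. The key value is a placeholder; in practice it comes from a secrets store and never travels with the masked data.

```python
"""Added example for control A.8.11: obfuscation, pseudonymisation and
anonymisation applied to constructed records. Not from the article."""
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample records (fictitious people and test card numbers).
RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Example", "email": "ada@example.com", "dob": "1987-04-12",
     "postcode": "SW1A 1AA", "card": "4111111111111111"},
    {"name": "Bob Sample", "email": "bob@example.com", "dob": "1991-11-30",
     "postcode": "M1 1AE", "card": "5500000000000004"},
    {"name": "Ada Example", "email": "ada@example.com", "dob": "1987-04-12",
     "postcode": "SW1A 1AA", "card": "4111111111111111"},
]


def obfuscate_card(pan: str) -> str:
    """Obfuscation: keep only the last four digits. Fine for a UI or a log
    line, useless for analytics, and trivially guessable for short values."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def obfuscate_email(addr: str) -> str:
    """Obfuscation for display: first character of the local part only."""
    local, _, domain = addr.partition("@")
    return local[0] + "***@" + domain


def pseudonymise(value: str, key: bytes) -> str:
    """Pseudonymisation: keyed HMAC-SHA256 token, truncated for readability.
    Equal inputs give equal tokens, so records can still be linked, but
    without the key the original cannot be recovered or guess-and-checked.
    The key is the 're-identification' secret and must be held separately."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Anonymisation: drop direct identifiers and generalise quasi-identifiers
    (decade of birth, postcode area) so the row no longer points at a person.
    Irreversible by design; no key exists."""
    year = int(record["dob"][:4])
    return {
        "birth_decade": f"{year // 10 * 10}s",
        "postcode_area": record["postcode"].split()[0],  # outward code only
    }


def mask_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Pseudonymised export: identifiers tokenised, card numbers obfuscated."""
    return [
        {
            "subject_id": pseudonymise(r["email"].lower(), key),
            "email": obfuscate_email(r["email"]),
            "card": obfuscate_card(r["card"]),
            "postcode": r["postcode"],
        }
        for r in records
    ]


if __name__ == "__main__":
    KEY = b"placeholder-key-from-secrets-store"  # assumption: not a real key
    for row in mask_records(RECORDS, KEY):
        print(row)
    print(anonymise(RECORDS[0]))
```

Note that the pseudonymised export still carries the full postcode: under GDPR it remains personal data, because the token plus the key re-identifies the subject. Only the anonymised form leaves the scope of the regulation, and only if the generalisation is coarse enough that the remaining fields cannot single anyone out.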

9. Control A.8.12 Data leakage prevention – 'To detect and prevent the unauthorised disclosure and extraction of information by individuals or systems.' – This control has been re-added from the earlier 2005 version of ISO 27001. Organisations should have systems in place to monitor unusually large data downloads, or even large print batches. Secure email systems and regular security training are also a must for any organisation.

10. Control A.8.16 Monitoring Activities – 'To detect anomalous behaviour and potential information security incidents.' – ISO 27001 now explicitly requires that networks, systems and applications are monitored for unusual activity, so that potential security incidents and data breaches are detected and dealt with promptly.
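A.8.12 asks you to notice large data downloads and A.8.16 asks you to monitor for anomalous behaviour; in practice both are served by the same kind of detection logic over your existing access logs. The following is an added example, not code from the article or from Blackmores: it parses constructed download log lines (the format, users and filenames are invented) and raises an alert the moment a user's downloaded volume within a sliding one-hour window crosses a threshold. The window and threshold are assumptions to tune against your own baseline.

```python
"""Added example for controls A.8.12 and A.8.16: sliding-window bulk
download detection over constructed log lines. Not from the article."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple, Optional

# Assumed log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=download "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)


class Event(NamedTuple):
    ts: datetime
    user: str
    file: str
    size: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match, so a
    malformed or unrelated line is skipped rather than crashing the detector."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["file"], int(m["bytes"]))


def detect_bulk_downloads(lines: Iterable[str],
                          window: timedelta = timedelta(hours=1),
                          threshold: int = 500_000_000) -> List[Dict[str, object]]:
    """Alert once each time a user's bytes downloaded within `window`
    cross `threshold`. Events are processed in timestamp order."""
    recent = defaultdict(deque)        # user -> deque of (ts, size) inside the window
    totals = defaultdict(int)          # user -> bytes currently inside the window
    alerts: List[Dict[str, object]] = []
    events = [e for e in map(parse_line, lines) if e is not None]
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.user]
        # Drop events that have fallen out of the window relative to this event.
        while q and ev.ts - q[0][0] > window:
            _, old = q.popleft()
            totals[ev.user] -= old
        was_over = totals[ev.user] > threshold
        q.append((ev.ts, ev.size))
        totals[ev.user] += ev.size
        if totals[ev.user] > threshold and not was_over:
            alerts.append({
                "user": ev.user,
                "at": ev.ts.isoformat(),
                "bytes_in_window": totals[ev.user],
                "files_in_window": len(q),
            })
    return alerts


# Constructed sample log: normal activity for alice, two big but widely spaced
# backups for carol (outside one window), one malformed line, and mallory
# pulling ten 80 MB customer exports three minutes apart.
SAMPLE_LOG = [
    "2024-11-05T09:00:00Z user=alice action=download file=agenda.docx bytes=1000000",
    "2024-11-05T09:05:00Z user=carol action=download file=backup-a.zip bytes=300000000",
    "2024-11-05T09:10:00Z user=alice action=download file=minutes.pdf bytes=2000000",
    "this line is malformed and must be skipped",
    "2024-11-05T10:30:00Z user=carol action=download file=backup-b.zip bytes=300000000",
] + [
    f"2024-11-05T09:{30 + 3 * i:02d}:00Z user=mallory action=download "
    f"file=customers-{i:02d}.csv bytes=80000000"
    for i in range(10)
]


if __name__ == "__main__":
    for alert in detect_bulk_downloads(SAMPLE_LOG):
        print(alert)
```

On the sample log only mallory trips the detector, at the seventh file (560 MB inside the hour); carol's two 300 MB downloads are 85 minutes apart and never share a window. A fixed threshold is deliberately simple: the next step in a real deployment is a per-user or per-role baseline, so that a data team's routine exports do not drown out a single unusual one.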

11. Control A.8.23 Web Filtering – 'To protect systems from being compromised by malware and to prevent access to unauthorised web resources.' – Because staff use the internet and cloud-based systems throughout the working day, web filtering has been brought into ISO 27001. Your systems should prevent users from reaching known malicious or unsecured sites; some organisations choose to extend this to social media.

12. Control A.8.28 Secure Coding – 'To ensure the software is written securely, thereby reducing the number of potential information security vulnerabilities in the software.' – Software must be written securely. If software is supplied by a third party, secure coding should be a stated expectation of that supplier. If you develop bespoke software, you must evaluate your development practices against recognised industry secure coding standards.

Working with Blackmores for your ISO 27001 Transition

At Blackmores, we are ISO consultants. We work with organisations in various industries to help them create and implement management systems that comply with ISO standards so that they can achieve various certifications. 

When it comes to completing an ISO 27001 transition, we have worked with many of our clients to help them make the required changes and ensure they are able to achieve certification to the 2022 version. 

You only have until October 2025 to transition to the 2022 version of ISO 27001. If you would like expert advice and support, contact our team of isologists today.


With the world becoming more reliant on digital technology, along with the recent surge in artificial intelligence for just about everything, there is a lot of talk around ISO artificial intelligence standards for businesses.

At Blackmores, we are ISO Consultants. We work with organisations to help them achieve various ISO standards, one of which is the Artificial Intelligence Management Standard.

To kick start your journey, we have put together this guide to give you the basics of ISO 42001 and tell you why the best way forward is to work with an ISO Consultant.

What is the Artificial Intelligence Management Standard?

ISO 42001 is the first Artificial Intelligence Management Standard. It has been designed and developed to help businesses implement, maintain and improve their AI management practices.

It is a very new standard, having just been published in December 2023 by the International Organisation for Standardisation and the International Electrotechnical Commission.

Why Should My Business Get Certified in Artificial Intelligence Standards?

There are several reasons why your business should invest in ISO Artificial Intelligence standards.

  • Having this standard demonstrates that your business is using AI in a responsible and ethical way.
  • It allows you to be transparent and reliable in your use of AI in your development.
  • It supports compliance with legal and regulatory standards within your business
  • it will help you to implement a framework for managing risks and opportunities as a result of using AI
  • ISO 42001 will demonstrate that you are using AI as a strategic decision for your business
  • The use of AI shows that you are encouraging innovation within your business

If you are using AI in any of your daily activities, then you could run into the following risks:

Inaccurate Information – If you are using AI to create any company information or internal and external communications, you need to be aware of the inaccuracies you could be exposing yourself to. AI generators rarely fact-check; their output is derived from training data, much of it gathered from the web, which could be:

  • Inaccurate
  • Out of date
  • Biased
  • Drawn from a poisoned data source

If you are using information directly from AI in any company texts or literature, it's extremely important that you fact check and ensure your information is correct, as AI can also open you up to:

Plagiarism – Although many AI tools avoid copying directly from their sources, there is still a risk of plagiarism, which could lead to lawsuits and potentially fines.

Security Risks – As with most external resources, there are security risks associated with the use of AI, for example commercially sensitive data entered into a third-party AI tool leaving your control. This is something to be aware of when you are using AI for any business function.

Because of the above risks, we advise that if you are using AI in your organisation, you should invest in Artificial Intelligence Management Standards. At Blackmores, we can help you implement ISO 42001 into your existing systems to protect you from various risks.  

Working With An ISO 42001 Consultant

Although ISO 42001 is a new standard, we have been working as an ISO consultant for over 18 years. We have refined our process to ensure our clients pass their certifications and gain the standards they need to grow their business, satisfy customers, and achieve sleeker working standards.

Our process tends to follow the following steps:

Gap Analysis – All of our ISO consultancy work begins with a gap analysis. We take a look at your current management systems and determine where the gaps are and how the AI standard can be integrated.

Give You Access to Training Materials – Our online platform, the isologyhub, contains a wide portfolio of training and development materials. When you work with Blackmores, we give you and your employees access to this platform so you can learn at your own pace. In the isologyhub you will find all you need to know about ISO Artificial Intelligence standards and much more.

Appoint Your AI Management Consultant – To help you implement your management system, we will appoint you a dedicated AI Management consultant who will work alongside you and your team. Each of our consultants specialises in a different standard, so they are up to date and well educated in the area you are looking for. We call our consultants our isologists – you can meet them here.

Internal Audits – Part of gaining your certification means conducting internal audits. This can be a daunting process whether you have already gained a certification or if this is your first one. Your ISO consultant can be onsite for these audits to ensure everything runs smoothly for you and your team.

External Audits – we can book your external audits on your behalf and ensure we are available to come and support you during this time.

Who Should Be Investing in Gaining an ISO Artificial Intelligence Standard?

Any business that uses AI for any task should consider investing in the ISO Artificial Intelligence standard. This is a growing area for businesses to consider, so getting certified now could save you a lot of time and effort in the future.

If you are looking for an ISO consultant for ISO 42001 or any standard, contact our team today. We are looking forward to partnering with organisations all over the UK to help them achieve their ISO goals.


There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached.

It has become clear in recent years that information security isn't just a 'nice to have'; it's a necessity to ensure your and your clients' data are protected. This is especially the case for those processing personal and financial data, such as today's guest, Mintago.

In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard.

You’ll learn

  • Who are Mintago?
  • Who is Tom Catnach?
  • What was the main driver behind achieving ISO 27001?
  • What was the biggest ‘gap’ identified in the Gap Analysis?
  • What have they learned from the experience?
  • What are the benefits of certification to ISO 27001?
  • What does the threat horizon for information security look like?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification.

[02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including:

  • Finding lost pension pots
  • Help to save money through finding discounts
  • Retirement planning
  • Offering various salary sacrifice products
  • Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings
  • Helping people to be more financially literate

[05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer.

Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001.

Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights.

[06:30] What was Mintago's main driver to implement ISO 27001?: Mintago, like most other businesses, are by their nature required to hold a lot of sensitive data, and so have a responsibility to their clients and employees to ensure its security.

Mintago were looking for a robust framework to base their information security around, and what better option than the leading information security standard, ISO 27001.

ISO 27001 also offers the assessment of general business practice and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training etc. to roll out to new hires as they expand.

[08:30] Aligning Standards with core values: Trust is one of Mintago’s core values and they want to give their clients the assurance that they can be trusted to protect their data.

ISO 27001 can be compared to the likes of B Corp as it’s an ongoing process. It doesn’t just stop at getting the certificate; you have annual surveillance to ensure you are still compliant year on year.

[10:15] What was the scope of Mintago’s certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service.

This was because all of the sensitive data is handled in those departments and they don’t allow access to any other teams, so it made sense to start there with a view to expand the scope after certification.

That being said, they still rolled out Information Security training to all staff, and everything has been set up to allow for an easy business-wide roll-out when they’re ready.

[11:50] How long was Mintago’s certification journey?: They started their journey in September 2023, in fact it was Tom’s first project with Mintago!

Mintago enlisted Blackmores’ help to implement ISO 27001, and after nine months they have been successfully certified.

Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it’s an advantage to implement ISO Standards early while you’re agile so that your management system grows with you.

[14:25] What was the biggest ‘gap’ identified at the Gap Analysis?: Mintago are lucky in the fact that they are a new business, so they are using modern tech and don’t have the burden of a larger site or other physical elements such as rack-mounted servers.

However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance.

There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place.

[16:35] Did Mintago experience any significant barriers in addressing identified gaps?  Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to.

One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management (MDM) solution, antivirus and anti-phishing in place.

When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago’s size. Many organisations sadly prioritise bigger potential clients, and so it took a while to finally get all the required software.

[18:45] Engagement is key – Getting everyone involved with the management system is critically important. This is especially true for information security, as the people most often targeted are frontline workers, so they need to be actively engaged in security.

Mintago also has the advantage of being a smaller business, so getting communication out isn’t a hardship and resulted in high engagement. This benefited from a top-down initiative via their ‘C-Suite’.

Tom also states that you can make any necessary training more lighthearted, team-based or interactive, as that’s something that people would want to engage in.

It’s also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online.

[23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? – The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don’t work?’, ISO 27001 drilled down to ask specifics such as:

  • How do we recover from that scenario?
  • Are we 100% confident in our back-ups?
  • Will they work near instantaneously?
  • What’s Mintago’s availability like in that scenario?
  • How do we prevent disruption to our clients during that scenario?

So, while they did have back-ups, they weren’t necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system.

In regards to threat horizons, Mintago do follow OWASP practices and keep the team informed via e-mail, newsletters and GitHub repositories.

[25:00] Internal Auditing – A beneficial tool – Tom found the internal auditing process to be very beneficial for Mintago; currently they do a few per month on average.

Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve-wracking for Stage 1 and 2, as they would determine if they would be certified.

Mintago passed their Stage 1 (documentary review) with flying colours. Their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification.

[27:20] Minor Non-conformities aren’t the end of the line – There’s a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can’t be certified, but that’s simply not true!

If an Assessor is comfortable that you are in a good position for certification, they will recommend you.

ISO Standards are all about continual improvement, which is something Mintago are embracing as they continue to address issues raised at audits.

[29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include:

Internal Stakeholders – The team worked hard to achieve the Standard and have embraced its core qualities to the benefit of their own Information Security practices.

Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other’s commitment to information security.

Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow.

[31:10] Any concerns on the threat horizon?: As the Information Security Officer, Tom is concerned about new emerging trends in AI-led scams. They’re going to be a lot more sophisticated and harder to spot and deal with.

Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident.

However, with ISO 27001 Mintago are in a good place to keep on top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security.

[34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It’s not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place.

If you would like to learn more about Mintago and their financial services, check out their website.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

At Blackmores, we are ISO consultants. One of the aspects we help our clients with is ISO 27001 implementation.

What is ISO 27001?

ISO 27001 is an internationally recognised standard for managing information security. It provides a framework for establishing, implementing, and maintaining an Information Security Management System (ISMS). The goal of ISO 27001 is to help your business protect its information by identifying risks and implementing appropriate controls to mitigate them. At Blackmores, we work with our clients to help them identify these risks and implement an ISMS that meets the ISO 27001 standard.

ISO 27001 covers various aspects of security, including:

  • Risk assessment
  • Security policies
  • Access controls
  • Incident management
  • Compliance with legal requirements.

When you achieve your ISO 27001 certification, your company has demonstrated its commitment to safeguarding sensitive data and reducing the risk of security breaches.

ISO 27001 Implementation with Blackmores

At Blackmores, we work with clients from all industries and all over the country. We work closely with each client and create a bespoke package for them to ensure that they get exactly what they need. We can provide online resources so that you or your team can work at your own pace when focusing on your ISO 27001 implementation.

When working with our clients, we can offer the following:

Initial Audit – Before we can create an Information Security Management System, we first carry out a thorough audit of your current processes. This enables us to see where the gaps are and identify what we can do to help you with your ISO 27001 Implementation.

Provide Resources, Training, and Consultations – We then begin training you and your team on ISO 27001. We give you insight into what is required to pass the certification and how your business can work towards these processes. Our online training modules, provided through the isologyhub, are perfect for you and your team to work through independently.

Dedicated isologists – We appoint a dedicated ISO consultant from our team of isologists for each of our clients. Each of our isologists specialises in a specific ISO standard. Your isologist will be available for you to reach out to for questions, queries and advice throughout your ISO 27001 implementation process. We make sure we are onsite for your internal and external audits from awarding bodies to provide that extra support where required.

Ongoing Support – Once your ISO 27001 certification has been achieved, we continue to support you. If you have further questions or want to discuss any aspect, you can contact your isologist, and they can help you.

Working with an ISO 27001 Consultant

When you choose to work with an ISO consultant for any standard, you give your business the best chance of successful implementation and long-term success.

At Blackmores, we have decades of experience in ISO implementation for all types of businesses. We know the industry inside out and understand exactly what it takes for successful implementation and achievement.

By achieving the ISO 27001 certification, your clients and customers will know that they are working with an organisation that is compliant in its information security management, highly credible and trustworthy, and committed to the industry to ensure it is doing the right thing.

It’s important not to underestimate the ISO standards. They are hard work to achieve and should be recognised as a true mark of skill and commitment to the company.

Contact Blackmores

For more information on ISO 27001 implementation or to discuss your requirements, make sure you contact our team today.


In July 2024, a logic error in an update for CrowdStrike’s Falcon software caused 8.5 million Windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all affected machines took weeks to complete.

Many businesses were caught up in the disruption, regardless of whether this affected them directly or by proxy due to affected suppliers. So, what can businesses learn from this?

Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.

You’ll learn

  • What happened following the CrowdStrike crash?
  • How long did it take businesses to recover?
  • Which ISO management system standards would this impact?
  • How can you use your Management System to address the effects of an IT incident?
  • How would this change your understanding of the needs and expectations of interested parties?
  • How do risk assessments factor in where IT incidents are concerned?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications on your Management system and business continuity lessons learned that you can apply ahead of any potential future incidents.

[03:00] What happened following the CrowdStrike crash? – In short, an update to CrowdStrike’s Falcon software brought down computer systems globally.

8.5 million Windows systems, which in reality is less than 1% of Windows systems, were affected as a result of this error.

Even so, the damage was felt across key pillars of our societal infrastructure, with a lot of hospitals and transportation such as trains and airlines being the worst affected.

[04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn’t mean that computers affected would be automatically fixed.

In many cases, applying the fix meant that engineers had to go on site to many different locations, which is both time consuming and costly. In some cases, Microsoft said that some computers might need as many as 15 reboots to clear the problem.

So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve as not everyone has IT or tech support in the field to issue a manual reboot.

A lot of businesses were caught out as they don’t factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA).

[07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself:

  • What systems do you use?
  • How reliable are the third-party applications that you use?
  • If an issue like this were to recur, how would it affect us?
  • Do we have the necessary resource to fix it, i.e. staff on site if needed?

Third parties will have a lot of clients, and some may even prioritise those that pay for a more premium package, so you can’t always count on them for a quick fix.

[09:10] How does this impact our businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can’t afford to say ‘We don’t use CrowdStrike, therefore it did not impact us’ – it may have impacted your suppliers or your customers. Even if there was zero impact, lessons can be learned from this event for all companies.

Standards that were directly affected by the outage were:

  • ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments
  • ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness
  • ISO 20000-1 – IT Service Management: Risk Assessment of service delivery; Service continuity; Service Availability

Remember, our management systems should reflect reality and not aspiration.

[11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company’s system for capturing non-conformities or continual improvement.

You could liken this to how ISO 45001 requires you to report accidents and incidents.

From the Incident a plan can be created which should include changes to be considered or made to the management system.

The Incident should lead us to conducting a lessons learned activity to determine where changes and improvements need to be made.

All the standards direct us to ‘Understanding the organisation and its context’.

The key requirement here is to determine the internal and external issues that can impact your management system and prevent it from being effective. Whatever method a company uses for this (perhaps a SWOT and PESTLE), the CrowdStrike/Microsoft outage should be included in this analysis as a threat and/or technical issue.

[15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they’re delivering.

So you could send them an e-mail to ask how they dealt with the issue, what actions they took and how long it took to fully restore services.

This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk level if you are privy to their recovery plans.

Many people still think of that requirement only in relation to goods and products, i.e. has my order been delivered, etc. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it’s being delivered.

[17:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[19:50] Once you have established lessons learnt, what’s next? – The Standards provide a logical path to work through.

One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result.

Do not simply put the sole blame on a third party from whom an incident may have originated. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault.

One such finding may be your lack of business continuity plans, in which case, looking at implementing aspects of ISO 22301 may be an action to consider.

It’s also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted.

If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way.

[23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn’t just be a one time thing. You should be addressing these after incidents and any major changes within the business.

Ideally, you should be looking at these in all your meetings, as many actions may need to be escalated to a strategic level.

If you’d like to learn about how one of our clients embraced SWOT and PESTLE, and used it to their advantage, check out episode 53.

[25:20] How has our understanding of the needs and expectations of Interested Parties been changed? – How has the Outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:

  • Risk Assessment
  • BIA for BCP
  • Recovery Plans
  • DR plans
  • Service Continuity

[27:50] What should you be considering with your risk assessments? – Risk Assessments, if they follow the traditional methodology, will have Likelihood and Impact/Severity scores, and in the light of this outage, or any event, the Likelihood and Impact scores should be updated.

If a company has set the likelihood as ‘once every 5 years’ it should seriously consider changing this to ‘once every 6 months’ or ‘once every year’ to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to ‘once every 5 years’.

The impact is important to look at. If a company has been impacted by this outage, what has it cost the company to recover – talk to finance and other departments to understand the cost and change the scoring accordingly.

[33:20] Why should a business carry out a risk assessment as part of lessons learnt? – Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business. In ISO 27001 there is a statement to identify the ‘Consequences of unintended changes’, and it could be argued that an outage on the level of the CrowdStrike/Microsoft outage was an ‘unintended change’ that led to consequences in many businesses.

So, use your risk assessments as live tools to report on the reality facing the organisation.

Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective.

If a recovery plan has stated that this type of incident could be recovered in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed.

Remember – your management system should reflect reality and not aspiration.
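To show the scoring updates described above in working form (raising the likelihood band after an outage and stepping it back each year, re-scoring impact from the actual recovery cost, and flagging a BIA recovery time that reality has disproved), here is an added example; it is not the episode’s or Blackmores’ own tool, and its likelihood bands, cost thresholds, risk names and sample figures are constructed assumptions rather than values taken from any standard.

```python
"""Added example (not from the ISO Show or Blackmores): a minimal risk register
that applies the episode's advice after a major IT outage. Bands, thresholds
and sample figures are constructed assumptions."""
from dataclasses import dataclass, field

# Likelihood bands from rarest to most frequent (constructed scale using the
# three bands the episode names).
LIKELIHOOD_BANDS = ["once every 5 years", "once every year", "once every 6 months"]

# Impact score by actual recovery cost in GBP, lowest threshold first (constructed).
IMPACT_THRESHOLDS = [(0, 1), (10_000, 2), (50_000, 3), (250_000, 4)]


@dataclass
class Risk:
    name: str
    likelihood: str = LIKELIHOOD_BANDS[0]
    impact: int = 1
    assumed_rto_hours: float = 48.0   # the recovery time the BIA promised
    review_log: list = field(default_factory=list)

    def score(self) -> int:
        """Traditional likelihood x impact score; the rarest band scores 1."""
        return (LIKELIHOOD_BANDS.index(self.likelihood) + 1) * self.impact


def impact_from_cost(cost_gbp: float) -> int:
    """Map what recovery actually cost (the figure from finance) onto an impact score."""
    score = 1
    for threshold, band_score in IMPACT_THRESHOLDS:
        if cost_gbp >= threshold:
            score = band_score
    return score


def record_incident(risk: Risk, actual_recovery_hours: float, recovery_cost_gbp: float) -> list:
    """Raise likelihood to the most frequent band, re-score impact from real cost,
    and return BIA findings the lessons-learned review must act on."""
    risk.likelihood = LIKELIHOOD_BANDS[-1]
    risk.impact = max(risk.impact, impact_from_cost(recovery_cost_gbp))
    findings = []
    if actual_recovery_hours > risk.assumed_rto_hours:
        findings.append(
            f"RTO breached: BIA assumed {risk.assumed_rto_hours:g}h, actual "
            f"{actual_recovery_hours:g}h - review RPO/RTO and the recovery plan")
    risk.review_log.append(("incident", risk.score(), list(findings)))
    return findings


def annual_review(risk: Risk) -> str:
    """Step the likelihood back one band per year until it reaches baseline,
    as the episode suggests; returns the band now in force."""
    idx = LIKELIHOOD_BANDS.index(risk.likelihood)
    if idx > 0:
        risk.likelihood = LIKELIHOOD_BANDS[idx - 1]
    risk.review_log.append(("annual review", risk.score(), []))
    return risk.likelihood


if __name__ == "__main__":
    # Constructed scenario: a third-party endpoint agent update takes two weeks
    # (336 h) to recover from and costs 60,000 GBP, against a 48 h BIA assumption.
    r = Risk("Third-party endpoint agent update failure")
    print("baseline score:", r.score())
    for f in record_incident(r, actual_recovery_hours=336, recovery_cost_gbp=60_000):
        print("finding:", f)
    print("post-incident score:", r.score())
    for year in range(1, 4):
        print(f"year {year}: {annual_review(r)} -> score {r.score()}")
```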

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.


As environmental consultants, we can help organisations to ready themselves for their Environmental ISO certifications. This includes a range of ISO certifications, compliances and solutions.

In today’s business world, the ever-growing pressure to look after the environment around us means that more and more organisations are investing back into the earth to try and combat some of the issues we humans have caused. This can look different for different businesses.

Environmental Certifications and Standards for Businesses

There are several different environmental certifications that you can achieve for your business. As an environmental consultant, we can work with your organisation to ensure your management systems are in order to pass your certification.

ISO 14001 – Environmental Management Certification – ISO 14001 focuses on what businesses can do in order to control the impact they have on the environment.

ISO 14064 – Carbon Verification – Specifies principles and requirements for designing, developing, managing, and reporting organisation or project-level greenhouse gas (GHG) inventories. It also includes requirements for GHG quantification, monitoring, reporting, and verification.

ISO 14068 – Carbon Neutrality – A pathway to achieve Net Zero. It includes requirements for quantification, reduction, and offsetting of greenhouse gas emissions and guides on the transparent declaration of carbon neutrality.

ISO 50001 – Energy Management – Focuses on energy management systems and provides a framework for establishing energy management best practices. It helps organisations improve their energy efficiency, reduce costs, and improve energy performance.

ESOS Compliance – The Energy Savings Opportunity Scheme (ESOS) – This is a mandatory energy assessment scheme for large organisations in the UK. It requires organisations to conduct energy audits and identify energy-saving opportunities every four years.

ISO 20400 – Sustainable Procurement – Provides guidance to organisations on integrating sustainability within procurement processes. It offers a framework for sustainable procurement, considering economic, environmental, and social impacts.

ISO 20121 – Event Sustainability Management – Specifies a management system for event sustainability. It is designed to help organisations improve the sustainability of their event-related activities, products, and services.

ISO 26000 – Social Accountability Certification – Offers guidance on social responsibility, helping organisations operate in a socially responsible manner. It covers various aspects such as human rights, labour practices, environment, fair operating practices, consumer issues, and community involvement.

ESG Solutions – Environmental, Social, and Governance (ESG) solutions refer to a set of standards for a company’s operations that socially conscious investors use to screen potential investments. ESG solutions encompass a range of practices that ensure a company’s impact on the environment, social justice, and governance policies are considered and addressed responsibly.

If you would like to explore any of the above certifications for your organisation and are looking for an environmental consultant partner to work with – contact us.

Working With an Environmental Consultant

When you choose to work with Blackmores as an environmental consultant, we can help you with any aspect of your certifications and assessment.

Online consultancy and support – we can provide you access to our online platform, which is home to a plethora of resources that you and your team can work through at your own pace. This is a great resource for any ISO certification, as you can access the materials when you need them most.

1-to-1 consultancy – our environmental ISO consultants are here to help you in person or over the phone. We call our consultants isologists because they are experts in all areas of ISO. After an initial meeting where we establish what certification you would like to achieve, you will be appointed an isologist who will work alongside you and create a support plan to ensure you are ready for your certification. We can also be onsite during your assessments. For more information on our environmental consultancy or to discuss an ISO certification, contact our team today.

If you are investigating ISO 9001 for your business, you might have considered using an ISO 9001 consultancy service. At Blackmores, we work closely with our clients to help them achieve their certifications in any way that we can.

Contact us today to discuss your ISO 9001 certification and how our consultancy services can help you.

Advantages of investing in ISO 9001 Consultancy

There are several advantages to investing in ISO 9001 consultancy for your business. Because we work with companies of all sizes and industries, we see these advantages first-hand. Here are some of the reasons why ISO consultancy is so important.

1. Expert Guidance and Knowledge Available at your Fingertips

Our ISO 9001 Consultants are experts in their field. We refer to our consultants as isologists, because they know everything there is to know about ISO standards and can provide precise guidance on how to interpret and apply changes to your management system to fulfil the requirements to pass your certification. As well as ISO 9001 consultancy, our team of isologists cover consultancy for all ISO standards. If your business requires support, make sure you contact us.

2. 100% Success Rate

At Blackmores, we are proud to have a 100% success rate track record. This shows just how dedicated our ISO 9001 consultancy team are to helping our clients. If you are new to ISO 9001 or have tried to achieve the standard in the past but have been unsuccessful, then investing in a consultancy service will give you all the support you need to pass your assessment and achieve your certification.

3. Training and Development Opportunities

When you choose to work with Blackmores ISO Consultancy service, you gain access to our isologyhub. This is an online platform packed with training and development resources. You and your team can train and learn online at your leisure in the comfort of your own home. This not only provides ongoing learning opportunities for your employees but also ensures that your team is knowledgeable and capable of maintaining compliance with ISO 9001 or any of the standards you are choosing to achieve.

4. Customised ISO 9001 Support

Every business is unique; when we work with a new client, we start with a gap analysis to ensure we can tailor our support to suit your requirements. Our isologists specialise in different ISO standards and take into account your specific needs and context of your business. This ensures that when you work with Blackmores, our ISO consultancy team can provide the customised support that you require.

5. Ongoing Support

Our ISO 9001 consultancy service offers ongoing support after you have achieved your certification. Through offering this, we help businesses maintain their standards and continually improve their processes.

6. Save Your Time and Resources

It’s no secret that setting out to achieve an ISO 9001 certification involves a lot of time and effort. When you work with our ISO 9001 consultancy service, we do a lot of the leg work, so you don’t have to. We provide a comprehensive review of processes and documentation, which helps us to identify gaps and areas of focus. We then create a plan for going forward and assist with the implementation of the new quality management systems. Following this, we organise the assessment on your behalf, getting quotes and availability from different certification bodies to ensure we get the best deal for your business. Because we have the knowledge and industry information, we are highly efficient at this process, allowing your business to achieve certification faster than if you were to do it on your own.

What is an ISO 9001 Certification?

An ISO 9001 certification is a globally recognised standard centred around quality management. It is designed to help organisations ensure they meet the needs of customers and other stakeholders while meeting statutory and regulatory requirements related to a product or service.

Key Elements of ISO 9001

An ISO 9001 certification is a complex standard; the key elements are:

Quality Management System – ISO 9001 provides a framework for establishing a quality management system, which encompasses all the processes, policies, procedures, and responsibilities for achieving organisational quality objectives.

Process-Oriented Approach – ISO 9001 promotes a process-oriented approach to documenting and reviewing the several areas of the business required to achieve effective quality management throughout.

Continuous Improvement – A core principle of ISO 9001 is to show an indication of continuous improvement of an organisation’s quality management system, which involves regular review and updating of processes and practices.

Customer or Client Focus – ISO 9001 emphasises the importance of understanding customer needs and striving to exceed customer expectations, ensuring high levels of customer satisfaction achieved through quality.

Risk-Based Thinking – in all businesses there are risks. ISO 9001 encourages organisations to implement risk-based thinking to identify potential issues and implement preventive measures.

ISO 9001 Consultancy from Blackmores

At Blackmores, we provide various levels of support in our ISO 9001 Consultancy services. As well as online support, we also appoint you with a dedicated ISO consultant, one of our isologists. They will be there to support you every step of the way. If your organisation is considering investing in ISO 9001, then contact Blackmores today. We can talk you through the various options we offer and help you start your journey.

Stitcher | Spotify | YouTube | iTunes | Soundcloud

Can you believe we’ve been publishing the ISO Show for 5 years now! We certainly can’t!

The ISO Show began back in 2019, following a trip to Cumbria by the host Mel Blackmore. She was, and still is, an avid fan of podcasts, and while listening to a few of her favourites on the 4-hour trip, she got to wondering if there were any podcasts about ISO Standards.

As it happened, there wasn’t at the time, and so the idea for the ISO Show was born. Not more than a few months later the first episode went live, and the rest is history.

For the past 5 years, we’ve had the honour of sharing our team’s combined 18 years of knowledge, including amazing insights from our clients and industry experts along the way.

Today Mel Blackmore will reflect on the ISO Show so far and share its next evolution as we introduce a new host.

You’ll learn

  • Why was the ISO Show created?
  • Why is Mel taking a step back?
  • What will be the focus for the future?
  • An introduction to the new host(s)

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: After 5 years of the ISO Show, it’s hitting a turning point as we introduce a new host.  

[02:25] An amazing journey – It’s been an amazing 5 years of digging deep into some of the most pressing issues we’ve faced, sharing tips and dispelling myths about ISO Standards.

We’ve explored a lot of topics over the years, including:

  • Sharing our ISO 22301 (Business Continuity) knowledge when COVID hit, to help people with future and current response plans.
  • Transitioning to new versions of Standards, such as ISO 27001:2022
  • Interviewing leaders within the ISO space, such as Kit Oung, who helped to develop the UK’s current energy and climate change regulations.

[04:05] Mel’s sustainability journey – why she’s taking a step back as host – Mel’s made it no secret that her passion lies with Sustainability Standards. This podcast has helped to amplify their importance within our space, but she wants to take this a step further.

Going forward, Mel will be dedicating herself full-time to researching the crucial role of carbon standards in achieving Net Zero emissions by 2050.

[05:00] An evolution for the ISO Show – All this to say, the ISO Show isn’t going anywhere, rather we are introducing a new main host – Ian Battersby!

[05:05] Who is Ian Battersby? – Ian is a senior Isologist here at Blackmores. Ian brings a wealth of knowledge, expertise and a passion for helping businesses raise their game with ISO standards.

He’s a bit of a digital nomad, splitting his time between Spain and England, and he works part-time at Blackmores.

So he is very much involved in the day-to-day challenges of ISO management. This includes the frustrations that businesses face and also how ISO standards support the achievement of greater productivity and profitability.

Ian will be introducing himself fully on the next episode 😊

[06:25] Thank you for making the ISO Show such a success! – We’ve now got a few thousand subscribers with a global reach; we honestly never expected to have so many listeners when we started.

So whether you’re a regular or occasional listener, thank you for being here with us, we truly hope that our knowledge has helped you on your own journey to continual improvement within your own organisation.

[07:25] A long journey – A lot has happened over the past 5 years. In addition to being the CEO of Blackmores, Mel has also developed the isologyhub – an on-line learning platform which helps to raise awareness and understanding of ISO Standards.

She has also founded Carbonology – a sister company that specialises in carbon related Standards, which is where she will focus her main efforts over the next few years.

[07:44] Stepping back – but not gone – While you will be hearing less from Mel, she won’t be completely absent. She will be joining us at least once a month to explore how ISO Standards are shaping the landscape of Net Zero.

She will be sharing her journey to achieve net zero based on academic research, including primary and secondary research on how the various carbon related standards support the Sustainable Development goals and achieving net zero.

This will primarily be diving into Standards such as ISO 14064 (Carbon Verification) and ISO 14068 (Net Zero), in relation to how they support the Sustainable Development Goals, help to create a level playing field, and provide transparency, reliability, accountability and, without a doubt, credibility.

[09:20] Why the focus on sustainability? – Mel will be studying for a master’s by researching the role of Carbon Standards Verification in contributing to achieving Net Zero.

This focus hasn’t appeared out of the blue. Mel founded Carbonology with the goal of tackling Net Zero, one business at a time. They’ve already had great success over the past few years, but there’s still so much more to do when it comes to understanding Greenhouse Gas emission verification, carbon removals, reductions and offsetting.

[10:10] Another big thank you – The ISO Show has been running for the past 5 years with the assistance of Blackmores Communication Manager – Steph Churchman.

We started from humble beginnings, recording with a mic housed in a shoebox and later stuffed in a cupboard to combat our office’s terrible acoustics. We’ve thankfully since upgraded our set-up to something much more comfortable.

Along the way we’ve experienced our fair share of technical issues, as you can’t really go 5 years of recording without something going wrong. However, there wasn’t much we couldn’t work around in some way or another.

As Steph has helped in researching topics we’ve discussed over the years, she will also be joining Ian on hosting the ISO Show in future episodes.  

[12:45] On to the next chapter – It’s not goodbye from Mel, but rather see you later. We’ll be bringing you all along on this next chapter of the ISO Show, so make sure you subscribe to stay up-to-date with our latest episodes.  

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

What are the benefits of ISO certifications for your business?

As ISO consultants, we work with organisations in various industries to help them gain their certifications. We know the benefits they can bring and why investing time and effort into gaining these standards is essential. 

What is an ISO Certification? 

ISO certification is a seal of approval from the International Standards Organisation that indicates you meet internationally recognised best practice standards. To achieve it, your organisation will undergo a rigorous assessment of its management system, practices, and procedures.

Once the assessment has been passed, the organisation will have to prove they are meeting the requirements annually to ensure they keep their certification. 

There are several different types of ISO certification for different business standards. The most well-known certifications that you may have considered for your business are:

As well as the above certifications, there are several others. Information on all of these can be found on our website. 

Top 5 Benefits of ISO Certifications for Your Business

But what are the benefits of ISO to your business? Why should you sacrifice the time and financial investment to gain a certification? 

There are several benefits of gaining an ISO certification; the most popular reasons that organisations invest are:

1. Globally Recognised Certification – ISO certifications are globally recognised. They signal to clients, partners, and stakeholders the standard at which your business is working. This is important if you’re working with many overseas clients who may not recognise standards specific to your country. 

2. Improved Management—Whichever standard you achieve, your organisation will improve this area of management. Gaining an ISO 9001 means you will have improved quality management, an ISO 27001 means you will have improved security management, etc. This enables your organisation to work more efficiently and to an overall higher standard. 

3. Open New Markets—Because ISO standards are globally recognised, they can open doors for your business to work in new markets. Depending on your industry, you may have clients who insist their partners hold specific certifications to be able to work with them. Therefore, gaining your certifications can allow you to work in new markets and with new clients. 

4. Company Values—Gaining an ISO certification instantly shows your company values. Once you have gained your certification, you receive a badge that can be displayed on your website and other marketing materials, so anyone interacting with your business will instantly see your company values. This is particularly true for environmental standards.  

5. Competitive Advantages—In many industries, gaining your ISO certification may set you apart from the competition. 

How can Blackmores Help you Achieve your Certification? 

If you are considering working towards an ISO certification, Blackmores are here to help. We provide a full ISO consultancy service for any organisation in any industry. When you decide to work with Blackmores, there are several different ways in which we can provide support:

ISO Consultants – we have a team of ISO consultants who can work with your organisation. Our consultants specialise in different ISO standards, so you will always be working with an expert. Your ISO consultant will be with you every step of the way, helping you put management systems in place. 

Online ISO Training—The isologyhub offers an extensive portfolio of online training resources. Once we begin our journey together, you will have access to various resources that you and your team can work through at your own pace to give you a wider understanding of ISO and how your organisation can achieve its certifications. 

ISO Show—Have you heard of our ISO show? The ISO show is a weekly podcast that we release. We discuss a new topic every episode, from new standard requirements to market trends to deeper explanations of specific standards. If you’re just beginning your ISO journey and want to understand more, then the ISO show is a great place to start—see all of our previous episodes here.  

Work With an ISO Consultant Today

If you are considering working towards an ISO certification and want to speak to an ISO consultant, contact our team today.


Nearly 60% of businesses that are impacted by a cyber incident go out of business within the 6 months following.

With our heavy reliance on technology to keep both businesses and services running, it’s imperative that everyone take cyber risk seriously.

However, incidents will inevitably happen and it’s up to you to ensure that your business is prepared to ride out the wave, and hopefully make a full recovery!

We invited Jack Morris, Account Director at Epiq, back onto the show to discuss the consequences of not being prepared for a cyber incident and the key steps businesses should take in the event of an incident.

You’ll learn

  • Who are Epiq?
  • What does the current cyber incident landscape look like? 
  • What are the consequences if a business does not respond to a cyber incident effectively?
  • How can a business detect if they’re being attacked?
  • How should businesses respond in the event of a cyber incident?
  • What role does a legal team play in incident response?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how businesses should respond to a cyber incident.

[03:00] Who are Epiq? – Epiq is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.

[04:35] What constitutes a cyber incident and why is it so important to respond effectively? – A cyber incident refers to unauthorised access or attempted access to an organisation’s IT systems. Types of incident include breaches, malicious attacks (e.g. Ransomware), and accidental events (e.g. Fire Damage). Responding effectively is crucial to minimise damage and protect sensitive data.

[05:40] What does the cyber incident landscape currently look like, and what challenges will organisations face in responding to an incident? – The cyber incident landscape is ever evolving, but here are some key trends we saw in 2023:

Attacks on the rise – the number of organisations posted on ransomware and data theft sites increased by over 70% year-on-year.

Business Email Compromise (BEC) incidents surged by 67% in 2023 – these events are where people within an organisation fall victim to phishing or similar – clicking on malicious links which ultimately compromise your mailbox.

For me, there are 3 main challenges that organisations face when responding to a cyber incident:

  • Day-to-day management – balancing the technical aspects of the incident with broader business continuity, communications, financial and legal considerations. This can be hugely difficult for an organisation during an already high-stakes situation.
  • Expertise and support – navigating the complex legal, technical and operational aspects of an incident
  • Data-focused impact – understanding and assessing the risk to data after resolving an incident.

[10:00] What are the solutions to these challenges? – Understanding the various external expertise and support available to a business, whether that be engaging with a law firm, a cyber incident response expert or a cyber insurer, will give you access to support with both the day-to-day management of an incident and the legal, operational and commercial impact of said incident.

[12:10] What are the consequences for an organisation that does not respond effectively to a cyber incident? – Failing to respond effectively to a cyber incident often leads to a variety of severe complications for a business, such as:

  • Operational Issues: operational disruptions will occur due to prolonged exposure of sensitive information, and if Ransomware has infected systems, the organisation will not have access to potentially crucial business information. Financial losses and higher incident response costs can come as a result of poor planning.
  • Additional Data Breaches: if an organisation doesn’t respond effectively to a cyber incident by taking steps to regain control over its systems, additional data breaches can occur from threat actors gaining further access to the organisation’s systems.
  • Financial Losses: cyber incidents affect a business’ bottom line. Costs include incident investigations, recovery, legal fees and potential fines. Further, knock-on effects such as lost business opportunities and damaged investor confidence come from poorly managed cyber incidents.
  • Damage to Reputation and Trust: public perception matters for a business. A poorly handled cyber incident damages an organisation’s reputation. Customers, partners and stakeholders lose trust, affecting long-term relationships and market position.
  • Legal Consequences: regulatory fines and potential follow-on litigation arise from non-compliance with data protection laws. Organisations failing to report breaches promptly face penalties. Legal battles can be costly and time consuming.

[16:25] How can organisations detect if they are being attacked? – Signs will vary depending on the type of cyber incident, but slow systems, locked accounts (no access to mailboxes etc.), inability to access documents or shared drives, ransom demands and unusual emails from the organisation’s own domains are all tell-tale signs of a cyber incident that organisations and end users could expect to experience. If an organisation has invested in Managed Detection and Response software for its end-points, this will proactively scan your environment and provide alerts to potential and actual cyber incidents.
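Two of the tell-tale signs above, locked accounts and repeated failed logins, are things a small detection rule can surface from authentication logs before an end user notices. The following is an added illustration written for this page; it is not Epiq’s or Blackmores’ tooling, and the log line format, field names and thresholds are assumptions, with the sample log lines constructed for the example.

```python
"""Flag account lockouts and bursts of failed logins in authentication logs.

Added example for this page, not code from Epiq or Blackmores. The log
format ("<ISO timestamp> <EVENT> user=<name> src=<ip>"), the 5-minute
window and the 5-failure threshold are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: alice is hammered with failures and then locked,
# bob has one ordinary failed login followed by a successful one.
SAMPLE_LOG = """\
2024-03-04T09:00:01 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-04T09:00:03 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-04T09:00:04 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-04T09:00:05 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-04T09:00:06 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-04T09:00:07 ACCOUNT_LOCKED user=alice src=203.0.113.7
2024-03-04T09:15:00 LOGIN_OK user=bob src=198.51.100.2
2024-03-04T10:30:00 LOGIN_FAILED user=bob src=198.51.100.2
2024-03-04T11:30:00 LOGIN_OK user=bob src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user, "src": src}


def detect_signs(log_text, window=timedelta(minutes=5), fail_threshold=5):
    """Return a list of alert dicts in log order, using two assumed rules:
    - every ACCOUNT_LOCKED event is an alert on its own;
    - reaching `fail_threshold` LOGIN_FAILED events for one user inside a
      sliding `window` raises one alert for that burst.
    Lines that do not parse are skipped rather than failing the whole run."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "ACCOUNT_LOCKED":
            alerts.append({"rule": "account_locked", "user": rec["user"], "ts": rec["ts"]})
        elif rec["event"] == "LOGIN_FAILED":
            recent = failures[rec["user"]]
            recent.append(rec["ts"])
            # drop failures that fell out of the sliding window
            while recent and rec["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) == fail_threshold:
                alerts.append({"rule": "failed_login_burst", "user": rec["user"],
                               "ts": rec["ts"], "count": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect_signs(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises two alerts, both for alice: a failed-login burst at the fifth failure and the lockout that follows it; bob’s single failure stays below the threshold. In practice the same two rules would be fed from the identity provider’s or directory’s audit log, and the burst alert is what gives the response team an early trigger for the Triage step described later in the episode.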

[17:40] What are the key steps an organization must take in responding to a cyber incident? – It’s a great question, and these key steps will be implemented during a cyber incident response plan – an impacted organization should:

  • Triage: Assess the severity and impact of an incident (organisations can instruct a first response organization to shut the doors, and assess the damage)
  • Identify: Understand what is happening to the business post incident, such as locked accounts or no access to business systems.
  • Resolve: take technical actions to mitigate the incident – shutting off access to accounts – closing the door
  • Report: Notify relevant stakeholders, including legal obligations.
  • Learn: analyse the incident to then take retrospective action to prevent further incidents.

[21:23] Join the isologyhub – Don’t miss out on a suite of over 200 ISO tools, templates and training; sign-up to become a member of the isologyhub.

[23:48] How does Cyber Insurance play a pivotal role in Cyber Incident Response? – like with most walks of life, insurance plays a crucial role in supporting organisations in effectively responding to disasters.

  • Response Funding: Insurers cover costs related to incident response, including professional services.
  • Response Time: Insurers bring in experts promptly, improving incident resolution.
  • Affordability: For small to medium businesses, insurance may be the only way to afford a response team.

[26:10] What role do vendors like Epiq play in supporting the incident response lifecycle? – Just like law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident.

Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it.

Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too.

Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim.

[27:25] What are the legal obligations that exist after a cyber incident, especially in relation to personal data breaches? – The legal obligations are clear: an organisation must report personal data breaches within 72 hours of awareness, unless the risk to individuals’ rights is unlikely. This quick turnaround is why it’s imperative that organisations have an established cyber incident response plan, and know who they should be talking to regarding the legal and operational implications.

[28:45] What support is there out there for organisations that are victim to a cyber incident? – On the previous episode, we discussed what organisations can do to be proactive in mitigating the risks associated with a cyber incident. We discussed the importance of Cyber Incident Response plans, as they outline what external support an organisation should seek in the event.

Having playbooks and relationships with law firms, cyber providers like Epiq, and cyber insurance coverage are 3 key focuses for every business.

[30:35] What role does a legal team play in incident response? – Legal support and advice is critical during an incident. As mentioned, they will help with reporting the incident to the required regulatory bodies.

  • Breach Notification – legal support ensures compliance with data breach disclosure laws and regulatory requirements.
  • Breach Counsel – law firms act as a breach counsel for organisations, enabling them to support and advise on the legal implications of a cyber incident. Most law firm cyber practice groups will have relationships with external vendors, like Epiq, to support with the operational response. They can co-ordinate with these external vendors to ensure compliance.
  • Privacy Law Compliance – they guide handling of personal data and privacy implications to ensure no further issues.

[36:00] What should an organisation do in future to prevent further incidents? – Benjamin Franklin’s famous quote is so true here – ‘by failing to prepare, you are preparing to fail’.

The key point here is to learn from your mistakes. There may have been numerous reasons that the organisation wasn’t ready for a cyber incident, but they should learn from what led to the incident previously, and proactively address this to prevent further incidents. 67% of organisations that get hit by a cyber incident are subject to further attacks within 1 year. It’s important to reduce your attack surface, and ensure you have cyber security themes running throughout the business.

[37:45] What are Jack’s top 3 tips to take away from this session to help listeners respond effectively to an incident? –

  • Establish an Incident Response Plan – we spoke through IR plans during the first episode, but creating a plan that outlines roles, responsibilities and communication channels during an incident is key. Once implemented, regularly testing the plan and simulating these incidents is key to ensuring effective response.
  • Engage external experts early – during this session we identified 3 critical external support pillars to an incident – having legal advice, operational and response support and insurance is key.
  • Prioritise business continuity – enabling the external experts to support you through the incident will free your bandwidth to ensure that you minimise damage and downtime to your business.

If you’d like to learn more about Epiq and how they can help you, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

What is an ISO consultant? And why should you be working with one?

An ISO consultant or ISO consultancy service is an individual or organisation that works alongside businesses to help them achieve their ISO certifications.

At Blackmores, we offer ISO consultancy. We have been working in this industry for decades and have built a wealth of knowledge and experience in assisting businesses in achieving their ISO certifications efficiently.

If you are investigating ISO standards for your business and would like some advice and assistance, please contact us.

What Does an ISO Consultant Do? 

When you work with an ISO consultant, they can help you in many ways. At Blackmores, we follow these steps:

Conduct an ISO Gap Analysis Audit – the first thing we do when working with a new client is to conduct an ISO gap analysis audit. This will highlight to us and our client which areas are functioning well and where changes need to be made in order to pass the certification. Because we work with many clients in different industries and areas, we can conduct these audits quickly and efficiently, so we can start recommending changes as soon as possible.

Create an ISO System—Based on our analysis findings and industry knowledge, we create a bespoke ISO management system for your business that incorporates your company’s current systems and way of working.

Provide e-Learning Materials—When you work with Blackmores, you can access our isologyhub, an online platform full of training materials and resources. Here, you can master the basics of ISO, learn specific techniques for the certification you are working towards, and create your own management system to comply with regulations. You can work through the training at your own pace, making it a flexible option for busy business people.

Appoint an isologist – You may choose to stick with the isologyhub, or you might want to invest in an ISO consultant, or as we call them, an isologist. Our isologists are experts in their field and will guide your business through every step of your certification from start to finish. They can still be available after you have achieved your certification for advice and support where required.

Plan and Conduct Internal Audits – we will plan and conduct internal audits throughout the process to ensure you are on the track to success. We won’t put you forward for your certification until we are satisfied that the standards will be met.

Provide On-Site Support—We will be on-site when you need us. When an isologist has an appointment, they will communicate with you in detail and be there when you need them.

Request a quote for Certification on Your Behalf—When we know you are ready and you are happy with your progress, we will request a quote for certification on your behalf because we work in the industry regularly and know the best way to achieve accreditation quickly and at a reasonable price.

Blackmores ISO Consultants 

At Blackmores, our ISO consultants are very experienced in working alongside organisations in various industries to help them achieve their certifications. Our success rate is unmatched, which is why many of our clients return to us when embarking on another ISO journey.

We know the hardships that come with working in professional sectors. Sometimes, a long-standing client may suddenly demand an ISO certification from their partners, or you may want to open doors to new markets for your business. Whatever your reason for exploring ISO certifications, our ISO consultants are here to help—it’s what we do!

ISO Standards Explained 

An ISO standard is a globally recognised certification that indicates that your organisation is operating to the highest recognised standard.

You may be aware that there are multiple ISO standards. Depending on your work sector, you may be more interested in some than others.

The most popular ISO standards are:

ISO 9001 – Quality Management. The ISO 9001 certification is a global quality stamp for an organisation.

ISO 14001 – Environment Management. The ISO 14001 certification shows that your organisation meets environmental standards and reduces its carbon footprint.

ISO 27001 – Security Standard. The ISO 27001 covers security issues and shows that all risks are assessed and handled correctly to protect information and individuals.

ISO 22301 – Business Continuity. The ISO 22301 is all about business continuity and shows that you have a plan for the business.

Work With an ISO Consultant 

If you are considering ISO certifications for your organisations and want to work with an ISO consultant, contact the Blackmores team today.


For ISO training online, why not become a member of our Isologyhub and gain access to training materials to help you achieve your certification?

Our Isologyhub can help take your business to the next level with a vast array of ISO training materials you and your team can access at your convenience. For more information, visit our Isologyhub page or contact us today.

Our Isologyhub

Our Isologyhub is the perfect way to complete ISO training online. We have created a wealth of resources to help you to achieve various ISO standards.

At Blackmores, we are ISO Consultants who help organisations all over the UK to implement ISO Management Systems and gain certification. Our clients can benefit from our expertise in the field and our experience working in different industries. Our hard work has led us to have a 100% client success rate – so what are you waiting for? Sign up to an isologyhub membership that suits you today.  

How Our Isologyhub Can Help Your Business 

At Blackmores, we have used our expertise to build the UK’s number-one training and resource platform to help you gain the certifications you need. When you become a member, you will have access to ISO training online, which will allow you to:

  • Learn the specific techniques required to gain your ISO certification.
  • Understand the basics of ISO and what an accreditation would mean for your business.  
  • Use our online resources to go at your own pace, with no set class times or deadlines.
  • Keep up-to-date with any changes or updates in the world of ISO.
  • Gain confidence in your ISO knowledge and expertise.  
  • Use your newfound knowledge to create your own bespoke ISO management system for your organisation so that you can gain your accreditation.  

Why Invest in ISO Training Online? 

As ISO consultants, we know how frustrating it can be to try and navigate gaining a certification on your own. Aside from the stringent procedures and processes required to pass the certification, the online resources can vary in quality and usefulness, making it difficult to know where to put your trust and efforts.

There are several reasons why you may be looking into ISO training online:

You Need Help Understanding Requirements for An ISO Certification – Our ISO training platform offers resources to help you understand each certification and the requirements for each. We break it down into understandable elements so you can see where you need to implement changes and new systems. We’re also on hand to help if you need further clarification.

Your Current ISO Management System is Outdated – if you’ve held an ISO certification for some time and are now finding that your systems are outdated, then ISO training online would be a good investment for you. You already know the basics; our resources will guide you through the updated elements and allow you to update your current systems with ease.

You Want to Increase Your Number of ISO Certifications – If your organisation already holds an ISO certification and you want to look into other standards, then online training would be a good direction. By gaining multiple ISO standards, you can increase your company profile and improve sustainability.

You’re Struggling to Keep on Top of Your Current ISO Certifications – There are many tasks that need to be kept on top of for you to keep your certifications. With standards being updated and best practices altering, there can be changes that you need to comply with. By becoming a member of our Isologyhub and investing in ISO training online, you can keep up to date and improve the overall management of your ISO system.

ISO Certification May Be a Requirement from a Client – You may have a client, supplier or partner who is demanding that you gain a particular ISO accreditation for them to continue working with you. If your resources are stretched or you need to understand particular ISO standards, becoming a member of our Isologyhub is a great place to start.

What Certifications Does Our ISO Training Online Cover?

When you sign up to our Isologyhub, you will have access to training and resources which can help you with thousands of ISO standards. The standards that we focus on in the most detail are:

Join Our Isologyhub Today

For ISO training online, and access to the resources you need to gain an ISO certification for your business, join our Isologyhub today.

Depending on where you are with your ISO journey, you may want to invest in an ISO consultant to support you. If you would like to discuss your ISO certification with us, please contact us.

Stitcher | Spotify | YouTube | iTunes | Soundcloud

The deadline is looming over the horizon, as October 2025 marks the end of the validity of ISO 27001:2013 certificates.

Have you made a start on your transition journey? If not, you really should make a start in 2024 to ensure you’re all set well before that final deadline. The first step is to decide if you want to do it yourself or enlist the help of a professional consultant.

For those who want to tackle it themselves, you’re in luck, as we have just the tool to help: The ISO 27001:2022 Transition Gameplan.

In this week’s episode, Steph Churchman, Communications Manager at Blackmores, explains why you need to transition to the 2022 version of the Standard and outlines the 7-step ISO 27001:2022 Transition Gameplan available on the isologyhub.

You’ll learn

  • Why do you need to transition to ISO 27001:2022?
  • What happens if you don’t transition?
  • What is the ISO 27001:2022 Transition Gameplan?
  • An overview of the 7-step Gameplan

Resources

In this episode, we talk about:

[00:25] A different host – Steph Churchman, Communications Manager at Blackmores, steps in to cover today’s episode. She’s heavily involved with the development and updating of the isologyhub, and will be explaining one of the latest Gameplans: The ISO 27001:2022 Transition Gameplan.

[01:15] Why do you need to transition to ISO 27001:2022? The October 2025 deadline is fast approaching, so you really should be making a start in 2024 if you’ve not already.

[01:45] Who needs to transition to ISO 27001:2022? – Basically, anyone who is currently certified under ISO 27001:2013 will have to transition to the updated Standard.

One of the main reasons why we recommend getting a head start on this is that Certification Bodies will undoubtedly have a large demand for transition audits in 2025, when everyone’s rushing to get it done at the last minute. This results in a shortage of resources from the CBs, and you may end up struggling to get booked in time.

[02:35] What happens if you don’t transition in time? – The harsh truth is you will lose your ISO 27001 certification.

This then means you’ll be required to go through another Stage 1 and 2 Assessment against the latest version of ISO 27001, which can be costly.

Another key reason is the latest version of ISO 27001 also considers a lot of new technologies that weren’t around back when the last version was published. You can imagine now that there are a lot more cybersecurity risks to consider with all the latest technology that has been released in that time. Put simply, it’s for the benefit of your Information Security to ensure you are adhering to the most recent best practice Standards.

[03:40] What is the ISO 27001:2022 Transition Gameplan? This Gameplan will walk you through the stages of transition, which align to our proven isology® approach. Isology being our methodology for implementing any ISO Standard, based on our 18+ years of experience.

In this Gameplan we provide training videos on the changes to ISO 27001, along with specific training videos covering each of the new Annex A controls that you will need to be familiar with, along with templates and workbooks to take you through the process from beginning to end.

[04:20] Step 1: Plan – Before you begin on your journey, it’s advised to understand the main changes to the standard. We’ve summarised the high-level changes in a previous podcast, and included a quick summary in the first step of the Gameplan.

In this first step, you’ll also find guidance on how to prepare for your Certification Body visit. You really do need to do this early on to help establish a realistic timeline to complete your transition work.

[04:55] Step 2: Discover – At this stage, you need to get to grips with the changes to the Standard. There have been a number of controls changed, and 11 completely new ones added. We did cover a select few of these new controls in a few previous podcasts: #111, #112, #113, #114

In this Discover step we provide a number of awareness videos to explore these new controls and changes in detail, including how they may apply to your business.

We’ve also included a downloadable PDF guide to these changes, in case you’d like to share this information internally.

[05:40] Step 3: Expose – In this step we’ve included an ISO 27001:2022 transition workbook, which will act as a guide for all your transition activities. The first being the conducting of a Gap Analysis against the latest version of the Standard.

After completing this, you will have a much better idea of where your main gaps and vulnerabilities are, so you can start putting the necessary controls in place to ensure compliance with ISO 27001:2022.

We’ve also included a summary of the main Management System documentation that will need to be updated ahead of your transition visit.

[06:20] Step 4: Create – This is the step where you will be implementing those changes as a result of your Gap Analysis. This will also be guided by that workbook, and we have provided some additional templates and resources to aid you.

These include:

  • A Statement of Applicability Template
  • Annex A Control Mapping
  • ISO 27001 Management Review Template

[07:15] Step 5: Launch – It’s not just about updating your documentation, you will obviously need to communicate these changes to the wider business.

In this step we go over a few options for your launch plan – including guidance for both a soft launch and an all-in launch.

To help you decide which one would be the best fit for you, we’ve included a full summary of each method in addition to a pros and cons list for each.

[08:30] Step 6: Engage – The last stages are all about gathering evidence of compliance against new and updated clauses and controls.

In this step we provide some insight into what’s required from your Internal Audits and Management Review ahead of your transition visit.

If you want to get some more tips on carrying out Internal Audits within your business, we also offer a full Internal Auditor course on the hub that covers the core skills needed to complete those. If you become a member of the hub, you’ll get access to our whole library of resources, which includes a wealth of ISO-related tools, templates and training videos.

[09:20] Step 7: Review – This last step will help you prepare for the transition visit with your certification body.

We touch on what you should expect from your Certification Body ahead of the transition visit, and include guidance on carrying out a final document and evidence check to make sure you’re all good to go.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

The use of AI within business is becoming more commonplace, with major applications like Microsoft Teams and Word integrating many new features designed to make our lives easier.

However, we still need to exercise caution with this new technology and consider what we can put in place to mitigate any potential security risks while developing or utilizing it, which is precisely what today’s guest, Monolith, has done.

Monolith provide a machine learning program that engineers can adopt to build highly accurate self-learning AI models that instantly predict the performance of systems in a wide variety of operating conditions.

In this week’s episode Mel is joined by Æsc George, Senior Software Engineer at Monolith, to discuss why they have adopted ISO 27001, explain their implementation journey and the benefits of having an Information Security Management System.

You’ll learn

  • Who are Monolith?
  • What was their main driver behind obtaining ISO 27001?
  • What was the biggest Gap identified in the initial Gap Analysis?
  • What benefits did Monolith gain from implementing ISO 27001?

Resources

In this episode, we talk about:

[00:25] An introduction to Monolith and Æsc George – Monolith is all about empowering engineers to develop self-learning models from their engineering test data. With this they can develop machine learning models to really accelerate new product introductions and get these new products to market much more quickly, primarily by using these models to accelerate and streamline their testing.

They are currently recommended for ISO 27001 certification, and are eagerly awaiting the arrival of their physical certificate.

Æsc George is a Senior Software Engineer for this web-browser-based software. He is also the interim security officer, which is why he was tasked with obtaining ISO 27001.

Fun fact about Æsc: He was a proud owner of a colony of 8 rats! He currently takes care of 4 cats, which have access to a plethora of enrichment in his home 😊

[03:35] What was the main driver for Monolith to obtain ISO 27001? – There were a few drivers, the most obvious being that they want to display their commitment and credibility when it comes to Information Security.

Acquiring ISO 27001 makes it easier to show their clients and prospects that their engineering data is in safe hands.

Monolith also know that there’s a lot of buzz about artificial intelligence and machine learning at the moment, and that buzz covers both sides of the coin: the good it can do for the world and the harm it can do. Aligning with ISO 27001 shows that they’re trying to use AI in a responsible way.

[05:10] The start-up is getting a head start! – Monolith is a start-up company, only a year in and already leading the way for AI development by ensuring security is a priority from the start.

[05:40] How long did it take to implement ISO 27001? Nine months from the point of contacting Blackmores to assist to being recommended for certification.

Æsc recounts his experience: “My perception is that the effort was quite front loaded, so the amount of effort involved in the process almost wound down towards the end – even with the external audit happening towards the end.

I think once the information security management had been established and we’d worked it into our day-to-day, the perceived effort was lower. So I felt pretty confident going through our audit processes because I’ve experienced the system working already.”

[08:15] What was the biggest gap identified at the Gap Analysis? – There wasn’t a formal approach to information security risk and risk treatment.

There were already a number of existing systems and ad-hoc arrangements to mitigate information security risks, but they had not been framed in terms of risk.

They hadn’t gone through a process where risks were quantified and weighed against each other.

So following the gap analysis, one of the many actions Monolith took was to make sure they were consistently and regularly assessing information security risk in various dimensions.

They now have the right framework in place to allocate the appropriate time and resources towards information security, and to prioritise the biggest risks.

[10:10] What difference has Implementing ISO 27001 made? – It’s given Monolith more confidence in their understanding of Information Security risks, and assurance that there aren’t any massive, unidentified risks that may cause trouble later down the line.

It’s also made it easier to discuss information security risk and policy decisions. Monolith AI are a remote-first company, allowing their staff the freedom to experiment with new technologies and to be in an environment where they feel comfortable. Having formal risk treatment in place means they can maintain this highly flexible, highly innovative and productive way of working, but with their eyes wide open.

[11:40] What has Æsc learned from the experience of Implementing ISO 27001? Æsc is not new to ISO Management Systems, having been involved with the maintenance and implementation of a few in the past.

However, he has gained an appreciation for the nuance in ISO 27001. For example, the knowledge that the standard uses words like ‘should’ and ‘shall’ that have particular intentions – ‘shall’ being mandatory and ‘should’ being recommended.

His previous experiences with Management Systems had more available resources than at Monolith, so learning this nuance has been important in the prioritization of focus and resources in his current position.

[13:30] What have been the main benefits from Implementing ISO 27001? Having a holistic and formal approach to Information Security and risk management compared to the ad-hoc approach they had prior.

It’s brought the company together on a really important issue, and helped everyone to understand the role they play in Information Security.

Personally, Æsc has enjoyed reaching out to people he may not ordinarily get the chance to work with, as a result of this unifying issue that everyone at Monolith cares about.

[17:00] Once Monolith formally receive their ISO 27001 certificate, what benefits will that bring? – Currently Monolith AI are recommended for Certification, and are simply waiting on the delivery of their physical certificate.

Once received, they will be able to present it to prospects and clients if they are questioned on information security credentials – to show that they are serious about their commitment to security.

It will also open doors to new prospects that may not otherwise have considered them as a supplier due to the lack of ISO 27001 certification.

They are also a leading example in the relatively new industry of AI; those with ISO 27001 certification at this stage stand out from other competitors.

[19:15] What tips does Æsc have for those starting out on their ISO journey? – Speaking from experience, Æsc recommends hiring a specialist in ISO to assist with your implementation.

In his case, Blackmores helped to organise the process, drive a lot of the early gap analysis and gave him confidence in going through internal and external audits.

Having someone with experience acting as a guiding hand makes the whole process go a lot more smoothly. This could be a consultant, or someone you train within your own business.

These projects are the sort of thing that turn passion into action. Whether that’s information security or environmental management etc., it’s better to have someone experienced or trained in the nuances of the Standard to ensure it’s implemented in a way that truly benefits your business.

[21:20] Æsc’s book recommendation – Nature’s Calendar: The British Year in 72 Seasons by Kiera Chapman, Rowan Jaines, Lulah Ellender and Rebecca Warren. Inspired by a traditional Japanese calendar which divides the year into segments of four to five days, this book guides you through a year of 72 seasons as they manifest in the British Isles.

As Æsc describes: “Lots of the seasons will be very familiar to people who’ve lived in this country their whole life, but they may not have necessarily thought about the context of it.

So I think it is really grounding. Time and the way we measure it can seem so arbitrary and abstract sometimes, and measuring minutes and hours is responsible for so much stress and anxiety, so taking a breath, thinking about how nature moves at a different, slower, more deliberate pace, and finding the time to synchronise with that and move with nature can be a really rewarding experience.”

[24:15] One of Æsc’s favorite quotes –  “I went to the woods because I wished to live deliberately, to front only the essential facts of life, and see if I could not learn what it had to teach, and not, when I came to die, discover that I had not lived” – Henry David Thoreau (from his book ‘Walden’)

[26:10] Need help with your ISO 27001 transition? – We have an ISO 27001 Transition Gameplan available on the isologyhub. This Gameplan provides a step by step guide for you to transition to the latest 2022 Standard.

If you’d like to learn more about Monolith, check out their website.


With a growing number of threats and risks facing businesses every day, it’s never been more crucial to have a proper system in place to mitigate and manage issues when they crop up.

A variety of ISO Standards can help businesses to do just that! And we’re seeing an ever-increasing trend of requests for Integrated Management Systems, which combine multiple ISO certifications to cover every aspect of their business. Such is the case with today’s guest, Todd Research.

Todd Research have been in the business of designing, manufacturing and supplying X-ray scanners for 70 years. They have since expanded their product range to include other solutions, all designed to detect suspect devices.

We’re joined by Caroline Banks, Support Manager at Todd Research, to learn about why they decided to implement ISO 9001 (Quality Management) and ISO 27001 (Information Security), including an insight into their experience with our ISO 14001 coaching programme, hosted on the isologyhub.

You’ll learn

  • Who are Todd Research?
  • Why did they choose to Implement ISO 9001 and ISO 27001?
  • What challenges did they face?
  • The benefits of ISO 9001 and ISO 27001
  • Their experience with our ISO 14001 coaching Programme

Resources

In this episode, we talk about:

[00:37] An introduction to Todd Research and Caroline Banks’ role as Support Manager there.

[01:20] What is something not many people know about Caroline? She’s taken up running and started with the Couch to 5K. She later completed a half-marathon in the same year, and has since gone on to finish 21 more half-marathons and 2 full ones!

[02:27] Who are Todd Research? They were founded in 1950, designing, manufacturing and supplying X-ray scanning equipment. They also provide service and maintenance for their devices worldwide.

[03:11] What Standards are they certified to? ISO 9001 (Quality Management, inherited from a previous company) and ISO 27001 (Information Security Management)

[03:48] What was the main driver for achieving ISO 9001 and ISO 27001? – For ISO 9001 – As a manufacturing company, they want to ensure that they can provide the best quality in terms of product and service. For ISO 27001 – This was more sales driven and was being requested in a lot of tenders, particularly Government tenders.

[04:35] How did Caroline manage an inherited Quality Management System? – Caroline completely revamped the inherited Management System, making it their own and adapting it to suit how they currently run their business. It involved a lot of review and removal of unnecessary documentation, with the end result of streamlining the whole system. They also appreciated a third party coming in to review and assist with the process. After moving to new premises, they are still continually improving the system year on year.

[06:25] How long did it take to achieve certification to ISO 27001? – They started in April 2021 with a Gap Analysis and gained certification in September 2021 (6 months in total). As they already held ISO 9001, they made the decision early on to integrate the two Standards into a Business Management System.

[07:50] What was the biggest gap found after the initial ISO 27001 Gap Analysis? – The biggest challenge for Todd Research was carrying out the Risk Assessments. Getting Directors involved in the review of Standards and agreeing what risks applied to them took the most time in the early stages.

[09:00] Caroline’s experience with ISO 27001 – While she had experience with ISO 9001, ISO 27001 was a whole new ball game. There are a lot of risks associated with Information Security, including phishing, malware, risks to hardware etc. This was all new territory for Caroline, but she adapted and learned a lot along the way.

[09:50] What difference has the Management System made to the business? – It’s unique to them and their way of working, especially as a result of integrating the two Standards into a single Management System. The whole process gave them a chance to look at the business with a new perspective, which in turn helped them to streamline a lot of processes.

[10:20] What lessons have they learned from Implementing ISO 9001 and ISO 27001? – Caroline now has a better understanding of how the business works from all angles, from manufacturing to finance. Her experience of having Blackmores assist with Internal Audits highlighted the need for and importance of impartiality.

[11:20] What are the main benefits? – For them, it’s having an Integrated Management System, as a lot of aspects of various ISO Standards share similarities, and it just makes sense to combine them to save on doubling up on documented information. Caroline also highlights the Corrective Actions Log as her key tool for managing actions following on from Internal Audits, allowing for a proactive approach to business improvement on a weekly basis.

[12:50] What is the ENE / ISO 14001 Coaching programme? – Blackmores secured some European funding to support 7 businesses in the East of England to raise awareness of environmental issues and implement some practical tools for Environmental Management. We opted for an ISO 14001 focus and utilized our online membership portal, the isologyhub, as the host with additional coaching from one of our experienced consultants.

[13:25] What was Caroline’s experience with the isologyhub and the ISO 14001 coaching programme? – Todd Research made the decision early on not to go for ISO 14001 certification. The experience gave Caroline a good insight into what the requirements are for the Environmental Management Standard in preparation for potentially certifying in future.

Caroline highlights the wealth of information available in the hub, including documentation which supplemented the coaching sessions. Her 1-2-1 coaching sessions resulted in deeper analysis of what their business can act on to improve their impact, for example putting in place a scrap metal policy for X-ray scanners and equipment that need to be disposed of. They have also streamlined their engineers’ service visits, by making the most of them while in any given area to reduce the carbon impact of travel.

[17:00] What was the most useful resource in the isologyhub? – The training provided for carrying out Risk Assessments, with a focus on their environmental risks.

[18:05] What was the main benefit of achieving certification to ISO 9001 and ISO 27001? – Having both standards sets them aside from their competitors, as many have ISO 9001 but not many have ISO 27001. It also brings a sense of continuity to the business.

[18:55] Caroline’s top tips – Use an independent company (such as Blackmores) to assist with Implementation. Having an experienced helping hand will make the journey run a lot more smoothly and will give you peace of mind, especially as you have your own day job to worry about!

[19:30] A reminder that the ISO 27001 Transition Gameplan is available on the isologyhub – ISO 27001 was recently updated, and those certified to it need to update to the latest 2022 version of the Standard. Our Transition Gameplan will guide you through the changes and what needs to be done to update your Management System.

[21:17] Caroline’s book recommendation – ‘Menopausing’ by Davina McCall

[22:17] Caroline’s favorite quote – ‘It’s not so much that I began to run, it’s that I continued’

You can find out more about Todd Research via their website!


Anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance to ISO 27001:2022 ahead of the October 2025 deadline.

Over the past few weeks, our mini-series has covered the fundamental changes to the Standard, along with tips on how to plan and Implement the required updates.

Join Mel this week as she explains the final few stages of an ISO 27001 transition, including the Internal Auditing and final preparation ahead of a Certification Body visit.

You’ll learn

  • What needs to be audited?
  • What do I need to do to prepare for the Certification Body visit?
  • How can you get a free copy of ISO 27001:2022?

Resources

In this episode, we talk about:

[00:44] Catch up on the last two episodes before listening to this one: What you need to know to transition to ISO 27001:2022 / What changes need to be Implemented to transition to ISO 27001:2022

[01:00] The last stages are all about gathering evidence of compliance against new and updated clauses and controls.

[01:28] Make sure you plan your transition visit well in advance – If you leave it too late you may incur additional fees for more days or possibly even for a full certification if you miss the deadline.

[02:15] This process for transition is fairly consistent among Certification Bodies. It typically includes a Readiness Review and a transition visit where they will review evidence of compliance against the new controls.

[02:45] You can get a free copy of ISO 27001:2022 if you sign up to our Transition Programme by April 1st 2023.

[02:55] The last stage ahead of the transition visit is Internal Auditing. For those still planning their 2023 Internal Audits, you may wish to Implement the changes earlier in the year with a view to auditing the changes in the latter half of 2023. Ensure that you allow time to build evidence of compliance ahead of a transition visit.

[03:45] If you need a bit of extra help, we include Internal Auditing within our transition programme – this will typically take 1 day.

[04:30] We can also support you during your transition visit – this could be on-line or on-site, which would depend on your Certification Body’s preference.

[05:20] Currently many Certification Bodies are suggesting a half day for the Readiness Review and another day for the transition. Some may choose to include this transition as a part of their annual Surveillance visit to help save on costs. If you have a Surveillance coming up, it’s worth getting in contact with them to see what they would recommend regarding your transition.

[05:43] We advise that you also ask your Certification Body when they will be UKAS accredited for ISO 27001:2022 – they may not be ready to complete a transition visit until the latter half of 2023.

[06:35] For our global listeners, your Certification Body will have an Accreditation Body that needs to verify their ability to conduct transition visits. For the UK this is UKAS, but it may differ for other countries.

[07:15] Don’t leave this until the last minute! Based on previous experience with transitions, we’ve found companies that leave it until a few months before the deadline often can’t transition in time, and end up having to pay for a full Stage 1 and 2 Assessment in order to keep their certification.

Grab a copy of our ISO 27001:2022 Guideline to the changes here:


The updated ISO 27001:2022 has had several changes, including the addition of 11 completely new controls and the merging of 56 other controls into 24 newly titled controls.

These changes mean that anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance to ISO 27001:2022 ahead of the October 2025 deadline.

Join Mel this week as she explains the changes that need to be made, including what key documentation requires updating to align with ISO 27001:2022.

You’ll learn

  • What changes need to be made to your existing Information Security Management System?
  • What key documents need to be updated?
  • How can you get a free copy of ISO 27001:2022?

Resources

In this episode, we talk about:

[00:44] In the last episode we covered the planning stages for your transition – catch up here

[01:02] We have a free ‘Guide to the ISO 27001 Changes’ available – simply fill out the form at the end of the Show Notes to download your copy

[01:29] You should have a copy of ISO 27001:2022 ahead of Implementing the changes (you can get a free copy if you sign up to our Transition Programme by April 1st 2023)

[01:35] Before you move onto Implementation, ensure that you have: planned back from your transition date, have an understanding of the new controls and had a Discovery session / Gap Analysis to see where the gaps in your current system are

[02:11] This is also a good opportunity to revamp your Management System! We have a few older episodes to help you with this: #102, #103, #104

[02:50] What needs updating? This will include:

  • Your Statement of Applicability
  • Risk Assessment
  • Objectives
  • Action Plans
  • Monitoring and measurement (reviewing what you are monitoring / measuring and how it’s recorded)
  • Internal Audit Schedule / Programme – To include the new controls

[03:45] At this stage you need to look at what controls you have in place – there may be some you can now merge together to reduce any paperwork involved.

[04:25] We have some tools available to tackle the new controls (e.g. Threat Intelligence, data masking, physical security monitoring etc.) if you need some extra help.

[04:50] It’s not just about updating documentation; you will need to fully implement and communicate these new controls to the wider business. You may find that you already have some controls covered, but not yet formalised.

[05:30] The main aspect of the Implementation phase is to address the gaps found during the Gap Analysis. For example, new controls such as data masking, threat intelligence and web filtering, which you may not have considered seriously before, now need formal, documented measures put in place to address them.
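The gap analysis and Statement of Applicability (SoA) work described in this episode, and in Steps 3 and 4 of the Transition Gameplan earlier on this page, is usually done in a spreadsheet: take each 2022 Annex A control, look up which 2013 controls it replaces, and decide whether existing evidence carries over, needs consolidating, or whether the control is new and needs risk-assessing from scratch. The script below is an added example written for this page, not Blackmores’ transition workbook or SoA template. The control mapping is a small excerpt constructed for the example (the authoritative correspondence tables are in ISO/IEC 27002:2022), and the 2013 SoA rows and evidence references are constructed sample data; the status names and the `draft_soa_2022` / `gap_summary` functions are the example’s own.

```python
from collections import Counter

# Excerpt of the 2013 -> 2022 Annex A control mapping, constructed for this example.
# The full correspondence tables are published in ISO/IEC 27002:2022.
MAPPING_2022 = {
    "5.1":  ("Policies for information security", ["A.5.1.1", "A.5.1.2"]),   # merged
    "6.7":  ("Remote working",                    ["A.6.2.2"]),              # renamed
    "8.24": ("Use of cryptography",               ["A.10.1.1", "A.10.1.2"]), # merged
    "5.7":  ("Threat intelligence",               []),                       # new
    "7.4":  ("Physical security monitoring",      []),                       # new
    "8.11": ("Data masking",                      []),                       # new
    "8.23": ("Web filtering",                     []),                       # new
}

# Rows from an existing ISO 27001:2013 Statement of Applicability (constructed sample data).
SOA_2013 = {
    "A.5.1.1":  {"applicable": True,  "implemented": True,  "evidence": "InfoSec Policy v3"},
    "A.5.1.2":  {"applicable": True,  "implemented": True,  "evidence": "Policy review minutes, Jan 2023"},
    "A.6.2.2":  {"applicable": False, "implemented": False, "evidence": "Justification: no teleworking"},
    "A.10.1.1": {"applicable": True,  "implemented": True,  "evidence": "Cryptography Policy v2"},
    "A.10.1.2": {"applicable": True,  "implemented": False, "evidence": ""},
}


def draft_soa_2022(mapping=MAPPING_2022, soa_2013=SOA_2013):
    """Build a draft 2022 SoA: one row per 2022 control, with a gap-analysis status and next action."""
    draft = {}
    for new_id, (title, old_ids) in mapping.items():
        row = {"title": title, "from": old_ids, "evidence": [], "status": None, "action": None}
        if not old_ids:
            # Nothing in the 2013 system maps here: must be risk-assessed and decided afresh.
            row["status"] = "NEW"
            row["action"] = "Risk-assess, decide applicability, implement and collect evidence"
        else:
            old_rows = {o: soa_2013.get(o) for o in old_ids}
            missing = [o for o, r in old_rows.items() if r is None]
            present = [r for r in old_rows.values() if r is not None]
            row["evidence"] = [r["evidence"] for r in present if r["evidence"]]
            if missing:
                # The old SoA never recorded a decision for a predecessor control.
                row["status"] = "GAP"
                row["action"] = f"No 2013 SoA row for {', '.join(missing)}; assess from scratch"
            elif not any(r["applicable"] for r in present):
                # Every predecessor was excluded: the exclusion must be re-justified against the 2022 wording.
                row["status"] = "NOT_APPLICABLE_REVIEW"
                row["action"] = "Re-confirm the exclusion against the 2022 control wording"
            elif all(r["implemented"] for r in present if r["applicable"]):
                # All applicable predecessors are implemented: just merge the evidence under the new control.
                row["status"] = "CARRY_OVER"
                row["action"] = "Consolidate evidence under the merged control"
            else:
                not_done = [o for o, r in old_rows.items() if r["applicable"] and not r["implemented"]]
                row["status"] = "GAP"
                row["action"] = f"Implement and evidence: {', '.join(not_done)}"
        draft[new_id] = row
    return draft


def gap_summary(draft):
    """Count controls per status so the transition workload is visible at a glance."""
    return dict(Counter(row["status"] for row in draft.values()))


if __name__ == "__main__":
    soa = draft_soa_2022()
    for cid, row in soa.items():
        print(f"{cid:>5} {row['status']:<22} {row['title']:<34} {row['action']}")
    print(gap_summary(soa))
```

Run stand-alone it prints one line per 2022 control and a status count; on the sample data the only carry-over is 5.1, 8.24 is flagged because one of its two predecessors was never implemented, 6.7 needs its exclusion re-justified, and the four new controls need risk treatment. The `GAP` and `NOT_APPLICABLE_REVIEW` rows are the ones to take into the risk assessment and Statement of Applicability update listed above; the `CARRY_OVER` rows only need their evidence references consolidated.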

[06:26] Communication and evidence should be at the forefront of your mind when updating your Info Sec Management System.

[06:39] Don’t just implement controls for the sake of it – consider how they are going to reduce risk and how they’re going to make a difference to improve your Risk Register and Statement of Applicability.

[07:00] The Implementation phase of our Transition Programme is 1-3 days depending on your level of required support

[07:54] You should also consider creating a Communication Plan to share knowledge of these changes to the wider business. Make sure you also compile any evidence of training on new elements of your Management System too. We will have Coffee Break Training available on the isologyhub which could help with this.  

Grab a copy of our ISO 27001:2022 Guideline to the changes here:

Keep an eye out for next week’s episode where we explain how to complete your ISO 27001:2022 transition.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

ISO 27001:2022 is here, which means it’s time to start thinking about starting the transition process. While the deadline is set at December 2025, it’s never too early to start!

If this is all news to you, check out our previous three episodes, where we reviewed all the major changes to ISO 27001, including clause updates and the 11 completely new controls added.

Join Mel this week as she explains what you need to know before embarking on your ISO 27001 transition journey, in addition to a summary of our transition programme.

You’ll learn

  • How to plan for your ISO 27001 transition
  • How can Blackmores help you?
  • How can you get a free copy of ISO 27001:2022?

Resources

In this episode, we talk about:

[00:44] Businesses have until October 2025 to transition to the updated version of ISO 27001:2022 – but don’t wait until the last minute! Certification Bodies get really booked up in the last year, and you could risk losing your certification and paying for another Stage 1 and 2 Assessment.  

[01:30] We recommend that you start thinking about your transition in 2023 so you have everything in place to start the process in 2024.

[02:28] As a recap – the major changes in ISO 27001:2022 are: 56 controls have been merged into 24 newly titled controls, 11 completely new controls have been added, and controls are now categorised into just 4 groups instead of the 14 from the previous version.

[03:00] ISO 27001:2022 Guide to the changes available – Simply fill out the form available at the end of the show notes to grab a copy!

[04:25] Over the next few episodes, Mel will talk through the process of planning, implementing and preparation for the Certification Body transition visit.

[05:51] All steps of the transition process are laid out in our Transition Programme, which includes: an awareness video, a transition action plan, Implementation of changes, Internal auditing of the changes and some optional support during the Certification Body visit.  

[08:45] The Planning Phase: We recommend trying to combine your transition visit with your next Surveillance visit – you can have a chat with your CB to see if that’s possible. This may not be possible if your Surveillance is coming up very soon, as you need time to implement the changes needed. Those that have it in say 6 or more months’ time would be in a good position to make the request.   

[09:30] Certification Bodies are recommending an extra half day for transition –  some may require a desktop review ahead of the actual visit. Combining this visit with your Surveillance is a good way to reduce costs.

[10:30] When planning out your timescales for transition, don’t forget to inform Leadership and key personnel involved in the running of the Management System about the expected changes to come – and plan in time for them to help with the implementation.

[11:10] Understanding the changes: We gave a high-level overview of the 11 new controls in our last episode. We will also have 11 Coffee Break Training courses covering the controls in more detail, available from March 31st 2023 on the isologyhub.

[12:11] Offer: We’re including a free copy of ISO 27001:2022 for those that sign up to our Transition Programme before April 1st 2023.

[12:34] You may get asked for a copy of the Standard at your transition visit – as having a copy can come under ‘other’ legal requirements.  

[13:10] Discovery Phase: We have a transition checklist which can help you identify where the gaps are in terms of compliance with the new controls. You may already have some of it in place!

Grab a copy of our ISO 27001:2022 Guide to the changes here:

Keep an eye out for next week’s episode where we dive into how to implement the changes…

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

ISO 27001, the Information Security Standard, was updated in October 2022. While there is a 2-year grace period for transition, we would urge everyone to make a start on implementing the changes to ensure you are compliant with the latest best practice standards.

Over the last two episodes, we’ve gone over the key changes and explored the specific clause updates in more detail. As mentioned in the first episode of this mini-series, there have been 11 new controls added to ISO 27001:2022.

Mel is once again joined by Steve Mason, Managing Consultant here at Blackmores, to discuss the 11 new controls added to ISO 27001:2022 and their purpose.  

You’ll learn

  • What are the 11 new controls in ISO 27001:2022?
  • Why have these been added?
  • What is their purpose?

Resources

In this episode, we talk about:

[01:00] A quick overview of the key changes –  56 Controls combined into 24 newly titled controls, 11 new controls added and 58 existing controls remained unchanged.

[02:30] We have been over a few of the new controls in ISO 27002:2022 in more detail in a few previous episodes: #111, #112, #113, #114

[02:50] These new controls are nothing to worry about – they are simply aligning the Standard with more modern security considerations. You may already be complying with them!

[03:32] Control A.5.7 Threat intelligence – ‘To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.’ This can come from many different sources, such as the NCSC or local police websites. There are also additional tools you can add to detect possible phishing attacks. This also includes consideration of external threats – Information Security is about much more than just protecting data! It also includes physical security.

[05:33] Control A.5.23 Information security for use of cloud services – ‘To specify and manage information security for the use of cloud services.’ More and more businesses rely on cloud-based computing. It’s important to verify the security of your service provider to ensure it’s adequate. You can check to see if they have any valid Information Security related credentials such as CSA STAR, Cyber Essentials or SOC. You could also adopt principles of ISO 27017 (certification for cloud security), ISO 27018 (protection of PII in the public cloud) and ISO 27701 (PII security Standard).

[08:30] Control A.5.30 ICT readiness for business continuity – ‘To ensure the availability of the organization’s information and other associated assets during disruption’ – There are a few standards that could assist with this, including ISO 27031 (ICT readiness for Business Continuity). Those that have ISO 22301 may want to look at how ISO 27001 elements can be integrated and improved in any disaster recovery plans. ISO 27001 needs to be an integral part of any business continuity plans – not just a bolt-on. Small businesses may not want to conduct a full business impact analysis, but should carry out a risk assessment around business continuity at the very least.

[11:30] Control A.5.30 ICT readiness for business continuity – further considerations: A key focus of this part of the Standard is Recovery Time Objectives and Recovery Point Objectives. Overall, the whole business continuity aspect of the updated ISO 27001:2022 may take a bit of work to implement, but you will ultimately be much better off in the event of a disaster or security incident. For further guidance, you may want to check out an older non-certifiable standard, BS 25777 (ICT continuity).

[13:20] Control A.7.4 Physical security monitoring – ‘To detect and deter unauthorized physical access.’ This can include things like CCTV, access control, swipe cards etc. This also includes the ability and regular practice of monitoring these access methods, for the purpose of detecting any anomalies.

[18:56] Control A.8.9 Configuration management – ‘To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes’ – Configuration for things like a firewall, software, any hardware devices, passwords etc. should be documented, explained and monitored on a regular basis to ensure nothing has been changed without notifying the relevant people. ISO 20000 includes a helpful section around configuration if you require further guidance.
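One way to put the “documented and monitored on a regular basis” part of A.8.9 into practice is a periodic drift check: record the approved configuration as a baseline, read the live configuration, and report anything that differs unless an approved change record covers it. The script below is an added example written for these show notes, not Blackmores’ or any vendor’s tooling; the sshd settings, the `CHG-0042` change record and the live config text are all constructed sample data.

```python
"""Configuration drift check (added example for ISO 27001:2022 control A.8.9).

Constructed example: an approved baseline for a host's SSH daemon settings,
a list of changes approved through the change process, and a live config as
it might be read from the host. Anything that differs from the baseline and
is not covered by an approved change is reported as unauthorised drift.
"""
import hashlib
from dataclasses import dataclass, field

# Approved baseline: the documented, security-reviewed settings (constructed).
APPROVED_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Change records approved via the change process (constructed): id -> (key, new value).
APPROVED_CHANGES = {
    "CHG-0042": ("MaxAuthTries", "4"),
}

# Constructed live sshd_config text; root login has been switched on without a record.
LIVE_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 4
LogLevel VERBOSE
X11Forwarding yes
"""


def parse_sshd_config(text):
    """Parse 'Key value' lines, ignoring comments and blanks; a repeated key keeps the last value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def fingerprint(settings):
    """Stable SHA-256 over the sorted settings, suitable for recording what was approved and when."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(settings.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class DriftReport:
    unauthorised: list = field(default_factory=list)  # (key, expected, actual): no change record
    authorised: list = field(default_factory=list)    # (key, expected, actual, change id)
    unexpected: list = field(default_factory=list)    # (key, value): not documented in the baseline


def check_drift(baseline, live, approved_changes):
    """Compare live settings with the baseline and classify every difference."""
    report = DriftReport()
    approved_values = {key: (cid, val) for cid, (key, val) in approved_changes.items()}
    for key, expected in baseline.items():
        actual = live.get(key)
        if actual == expected:
            continue
        if key in approved_values and approved_values[key][1] == actual:
            report.authorised.append((key, expected, actual, approved_values[key][0]))
        else:
            report.unauthorised.append((key, expected, actual))
    for key, value in live.items():
        if key not in baseline:
            report.unexpected.append((key, value))
    return report


if __name__ == "__main__":
    live = parse_sshd_config(LIVE_CONFIG)
    report = check_drift(APPROVED_BASELINE, live, APPROVED_CHANGES)
    print("baseline fingerprint:", fingerprint(APPROVED_BASELINE))
    print("live fingerprint:    ", fingerprint(live))
    for item in report.unauthorised:
        print("UNAUTHORISED change:", item)
    for item in report.authorised:
        print("authorised change:  ", item)
    for item in report.unexpected:
        print("undocumented setting:", item)
```

Run against the sample, the unauthorised finding is `PermitRootLogin` (baseline `no`, live `yes`), `MaxAuthTries` is accepted because `CHG-0042` covers it, and `X11Forwarding` is flagged as a setting the baseline never documented. The same pattern works for firewall rule sets or device configs: the parser changes, the baseline-plus-change-record comparison does not.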

[21:41] Control A.8.10 Information deletion – ‘To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.’ – This already existed in the Standard; it has simply been clarified further. You will now need to prove that data has been deleted as required. If you use a 3rd party for this, they will need to provide the relevant certificates.

[22:05] Control A.8.11 Data masking – ‘To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.’ – You have 3 options for data masking: obfuscation, pseudonymisation and anonymisation. This also helps to comply with GDPR requirements.
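The three options differ in what can be recovered afterwards, and that difference is what auditors and the GDPR care about. The snippet below, an added example for these notes rather than anything from the episode or from Blackmores, applies each option to one constructed customer record: obfuscation hides part of a value but leaves it recognisable, pseudonymisation replaces identifiers with keyed tokens (HMAC-SHA256, an assumed choice) that only the key holder can link back, and anonymisation drops direct identifiers and generalises the rest so the record cannot be traced to a person at all.

```python
"""Data masking options (added example for ISO 27001:2022 control A.8.11).

Constructed sample record and key; the three functions illustrate obfuscation,
pseudonymisation and anonymisation as distinct techniques with different
reversibility properties.
"""
import hashlib
import hmac

# Constructed sample record; not real personal data.
RECORD = {
    "name": "Jane Example",
    "email": "jane.example@example.org",
    "card_number": "4111111111111111",
    "postcode": "SW1A 1AA",
    "date_of_birth": "1985-06-14",
    "purchase_total": 120.50,
}


def obfuscate(record):
    """Option 1: obfuscation. Part of each value is hidden so it is unusable for fraud
    but still recognisable to, say, a support agent. The original data still exists
    elsewhere, so this reduces exposure on screens and reports rather than removing it."""
    out = dict(record)
    out["card_number"] = "*" * (len(record["card_number"]) - 4) + record["card_number"][-4:]
    local, _, domain = record["email"].partition("@")
    out["email"] = local[0] + "***@" + domain
    first, last = record["name"].split()[0], record["name"].split()[-1]
    out["name"] = first[0] + ". " + last
    return out


def pseudonymise(record, key):
    """Option 2: pseudonymisation. Direct identifiers become keyed tokens. The same
    input always yields the same token, so records can still be joined for analysis,
    but re-identification needs the key, which must be stored separately from the data
    (this is what distinguishes pseudonymised data from anonymised data under GDPR)."""
    def token(value):
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

    out = dict(record)
    for field_name in ("name", "email", "card_number"):
        out[field_name] = token(record[field_name])
    return out


def anonymise(record):
    """Option 3: anonymisation. Direct identifiers are removed outright and the
    quasi-identifiers are generalised (postcode area only, decade of birth only) so
    the record can no longer be linked to the individual. This is irreversible."""
    return {
        "postcode_area": record["postcode"].split()[0],
        "birth_decade": record["date_of_birth"][:3] + "0s",
        "purchase_total": record["purchase_total"],
    }


if __name__ == "__main__":
    # The key would normally come from a KMS or secrets store; constructed here.
    demo_key = b"constructed-demo-key-do-not-reuse"
    print("obfuscated:   ", obfuscate(RECORD))
    print("pseudonymised:", pseudonymise(RECORD, demo_key))
    print("anonymised:   ", anonymise(RECORD))
```

A useful way to pick between them: if a process must still contact the person, obfuscate; if analysts must link records over time without seeing who they are, pseudonymise and keep the key under separate access control; if the data is only needed for statistics, anonymise and the dataset largely drops out of scope for personal-data requirements.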

[24:10] Control A.8.12 Data leakage prevention – ‘To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.’ – This control has made a return from the 2005 version of ISO 27001. Businesses should have systems in place to monitor any particularly large data downloads – or even possibly large print batches. You should also ensure that you have a secure email system in place as well as VPNs and regular security training to shore up your security and prevent any potential leaks.

[27:00] Control A.8.16 Monitoring activities – ‘To detect anomalous behaviour and potential information security incidents.’ – Appropriate monitoring should be in place to detect any potentially dangerous or malicious behaviour.
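The two controls above (A.8.12 on large downloads and print batches, A.8.16 on anomalous behaviour) are often satisfied by the same monitoring logic. The script below is an added example for these notes, not tooling from the episode or from Blackmores: it parses a constructed transfer log, totals downloads per user, and raises a finding for any user over a daily volume limit, any large download outside working hours, and any oversized print job. All thresholds and the quiet-hours window are assumed values that an organisation would set from its own risk assessment.

```python
"""Data leakage indicators over a transfer log (added example for A.8.12 and A.8.16).

Constructed log format: ISO timestamp, user, action, size. For 'download' the size
is bytes; for 'print_job' it is pages. Thresholds are assumed, not from any standard.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; not from a real system.
SAMPLE_LOG = """\
2023-03-01T09:02:11 alice download 2400000
2023-03-01T09:15:40 alice download 1800000
2023-03-01T11:07:03 bob download 900000
2023-03-01T22:48:19 bob download 650000000
2023-03-01T22:51:02 bob download 720000000
2023-03-01T23:10:55 carol print_job 450
"""


def parse_log(text):
    """Turn each line into a dict; malformed lines are skipped so one bad line
    does not stop the whole check (they should be counted and reviewed separately)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, size = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "size": int(size)})
    return events


def is_out_of_hours(ts, quiet_start=20, quiet_end=6):
    """True between quiet_start (20:00) and quiet_end (06:00); window is assumed."""
    return ts.hour >= quiet_start or ts.hour < quiet_end


def detect_leakage_indicators(events, daily_limit=1_000_000_000,
                              single_transfer_limit=100_000_000, print_limit=200):
    """Return (user, reason) findings for an analyst to review.

    Rules (all thresholds assumed):
      1. a single download >= single_transfer_limit outside working hours,
      2. a print job of >= print_limit pages,
      3. a user's total downloaded bytes in the log window > daily_limit.
    """
    daily_totals = defaultdict(int)
    findings = []
    for e in events:
        if e["action"] == "download":
            daily_totals[e["user"]] += e["size"]
            if is_out_of_hours(e["ts"]) and e["size"] >= single_transfer_limit:
                findings.append((e["user"],
                                 f"out-of-hours download of {e['size']} bytes at {e['ts'].isoformat()}"))
        elif e["action"] == "print_job" and e["size"] >= print_limit:
            findings.append((e["user"], f"large print batch of {e['size']} pages"))
    for user, total in daily_totals.items():
        if total > daily_limit:
            findings.append((user, f"daily download total {total} bytes exceeds {daily_limit}"))
    return findings


if __name__ == "__main__":
    for user, reason in detect_leakage_indicators(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

On the sample, `bob` produces three findings (two late-evening transfers and a daily total of 1,370,900,000 bytes), `carol` one for the print batch, and `alice` none. The point for the control is that the findings are evidence: keeping the log, the thresholds and the review of each finding is what demonstrates that monitoring is actually happening, not just documented.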

[28:00] Control A.8.23 Web filtering – ‘To protect systems from being compromised by malware and to prevent access to unauthorized web resources.’ – Your systems should be set up in a way that prevents people from accessing unsecure or unsavoury sites. This could include social media sites – but be mindful that there may have to be exceptions for marketing or communications personnel for those particular sites.

[28:00] Control A.8.28 Secure coding – ‘To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.’ – If you have created your own secure coding practices, be sure to evaluate them against industry professional standards such as OWASP and NIST.

As a reminder, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.

Keep an eye out for next week’s episode where we dive into the clause clarifications and control changes of ISO 27001:2022…

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud

As many of you are aware, an updated version of ISO 27001 was published in October 2022. While there is a 2-year grace period for transition, we would urge everyone to make a start on implementing the changes to ensure you are compliant with the latest best practice standards. But where do you start?

In the last episode, Mel and Steve gave an overview of the updated ISO 27001:2022, including a high-level look at some of the key changes.

In addition to the control changes, there have been several changes made to specific clauses within the Standard.

Mel is once again joined by Steve Mason, Managing Consultant here at Blackmores, to discuss the ISO 27001:2022 clause updates and their purpose.

You’ll learn

  • What clauses have been updated from the 2013 version of ISO 27001?
  • Why have these clauses been updated?

Resources

In this episode, we talk about:

[01:06] The changes to these clauses appear to align your Management System with the business more so than in the previous iteration of ISO 27001 – a key focus is integration.

[01:20] First change: Clause 4.2 Understanding the needs and expectations of interested parties – ‘c) which of these requirements will be addressed through the information security management system.’ This seeks to align the Management System with interested parties and identify where it may or may not be able to meet their needs and expectations.

[03:30] Clause 4.4 Information security management system – ‘The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.’ There will be more focus on process flows and not Policies and Procedures. This can be further used to align the Management System with your business, by clearly identifying where it fits in with your business activities.

[06:14] Clause 5.1 Leadership – ‘Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.’ – This acts more as a reminder to top management to ensure they include the Management System as part of the business and not just a bolt-on. It should be a part of the strategy and part of the business (part of the ship, part of the crew).

[07:42] Clause 6.1.3 Information security risk treatment – Note 2 in sub-clause ‘c’ now states ‘Annex A contains a list of possible information security controls.’ (it had previously read ‘Annex A contains a comprehensive list of control objectives and controls.’) – This simply means that you can add references to other controls outside of the list provided within Annex A, e.g. NIST or Cyber Essentials. Though do be careful to avoid doing this at a minutiae level, as that just increases Management System maintenance.

[09:15] Clause 6.2 Information security objectives and planning to achieve them – A couple of extra points have been added to this clause: ‘d) be monitored’ and ‘g) be available as documented information’ – The monitoring was previously a given, but not really specified. So now, you’ll have to demonstrate how you’re monitoring objective planning and achievements.

[10:24] Clause 6.3 Planning of changes – ‘When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.’ – This has now been aligned more with ISO 9001’s approach to changes. All changes should be planned before implementation, and this now includes information security consideration. Fun fact – they forgot to include this clause in the Standard’s table of contents! (as of January 2023; this will probably be added later!)

[11:55] Clause 9.3.2 Management review inputs – ‘c) changes in needs and expectations of interested parties that are relevant to the information security management system’ – This just ensures that the needs and expectations of your Interested Parties are reviewed and not just left stagnant.

[13:20] To help you revamp your Management Review, check out episodes #99 and #100

As a reminder, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.

Keep an eye out for next week’s episode where we dive into the clause clarifications and control changes of ISO 27001:2022…

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud

The long-awaited update of ISO 27001 arrived in October 2022, having gone 9 years since its previous 2013 iteration. Needless to say, it was much overdue.

The new 2022 version of the Standard includes 11 new controls and sees around 56 other controls combined into 24 newly titled controls.

In order to cover every aspect of the new Standard, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.

Starting off the series strong, Mel is joined once again by Steve Mason, our very own Information Security guru, to broadly discuss the changes to ISO 27001:2022.

You’ll learn

  • Who is ISO 27001:2022 applicable to?
  • An overview of the changes to ISO 27001:2022
  • What is Steve’s favorite change to ISO 27001:2022?
  • What are the challenges involved with updating to the 2022 version?

Resources

In this episode, we talk about:

[01:50] Steve gives an overview of what’s new in ISO 27001:2022 – The updated version of ISO 27001 was released on the 26th Oct 2022. The new version includes 24 changes and clarifications within the main clauses.

[02:50] The controls for the new standard are now categorised into 4 groups: Organisation, People, Physical and Technology

[05:50] We covered some of the new controls in more detail in previous episodes: #109, #110, #111, #112, #113 and #114

[06:17] The 24 changes and clarifications to Clauses include older existing clauses which have been tidied up to be more transparent. We recommend reviewing to ensure that you are complying in a way that aligns with the Standard.

[06:35] There are 11 new controls. 56 controls from the 2013 version have been reduced to 24, with 58 remaining unchanged. So, in short, Annex A has been simplified with less duplication of controls.

[07:44] Steve highlights section A.9 for Access Control as one of the much-improved controls – due to the lack of repetition and simplified requirements for compliance.

[08:35] Steve’s favourite update to the Standard: The whole Standard now collectively encourages incorporation into your business. Your ISMS should not feel like a bolt-on; it should be a part of your business’s DNA.

[10:36] Steve’s favourite update to the Standard #2: It’s not a static Standard, it encourages development and continual improvement.  

[13:45] For those completely new to ISO 27001 – check out our 3-part Steps to Success series which explains the Implementation process from start to finish.

[14:38] Listen to some of our client interviews to hear the challenges others faced when Implementing ISO 27001 in addition to the benefits gained as a result of adopting the Standard:   

[14:50] Why would the business continuity elements of ISO 27001:2022 pose a challenge?  There used to be a clause in the 2005 version of the standard which documented the need for a business impact analysis – this was removed in the 2013 version. The new ‘ICT readiness for business continuity’ control will require at the very least, a risk assessment.   

[16:48] Steve recommends checking out the Plan, Do, Act, Check diagram in ISO 27031 (Guidelines for information and communication technology readiness for business continuity). It also includes some great guidance on business impact analysis.

[18:40] The ICT readiness control is not designed to be an all-encompassing business continuity strategy – it’s designed to work in tandem with an existing one (you may already be certified to ISO 22301 Business Continuity Management).

[19:50] It’s highly recommended that if you don’t have a Business Continuity Plan or strategy, you at least have a framework in place. Disasters by their nature are unpredictable, as is the resulting damage to an extent. You will not know the full extent until you’ve lived it – so don’t write an exhaustive 80+ page manual that no-one will read; document the what, who and how of getting yourself back up and running again.

[21:11] There has also been an update to ISO 27005 (Risk assessment in relation to info sec). It includes a new set of threat categories: physical threats, natural threats, infrastructure failures, technical failures, human actions, compromised services or functions and organisational threats. These may help you when putting a business continuity framework in place.

[22:05] Above all else – ISO 27001:2022 has modernised and aligned itself more with the likes of Cyber Essentials and NIST.

Keep an eye out for next week’s episode where we dive into the clause updates…

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud

Happy New Year! We at Blackmores hope you all managed to have a break over the holiday season and are gearing up for many challenges and successes in 2023.

As a reminder, we signed off last year by highlighting the top 5 podcasts as dictated by you, the listeners.

Before we dive into a brand-new year full of top tips, expert advice with industry leaders and client interviews, we’d like to take a step back and let the host share her reflections on 2022.

Join Mel as she shares her personal top 5 ISO Show episodes from last year.   

You’ll learn

  • What are Mel’s top 5 episodes of 2022?

Resources

In this episode, we talk about:

[00:30] A reminder to listen to our last podcast, covering the top 5 podcasts as dictated by the listeners.

[01:21] #1 Episode 102 – What’s in a name? This episode features our Senior Isologist, Sarah Ball, as she explains the importance of giving a meaningful name to your Management System. 

[03:40] What’s in a Name snippet – Full episode available in the ISO Show Archive   

[08:01] #2 Episode 94 – The 7 Steps of Carbonology – Reduce: Part 4 of the 7 Steps of Carbonology series, featuring our Carbonologist, David Algar. This episode delves into the creation and communication of a carbon reduction plan, and the benefits of reducing your footprint rather than relying on offsetting alone.

[10:14] The 7 Steps of Carbonology – Reduce snippet – Full episode available in the ISO Show Archive   

[16:48] #3: Episode 117 PMC’s journey and ongoing success with ISO 27001 – This is an interview with Philip Bailey, the Managed Services Director at PMC Retail, talking about their ISO 27001 journey. Philip shares his lessons learned and gives some top tips for anyone considering implementing the Information Security Standard.

[17:58] PMC’s journey and ongoing success with ISO 27001 snippet – Full episode available in the ISO Show Archive 

[24:00] #4: Episode 100 How to get the most out of your Management Review – Featuring Rachel Churchman, Managing Consultant here at Blackmores, this episode explores how added value can be gained from doing a Management Review. Mel and Rachel discuss various ways you can conduct a Management Review and what should be your key inputs and outputs.   

[26:14] How to get the most out of your Management Review snippet – Full episode available in the ISO Show Archive   

[30:41] #5: Episode 108 How to align your Management System with the Sustainable Development Goals – Following on from the Sustainable Development Goals summary episodes, Mel shares how you can align your Management System right now without the need for any ISO certification.

[32:37] How to align your Management System with the Sustainable Development Goals snippet – Full episode available in the ISO Show Archive 

We look forward to bringing you even more amazing content in 2023, so stay tuned! 😊

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud


ISO Consultancy Service

Work with our ISO Consultants
Let Our isologists guide you through your certification.


Online Membership

DIY with our isologyhub
Our ISO consultants can still be on hand for support where needed.

About Blackmores ISO Consultants

Our 7 Steps to Success

The Blackmores ISO Roadmap is a proven path to go from idea to launching your ISO Management System.

Whether you choose to work with one of our ISO Consultants, our isologists, or work your own way through the process on our isology Hub, we’re certain you’ll achieve certification in no time!

We have a proven step by step process that our ISO Consultants implement as soon as our working relationship begins. We use our specialist skills and industry knowledge to determine what is already on track and where improvements can be made. We live and breathe ISO standards, we know the standards inside out so you don’t have to.

Our ISO Consultants can help you implement systems for any ISO Standard. See the full list for specialised standards here.

What our clients have to say

We engaged Blackmores to develop our ISO 9001, 14001, and 45001 management system from scratch. Throughout the creation and development stages of our ISO journey, Anju Punetha demonstrated remarkable patience, knowledge, and understanding as our dedicated consultant.

During our internal audit preparations, Ian Battersby’s meticulous attention to detail and thorough approach ensured we were well-prepared for our external audit, which we passed with flying colours. His guidance during the external audit was invaluable.

Based on our engagement and experience, I highly recommend the entire Blackmores team. If you’re considering pursuing ISO accreditations, Blackmores should be your first choice.

Graeme Adam

The support and advice I get from our assigned auditors is immense. Forward planning for the following year is great and they are flexible and always willing to help.

Kalil Vandi

“Blackmores have assisted us almost since the start of our adoption of the ISO 9001 quality standard. Their input has improved our processes since the start, and enabled our goal of continuous improvement to be achieved. The people are also extremely easy to get on with, and they really understand our business, giving us a great deal of confidence in their advice.”

David Gibson

Photon Lines Ltd

“Blackmores are the perfect bridge between working on your ISO as an individual or company, to being audited each year. We find that any queries we have are covered and we feel sure that we have everything as needs be before going into an external audit.”

Mandy Welsby

Jaama Ltd

“We have been extremely impressed with the service and support provided by Blackmores. Their knowledge and assistance throughout our ISO journey has been amazing!”

Philip Hannabuss

Dome Consulting

“Blackmores have really kept us on our toes with the broad scope and level of detail they apply to our internal audit schedule. They always stay abreast of ISO standard changes and help us to adapt our processes and documents to embrace these changes accordingly. Having Blackmores shadow our external audits provides invaluable confidence and peace of mind – would highly recommend their services!”

Phil Geens

Kingsley Napley

“Our ISO 27001 certification project has gone so well, that there was no doubt in who we were going to ask to help us with our aspirations of becoming ISO 14001 certified. It’s been an absolute pleasure working with Blackmores, and we are really looking forward to working with them for the foreseeable future.”

dotdigital

Trusted by leading organisations across all sectors, we support companies of all sizes in any location.

Are you ready to start your ISO journey?

ISO Show

Listen to our Podcast

Welcome to the ISO Show podcast, dispelling myths and sharing tips for success to improve your business with ISO Standards. Join us to hear interviews with successful business leaders as they share their ISO journey with you.

Get top tips via audio master classes “ISO Steps to Success” on the most popular ISO Standards.



Ready to go carbon neutral... And achieve ISO Standards?

Welcome to Carbonology®

The proven method for achieving your carbon goals, aligned with ISO 14064 (carbon verification) and PAS 2060 (carbon neutrality)

Blackmores Carbon Neutral       Blackmores Carbon Footprint