It’s been a busy year for ISO Standards, with that set to ramp up in 2026 thanks to upcoming Standard transitions.
Before we dive into a new year, we’d like to take a step back and highlight some of the key ISO milestones from 2025.
In this episode, Steph Churchman, Communications Manager at Blackmores, looks back at the major Standard updates from 2025, including changes to existing Standards, new ISO Standards published, and key upcoming changes you need to be aware of going into 2026.
You’ll learn
- What ISO Standards have been updated in 2025?
- What new ISO Standards were published in 2025?
- What Standards are due to be published in 2026?
- What ISO transitions do you need to be aware of in 2026?
Resources
In this episode, we talk about:
[02:05] Episode Summary – Steph reviews major ISO Standard updates from 2025, including changes to existing ISO Standards, new Standards published and what you need to know going into 2026.
[02:34] What ISO Standards have been updated in 2025?:
ISO 27701:2025: This is the Standard for Privacy Information Management and it recently received an update in October 2025. Key updates to this Standard include:
- This is now a stand-alone Standard and can be implemented without an existing ISO 27001 ISMS in place.
- The addition of further guidance for data processors and controllers.
- Provides greater clarity on managing personal data within AI and digital ecosystems.
- More focus on organisational leadership involvement.
- The update now aligns ISO 27701 more closely with global regulations such as GDPR, CCPA and LGPD.
ISO 37001:2025, the Standard for Anti-bribery. This one was well overdue for an update, with its last version being 2016! Its update arrived on 2nd Feb 2025, and included:
- Text harmonisation with the other ISO 37000 family of Standards, such as ISO 37301 (compliance management systems), ISO 37000 (governance of organisations) and ISO 37008 (internal investigations of organisations) to ensure consistency and easier integration.
- The latest version now formally introduces the concept of anti-bribery culture and emphasises its importance for the effectiveness of the management system.
- A greater emphasis on the role of top management and their involvement in overseeing the management system.
- A new requirement has been added for awareness and training as a fundamental asset for management system results.
- It also receives the added climate change amendment, which many ISO Standards already embedded back in 2024 – learn more about that here.
- And lastly, there are more comprehensive definitions of conflict-of-interest as well as procedures to raise awareness on reporting potential and actual conflicts.
ISO 50002, the standard for energy audits. This isn’t a certifiable standard, but rather a guidance document to support the energy management standard ISO 50001.
The recent update has now split this Standard into 3 parts:
- ISO 50002 part 1: General requirements with guidance for use.
- ISO 50002 part 2: Guidance for conducting an energy audit in buildings.
- ISO 50002 part 3: Guidance for conducting an energy audit in processes.
Most of the revisions focused on strengthening and adding further clarification to energy auditing principles such as competency, confidentiality, objectivity, access to equipment, resources and information, an evidence-based approach and a risk-based approach.
Lastly, this update also clearly specifies the requirements for energy auditor competence.
[07:10] What new ISO Standards were published in 2025? ISO 42006 – Requirements for bodies providing audit and certification of artificial intelligence management systems. This is a guidance Standard that actually relates to certification bodies rather than businesses choosing to implement ISO 42001.
It builds on ISO 17021-1 and ensures that certification bodies operate with the competence and rigour necessary to assess organisations developing, deploying or offering AI systems.
While one that you as a business may not have to worry about, it’s a positive addition to the growing ISO 42000 family of Standards, which are currently the only global frameworks for best practice for AI Management.
ISO 17298 Biodiversity – Considering biodiversity in the strategy and operations of organizations. ISO 17298 ultimately aims to help organizations of all types and sizes understand how they depend on and impact nature – and take concrete action to address it. It includes guidance to help you:
- Understand your biodiversity impacts, dependencies and risks
- Identify opportunities for green growth and nature-positive finance
- And develop and implement a credible biodiversity action plan
[09:45] What new ISO Standards are due to be published in 2026? ISO 53001 management system requirements for the United Nations Sustainable Development Goals.
Many businesses have already done the hard work behind aligning their ESG activities with the UN SDGs, and will soon be able to benefit from certification to an internationally recognised Standard to help manage and improve their performance against those SDG goals.
The Standard provides a framework for an SDG management system that will:
- Enhance the organization’s SDG performance.
- Fulfil compliance obligations.
- Achieve selected SDG objectives.
- Create trust and confidence among relevant existing and future stakeholders.
If you wanted to get a head-start, the guidance document ISO 53002: Guidelines for contributing to the United Nations Sustainable Development Goals is available to download for free right now.
ISO 14060: Net Zero Aligned Organisations. This Standard details requirements for how any type of organization can demonstrate that their net zero strategy is achievable, and that they are making credible and verifiable progress towards contributing to global net zero in line with the Paris Agreement.
There is a lot of country-specific legislation and regulation now in effect, or soon to be in effect, but there is a lack of clarity around what it actually means to be Net Zero. This is where ISO 14060 comes in, to create a globally accepted definition of what it means for an organisation to be net zero.
In addition, this Standard will also:
- Define what constitutes a credible net zero strategy at an organisational level
- Establish how targets should be set, measured and delivered
- Require organisations to align with the goals of the Paris Agreement
- Build on existing ISO standards such as ISO 14064 for GHG verification and ISO 14068-1 for Carbon Neutrality
- Have a focus on organisational claims, not product or event-level claims
- And lastly it will be globally applicable and adaptable across sectors.
[12:50] What ISO Standard updates do you need to be aware of for 2026?: The anticipated update to the leading environmental management system Standard, ISO 14001, is expected to be published in Q1 of 2026. It doesn’t appear to have many major changes, but rather just further guidance and clarification in a few areas, including:
- Modernised terminology and harmonised structure that aligns with other ISO Standards
- Stronger focus on environmental conditions
- Clearer EMS scope with life-cycle perspective
- Again, we see a greater focus on leadership accountability
- Refined risk-based planning
- Introduction of a new change-management clause
- Extended operational control to suppliers
- Restructured management review
- And an expanded Annex A for explanatory notes
ISO 9001 is also due a revision. It was expected out around a similar time as ISO 14001, but following its public comment round, it’s gone back under revision to make more changes after that feedback.
As a result, this has pushed the expected publication date to either Q3 or possibly even Q4 of 2026.
Now despite it going back into revision following feedback, the changes are still expected to be minor. Some of the expected changes include:
- Impact of digital transformation – such as AI
- Improved supply chain resilience
- Proactive risk management and risk-based thinking
- Quality culture and awareness of ethical behaviors
- And increased attention to customer satisfaction
Looking even further forward, ISO 45001 will also be up for revision soon, though that isn’t expected to be published until 2027. We’ll give you more details as soon as a draft version has been made available.
All of these transitions will include a 3-year grace period, so there’s no need to panic. Over the next year, we’ll cover these changes in more detail, and will provide a variety of ISO Support options to help you manage and complete your ISO transitions.
That’s it from us for 2025! We look forward to bringing you more ISO knowledge in 2026 😊
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
Nearly 60% of businesses that are impacted by a cyber incident go out of business within the 6 months following.
With our heavy reliance on technology to keep both businesses and services running, it’s imperative that everyone take cyber risk seriously.
However, incidents will inevitably happen and it’s up to you to ensure that your business is prepared to ride out the wave, and hopefully make a full recovery!
We invited Jack Morris, Account Director at Epiq, back onto the show to discuss the consequences of not being prepared for a cyber incident and the key steps businesses should take in the event of an incident.
You’ll learn
- Who are Epiq?
- What does the current cyber incident landscape look like?
- What are the consequences if a business does not respond to a cyber incident effectively?
- How can a business detect if they’re being attacked?
- How should businesses respond in the event of a cyber incident?
- What role does a legal team play in incident response?
Resources
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how businesses should respond to a cyber incident.
[03:00] Who are Epiq? – Epiq is a global leader in technology-enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.
[04:35] What constitutes a cyber incident and why is it so important to respond effectively? – A cyber incident refers to unauthorised access or attempted access to an organisation’s IT systems. Types of incident include breaches, malicious attacks (e.g. Ransomware), and accidental events (e.g. Fire Damage). Responding effectively is crucial to minimise damage and protect sensitive data.
[05:40] What does the cyber incident landscape currently look like, and what challenges will organisations face in responding to an incident?: The cyber incident landscape is ever evolving, but here are some key trends we saw in 2023:
Attacks on the rise – the number of organisations posted on ransomware and data theft sites increased by over 70% year-on-year.
Business Email Compromise (BEC) incidents surged by 67% in 2023 – these events are where people within an organisation fall victim to phishing or similar – clicking on malicious links which ultimately compromise your mailbox.
For me, there are 3 main challenges that organisations face when responding to a cyber incident:
- Day-to-day management – balancing the technical aspects of the incident with broader business continuity, communications, financial and legal considerations. This can be hugely difficult for an organisation during an already high-stakes situation.
- Expertise and support – navigating the complex legal, technical and operational aspects of an incident
- Data-focused impact – understanding and assessing the risk to data after resolving an incident.
[10:00] What are the solutions to these challenges? – Understanding the various external expertise and support available to a business, whether that be engaging with a law firm, a cyber incident response expert or a cyber insurer, will give you access to support with both the day-to-day management of an incident, as well as the legal, operational and commercial impact of said incident.
[12:10] What are the consequences for an organisation that does not respond effectively to a cyber incident? – Failing to respond effectively to a cyber incident often leads to a variety of severe complications for a business, such as:
- Operational Issues: operational disruptions will occur due to prolonged exposure of sensitive information, and if Ransomware has infected systems, the organization will not have access to potentially crucial business information. Financial losses and higher costs to incident response can come as a result of poor planning.
- Additional Data Breaches: if an organization doesn’t respond effectively to a cyber incident, taking steps to gain control over their systems, additional data breaches can occur from threat actors gaining further access to the organisation’s systems.
- Financial losses: cyber incidents affect a business’ bottom line. Costs including incident investigations, recovery, legal fees and potential fines. Further, knock on effects such as lost business opportunities and damaged investor confidence come from poorly managed cyber incidents.
- Damage to Reputation and Trust: Public perception matters for a business. A poorly handled cyber incident damages an organisation’s reputation. Customers, partners and stakeholders lose trust, affecting long-term relationships and market position.
- Legal Consequences: Regulatory fines and potential follow on litigation arise from non-compliance with data protection laws. Organisations failing to report breaches promptly face penalties. Legal battles can be costly and time consuming.
[16:25] How can organisations detect if they are being attacked? – Signs will vary depending on the type of cyber incident, but slow systems, locked accounts (no access to mailboxes etc.), an inability to access documents or shared drives, ransom demands and unusual emails from organisation domains are all tell-tale signs that organisations and end users could expect to experience. If an organisation has invested in Managed Detection and Response software for its end-points, this will proactively scan your environment and provide alerts to potential and actual cyber incidents.
[17:40] What are the key steps an organisation must take in responding to a cyber incident? – It’s a great question, and these key steps should be set out in a cyber incident response plan. An impacted organisation should:
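The tell-tale signs above are things a person notices; as an added example (not from the ISO Show or Epiq), the Python below shows how a defender could turn two of them, a burst of locked accounts and mail that claims the organisation's own domain, into automated triage checks over constructed log lines. The log format, the `ORG_DOMAIN` placeholder and the thresholds are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

ORG_DOMAIN = "example-org.test"  # constructed placeholder for the organisation's mail domain

# Constructed sample log: "<timestamp> <event type> key=value ...".
# One source locks out five accounts in under a minute, and one email claims the
# organisation's domain in its From header but is sent from a lookalike domain.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z LOCKOUT user=alice src=10.0.0.5
2025-11-03T08:00:07Z LOCKOUT user=bob src=10.0.0.5
2025-11-03T08:00:12Z LOCKOUT user=carol src=10.0.0.5
2025-11-03T08:00:20Z LOCKOUT user=dave src=10.0.0.5
2025-11-03T08:00:25Z LOCKOUT user=erin src=10.0.0.5
2025-11-03T09:15:00Z LOCKOUT user=frank src=10.0.0.9
2025-11-03T09:30:00Z MAIL from=ceo@example-org.test envelope=example-org.test subject="Q4 numbers"
2025-11-03T09:31:10Z MAIL from=ceo@example-org.test envelope=examp1e-org.test subject="Urgent wire"
2025-11-03T09:32:00Z MAIL from=news@vendor.test envelope=vendor.test subject="Newsletter"
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime, an event kind and fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting triage
        ts, kind, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind, **fields})
    return events


def lockout_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Flag any source that locks out at least `threshold` distinct accounts within `window`.
    One user locked out is usually a forgotten password; many accounts locked from one
    source in minutes is the pattern a defender wants raised for triage."""
    by_src = {}
    for e in events:
        if e["kind"] == "LOCKOUT":
            by_src.setdefault(e["src"], []).append((e["ts"], e["user"]))
    findings = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= threshold:
                findings.append({"src": src, "start": start, "accounts": sorted(users)})
                break  # one finding per source is enough to raise the alert
    return findings


def suspicious_org_mail(events, org_domain):
    """Flag mail whose visible From address uses the organisation's domain while the
    sending (envelope) domain is something else, such as a lookalike with '1' for 'l'."""
    org = org_domain.lower()
    findings = []
    for e in events:
        if e["kind"] != "MAIL":
            continue
        from_domain = e["from"].rsplit("@", 1)[-1].lower()
        envelope = e["envelope"].lower()
        if from_domain == org and envelope != org:
            findings.append({"from": e["from"], "envelope": envelope, "subject": e.get("subject", "")})
    return findings


def triage(text, org_domain=ORG_DOMAIN):
    """Run both checks over a log and return the findings for the response team."""
    events = parse_log(text)
    return {
        "lockout_bursts": lockout_bursts(events),
        "suspicious_mail": suspicious_org_mail(events, org_domain),
    }


if __name__ == "__main__":
    for name, items in triage(SAMPLE_LOG).items():
        print(name)
        for item in items:
            print("  ", item)
```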
- Triage: Assess the severity and impact of an incident (organisations can instruct a first response organization to shut the doors, and assess the damage)
- Identify: Understand what is happening to the business post-incident, e.g. locked accounts, no access to business systems etc.
- Resolve: take technical actions to mitigate the incident – shutting off access to accounts – closing the door
- Report: Notify relevant stakeholders, including legal obligations.
- Learn: analyse the incident to then take retrospective action to prevent further incidents.
[21:23] Join the isologyhub – Don’t miss out on a suite of over 200 ISO tools, templates and training; sign-up to become a member of the isologyhub.
[23:48] How does Cyber Insurance play a pivotal role in Cyber Incident Response? – like with most walks of life, insurance plays a crucial role in supporting organisations in effectively responding to disasters.
- Response Funding: Insurers cover costs related to incident response, including professional services.
- Response Time: Insurers bring in experts promptly, improving incident resolution.
- Affordability: For small to medium businesses, insurance may be the only way to afford a response team.
[26:10] What role do vendors like Epiq play in supporting the incident response lifecycle? – Just like law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident.
Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it.
Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too.
Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim.
[27:25] What are the legal obligations that exist after a cyber incident, especially in relation to personal data breaches? – The legal obligations are clear: an organisation must report personal data breaches within 72 hours of becoming aware of them, unless the risk to individuals’ rights is unlikely. This quick turnaround is why it’s imperative that organisations have an established cyber incident response plan, and know who they should be talking to regarding the legal and operational implications.
[28:45] What support is there out there for organisations that are victim to a cyber incident? – On the previous episode, we discussed what organisations can do to be proactive in mitigating the risks associated with a cyber incident, and the importance of Cyber Incident Response plans, as they outline what external support an organisation should seek in the event.
Having playbooks and relationships with law firms, cyber providers like Epiq, and cyber insurance coverage are 3 key focuses for every business.
[30:35] What role does a legal team play in incident response? – Legal support and advice is critical during an incident. As mentioned, they will help support with reporting the incident to the regulatory bodies required.
- Breach Notification – legal support ensures compliance with data breach disclosure laws and regulatory requirements.
- Breach Counsel – law firms act as a breach counsel for organisations, enabling them to support and advise on the legal implications of a cyber incident. Most law firm cyber practice groups will have relationships with external vendors, like Epiq, to support with the operational response. They can co-ordinate with these external vendors to ensure compliance.
- Privacy Law Compliance – they guide handling of personal data and privacy implications to ensure no further issues.
[36:00] What should an organisation do in future to prevent further incidents? – Benjamin Franklin’s famous quote is so true here – ‘by failing to prepare, you are preparing to fail’.
The key point here is to learn from your mistakes. There may have been numerous reasons that the organisation wasn’t ready for a cyber incident, but they should learn from what led to the incident previously, and proactively address this to prevent further incidents. 67% of organisations that get hit by a cyber incident are subject to further attacks within 1 year. It’s important to reduce your attack surface, and ensure you have cyber security themes running throughout the business.
[37:45] What are Jack’s top 3 tips to take away from this session to help them respond effectively to an incident? –
- Establish an Incident Response Plan – we spoke through IR plans during the first episode, but creating a plan that outlines roles, responsibilities and communication channels during an incident is key. Once implemented, regularly testing the plan and simulating these incidents is key to ensuring effective response.
- Engage external experts early – during this session we identified 3 critical external support pillars to an incident – having legal advice, operational and response support and insurance is key.
- Prioritise business continuity – enabling the external experts to support you through the incident will free your bandwidth to ensure that you minimise damage and downtime to your business.
If you’d like to learn more about Epiq and how they can help you, visit their website.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.
Steve Mason is a Senior Consultant at Blackmores (UK) Ltd, and has a 100% success rate of supporting clients in achieving their ISO 9001 & ISO 27001 certifications on their first time.
With over 38 years of experience working with standards, Steve is incredibly knowledgeable about how to ensure companies get the best benefits when implementing new standards. Steve has never stopped advancing himself and continues to broaden his knowledge of new standards as they come into existence.
Today, Steve is back to discuss the new ISO 27017 (Information Security Controls for Cloud Services Standard), and why it is needed in addition to ISO 27001.
The current publication of ISO 27001 was released back in 2013, before cloud security was as big a concern. Due to this, it does not adequately cover cloud security, and hence the new standard ISO 27017 was released.
It is wise not to assume that the cloud is secure on its own; you need a provider that can demonstrate protection from hacking and guarantee you security.
There are 7 new controls that the standard brings:
- 6.3.1 Shared roles and responsibilities within a cloud computing environment
- 8.1.5 Removal of cloud service customer assets
- 9.5.1 Segregation in virtual computing environments
- 9.5.2 Virtual machine hardening
- 12.1.5 Administrator’s operational security
- 12.4.5 Monitoring of cloud services
- 13.1.4 Alignment of security management for virtual and physical networks
In this episode, Steve talks through some of these new controls, explains why they’re so important, and describes who can benefit from implementing this new standard.
You’ll learn
- How the standard works for both customers and providers.
- How ISO 27017 works as a unique selling point for businesses.
- The new controls and how they demonstrate security within the cloud.
- The benefits of adopting ISO 27017.
- How doing a gap analysis can help you to understand what cloud controls you already have in place.
Resources
In this episode, we talk about:
[01:30] Why it’s important to have a standard for cloud security when we already have ISO 27001.
[02:46] The type of new controls and how they make the standard ‘cloud effective’.
[05:37] Some examples of the new controls.
[07:20] The prerequisites you need before implementing ISO 27017.
[08:37] The type of certificate you get with ISO 27017.
[10:22] How ISO 27017 can set companies apart from their competitors.
[11:03] What the future for ISO 27001 and ISO 27017 looks like.
[13:03] Advice for anyone thinking of implementing the standard.
[14:20] The main benefits there are from implementing ISO 27017.
If you need assistance with implementing ISO 27017 – Contact us!
Today, Steve is here to discuss ISO 27701 (Data Privacy), and why it is so important for proving you are GDPR compliant.
Since the new European Data Privacy Laws were introduced in May 2018 there have been over 150,000 personal data breaches within Europe, and GDPR fines are estimated to total a little over 220 million euros.
Steve explains why GDPR is so important, how companies can avoid having data breaches, and what makes ISO 27701 different from previous standards.
You’ll learn
- How ISO 27701 can help companies demonstrate compliance with the requirements of GDPR.
- The ways ISO 27701 is different from ISO 27001 and why you need both standards.
- Who you can share PII with while still maintaining GDPR compliance.
- The correlations ISO 27701 has with ISO 27002.
- The potential impact implementing ISO 27701 can have.
Resources
In this episode, we talk about:
[00:29] The big personal data breaches that have happened in the last 2 years, and the fines the companies received for not being compliant with the data protection laws.
[04:11] Why we have the General Data Protection Regulation and what it is there to protect.
[06:36] What ISO 27701 is and how it helps companies be GDPR compliant.
[09:26] What PII (Personally Identifiable Information) is.
[11:41] An overview of ISO 27701 and what its main clauses are.
[14:04] What the two control sets of the standard are and what the difference between a data controller and a data processor is.
[17:20] How this standard helps companies know what needs to be put in place to be GDPR compliant.
[18:51] What makes ISO 27701 better than BS 10012 and why it will eventually completely replace it.
[22:14] What you already need in place to get ISO 27701 certified.
[24:10] The main benefits companies get from implementing this standard.
If you need assistance with implementing ISO 27701 – Contact us!