Free Assessment

Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

Request a Demo

Home

  / ,

  / ISO 27001 Implementation Roadmap: A Step-by-Step Guide to Certification

ISO 27001 Implementation Roadmap: A Step-by-Step Guide to Certification

Picture of Pedro Dias
Copy Link

Most organisations that fail their first ISO 27001 certification audit don’t fail because their security is lacking. They fail because they lack a systemic approach to their IT systems. ISO 27001:2022 is not a technology exercise. It is a governance framework, and getting certified requires your entire organisation to demonstrate that it manages information security systematically, continuously, and with documented intent.

This guide provides a practical, phase-by-phase roadmap to ISO 27001 implementation, covering everything from initial scoping to certification audit preparation. Whether you are building an ISMS from scratch or modernizing a legacy system, the structure below reflects how implementation actually works in practice.

The ISO 27001 Implementation Roadmap at a Glance

An ISO 27001 implementation roadmap is a structured project plan that takes an organization from its current security posture to certified compliance with ISO/IEC 27001:2022. The roadmap defines phases, deliverables, roles, and timelines, giving your team a clear line of sight from day one through to the certification audit.

The standard itself has two components. Clauses 4 through 10 define the mandatory management system requirements: context, leadership, planning, support, operations, performance evaluation, and improvement. Annex A provides a reference catalogue of 93 security controls, organised into four themes: organisational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). A well-structured roadmap addresses both components in a logical sequence, with risk driving every decision.

Pro Tip: What Procurement Teams Actually Accept

In our experience at Axipro, most sophisticated procurement teams care about three things: (1) that an independent auditor tested your controls, (2) that the criteria used are recognised and rigorous, and (3) that the report covers a recent period (ideally the last 12 months). Whether the cover page says “SOC 2” or “ISAE 3000” matters less than you think, unless the policy explicitly mandates one or the other. Always ask.

Prerequisites and Planning Before You Start

Define the Scope of Your ISMS

Scope definition is the single most consequential decision in the entire implementation. The scope should reflect the business units, locations, processes, and information assets that are most critical to your organization and most relevant to your customers and stakeholders.

A well-defined scope document should identify the boundaries of the ISMS, the interfaces and dependencies with external parties, and any intentional exclusions, with justification for each. Auditors scrutinize scope boundaries carefully. Any exclusion that appears to cherry-pick convenient systems will attract challenge.

Form Your ISO 27001 Implementation Team

Three roles are non-negotiable: an executive sponsor with authority to allocate resources and enforce decisions; a project manager who owns the day-to-day implementation timeline; and an information security lead who understands both the technical controls and the documentation requirements. Larger organisations may also need departmental representatives from IT, HR, legal, and operations.

The most common implementation failure mode is assigning ISO 27001 entirely to the IT team. The standard requires evidence that security is embedded across the organisation. HR owns the people controls. Legal owns the contractual and regulatory requirements. Finance owns the asset valuation. If those functions are not engaged early, you will discover gaps at the worst possible time. If your organisation lacks in-house expertise, working with an experienced ISO 27001 consultant can bridge that gap efficiently.

ISO 27001 Implementation Roadmap: Phase-by-Phase Breakdown

Phase 1 (2 weeks): Foundation and Planning Phase

The first 14 days establish the governance foundation. Key deliverables include a documented ISMS scope; an approved information security policy signed by top management; a defined organisational context covering internal and external issues, interested parties, and legal requirements; and a completed gap assessment that maps your current state against the standard’s requirements.

From this list, the gap assessment is the most important document. It identifies which controls are already in place, which need to be built from scratch, and which exist informally but require documentation. Our gap analysis services are designed specifically for this phase, helping organisations cut through the ambiguity and get a clear remediation picture fast. 

Phase 2 (2 weeks): Implementation Phase

The second 14 days focus on risk and documentation. Your team completes the formal risk assessment, identifies and values assets, maps threats and vulnerabilities, and determines risk levels against your defined risk appetite. From this, you produce a Risk Treatment Plan that specifies which risks will be mitigated, accepted, transferred, or avoided, and which Annex A controls address each risk.

The Statement of Applicability (SoA) is produced during this phase. It documents all 93 Annex A controls, the justification for including or excluding each one, and the current implementation status. The SoA is typically the first document an auditor requests. It connects your risk assessment to your control selection and demonstrates that your ISMS is risk-driven rather than checklist-driven.

Phase 3 (1 to 3 weeks): Audit and Approval

The final phase focuses on executing the controls, training staff, and preparing for audit. Technical controls from the risk treatment plan are deployed. Operational procedures are finalised and approved. Security awareness training is delivered to all staff. An ISO 27001 internal audit is conducted to identify nonconformities before the certification body arrives. A management review is completed to demonstrate leadership engagement.

This 6-week timeline is achievable for most organizations with existing security foundations and dedicated implementation resources. Rushing the process to meet an arbitrary deadline is the leading cause of audit failures and certification theatre, a situation where documented controls exist only on paper and fall apart under auditor questioning. For a detailed breakdown of where implementations go wrong, see our guide on common pitfalls in ISO 27001.

6-Week Detailed Implementation Timeline

Week 1: Project Initiation

Secure executive sponsorship in writing. Establish the project team and define roles. Brief key stakeholders on the standard’s requirements and business case. Set up project governance, including a steering committee and regular status reporting.

Week 2: Define ISMS Scope and Context and Conduct Gap Assessment

Document the organisational context using Clause 4 requirements. Identify interested parties and their requirements. Define and document the ISMS scope boundary. Obtain approval from top management.

Assess current security controls against ISO 27001 requirements and all 93 Annex A controls. A thorough ISO 27001 gap analysis produces a gap report that quantifies the remediation work required, prioritises gaps by risk impact and implementation effort, and forms the foundation of a credible project plan and budget.

Week 3: Policy Development and Leadership Alignment

Draft the overarching information security policy. Develop supporting topic-specific policies covering areas such as access control, acceptable use, incident management, and supplier relationships. Obtain formal approval from top management.

Week 4: Risk Assessment Framework and Assessment

Define the risk assessment methodology, including criteria for likelihood, impact, and risk acceptance thresholds. Create the asset inventory. Establish the risk register structure and tooling. Agree the risk appetite with the executive sponsor.

Identify and assess information security risks across all assets and processes within scope. Assign risk owners. Evaluate each risk against the defined criteria. Produce the initial risk register with risk scores and preliminary treatment decisions.

Develop the Risk Treatment Plan with control selections, owners, timelines, and residual risk levels. Produce the Statement of Applicability, documenting justifications for all 93 Annex A controls. Obtain formal approval from management.

Week 5: Develop Operational Procedures and Control Implementation

Document operational procedures for the selected controls. These are the how-to instructions that evidence the controls are actually being operated, not just defined. Procedures should be concise, practical, and version-controlled.

Deploy technical controls from the risk treatment plan. This typically includes access controls, network security configurations, logging and monitoring, backup and recovery systems, and physical security measures. Capture evidence of implementation as you go. For organisations with significant technical exposure, this is also the right point to schedule vulnerability assessment and penetration testing to validate that controls are functioning as intended.

Week 6: Employee Security Awareness and Training, Internal Audit, and Audit Preparation

Deliver security awareness training to all staff within scope. Cover key policies, reporting obligations, phishing and social engineering awareness, and incident escalation procedures. Record completion. Auditors routinely test staff awareness during the Stage 2 audit — this is not a box-tick exercise.

Conduct the internal audit against all applicable clauses and Annex A controls. The internal auditor must be independent of the processes being audited. Document findings, classify nonconformities and observations, and issue corrective actions. Verify that corrective actions are implemented before the certification audit.

Conduct the management review, covering ISMS performance, audit results, risk status, and improvement opportunities. Produce formal management review minutes. Assemble the certification audit evidence pack. Confirm Stage 1 and Stage 2 audit logistics with the certification body.

Key Stages of the ISO 27001 Certification Process

ISO 27001 Readiness Assessment

Before engaging a certification body, organisations typically conduct an internal readiness assessment to evaluate whether the ISMS is mature enough for external audit. This is distinct from the gap assessment conducted at the start of implementation. The readiness assessment asks whether documented controls are operating effectively, whether evidence is available and current, and whether staff can demonstrate awareness of their security responsibilities.

Gap Assessment

The formal ISO 27001 gap analysis maps your current security posture against the standard’s requirements. It identifies missing documentation, absent controls, and areas where informal practices need to be formalised. A well-executed gap assessment produces a prioritised remediation list that forms the foundation of the implementation plan.

Stage 1 Audit

The Stage 1 audit is a documentation review. The auditor evaluates whether your ISMS is designed correctly: whether the scope is defined, whether the information security policy is in place, whether the risk assessment has been completed, and whether the Statement of Applicability is present and coherent. Stage 1 typically lasts one to two days. Any major nonconformities identified at Stage 1 must be resolved before Stage 2 can proceed.

Stage 2 Audit

The Stage 2 audit is the certification audit. The auditor conducts an on-site or remote assessment of whether the controls documented in your ISMS are actually operating effectively. Auditors interview staff, review evidence records, inspect systems, and test whether the processes described in your documentation match what is happening in practice. A Stage 2 audit typically takes three to seven days depending on organisation size.

Experienced auditors ask questions that reveal whether controls are understood or just documented. They ask staff: what would happen if a server went down, how they would report a phishing email, who is responsible for approving access to sensitive data. Your answers must be consistent with your documented procedures. Zero incidents reported is a red flag, not a sign of excellence.

Surveillance Audit

ISO 27001 certificates are valid for three years. Annual surveillance audits — typically shorter than the initial certification audit — verify that the ISMS continues to operate effectively and that improvements are being made. Surveillance audits focus on areas where nonconformities were previously identified, as well as any significant changes to the organisation, its risk environment, or its technology landscape.

Recertification

At the end of the three-year cycle, a full recertification audit reassesses the entire ISMS. This resembles the original Stage 2 audit in scope and depth. Organisations that have maintained their ISMS diligently through annual surveillance cycles typically find recertification straightforward. Those that have allowed the ISMS to drift often face significant remediation work before they are ready to re-engage the certification body.

Core Components of ISO 27001 Implementation- Checklist

Build Your Information Security Management System (ISMS) 

The ISMS is the governance framework above all individual controls,  defining how your organisation identifies risks, operates controls, and improves. It requires active leadership and clear accountability, not just a folder of policies.

Create and Publish ISMS Policies, Procedures, and Documentation 

Policies set direction, procedures describe execution, and records prove compliance. All three are mandatory and all three are assessed at audit.

Conduct Risk Assessment and Risk Treatment 

Every control decision flows from the risk assessment,  identifying assets, mapping threats, estimating likelihood and impact, and documenting treatment decisions. Aim for 40 to 80 well-scoped risks rather than hundreds of near-identical entries.

Prepare the Statement of Applicability (SoA) 

The SoA lists all 93 Annex A controls and justifies every inclusion and exclusion. You do not need to implement every control, but unjustified exclusions are a leading cause of Stage 1 failures.

Implement Access Control and Authentication Processes 

Access must be granted on a need-to-know basis, reviewed regularly, and revoked promptly when staff leave. MFA is required as a minimum for all remote and privileged access.

Protect Against Network and Web-Based Threats 

Network segmentation, intrusion detection, vulnerability management, and the 2022 additions of web filtering (A.8.23) and data leakage prevention (A.8.12) are baseline expectations,  auditors want to see them operating with documented evidence.

Ensure Data Backup and Recovery 

Backups must be tested and proven restorable. Auditors ask for evidence of recovery tests, not just confirmation that backups are being taken.

Implement Physical Security Measures 

Entry controls, visitor management, clean desk policies, and secure media disposal are all in scope. These controls are routinely underestimated in planning,  budget time for them early.

Monitor and Review Your ISMS 

Define what you measure, how often, and what triggers action. Monitoring outputs must feed into management reviews, which produce documented improvement decisions.

Continuously Improve Your ISMS 

Nonconformities from audits, incidents, or reviews must be root-cause analysed, resolved, and verified closed. This cycle is what separates a functioning ISMS from one that exists only on paper.

Mandatory Documents Required for ISO 27001 Implementatio

ISO 27001:2022 mandates a specific set of documented information. Auditors request these as a baseline during Stage 1:

  • ISMS Scope (Clause 4.3) — defines the boundaries and applicability of the management system
  • Information Security Policy (Clause 5.2) — top management’s formal commitment to information security
  • Risk Assessment Process (Clause 6.1.2) — your methodology for identifying, analysing, and evaluating risks
  • Risk Treatment Plan (Clause 6.1.3) — documented decisions on how each identified risk will be treated
  • Statement of Applicability (Clause 6.1.3d) — the definitive reference for all 93 Annex A control decisions
  • Information Security Objectives (Clause 6.2) — measurable targets linked to the policy and risk assessment
  • Evidence of Competence (Clause 7.2) — training and qualification records for ISMS-related roles
  • Operational Planning Results (Clause 8.1) — evidence that security operations are carried out as planned
  • Risk Assessment Results (Clause 8.2) — the documented output of the risk assessment process
  • Internal Audit Programme and Results (Clause 9.2) — confirmation that internal audits have been planned and conducted
  • Management Review Records (Clause 9.3) — minutes and decisions from management reviews
  • Nonconformity and Corrective Action Records (Clause 10.1) — documentation of identified nonconformities and their resolution

How to Accelerate Your ISO 27001 Implementation

Common Delays to Avoid

Scope creep. Expanding scope mid-project forces rework across the risk assessment, SoA, and documentation set. Define boundaries precisely at the start and hold them.

Weak executive engagement. Implementations stall at policy approvals and resource decisions when sponsors delegate and disengage. The sponsor should attend steering meetings and have weekly visibility during active phases.

Late-stage documentation. Deferring documentation until after controls are implemented produces thin, retrospective evidence. Write documentation in parallel with implementation, not after.

Accelerators That Speed Up the Process

Templates. ISO 27001-aligned policy and procedure templates can compress the documentation phase by several weeks. Adapt them to your context rather than treating them as off-the-shelf compliance.

GRC tools. Purpose-built platforms provide structure for risk registers, the SoA, and audit evidence management — replacing spreadsheets that become unmanageable at scale. Our compliance tools comparison covers the leading platforms in depth.

External consultants. Their value is pattern recognition: they know what auditors scrutinise, which documentation gaps attract nonconformities, and what a credible risk assessment looks like. For organisations without in-house expertise, consultant engagement typically pays for itself in avoided rework. Our Compliance Accelerator Program offers a structured, supported path to certification through software automation with a free 30-day trial.

Pro Tip: What Procurement Teams Actually Accept

In our experience at Axipro, most sophisticated procurement teams care about three things: (1) that an independent auditor tested your controls, (2) that the criteria used are recognised and rigorous, and (3) that the report covers a recent period (ideally the last 12 months). Whether the cover page says “SOC 2” or “ISAE 3000” matters less than you think, unless the policy explicitly mandates one or the other. Always ask.

What tools can help accelerate compliance?

Once certified, maintaining your ISMS requires continuous monitoring, evidence collection, and audit readiness. GRC and compliance automation tools take much of that manual burden off your team. Our Drata vs Thoropass vs Vanta comparison is a good starting point for evaluating your options.

The most consistently cited challenges are: securing sustained top management engagement beyond the initial sponsorship conversation; maintaining momentum through the documentation-heavy middle phases of implementation; achieving cross-functional participation from HR, legal, and operations teams that may not see information security as their responsibility; and building a risk assessment that is genuinely risk-driven rather than a mechanical exercise designed to justify a predetermined control set.

Yes. Organisations with experienced information security professionals and strong project management capability routinely achieve certification without external consultants. The standard’s requirements are publicly available, and the approach is logical once understood. The risk of a DIY implementation is not that it cannot be done, but that it takes longer and is more susceptible to documentation gaps and scoping errors. For organisations without in-house expertise, engaging a consultant on the gap assessment and SoA phases alone, with internal teams handling implementation, often provides the best balance of cost and quality.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.
Copy Link

Blog Highlights

Explore More Articles

Read More Blogs

How to Become a CMMC Registered Practitioner

The CMMC program turned from advisory framework to binding contract requirement on November 10, 2025, when the DoD’s Title 48 acquisition rule took effect.  That single date changed the market for CMMC advisory services overnight, and the Cyber AB Registered Practitioner credential moved from a useful business card to a genuine signal of competence.  Over 80,000 companies in the Defense Industrial Base now need help interpreting the rule, and the RP is the formal entry-level role in the ecosystem authorized to provide it. This guide explains what a CMMC Registered Practitioner is, how the role fits alongside CCPs, CCAs, RPOs, and C3PAOs, what it takes to earn the designation, and how Organizations Seeking Certification (OSCs) should think about engaging one. What Is a CMMC Registered Practitioner (RP)? A CMMC Registered Practitioner is an individual authorized by the Cyber AB, the official accreditation body for the CMMC ecosystem, to provide non-certified advisory and consulting services to Organizations Seeking Certification.  RPs help defense contractors interpret the CMMC model, scope their environments, build documentation, remediate gaps against NIST SP 800-171, and prepare for the formal assessment they will eventually undergo. The credential exists because the CMMC framework is genuinely dense. CMMC Level 2 maps to all 110 controls in NIST SP 800-171, and Level 3 layers on 24 selected requirements from NIST SP 800-172. Most contractors do not have the in-house expertise to implement these controls cleanly, and the Cyber AB needed a way to identify advisors who had at least demonstrated baseline knowledge of the program. An RP does not perform official assessments. That work is reserved for Certified CMMC Assessors (CCAs) operating under a C3PAO. The RP role is strictly advisory, and the Code of Professional Conduct that every RP must sign makes the boundary explicit. How RPs Fit Into the Broader CMMC Ecosystem The Cyber AB structures the ecosystem into two distinct lanes: consulting and implementation on one side, assessment and certification on the other. RPs sit on the consulting side. CCPs, CCAs, and C3PAOs sit on the assessment side. The two are kept deliberately separate so that no firm can audit work it helped configure, a separation that preserves the integrity of the certification process. Registered Practitioners vs. Certified CMMC Professionals (CCPs) The CCP is a more rigorous credential. CCP candidates must complete formal Cyber AB training delivered by a Licensed Training Provider, pass a commercial background check, and sit a proctored exam administered by CAICO. CCPs can participate in actual assessments as part of a C3PAO assessment team, though they cannot lead them. RPs cannot participate in assessments at all. In practical terms, the RP credential is the right starting point for consultants, MSPs, and internal compliance staff who want to demonstrate baseline CMMC fluency. The CCP is the right credential for professionals planning a career in CMMC assessment work. Registered Practitioners vs. C3PAOs A C3PAO (Certified Third-Party Assessment Organization) is the entity authorized to conduct official Level 2 certification assessments and issue formal CMMC status determinations. Fewer than 100 firms held C3PAO authorization as of early 2026, serving an ecosystem of more than 80,000 contractors. C3PAOs are companies. RPs are individuals. They do completely different jobs: the RP prepares the contractor, the C3PAO certifies them. Important: A C3PAO that helps a client implement controls is barred from later assessing that same client. This is a hard line in the Code of Professional Conduct. If you engage a firm for both readiness and certification work, you will end up paying two different organizations regardless, so plan accordingly from the start. What Does a CMMC Registered Practitioner Do? The work of an RP is the work of getting an organization to the starting line of a formal assessment without surprises. That includes interpreting which CMMC level applies to a given contract, scoping the CUI and FCI environments, identifying gaps against NIST SP 800-171, drafting the System Security Plan (SSP) and Plan of Action and Milestones (POA&M), advising on technical remediation, and coaching the OSC through mock assessments before the real one. Who Can a CMMC RP Help? RPs serve any organization in the Defense Industrial Base that needs to achieve a CMMC status. That includes prime contractors, subcontractors at any tier, MSPs, and MSSPs that handle CUI on behalf of defense clients, manufacturers, research universities, and civilian agency contractors whose departments have adopted CMMC-aligned clauses. The flow-down requirements in 32 CFR §170.23 mean that even small subcontractors who process Federal Contract Information (FCI) must hit Level 1, which keeps RP work relevant well past the first wave of large primes. What Services Does a CMMC RP Provide? The core service menu looks consistent across the market: gap assessments against NIST SP 800-171, scope definition, SSP and POA&M drafting, policy and procedure development, technical advisory on encryption, access control and incident response, and pre-assessment readiness reviews. Strong RPs also help clients interpret recent guidance changes, manage their SPRS score, and prepare evidence packages that will survive scrutiny from a C3PAO assessment team. Pro Tip: Evaluating a Registered Practitioner When evaluating an RP, ask whether they have walked a client through a full C3PAO assessment cycle, not just a gap assessment. There is a significant difference between consultants who write SSPs and consultants who have watched assessors actually challenge one. How to Become a CMMC Registered Practitioner The path is straightforward but not trivial. The Cyber AB controls the registration process end-to-end, and every step must be completed in order. Step 1: Complete the Required CMMC Registered Practitioner Training The RP training is delivered online through the Cyber AB’s learning management system. It covers the CMMC model document, the structure of the ecosystem, scoping methodology, FCI and CUI definitions, prime and subcontractor information flow, the assessment process, and the relationship between CMMC and existing DFARS clauses. The course typically takes around eight hours. Candidates should plan for roughly $500 to $600 in combined training and annual registration costs. Step 2: Register with the Cyber AB After training, candidates submit a

Read more

GitHub Breach May 2026: All You Need to Know

A single VS Code extension installed by a single GitHub employee has cost the world’s largest code host roughly 3,800 of its internal repositories. GitHub confirmed the breach in a five-post thread on X on May 20, 2026, attributing the compromise to a poisoned extension that ran on the employee’s machine and gave attackers a foothold inside Microsoft’s flagship developer platform. The threat group TeamPCP, already infamous for a string of supply chain attacks across npm, PyPI, and PHP packages earlier this year, has claimed responsibility on underground forums and is reportedly asking more than $50,000 for the stolen dataset. GitHub’s own assessment is that the attacker’s claim of around 3,800 exfiltrated repositories is directionally consistent with what investigators have found so far. The company says no customer data was touched. What GitHub Disclosed GitHub broke the news in a numbered thread of five short posts on X, with no entry on the official github.blog or githubstatus.com at the time of disclosure. The company said it detected the compromise of an employee device the previous day, removed the malicious extension version from the marketplace, isolated the affected endpoint, and rotated critical secrets overnight, prioritizing the highest-impact credentials first. “Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GitHub wrote, adding that it would continue to monitor logs for follow-on activity and publish a fuller report once the investigation is complete. The phrasing is careful. Saying GitHub-internal repositories only rules out customer repos, enterprise tenants, and organization data hosted on the public platform, but it leaves open what was inside those 3,800 repos: deployment scripts, infrastructure configuration, API documentation, staging credentials, and the architectural blueprints of GitHub itself. Important Note “No customer data” does not mean “no customer risk.” Internal repositories at a platform like GitHub typically contain deployment topology, secret rotation logic, CI workflows, and references to third-party integrations. Even if no customer secrets are inside, the architectural knowledge alone meaningfully reduces the cost of attacking customers downstream. The Attack: A Trojanized Extension Inside a Trusted Marketplace GitHub has not yet named the specific extension. Security researchers tracking TeamPCP’s tradecraft note that the group has spent 2026 weaponizing exactly this surface, planting trojanized code in package registries and development tools that developers trust by default. The mechanism is brutally simple. A developer browses the VS Code Marketplace, installs an extension that looks legitimate, and grants it the same execution privileges as any other process running under their account. From there, the malware can read source files, exfiltrate Git credentials, harvest tokens from ~/.aws, ~/.kube, and password managers, and clone every repository the developer has access to. There is no permission model meaningfully limiting what an extension can do once it executes. A theme can do anything a debugger can do. Browser extensions get treated as a security boundary. IDE extensions, which see your source code, your credentials, and your terminal, do not. That asymmetry is the single largest unaddressed risk in the modern developer toolchain, and the GitHub incident is the most expensive demonstration of it to date. What GitHub Has Done, and What Comes Next The containment steps GitHub described are textbook: detect, isolate, rotate, monitor. The company says it removed the malicious extension version, took the developer’s machine off the network, and rotated the credentials most likely to provide further pivots. The investigation continues, and GitHub has committed to publishing a fuller report later. Where the response is less defensible is in disclosure. Announcing a breach of this scale exclusively on X, a platform that requires a login to view most posts, drew sharp criticism. As of publication, there is no entry on the GitHub Blog and no advisory on the official status page. Customers governed by frameworks such as DORA or NIS2, both of which have hard supplier-incident notification timelines, will be looking for something more substantive than a Twitter thread. Pro Tip: IDE plugins and Cyber Security Treat any IDE plugin like a piece of production software. Pin to specific versions, disable auto-updates on critical machines, restrict the allowed publisher list (in VS Code via the extensions.allowed setting), and ensure that any project containing credentials cannot be opened by an editor that auto-runs .vscode/tasks.json without confirmation. If you maintain CI/CD secrets, assume that any developer machine with both source access and an unverified extension installed is already in the threat model. For organizations downstream of GitHub itself, the immediate hygiene items are clear. Rotate any GitHub personal access tokens or OIDC credentials that were used in conjunction with packages from the TanStack, UiPath, Mistral AI, OpenSearch, or Guardrails AI namespaces during the early May window. Audit .vscode/ and .claude/ directories for files such as router_runtime.js or setup.mjs. Search for the gh-token-monitor daemon, which acts as a dead-man switch and triggers a destructive rm -rf on token revocation if not removed first. An Incident or a Pattern? GitHub has had a rough quarter on availability, with multiple outages drawing public complaints. A confirmed source-code breach by the most prolific supply chain threat actor of 2026 lands at the worst possible moment for that narrative. Independent agencies such as the Cybersecurity and Infrastructure Security Agency and NIST, through its Secure Software Development Framework, have been warning for years that developer tooling and build pipelines are the soft underbelly of every modern company, and the Wikipedia entry for supply chain attack now reads like a chronological list of escalating incidents. The deeper lesson from the GitHub breach is not that one employee made a mistake. It is that the security model of the modern developer workstation has not kept pace with the value of what sits on it. Until IDE extensions are sandboxed with explicit capability grants, until source code repositories are treated as sensitive assets rather than collaboration surfaces, and until the disclosure norms for breaches at platform-level vendors are tightened, the Mini Shai-Hulud playbook will continue to work. GitHub will not be the last victim of this campaign. It is simply, for

Read more

ISO 27001 & GDPR: Why Certification Isn’t Compliance

Plenty of companies treat an ISO 27001 certificate as proof of GDPR compliance. It is not. The two frameworks overlap heavily, but they answer different questions, and the gap between them is exactly where regulators tend to look. ISO 27001 tells you how to build a defensible security program. GDPR tells you what the law expects when that program touches personal data. Run one without understanding the other, and you will either over-engineer security you do not strictly need, or miss privacy obligations that carry real financial exposure. This article maps where ISO 27001 and GDPR meet, where they part ways, and how to run them as a single coordinated effort rather than two competing projects. What Is ISO 27001? ISO/IEC 27001 is the international standard for an Information Security Management System, or ISMS. The current edition is ISO 27001:2022. It is not a checklist of technical fixes. It is a management framework: a structured, repeatable way to identify information security risks, decide how to treat them, document those decisions, and improve over time. Clauses 4 to 10 of the standard define the mandatory ISMS requirements, covering leadership, risk assessment, internal audit, and management review. Annex A then lists 93 controls grouped into four themes: organisational, people, physical, and technological. You do not implement all 93 by default. You select the controls that address your assessed risks and justify your choices in a document called the Statement of Applicability. Certification against ISO 27001 is voluntary and is granted by an accredited third-party body after an audit. What Is GDPR? The General Data Protection Regulation is European Union law. It has been applied since 25 May 2018, and it applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based. GDPR is fundamentally about the rights of individuals, not just the security of data. It grants people rights over their personal data, including access, correction, erasure and portability. It places obligations on the organisations that decide how data is used (controllers) and those that process it on their behalf (processors). It requires a lawful basis for every processing activity, mandates breach notification, and demands transparency about what happens to people’s information. You do not implement GDPR and receive a certificate. You obey it, and a regulator decides whether you have. Key Differences Between ISO 27001 and GDPR Scope and Purpose ISO 27001 protects all information assets an organisation holds: intellectual property, financial records, operational data, source code and, yes, personal data. Its purpose is the confidentiality, integrity and availability of information in general. GDPR is narrower in one sense and broader in another. It covers only personal data of individuals in the EU, but it protects the person behind the data, not merely the data itself. A system can be flawlessly secure and still violate GDPR. Legal Obligation vs. Voluntary Certification This is the difference that catches people out. GDPR is binding law. If you process EU personal data, compliance is not optional, and there is no opting out. ISO 27001 is a voluntary standard. Organisations pursue it for assurance, for competitive advantage, and because customers increasingly demand it. Crucially, there is no such thing as a GDPR certificate. Regulators assess compliance through investigation and enforcement, not through a badge you can display. Penalties for Non-Compliance GDPR fines run on two tiers under Article 83. Less severe infringements — such as failures around records of processing or breach notification — can reach €10 million or 2% of global annual turnover, whichever is higher. The more serious tier, covering breaches of the core processing principles and data subject rights, can reach €20 million or 4% of global annual turnover. Failing an ISO 27001 audit carries no legal fine at all. The consequence is commercial: you do not get the certificate, or you lose it, and that can cost you contracts. How ISO 27001 and GDPR Align Despite their different purposes, the two frameworks were built on compatible logic, which is why running them together works. Both treat information security as central. GDPR Article 32 requires “appropriate technical and organisational measures” to secure personal data. That phrasing is almost a direct description of what an ISO 27001 ISMS produces. The controls an organisation selects for confidentiality and access already serve the regulation’s security expectations. Both are risk-based. ISO 27001 starts every control decision from a risk assessment. GDPR expects the same proportionality: the measures you apply should match the sensitivity of the data and the likelihood and severity of harm. One risk methodology can serve both, provided you assess personal data processing risks alongside broader security risks. Both demand incident response. ISO 27001’s incident management controls require organisations to detect, assess and respond to security events. GDPR Article 33 requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it. The ISO process is the engine that makes the GDPR deadline achievable. How ISO 27001 Can Help You Comply With GDPR Four areas of an ISMS do direct, practical work toward GDPR compliance. Asset management. ISO 27001 requires an inventory of information and associated assets, with owners assigned. You cannot protect personal data, respond to access requests, or maintain records of processing if you do not know where that data lives. The asset inventory is the foundation for both frameworks. Access control. Identity management, privileged access controls and the principle of least privilege limit who can see personal data. That directly supports the GDPR requirement to ensure confidentiality and to prevent unauthorised access. Operational security. Logging, malware protection, backup and secure configuration keep personal data accurate, available and resistant to compromise. These map cleanly onto the integrity and availability expectations in Article 32. Techniques such as data masking for GDPR and ISO 27001 also sit within this space, reducing exposure without sacrificing operational utility. Incident management. A defined process for detecting and handling security events gives you the evidence trail and the response capability you need to

Read more