Insights

It's been an extremely busy start to the year at Sampson ISO Audit & Consult Ltd — barely a moment to breathe. So I thought it sensible to take stock of what we've achieved, how we've delivered it, and where we want to go for the rest of the year.

For many organisations I’ve worked with, I’ve found that an ISO 27001 audit can be a source of anxiety and worries. But after years of working as a Lead Auditor, I’ve realized that most major Non Conformities don't actually stem from a lack of technology, but come from a lack of Risk Assurance culture.

In my experience as a Lead Auditor, I’ve seen many organisations approach ISO 27001 risk assessment as a creative writing exercise. They’ll start by building a massive spreadsheet, filling it with ‘low, medium, high’ labels and hope I don't look too closely at the underlying detail. But in 2026, with cyber threats evolving at machine speed, auditors have had to change their approach to adjust to a much more threatening landscape. What we’re not looking for is a perfect list