Insights


Don’t Panic! Your Risk Focused ISO Audit Preparation Checklist
Receiving notice of an upcoming ISO audit often triggers a wave of anxiety for organisations that haven't been through the process before. Quite commonly, ISO audit preparation involves a last-minute scramble to update documentation and review procedures, prompting an all-hands-on-deck approach.
Daniel Sampson
Mar 17 · 4 min read


Internal Audit in the Age of AI: How Risk Assurance Is Changing in 2026
The year 2026 marks a tipping point for risk assurance globally. With the EU AI Act in full effect and ISO/IEC 42001 set to become the global benchmark for trust, it’s quite telling that the traditional once-a-year internal audit has become obsolete and not fit for purpose in today’s ever-changing world.
Daniel Sampson
Mar 12 · 3 min read


Internal Audit vs External Audit: What’s the Difference and Why It Matters
In my experience as a Lead Auditor, I’ve seen many organisations approach ISO 27001 risk assessment as a creative writing exercise. They’ll start by building a massive spreadsheet, filling it with ‘low, medium, high’ labels and hope I don't look too closely at the underlying detail.
But in 2026, with cyber threats evolving at machine speed, auditors have had to change their approach to adjust to a much more threatening landscape. What we’re not looking for is a perfect list
Daniel Sampson
Mar 10 · 3 min read


Beyond the Checklist: 7 Top ISO 27001 Audit Findings and How to Avoid Them
For many organisations I’ve worked with, I’ve found that an ISO 27001 audit can be a source of anxiety and worry. But after years of working as a Lead Auditor, I’ve realized that most major Non Conformities don't actually stem from a lack of technology, but come from a lack of Risk Assurance culture.
Daniel Sampson
Mar 6 · 3 min read