Insights


2026 Progress So Far For Sampson ISO Audit & Consult Ltd
It's been an extremely busy start to the year at Sampson ISO Audit & Consult Ltd — barely a moment to breathe. So I thought it sensible to take stock of what we've achieved, how we've delivered it, and where we want to go for the rest of the year.
Daniel Sampson
Mar 19 · 3 min read


Don’t Panic! Your Risk Focused ISO Audit Preparation Checklist
Receiving notice of an upcoming ISO audit often triggers a wave of anxiety for organisations that haven't been through the process before. Quite commonly, ISO audit preparation involves a last-minute scramble to update documentation and review procedures, prompting an all-hands-on-deck approach.
Daniel Sampson
Mar 17 · 4 min read


Internal Audit in the Age of AI: How Risk Assurance Is Changing in 2026
The year 2026 marks a tipping point for risk assurance globally. With the EU AI Act in full effect and ISO/IEC 42001 set to become the global benchmark for trust, it’s quite telling that the traditional once-a-year internal audit has become obsolete and not fit for purpose in today’s ever-changing world.
Daniel Sampson
Mar 12 · 3 min read


Internal Audit vs External Audit: What’s the Difference and Why It Matters
In my experience as a Lead Auditor, I’ve seen many organisations approach ISO 27001 risk assessment as a creative writing exercise. They’ll start by building a massive spreadsheet, filling it with ‘low, medium, high’ labels and hope I don't look too closely at the underlying detail.
But in 2026, with cyber threats evolving at machine speed, auditors have had to change their approach to adjust to a much more threatening landscape. What we’re not looking for is a perfect list
Daniel Sampson
Mar 10 · 3 min read


Beyond the Checklist: 7 Top ISO 27001 Audit Findings and How to Avoid Them
For many organisations I’ve worked with, I’ve found that an ISO 27001 audit can be a source of anxiety and worry. But after years of working as a Lead Auditor, I’ve realised that most major non-conformities don't actually stem from a lack of technology, but from a lack of risk assurance culture.
Daniel Sampson
Mar 6 · 3 min read


NIS2 vs ISO 27001: What UK Businesses Must Do to Stay Compliant in 2026
As alluded to in earlier articles, the "Brussels Effect" has now come into play and is dictating laws, standards and policies globally. Even though the UK is outside the EU, NIS2 (the Network and Information Security Directive 2) is directing terms for any British firm serving European markets or acting as a critical supplier. So if you thought ISO 27001 was enough to keep the regulators at bay, it's time for a reality check.
Daniel Sampson
Feb 10 · 2 min read


ISO 27001 Explained: How Risk Based Audits Protect Your Business
In the modern digital economy, data is the most valuable asset an organisation holds, and the most targeted. For CISOs, CTOs and compliance leads, achieving ISO 27001 certification is a landmark achievement. However, the real challenge in 2026 isn't just getting certified; it’s ensuring that your security posture remains resilient against an ever-evolving threat landscape.
Daniel Sampson
Jan 27 · 3 min read


What Is Risk Assurance? Why ISO-Certified Businesses Need it in 2026.
Risk assurance is the structured process of providing confidence to stakeholders that risk controls are effective, proportionate and operating as intended. Unlike traditional audits, which assess compliance at a fixed point in time, risk assurance is forward-looking and ongoing.
Daniel Sampson
Jan 22 · 3 min read