In October 2022, a revised edition of ISO 27001 was published. The internationally recognised standard for managing information security was first launched in 2005 and last updated in 2013. Since then, new technologies such as cloud computing have come to dominate the business landscape, bringing new security challenges with them. Global cybercrime costs are estimated to grow by 15% per year, reaching a staggering $10.5 trillion by 2025. The latest revision, ISO 27001:2022, reflects the state of cyber security today, with a view to improving and managing your organisation's resilience to cyber threats and vulnerabilities.
In this blog, we tell you everything you need to know about ISO 27001’s newest improvements, including the key changes, what it means if your business is already certified to ISO 27001:2013, and what to do if you’ve already begun your ISO 27001 implementation.
Remember, preparation is key. If you think you’re approaching readiness to certify against the 2022 edition, invest in an ISO 27001 gap analysis. Clients are also coming to us wanting to start their ISO projects relatively quickly, and they’re wondering whether their certification body is going to be ready. This depends on the certification body, as some are being fast-tracked while others aren’t. Starting with a gap analysis will outline where you are, where you need to be, and give you a handy list of the things you need to achieve to become ISO 27001:2022 ready.
Here’s a rundown of the key amendments to ISO 27001:
The first noticeable change to the standard is its name: ISO/IEC 27001:2022 Information Security, Cyber Security and Privacy Protection. Expanding the name to include ‘cyber security and privacy protection’ better reflects the purpose of the standard, broadening its scope to include the more technical aspects of cyber security, cloud services and threat intelligence, as well as the human elements of privacy protection.
The biggest change to ISO 27001 is the introduction of 11 new controls to Annex A. Annex A defines the controls that can be used to minimise the information security risks identified during the risk assessment process. The new controls reflect changes in technology and the evolution of cyber threats, and address risks that the previous version did not. They include:
Bear in mind that not all controls are mandatory. Certification bodies will allow companies to exclude a control if you’ve identified no related risks, or there are no legal or regulatory requirements to implement a particular control.
The number of controls has been reduced from 114 to 93. They are now split into four themed categories, instead of the previous 14. They are:
The reason for reducing the number of categories is to simplify the implementation of your Information Security Management System (ISMS) and to add clarity to the process. For example, businesses will have different people who are responsible for implementing different sets of controls. Reducing the number of controls, and introducing the four groups to which they belong, makes it easier for the implementation team to understand who inside the organisation is responsible for each set of controls. Though it may seem at first like a minor administrative change, it can have a real impact on the way the standard is implemented.
In broad strokes, ISO 27001:2022 is the same standard as before, with the same aims. However, there have been some minor editorial changes to clauses 4-10, with the revisions designed to offer greater clarity to businesses. This means you need to review both the application of the new controls in Annex A and the clauses themselves, to make sure you have addressed everything. Some particular areas to look at include:
If your organisation is already certified to ISO 27001:2013, your certification will remain valid, and organisations have up to 3 years to transition to the new standard. However, it is worth checking with your certification body, as some may stop certifying to the 2013 version of the standard earlier than this.
Certification bodies themselves will naturally go through a transitional period to ensure a certification scheme exists that aligns with the new changes, while also getting auditors up to scratch with the revised scheme. The formal transition requirements are defined here, and they describe the steps required to transition to ISO 27001:2022.
There’s no need to panic if you’re mid-way through implementation, as you can still certify to the 2013 version until 2025, assuming your chosen certification body allows this. Depending on the timescale of your project, it may be more efficient to certify to ISO 27001:2013 and update to the newer version at a later date. Alternatively, if you are only at the beginning, you could use the new Annex A controls from 27001:2022 and compare these with the 2013 version of the controls in the Statement of Applicability.
This will depend on the length of your project. If you believe you can implement an ISMS within 3-6 months, it is likely that you will end up certifying to the old 2013 standard, as the certification bodies may not be ready to certify to the new version. However, as mentioned above, you could implement the new 2022 Annex A controls and compare these to the 2013 version of the controls in your Statement of Applicability, so that you are already partway towards transitioning to the new standard. If implementation is likely to take longer, it’d be wise to prepare for ISO 27001:2022. Chat with your consultant to gauge the best option for certification.
As Managing Director of Bulletproof, Nicky’s responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares amazing insight that directly helps businesses overcome their security and compliance challenges.