[Reading time: 17 seconds]

Information security is not about technology.

But don’t just take my word for it.

Look at ISO 27001, THE international standard for information security (and the only standard explicitly mentioned in the NIS2 directive, within Recital 79).

Included in the standard are the 93 security controls that every ISO27001-certified organisation must implement at a minimum, unless they can justify why a control doesn’t apply to their specific situation.


Of the 93 security controls, guess how many are technological?

80 out of 93? Wrong.

60 out of 93? Wrong..

40 out of 93? Wrong…

Of the 93 security controls, only 34 are technological controls.


So what?

Whoever is managing your information security, make sure they’re not ignoring the 63% of security controls that have very little to do with technology.

And if you assume your ‘IT people’ are covering all of this for you, you may find your assumption is wrong.

(PS I am currently helping a few businesses to align more closely to ISO27001, and guiding one towards certification. If you want to have a conversation about whether this standard is a good fit for you, you know where I am.)