ISO 27001: The Shield Capita Didn’t Use

  • russell844
  • 4 days ago
[Image: four people smiling at a laptop with a padlock icon on the screen, in an office setting. Caption: "Prevent Costly Breaches ISO 27001".]

In April 2025, the Information Commissioner’s Office (ICO) concluded its investigation into the major cyberattack suffered by outsourcing and IT services giant Capita, confirming significant failings in the company’s information security practices. This breach, which first came to light in March 2023, affected hundreds of organisations across the UK, including the Teachers’ Pensions Scheme, multiple NHS trusts, local authorities, and private companies.


Although Capita initially downplayed the breach, it was later revealed that sensitive personal and commercial data had been exposed, including payroll details, addresses, and financial information. The ICO’s findings in 2025 were damning: Capita had failed to take appropriate technical and organisational measures to safeguard personal data, breaching the UK GDPR.


The breach, its aftermath, and the reputational damage serve as a stark warning for any UK business that handles personal or sensitive information - and reinforce the critical role of ISO 27001:2022, the global standard for information security management systems (ISMS), in preventing similar failures.


What Happened at Capita?

Capita was the victim of a Black Basta ransomware attack, believed to have originated from an unpatched Microsoft Exchange server. The attackers gained access to internal systems, exfiltrated data, and eventually published some of the stolen files on the dark web.

Crucially, Capita had failed to identify and address vulnerabilities in its infrastructure. The server in question had not been patched since 2017. Basic cyber hygiene practices - such as asset inventory management, patching policies, and clear internal responsibilities - were found to be insufficient or completely lacking.


In its April 2025 statement, the ICO noted that Capita's failure to adhere to "widely recognised security measures" exposed the personal data of over 90 organisations, many of which had trusted Capita to manage pensions, payroll, or recruitment services. The breach cost the company millions in remediation, forced multiple client contract terminations, and further eroded public trust in outsourcing providers.


How ISO 27001:2022 Would Have Made a Difference

ISO 27001 offers a comprehensive, proactive framework for identifying, managing, and mitigating information security risks. The clauses and controls outlined in the 2022 version of the standard align precisely with the areas where Capita failed.


Key ISO 27001 controls that directly relate to the incident include:


  • A.5.9 (Inventory of Information and Other Associated Assets): Capita lacked an up-to-date asset inventory, meaning legacy servers were left unmonitored and unsupported.

  • A.5.10 (Acceptable Use of Information and Associated Assets): Without clear usage policies and governance, outdated systems remained active without oversight.

  • A.8.8 (Management of Technical Vulnerabilities): The lack of regular patching and vulnerability scanning on the Exchange server was a central weakness. ISO 27001 requires a documented vulnerability management plan - something that could have prevented this breach.

  • A.5.19-A.5.21 (Supplier Relationships): Capita’s clients were uninformed about the breach for days or even weeks. ISO 27001 ensures that suppliers and partners are contractually bound by information security terms and monitored accordingly.

  • A.5.25 (Information Security Incident Management): The slow detection and response to the attack allowed the threat actors to remain inside Capita’s systems for an extended period. ISO 27001 mandates defined responsibilities, rehearsed response plans, and timely notifications.

  • A.6.3 (Planning of Changes): A lack of formal change management contributed to poor awareness of what systems were active, what data was held, and who was responsible for their maintenance.


Why This Matters to UK Organisations Today

The Capita incident isn’t isolated. The UK’s National Cyber Security Centre (NCSC) continues to warn that ransomware and supply chain attacks are rising across every sector, from manufacturing and education to finance and healthcare. Any organisation - especially those handling personal data or acting as processors for clients - must demonstrate due diligence in information security.


ISO 27001 certification is no longer just a competitive advantage; it is increasingly a requirement from clients, procurement teams, and regulators. It shows that your organisation takes security seriously, has embedded it into its core processes, and is committed to continuous improvement.


For businesses using outsourced service providers, ISO 27001 also helps establish clearer expectations and accountability with suppliers - a vital step in today’s interconnected digital economy.


Let ISO 27001 Be Your Framework for Confidence

Capita’s breach shows how easily years of trust and commercial success can be undermined by poor internal controls and reactive security culture. With ISO 27001:2022, your organisation can move from a passive to a proactive stance, backed by a framework that’s internationally recognised, audit-tested, and fully adaptable to your needs.


At AAA Certification Ltd, we support businesses of all sizes to achieve ISO 27001 certification through a clear, friendly, and expert-led process. Whether you’re just starting out or reviewing your current controls, our approach ensures that certification is more than just a tick-box exercise - it’s the foundation of a secure and resilient business.


Don't wait any longer. Sign up to a Certification Audit with AAA and take the first step towards achieving ISO 27001 certification.
