ISO 27001 vs. Hackers: Lessons from Marks & Spencer
- russell844
- 19 hours ago

In April 2025, British retail giant Marks & Spencer (M&S) fell victim to a major cyberattack that disrupted critical parts of its operations. Customers across the UK experienced service failures in click-and-collect, online orders, and contactless in-store payments, with the disruption lasting over three weeks.
The attack is widely attributed to Scattered Spider, a sophisticated hacker group known for targeting large enterprises with ransomware, social engineering, and supply chain attacks. The fallout from the breach was significant - M&S reportedly lost an estimated £4 million in daily sales, faced a substantial dip in share value, and endured a serious blow to customer confidence.
This incident highlighted an uncomfortable truth: even the most established brands with digital maturity are vulnerable to evolving cyber threats. It also served as a stark reminder of the real-world consequences of gaps in information security.
Had M&S implemented and fully embedded the practices outlined in ISO 27001:2022, the internationally recognised standard for Information Security Management Systems (ISMS), the impact of the attack could have been significantly reduced - or potentially avoided.
Understanding ISO 27001:2022 and Why It Matters
ISO 27001:2022 provides a comprehensive framework for managing information security risks. It enables organisations to protect their data assets through a structured and risk-based approach that covers people, processes, and technology.
The standard ensures that:
- Information is kept confidential (only accessible to authorised individuals)
- Data integrity is maintained (no unauthorised changes)
- Information is available when needed (ensuring business continuity)
Importantly, ISO 27001 is not just for IT departments - it’s a company-wide standard that requires board-level engagement, cross-department collaboration, and continual oversight.
How ISO 27001 Could Have Helped M&S
1. Risk Assessment and Threat Identification
One of the core requirements of ISO 27001 is to identify information security risks proactively. For a retailer the size of M&S - managing everything from e-commerce platforms and payment systems to customer loyalty databases - this would involve mapping out every asset, vulnerability, and potential attack vector.
The attack on M&S reportedly exploited both supply chain access points and social engineering techniques - areas that may have been better protected under a certified risk assessment framework.
2. Supplier and Third-Party Security Management
Retailers depend heavily on external providers - especially for online infrastructure, cloud services, and payment gateways. ISO 27001 places strong emphasis on managing supplier risk, requiring organisations to assess third-party security controls, enforce contractual obligations, and monitor supplier performance.
Had M&S followed ISO 27001 clauses related to A.5.19 (supplier relationships) and A.5.23 (third-party service delivery management), it might have identified and addressed vulnerabilities introduced by outsourced systems before attackers exploited them.
3. Incident Response and Recovery Planning
Clause A.5.29 of ISO 27001 focuses specifically on information security incident management. It requires organisations to establish clear procedures for detecting, reporting, and responding to breaches.
With this in place, M&S would have had a well-rehearsed incident response plan, complete with:
- Roles and responsibilities during a breach
- Communication protocols to minimise confusion
- Recovery playbooks to bring systems back online faster
This could have significantly reduced the downtime experienced by customers and limited the reputational fallout.
4. Business Continuity and Operational Resilience
The extended disruption M&S faced showed just how reliant retail operations are on digital infrastructure. ISO 27001 requires integration with business continuity planning, ensuring that even in the face of a cyberattack, key operations can continue.
Clauses such as A.5.30 (ICT readiness for business continuity) and A.5.34 (redundancy of information systems) aim to minimise downtime, maintain customer service, and protect critical revenue streams.
Rebuilding Trust After a Breach
One of the most damaging effects of a high-profile breach is the erosion of customer trust. For brands like M&S, which have built their reputation on reliability and customer care, a breach can undermine decades of goodwill.
Achieving and publicly promoting ISO 27001 certification can help rebuild trust by demonstrating that the organisation:
- Takes information security seriously
- Has implemented globally recognised best practices
- Is committed to continuous improvement and transparency
More than just a badge, ISO 27001 sends a strong message to customers, regulators, and investors alike.
The Bigger Picture: Why Other UK Businesses Should Take Note
M&S is not alone. The UK has seen a significant rise in cyber incidents in 2025, with organisations across finance, retail, legal, and education facing ransomware, phishing, and data theft. The National Cyber Security Centre (NCSC) continues to warn businesses of increasing cyber sophistication and supply chain vulnerabilities.
For any business that stores personal data, processes payments, or delivers services online, ISO 27001 is no longer a "nice to have" - it’s essential.
Implementing ISO 27001:
- Reduces the risk of security breaches
- Enhances internal awareness and accountability
- Improves data governance and regulatory compliance (e.g., UK GDPR)
- Strengthens procurement positioning, as many clients now demand ISO certification from suppliers
Conclusion: The Cost of Inaction Is Now Measurable
The 2025 cyberattack on Marks & Spencer offers a clear lesson: even trusted, tech-savvy brands can be caught off guard without a robust ISMS in place.
With ISO 27001:2022, UK organisations have a proven, scalable framework to protect themselves. It not only helps mitigate the impact of cyberattacks but also boosts confidence, strengthens resilience, and ensures continuity in an increasingly digital economy.
In today’s threat landscape, the question is no longer whether your business will be targeted - only whether you’ll be prepared.
Don't wait any longer. Sign up to a Certification Audit with AAA and take the first step towards achieving ISO 27001 certification.