
ISO/IEC 27001 Webinar
Preparing Businesses for a Secure Digital Future Hosted by Risk Associates in Collaboration with P@SHA and RACERT
In collaboration with the Pakistan Software Houses Association (P@SHA) and RACERT, Risk Associates hosted a live webinar designed to help Pakistan’s software and technology industry understand the practical value of ISO/IEC 27001, the globally recognised standard for Information Security Management Systems (ISMS). Led by Risk Associates’ CEO/Country Head for Pakistan, Naveed Naqvi, alongside Director of Professional Services Usman Vaseer, the session covered everything from what ISO/IEC 27001 actually means for a software house, to how certification works, and what realistic implementation looks like. The session addressed common misconceptions, real-world challenges, and actionable next steps.
P@SHA’s Industry Engagement lead Kavar Mahmud opened the session before handing over to the Risk Associates team. Naveed Naqvi, with 22+ years of experience spanning KPMG, banking (as CISO of HBL Metropolitan Bank for 10 years), and cybersecurity consulting, introduced himself and the firm. Risk Associates operates globally with headquarters in Australia and a significant presence in Pakistan, Middle East, and Southeast Asia. Usman Vaseer (Director of Professional Services) at Risk Associates and Salman Rizvi (Senior Lead Auditor) at RACERT also introduced themselves before the technical session began.
The session introduced six ISO management system standards particularly relevant to software and technology companies:
- ISO/IEC 27001: Information Security Management System (ISMS). The primary focus of this webinar and the most widely adopted security standard globally.
- ISO/IEC 27701: Privacy Information Management, often combined with ISO 27001 for a joint certification.
- ISO/IEC 42001: AI Management System (AIMS). Published in 2023, relevant for organisations using AI tools and automation.
- ISO 22301: Business Continuity Management, covering recovery from cyberattacks, ransomware, and natural disasters.
- ISO/IEC 20000: IT Service Management, focused on IT process quality.
- ISO 9001: Quality Management System; the foundational management standard that underpins all other ISO frameworks.
All six share the same 10-clause High Level Structure, which means organisations can pursue multiple certifications without building everything from scratch each time.
The session explained the Plan-Do-Check-Act (PDCA) cycle, the engine behind any ISO management system:
- Plan: Define your risk assessment, security objectives, controls, roles, and documentation.
- Do: Implement controls and processes as planned.
- Check: Monitor through internal audits, KPI reviews, and management reviews.
- Act: Address findings, close gaps, and drive continual improvement.
ISO/IEC 27001 is not a one-time achievement. It is an ongoing cycle that strengthens your security posture year after year; phishing was highlighted as a practical example of the kind of recurring threat this cycle is meant to keep in check.
Usman Vaseer addressed a common question: if regulators like SBP already have their own requirements, why pursue an international standard?
The answer: ISO/IEC 27001 is a flexible, globally recognised framework that satisfies multiple regulatory requirements at once. It is acceptable to regulators across Australia, Europe, the Middle East, and increasingly in Pakistan. For software houses, the benefits are concrete:
- Winning enterprise and government contracts that list ISO/IEC 27001 as a mandatory RFP requirement
- Meeting SBP IT Security Guidelines for clients in the banking sector
- Satisfying NEPRA, OGRA, PTA, and other sector-specific regulators
- Building trust with international clients and partners around data protection
- Demonstrating that your organisation handles confidential client data securely, a critical factor for software development companies
The broader point: certification is not about proving it to yourself. It is about proving it to everyone else: your regulators, your enterprise clients, and your international partners.
Before walking through the process, Usman explained the structural foundation of ISO/IEC 27001. Like all ISO management system standards, it follows a 10-clause High Level Structure:
- Clauses 1–3: Scope, normative references, and terms and definitions
- Clause 4: Context of the organisation
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement
Clauses 4 to 10 form the core of the management system; these are what an organisation implements, maintains, and gets audited against.
The certification journey then follows these steps:
- Define scope: Determine which systems, locations, and processes fall within your ISMS.
- Risk assessment: Identify and evaluate your information security risks.
- Statement of Applicability (SoA): Select relevant controls from ISO/IEC 27001’s Annex A and formally document any exclusions with justification.
- Implement controls: Across people (HR policies), processes (access management, incident response), and technology (DLP, password policies).
- Internal audit: Conducted by a trained internal auditor or external consultant prior to the certification audit.
- Stage 1 & Stage 2 external audit: Performed by an accredited certification body such as RACERT (UKAS-accredited).
- Surveillance audits: Annual reviews to confirm the ISMS remains effective and maintained.
- Recertification: A full audit cycle repeated every three years.
One of the most discussed pain points was the lack of internal resources and expertise. The session outlined several available solutions:
- Consultancy support: Consultants conduct gap analysis, build documentation, and guide implementation alongside your team.
- Internal audit training: A certified ISO/IEC 27001 Lead Auditor can be trained internally to handle ongoing audit functions.
- Virtual CISO (vCISO): A cost-effective and globally accepted solution for organisations that cannot hire a full-time Information Security Officer. Risk Associates offers both vCISO and fractional CISO services.