How ISO 27001 Can Help Banks And Suppliers Establish Operational Resilience
From April 2022, banks active in the United Kingdom will be required to test the resilience of their operations to cyber threats, as stated by the Bank of England’s Prudential Regulation Authority (PRA).

The letter to CEOs, published on January 12th, outlines key priorities for international banks active in the United Kingdom, stating: “We expect firms to develop their security controls and capabilities to manage the increasing risk of cyber threats, as set out in Supervisory Statement (SS) 1/21. We encourage all firms, regardless of size, to test their resilience against such threats.”
By the end of March 2022, banks will need to have:
| PRA requirement (by end of March 2022) | How ISO 27001 addresses it |
|---|---|
| Identify and map important business services | Build the ISO 27001 asset register of informational and physical assets |
| Set impact tolerances for these | Score the likelihood and impact of each risk in a risk assessment |
| Initiate a programme of scenario testing | Apply security controls, assign tasks and re-evaluate risk scores |
So, how can ISO 27001 certification help?
{{snapshot}}
PRA resilience rules at a glance
- From April 2022, banks active in the UK must test the resilience of their operations to cyber threats, under the Bank of England’s PRA.
- By end of March 2022 banks had to map important business services, set impact tolerances and start scenario testing.
- Much of the ISO 27001 certification process maps directly onto these requirements — see the ISO 27001 hub for the full checklist.
{{/snapshot}}
The ISO 27001 certification process
ISO/IEC 27001:2013 provides a framework to help businesses from any industry, and from small operations to multinational corporations, protect their information. This is done by implementing an Information Security Management System (ISMS) and a related set of policies and procedures.
1. Identifying and mapping important business services: Asset register
The very nature of the ISO 27001 standard means that businesses seeking certification must identify and map their important business services, as stated in the PRA letter to CEOs. This forms the ISO 27001 asset register, and must include informational assets as well as physical – for example HR cabinets, offices and warehouses, removable media, application software and more.
2. Set impact tolerances: Risk assessment
Once the asset register is complete, the business attempting ISO 27001 certification must undertake thorough risk assessments for each asset. One way to approach this is to score the likelihood and impact of each risk that has been identified to generate an overall risk score, as seen on the matrix below:

3. Initiate a programme of scenario testing: Tasks, policies and procedures
The business will then need to set up actions to manage and reduce each risk. This could be by applying security controls, such as controls for the management of access rights of users. Risks can then be reevaluated with new scores once controls are in place.
Tasks should be assigned across the organisation where relevant, for example reading a clear desk policy so all staff are aware this is part of their obligation to protect sensitive information.
{{snapshot}}
How ISO 27001 maps to the PRA letter
- Asset register: ISO 27001 requires businesses to identify and map important services — informational and physical assets alike.
- Risk assessment: scoring the likelihood and impact of each risk mirrors the PRA’s impact-tolerance requirement.
- Controls and tasks: applying security controls and assigning tasks delivers the PRA’s scenario-testing programme.
- Certified companies must also recertify annually, keeping information security continuously up to date.
{{/snapshot}}
How does this apply to the PRA letter to bank CEOs?
As outlined above, much of the ISO 27001 certification process applies directly to the requirements for banks operating in the UK set out by the PRA. ISO 27001 certified companies must also recertify annually, ensuring that their approach to information security is regularly considered and updated.
Hicomply’s software is designed to aid this process, providing businesses with the tools to:
- Develop the scope of their ISMS;
- Generate and manage an asset register;
- Automatically link and integrate risks and risk assessments to those assets;
- Automatically assign tasks to relevant owners or company-wide;
- Securely implement and manage policies;
- Prepare for an external audit.
This reduces the time and manual effort of becoming ISO 27001 certified significantly, and will allow banks to demonstrate the ongoing process of “developing dynamic, effective operational risk and control frameworks to manage the threat of operational disruptions” in line with PRA requirements.
{{snapshot}}
Tools banks can lean on
- The right software helps banks develop ISMS scope, generate an asset register and link risks and assessments automatically.
- Tasks are assigned to owners or company-wide, policies managed securely, and teams are prepared for an external audit.
- This reduces the time and manual effort of becoming ISO 27001 certified — speed up prep with free compliance tools.
{{/snapshot}}
How will the PRA requirements impact bank suppliers?
While banks themselves will be primarily responsible for ensuring risks from third-party suppliers are managed, the new requirements are also likely to impact how banks assess their partners and suppliers. In these instances, ISO 27001 can help suppliers to assure banks that operational risk – and the mitigation of risk – is taken seriously.
To learn more about how Hicomply can help banks and their suppliers obtain ISO 27001 certification and comply with the January 2022 PRA requirements, get in touch or book a demo.
{{snapshot}}
What Hicomply recommends
Operational resilience is not a one-off project — the PRA expects firms to keep developing dynamic, effective risk and control frameworks, which is exactly what an always-on ISMS delivers. We recommend banks and their suppliers treat ISO 27001 as the shared backbone: the asset register, risk assessments and controls that satisfy the certification are the same evidence that reassures a bank about a supplier’s risk posture. Take a platform tour to see how continuous, audit-ready compliance keeps annual recertification from becoming a scramble.
{{/snapshot}}
Useful links
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.




