Your ISO 27001 certificate is gathering dust on a shelf, and the FCA is about to make that an expensive problem. The Financial Conduct Authority's operational resilience rules, set out in Policy Statement PS21/3, came into force on 31 March 2022, and the transitional period in which firms had to become able to remain within their impact tolerances ended on 31 March 2025. The FCA is now in its supervisory and enforcement phase: firms must already be able to demonstrate that they can remain within impact tolerances for their important business services. Information security management is the backbone of that capability. If your ISMS is not aligned to both ISO 27001 and the FCA's SYSC requirements, you are already behind.
The Regulatory Tightrope: Why ISO 27001 Alone Is Not Enough
Many UK financial institutions treat ISO 27001 certification as a compliance end-state. It is not. The standard provides a robust framework for managing information security risks, but the FCA expects more. SYSC 4.1 requires systems and controls that are comprehensive and proportionate to the nature, scale and complexity of the firm's activities, and SYSC 15A (operational resilience) layers the important-business-service, impact-tolerance, mapping and scenario-testing requirements on top. This means your ISMS must be dynamic, tested, and demonstrably effective, not just audited once a year.
The FCA's operational resilience rules demand that firms identify their important business services, set impact tolerances for each, map the people, processes, technology, facilities and information that support them, and conduct scenario testing. Your ISO 27001 risk register, asset inventory and Business Continuity Management (BCM) processes are the operational foundation for this. Without them, you cannot credibly answer the FCA's question: "How do you know you can stay within your tolerance levels when a ransomware attack hits your payment processing system?"
The FCA's published observations on operational resilience from 2023/24 indicate that many firms were still in the "mapping and testing" phase rather than the "embedding" phase. The regulator has made clear that the transitional arrangements have ended. Our team at Pyralink Innovation Ltd sees this daily: firms with ISO 27001 certificates that lack the operational layer the FCA demands. The gap is real, and it is widening.
Step 1: Map Your Important Business Services to the ISO 27001 Scope
Stop treating your ISMS scope as a static document. The FCA requires you to identify your "important business services" (IBS): services whose disruption could cause intolerable harm to your clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of markets. Your ISO 27001 scope statement must explicitly cover the systems, people, and processes that support these IBSs. If your certification scope excludes your payment gateway, trading platform, or core banking system, you have a fundamental misalignment.
How to Execute This Step
Run a gap analysis between your ISO 27001 Statement of Applicability (SoA) and your FCA-mandated IBS map. For each IBS, document the following:
- The supporting information assets and data flows.
- The security controls from Annex A that protect each asset.
- The impact tolerance for the service: the maximum tolerable duration of disruption (and any other metric you use, such as number of customers or transactions affected), stated per severe but plausible disruption scenario.
Update your SoA to include these mappings. This is not a one-off exercise. Review it quarterly as your business services evolve. Our fractional vCISO consultants can help you operationalise this mapping without disrupting your daily operations.
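The cross-check described in this step can be done mechanically once the IBS map and the SoA scope are held as data. The script below is an added illustration, not Pyralink's tooling or part of the original article; the service names, asset identifiers, tolerances and the Annex A references attached to each asset are constructed for the example (the control numbering follows ISO/IEC 27001:2022). It reports, per IBS, the supporting assets that fall outside the ISMS scope and the in-scope assets with no control recorded against them, and then highlights out-of-scope assets shared by more than one IBS, which is exactly the shared-database situation a gap analysis should surface.

```python
"""Cross-check an FCA important-business-service (IBS) map against an
ISO 27001 scope / Statement of Applicability.

Added illustration, not Pyralink's tooling. All data below is constructed:
service names, asset IDs, tolerances and the Annex A controls recorded per
asset are hypothetical (control numbering follows ISO/IEC 27001:2022).
"""
from dataclasses import dataclass, field


@dataclass
class ImportantBusinessService:
    name: str
    impact_tolerance_minutes: int   # maximum tolerable disruption
    assets: list[str]               # supporting information assets


@dataclass
class IsmsScope:
    in_scope_assets: set[str]
    # asset -> Annex A controls applied to it (hypothetical mapping)
    controls_by_asset: dict[str, set[str]] = field(default_factory=dict)


# Constructed example input for a hypothetical firm.
IBS_MAP = [
    ImportantBusinessService("Payment authorisation", 120,
                             ["auth-api", "rds-shared-01", "hsm-cluster"]),
    ImportantBusinessService("Settlement", 240,
                             ["settlement-batch", "rds-shared-01", "sftp-gateway"]),
    ImportantBusinessService("Customer support", 480, ["crm", "telephony"]),
]

SOA = IsmsScope(
    in_scope_assets={"auth-api", "hsm-cluster", "settlement-batch",
                     "sftp-gateway", "crm", "telephony"},
    controls_by_asset={
        "auth-api": {"A.8.5", "A.8.8", "A.8.16"},
        "hsm-cluster": {"A.8.24"},
        "settlement-batch": {"A.8.13", "A.8.16"},
        "sftp-gateway": {"A.5.14", "A.8.24"},
        "crm": {"A.5.15", "A.8.5"},
        "telephony": set(),
    },
)


def gap_analysis(ibs_map, soa):
    """Per IBS: supporting assets outside the ISMS scope, and in-scope assets
    that have no Annex A control recorded against them."""
    report = {}
    for ibs in ibs_map:
        out_of_scope = sorted(a for a in ibs.assets if a not in soa.in_scope_assets)
        uncontrolled = sorted(a for a in ibs.assets
                              if a in soa.in_scope_assets
                              and not soa.controls_by_asset.get(a))
        report[ibs.name] = {
            "impact_tolerance_minutes": ibs.impact_tolerance_minutes,
            "out_of_scope_assets": out_of_scope,
            "uncontrolled_assets": uncontrolled,
        }
    return report


def shared_out_of_scope_assets(report):
    """Out-of-scope assets that support more than one IBS: one gap that can
    breach several impact tolerances at once, so it goes to the top of the list."""
    counts = {}
    for entry in report.values():
        for asset in entry["out_of_scope_assets"]:
            counts[asset] = counts.get(asset, 0) + 1
    return sorted(a for a, n in counts.items() if n > 1)


if __name__ == "__main__":
    result = gap_analysis(IBS_MAP, SOA)
    for name, entry in result.items():
        print(f"{name}: tolerance {entry['impact_tolerance_minutes']} min, "
              f"out of scope {entry['out_of_scope_assets']}, "
              f"no controls recorded {entry['uncontrolled_assets']}")
    print("shared out-of-scope assets:", shared_out_of_scope_assets(result))
```

Run it each quarter against the current IBS map and SoA export; an asset appearing in `shared_out_of_scope_assets` is a scope change to raise at the next management review, not a footnote.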
Step 2: Strengthen Your Risk Management to SYSC Standards
ISO 27001's risk management approach (Clause 6.1.2, information security risk assessment) aligns with the FCA's expectations under SYSC 4.1, but the standard does not prescribe the rigour the FCA expects. The FCA wants to see a risk appetite statement that defines what is "too much risk" for your information security. Your risk register should express impact in terms the board can act on, including financial impact and time against impact tolerance, not just "High/Medium/Low" labels.
Practical Actions for Compliance Teams
- Tie risks to IBSs: Every risk in your register should reference the IBS it threatens and the impact tolerance it could breach. If a risk could push your payment system beyond its four-hour tolerance, it needs immediate board-level attention.
- Add forward-looking threat intelligence: the NCSC's annual review and sector threat-sharing forums such as NCSC's CiSP provide current threat data. Incorporate these into your risk assessment cycles, not just your annual ISO surveillance or recertification audit.
- Test your controls: the FCA expects regular scenario testing against severe but plausible scenarios, and most firms settle on at least annually. A paper-based walkthrough alone is not enough. You must exercise a realistic scenario, such as ransomware, data exfiltration or third-party compromise, and measure whether your technical controls and incident response plan keep you within tolerances.
Our team uses CloudAuditX to automate continuous control monitoring across multi-cloud environments, giving you evidence that controls are working, not just documented.
Step 3: Align Your Incident Response Plan to the FCA’s Reporting Timeline
The FCA's incident reporting rules (SUP 15.3, read with Principle 11) are unforgiving. You must notify the FCA immediately on becoming aware of a matter that could have a serious regulatory impact, which in practice means hours, not days. If personal data is involved, UK GDPR Article 33 separately gives you 72 hours to notify the ICO. Your ISO 27001 incident management process (Annex A 5.24 to 5.28 in the 2022 edition) must be tuned to both clocks. Most firms' incident response plans are written for "as soon as practical," not for "immediately, or explain why not."
Three Critical Changes
- Pre-define reporting criteria: Your incident response playbook must include explicit conditions that trigger FCA notification. Examples: any ransomware event affecting an IBS, any unauthorised access to customer financial data, any system downtime exceeding 50% of your impact tolerance.
- Build a notification checklist: train your incident response team on a standardised template that captures what happened, when it started, which IBSs are affected, what mitigations you have taken, and what the likely impact is. Do not send the FCA a vague email.
- Test the clock: run a tabletop exercise where the team must compile and submit a dummy FCA notification against the real timelines, immediate for the FCA and 72 hours for the ICO where personal data is involved. Most teams fail this on their first attempt because they underestimate the time needed to get board approval and legal sign-off.
Your ISO 27001 internal audit programme should include a specific audit step for incident response timeliness. If your last audit did not check this, schedule a corrective action now.
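The pre-defined criteria, the checklist and the clock from this step can be encoded so the on-call lead does not have to reason from scratch at 3 a.m. The following is an added example, not Pyralink's playbook or code from the original article. The IBS tolerances, the incident records and the 50% early-warning threshold are constructed hypotheticals; the deadlines encode SUP 15.3's "immediately" as the moment of awareness and UK GDPR Article 33's 72 hours for the ICO.

```python
"""Decide whether an incident trips a pre-defined FCA notification trigger,
how long each affected IBS has before its impact tolerance is breached,
and what the reporting clock looks like.

Added illustration, not Pyralink's playbook. IBS tolerances, incidents and
the 50% early-warning threshold are constructed hypotheticals.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed IBS map: service -> impact tolerance in minutes.
IBS_TOLERANCE_MIN = {
    "Payment authorisation": 120,
    "Settlement": 240,
    "Customer support": 480,
}
EARLY_WARNING = 0.5   # firm's own rule: notify once 50% of tolerance is consumed


@dataclass
class Incident:
    summary: str
    started: datetime
    aware: datetime                     # when the firm became aware
    affected_ibs: list[str]
    ransomware: bool = False
    customer_financial_data_accessed: bool = False
    personal_data_breach: bool = False  # starts the UK GDPR / ICO clock


@dataclass
class NotificationDecision:
    notify_fca: bool
    reasons: list[str]
    fca_deadline: Optional[datetime]    # SUP 15.3: immediately on awareness
    ico_deadline: Optional[datetime]    # UK GDPR Art. 33: 72 hours
    minutes_to_tolerance_breach: dict[str, int] = field(default_factory=dict)


def evaluate(incident: Incident, now: datetime) -> NotificationDecision:
    """Apply the playbook's pre-defined notification criteria."""
    reasons, remaining = [], {}
    downtime = (now - incident.started).total_seconds() / 60
    for ibs in incident.affected_ibs:
        tol = IBS_TOLERANCE_MIN[ibs]
        remaining[ibs] = int(tol - downtime)
        if downtime >= EARLY_WARNING * tol:
            reasons.append(f"{ibs}: {downtime:.0f} min disruption exceeds "
                           f"50% of {tol} min tolerance")
    if incident.ransomware and incident.affected_ibs:
        reasons.append("ransomware affecting an important business service")
    if incident.customer_financial_data_accessed:
        reasons.append("unauthorised access to customer financial data")
    notify = bool(reasons)
    fca_deadline = incident.aware if notify else None
    ico_deadline = (incident.aware + timedelta(hours=72)
                    if incident.personal_data_breach else None)
    return NotificationDecision(notify, reasons, fca_deadline, ico_deadline, remaining)


def draft_notification(incident: Incident, decision: NotificationDecision,
                       mitigations: list[str]) -> dict:
    """The checklist fields: what, when, which IBSs, mitigations, likely impact."""
    return {
        "what_happened": incident.summary,
        "started_utc": incident.started.isoformat(),
        "aware_utc": incident.aware.isoformat(),
        "important_business_services_affected": list(incident.affected_ibs),
        "triggers": decision.reasons,
        "mitigations_taken": mitigations,
        "likely_impact": {ibs: f"{m} min until impact tolerance is breached"
                          for ibs, m in decision.minutes_to_tolerance_breach.items()},
        "ico_deadline_utc": decision.ico_deadline.isoformat() if decision.ico_deadline else None,
    }


# Constructed sample incident.
SAMPLE = Incident(
    summary="Ransomware on shared database host; payment authorisation degraded",
    started=datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc),
    aware=datetime(2025, 6, 1, 9, 20, tzinfo=timezone.utc),
    affected_ibs=["Payment authorisation", "Settlement"],
    ransomware=True,
    personal_data_breach=True,
)

if __name__ == "__main__":
    decision = evaluate(SAMPLE, datetime(2025, 6, 1, 10, 10, tzinfo=timezone.utc))
    print(draft_notification(SAMPLE, decision, ["isolated database host", "failed over to standby"]))
```

The value of the early-warning rule is that the decision to notify is taken while there is still time on the clock, instead of after the tolerance is already breached and the conversation with the supervisor has become an explanation.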
Step 4: Implement Continuous Compliance Monitoring
Annual external audits are not enough. The FCA expects you to monitor compliance daily, not when your certification body arrives. This is where most firms trip up. They pass their ISO 27001 re-certification with zero non-conformities, yet six months later they cannot produce evidence of access control reviews or vulnerability patching.
Building a Continuous Monitoring Programme
Use a combination of automated tools and manual reviews to close the gap. For example:
- Automated configuration scanning: Run monthly scans of your cloud infrastructure (AWS, Azure, GCP) against CIS benchmarks. Log all deviations. This is a direct feed into your risk register.
- Quarterly control testing: Manually test a subset of your Annex A controls each quarter. Rotate the selection so every control is tested within 18 months. Document the results as evidence for your management review.
- Monthly management reviews: ISO 27001 requires management review at planned intervals (Clause 9.3). An annual review satisfies the standard but will not satisfy an FCA supervisor who wants to see resilience risk actively governed. Our consultants recommend a monthly standing agenda item for information security metrics: incident counts, risk register changes, training completion rates, and time-to-remediate on scan deviations.
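The programme above only produces usable evidence if scan deviations arrive in the risk register already tied to the IBS they threaten. The script below is an added example and is not CloudAuditX or code from the original article. The resource records imitate the shape of AWS describe-style output but are hand-written; the asset IDs, the IBS tag on each resource and the tolerances are hypothetical, and the check names are descriptive rather than CIS benchmark IDs. It runs a handful of CIS-style checks over the snapshot and orders the resulting findings by severity and then by the tightest impact tolerance, which is the order a management review should read them in.

```python
"""Evaluate a constructed cloud inventory against a few CIS-style checks and
turn each deviation into a risk-register row tied to the IBS the asset supports.

Added illustration, not CloudAuditX. Resource records mimic AWS describe-*
output but are hand-written; asset IDs, IBS tags and tolerances are
hypothetical, and check names are descriptive, not CIS benchmark IDs.
"""
from dataclasses import dataclass

IBS_TOLERANCE_MIN = {"Payment authorisation": 120, "Settlement": 240, "Customer support": 480}

# Constructed inventory snapshot from one scan.
INVENTORY = [
    {"type": "rds", "id": "rds-shared-01", "ibs": ["Payment authorisation", "Settlement"],
     "PubliclyAccessible": True, "StorageEncrypted": True, "BackupRetentionPeriod": 7},
    {"type": "rds", "id": "rds-crm", "ibs": ["Customer support"],
     "PubliclyAccessible": False, "StorageEncrypted": False, "BackupRetentionPeriod": 0},
    {"type": "s3", "id": "settlement-files", "ibs": ["Settlement"],
     "BlockPublicAcls": True, "RestrictPublicBuckets": False, "Versioning": "Enabled"},
    {"type": "s3", "id": "auth-logs", "ibs": ["Payment authorisation"],
     "BlockPublicAcls": True, "RestrictPublicBuckets": True, "Versioning": "Enabled"},
]


@dataclass(frozen=True)
class Finding:
    check: str
    asset: str
    ibs: str
    impact_tolerance_minutes: int
    severity: str


def rds_checks(r):
    """CIS-style database hardening checks (yield check name, severity)."""
    if r["PubliclyAccessible"]:
        yield "rds-not-publicly-accessible", "high"
    if not r["StorageEncrypted"]:
        yield "rds-storage-encrypted", "medium"
    if r["BackupRetentionPeriod"] < 1:
        yield "rds-automated-backups-enabled", "high"


def s3_checks(r):
    """CIS-style object storage checks."""
    if not (r["BlockPublicAcls"] and r["RestrictPublicBuckets"]):
        yield "s3-public-access-blocked", "high"
    if r["Versioning"] != "Enabled":
        yield "s3-versioning-enabled", "low"


CHECKS = {"rds": rds_checks, "s3": s3_checks}


def scan(inventory):
    """One Finding per (deviation, IBS): a shared asset yields one row per service it supports."""
    findings = []
    for r in inventory:
        for check, severity in CHECKS[r["type"]](r):
            for ibs in r["ibs"]:
                findings.append(Finding(check, r["id"], ibs, IBS_TOLERANCE_MIN[ibs], severity))
    return findings


def prioritise(findings):
    """Risk-register order: severity first, then the tightest impact tolerance,
    so a deviation on a two-hour service outranks the same one on an eight-hour service."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.impact_tolerance_minutes, f.asset))


if __name__ == "__main__":
    for f in prioritise(scan(INVENTORY)):
        print(f"{f.severity:6} {f.impact_tolerance_minutes:4} min  {f.asset:18} "
              f"{f.ibs:22} {f.check}")
```

Feed the prioritised rows into the risk register as dated entries and keep the previous month's output; the diff between two scans is the evidence of remediation that an annual certification audit cannot give you.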
Run a free CloudAuditX scan to see how automated visibility can replace manual evidence gathering.
Common Mistakes That Cost Firms Their FCA Readiness
We see the same errors repeatedly. Avoid them:
- Treating ISO 27001 and FCA compliance as separate projects. They are the same system. Your ISMS is the vehicle; FCA requirements are the destination. Align them from day one.
- Writing policies that no one reads. A 150-page information security policy impresses auditors but fails operational staff. The FCA cares about execution, not documentation volume. Create role-specific playbooks instead.
- Ignoring third-party risk. Your cloud provider, payment processor, and even your email hosting service are part of your impact tolerance chain. The FCA expects you to understand these dependencies, hold appropriate contractual terms (SYSC 8 applies to material outsourcing), and have continuity plans for these suppliers. ISO 27001 Clause 8.1 (operational planning and control) and the Annex A supplier relationship controls (5.19 to 5.23 in the 2022 edition) must explicitly cover third-party resilience, not just contract hygiene.
- Failing to involve the board. The FCA’s Senior Managers and Certification Regime (SM&CR) makes the board accountable for operational resilience. Your ISO 27001 management review minutes must demonstrate that the board understands the risks and approves the approach. If the board cannot explain the metrics on the dashboard, you have a governance gap.
Worked Example: A Mid-Sized Payment Processor
Consider a UK-based payment processing firm with £50M annual turnover, a cloud-native platform on AWS, and 150 staff. They hold ISO 27001:2022 certification but have not mapped their ISMS to FCA requirements. Our team conducted a three-week engagement:
- Week 1: We mapped their three IBSs (payment authorisation, settlement, and customer support) to the ISO 27001 scope. We found that two IBSs relied on a shared AWS RDS instance not included in the SoA.
- Week 2: We updated the risk register with financial impact ratings for each IBS. The "Payment Authorisation System" had a tolerance of two hours. A simulated DDoS attack showed they could survive only 45 minutes before breaching tolerance.
- Week 3: We re-architected the incident response plan to include a dedicated FCA notification stream, and we automated monthly compliance scans via CloudAuditX. The board now receives a live dashboard of security posture against both ISO 27001 and FCA tolerances.
The result: they passed their next internal audit, their FCA supervisory engagement was closed with no findings, and they reduced their cyber insurance premium by 12%. This is replicable. Start with a free compliance scanner to see where you stand.
How Pyralink Innovation Ltd Helps You Bridge the Gap
Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). We have built ISMSs for regulated financial firms that meet both ISO 27001 and FCA standards. Our team does not write theoretical frameworks; we implement production-ready systems backed by £5M professional indemnity insurance.
Our core services include:
- ISO 27001 certification support: From gap analysis to certification audit, we align your ISMS to FCA SYSC from the start.
- Fractional vCISO: Starting at £497/month, a dedicated cybersecurity leader who attends your management reviews and ensures operational resilience stays on track.
- CloudAuditX: Our multi-cloud auditing platform automates compliance monitoring, logs control evidence, and produces ready-to-submit reports for ISO auditors and the FCA.
We have also built a free compliance scanner that checks your cloud environment against 200+ controls. Use it now to identify your first five gaps in under ten minutes.
Enforcement Is Here — Act Now
The FCA has made clear that the transitional period has ended. It has published guidance on what "embedded" operational resilience looks like. If you are still building your testing programme, you need to accelerate. An ISO 27001 certification cycle typically takes three to six months. Mapping it to FCA requirements takes another two to four. Scenario testing must have been completed at least once before you present evidence to the regulator.
Start today. Run a free scan of your cloud environment with CloudAuditX to see exactly where your controls fall short of FCA expectations. Then book a free security review with our team. We will walk through your current ISMS, identify the top three gaps, and give you a roadmap to close them before your next supervisory engagement. No fluff, no sales pitch, just actionable advice from consultants who have done this for firms like yours.