
In this episode of Exploring Standards, host Jess sits down with Tobias Mielke, Global Product Manager at TÜV Nord, to explore one of the most overlooked dimensions of information security - culture. While many organisations treat ISO 27001 as a compliance checkbox, Tobias makes the case that the standard is actually a powerful framework for embedding security into the DNA of your organisation. From phishing emails to access controls, real security starts with how people think and behave when no one is watching.
What You'll Learn
- What ISO 27001 is and why every organisation, regardless of size or sector, needs to take information security seriously
- The difference between having security policies and actually having a security culture
- Why leadership buy-in isn't just helpful but essential for any ISMS to succeed
- How the risk assessment process helps employees understand their personal role in protecting information
- Which Annex A controls typically require the biggest cultural shift (and why access management and incident reporting top the list)
- How to embed security controls into daily habits rather than treating them as annual compliance exercises
- The real-world external benefits of a strong security culture, from customer trust to commercial advantage
- How to measure whether your security culture is genuinely improving, not just audit-ready
- The single most important first step any organisation can take tomorrow to start building a real security culture
Key Takeaway
Security culture isn't built through policy documents; it's built through people. When leadership visibly champions information security as a business priority, and when employees understand the why behind the controls, ISO 27001 transforms from a compliance label into a practical roadmap for lasting organisational change.
About Tobias
Tobias Mielke is Global Product Manager at TÜV Nord Group, based in Germany, where he oversees the technical development and ongoing support of a portfolio of management system standards, including ISO 27001 (Information Security Management Systems), ISO 27701 (Privacy Information Management), ISO 22301 (Business Continuity Management), and ISO 42001 (AI Management Systems). In addition to his product management role, Tobias works as an ISO Lead Auditor for information security and related standards, with hands-on experience certifying organisations across multiple sectors, including critical infrastructure.
Connect with Tobias:
Website: https://www.tuv-nord.com/uk/en/
LinkedIn: www.linkedin.com/in/tobiasmielke
Connect with Assent:
LinkedIn: https://www.linkedin.com/company/associate-enterprises-ltd-t-a-assent/
Facebook: https://www.facebook.com/assentuk
YouTube: https://www.youtube.com/channel/UCWw6ny-YyfkxdGm7ig4yFoQ
Instagram: @assentriskmanagement
Subscribe for more episodes exploring standards, compliance, and governance topics!