Executive Summary
Post-quantum cryptography is not an immediate technical problem, but it is an emerging information risk. The most credible concern is not future system outages, but long-term data confidentiality, where encrypted information accessed today could be decrypted years later as quantum capabilities mature.
Cloud providers are planning for this transition, but organisations remain accountable for understanding which data must remain confidential over the long term and how suppliers are expected to manage future change. A proportionate response today is awareness, supplier assurance, and crypto agility, not a technology programme.
For cloud-first organisations, the priority is having a clear, defensible position that can be explained to clients, auditors, and boards, rather than taking action prematurely.
Why cloud-first organisations still need to pay attention
Quantum computing is no longer a purely academic topic. While practical, large-scale quantum computers are not yet available, the direction of travel is clear enough that governments, standards bodies, and security authorities are starting to issue guidance.
For most organisations, particularly those that are cloud-first, the immediate reaction is often the same: this feels interesting, but surely it is a problem for cloud providers to deal with.
That assumption is only half right.
Why this topic is appearing on risk agendas now
The concern is not that quantum computers will suddenly make today’s systems unusable overnight.
The more credible risk scenario is often referred to as “harvest now, decrypt later”.
Encrypted data can be copied today and stored indefinitely. When quantum capabilities mature, that data could be decrypted years after it was originally accessed. If information needs to remain confidential for the long term, the exposure already exists, even if no technical compromise is visible today.
This is why post-quantum cryptography is appearing in assurance discussions now, despite quantum computing not yet being operational at scale.

The real risk is long-term confidentiality
Post-quantum risk is often framed as a future technical problem. In reality, it is a present-day information risk.
This is not about outages or sudden system failures. It is about whether information you hold today will still be protected years from now.
For many organisations, that includes:
- Client contracts and transaction records
- Legal correspondence and privileged material
- Valuation data and commercially sensitive reports
- Personal data with long regulatory or ethical expectations
If that information were accessed today and decrypted in the future, the impact could still be material, even if systems continued to operate normally at the time.
From a risk management perspective, this is why awareness matters now.
Cloud-first does not mean risk-free
Cloud providers are actively planning for post-quantum transitions. That is expected and reassuring.
However, organisations still own the information risk.
You decide what data you hold, how long it must remain confidential, and which suppliers you trust to process or store it. Using the cloud does not remove accountability for understanding where cryptography is relied upon, particularly where long-term confidentiality is required.
In practice, most organisations should be able to answer a small number of straightforward questions:
- Which data types need to remain confidential for many years?
- Where is cryptography relied upon to protect that data?
- Are key suppliers planning for post-quantum transition?
These are governance questions, not engineering ones.

What good practice looks like today
Guidance from the UK National Cyber Security Centre is deliberately pragmatic.
There is no expectation to deploy post-quantum cryptography today. No immediate technical change is required. Instead, the emphasis is on preparation and good practice.
Key themes include:
✅ Understanding where and how cryptography is used
✅ Avoiding brittle or hard-coded cryptographic implementations
✅ Building “crypto agility”, the ability to transition algorithms over time
✅ Relying on suppliers who can articulate clear post-quantum roadmaps
This is about being ready for change, not reacting prematurely.
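The contrast between a brittle, hard-coded implementation and a crypto-agile one is easiest to see in code. The following is an added illustration, not code from the original article or from any NCSC guidance; it uses only the Python standard library and HMAC integrity tags as a stand-in primitive (the same pattern of an algorithm identifier in every record, a registry in code, and a migration path applies equally to encryption and signature algorithms). The suite names, envelope format and key-derivation label are the example's own assumptions. The `inventory` function also shows how the earlier question of where cryptography is relied upon becomes answerable once records carry their algorithm name.

```python
"""Crypto agility, illustrated with a versioned, algorithm-tagged envelope.

Added example (not from the article). Stdlib only; HMAC integrity tags stand
in for the real primitive. Suite names and the envelope layout are assumed.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


# --- Brittle: the algorithm is baked into both the code and the data format.
# Nothing in the stored bytes says which algorithm produced the tag, so every
# record must be found, re-read and re-written the day SHA-256 is replaced.
def brittle_protect(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest() + data


# --- Agile: algorithms are registered, and every record names its own. ------
@dataclass(frozen=True)
class Suite:
    name: str
    mac: Callable[[bytes, bytes], bytes]  # keyed integrity function
    deprecated: bool = False              # still readable, refused for new records


SUITES: Dict[str, Suite] = {
    s.name: s for s in (
        Suite("hmac-sha1", lambda k, d: hmac.new(k, d, hashlib.sha1).digest(), deprecated=True),
        Suite("hmac-sha256", lambda k, d: hmac.new(k, d, hashlib.sha256).digest()),
        Suite("hmac-sha3-256", lambda k, d: hmac.new(k, d, hashlib.sha3_256).digest()),
    )
}
DEFAULT_SUITE = "hmac-sha256"
ENVELOPE_VERSION = 1


def derive_key(root_key: bytes, suite_name: bytes) -> bytes:
    """Per-suite key separation: each algorithm gets its own derived key, so a
    migrated record never reuses one key under two algorithms."""
    return hmac.new(root_key, b"suite:" + suite_name, hashlib.sha256).digest()


def protect(root_key: bytes, data: bytes, suite_name: str = DEFAULT_SUITE) -> bytes:
    suite = SUITES[suite_name]
    if suite.deprecated:
        raise ValueError(f"{suite_name} is retired for new records")
    alg = suite_name.encode()
    # The tag covers the algorithm identifier as well as the data, so a record
    # cannot simply be relabelled as a different registered suite.
    tag = suite.mac(derive_key(root_key, alg), alg + b"\x00" + data)
    env = {"v": ENVELOPE_VERSION, "alg": suite_name,
           "tag": base64.b64encode(tag).decode(), "data": base64.b64encode(data).decode()}
    return json.dumps(env).encode()


def unprotect(root_key: bytes, blob: bytes) -> bytes:
    env = json.loads(blob)
    if env.get("v") != ENVELOPE_VERSION:
        raise ValueError("unsupported envelope version")
    suite = SUITES.get(env.get("alg"))
    if suite is None:
        raise ValueError(f"unknown suite {env.get('alg')!r}")
    alg = suite.name.encode()
    data = base64.b64decode(env["data"])
    expected = suite.mac(derive_key(root_key, alg), alg + b"\x00" + data)
    if not hmac.compare_digest(base64.b64decode(env["tag"]), expected):
        raise ValueError("integrity check failed")
    return data


def accepts(root_key: bytes, blob: bytes) -> bool:
    """True if the record verifies; used to exercise the guards below."""
    try:
        unprotect(root_key, blob)
        return True
    except (ValueError, KeyError):
        return False


def relabel(blob: bytes, new_alg: str) -> bytes:
    """Rewrite only the 'alg' field (test helper for the relabelling guard)."""
    env = json.loads(blob)
    env["alg"] = new_alg
    return json.dumps(env).encode()


def algorithm_of(blob: bytes) -> str:
    return json.loads(blob)["alg"]


def active_suites() -> List[str]:
    return [s.name for s in SUITES.values() if not s.deprecated]


def migrate(root_key: bytes, blob: bytes, target_suite: str) -> bytes:
    """Verify under the record's current suite, re-protect under the target."""
    return protect(root_key, unprotect(root_key, blob), target_suite)


def inventory(blobs: Iterable[bytes]) -> Dict[str, int]:
    """Records per algorithm: answerable only because each record names its suite."""
    counts: Dict[str, int] = {}
    for blob in blobs:
        counts[algorithm_of(blob)] = counts.get(algorithm_of(blob), 0) + 1
    return counts


if __name__ == "__main__":
    root = b"\x01" * 32  # constructed demo key, not a real secret
    old = protect(root, b"contract #1", "hmac-sha256")
    new = migrate(root, old, "hmac-sha3-256")
    print(inventory([old, new]))
```

Three design points carry the "agility" here: the algorithm name lives in the data rather than the code, so old records stay readable while new ones move on; deprecated suites can be read but not written, which is how a transition is phased rather than forced; and the tag binds the algorithm name, so the flexibility does not become a way to quietly weaken a record.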
How this fits into ISO 27001 and risk management
From an ISO 27001 perspective, post-quantum cryptography fits naturally into external context, technological change, and emerging risk.
It does not introduce new controls and does not mandate remediation today.
A proportionate response today is simply to:
✅ Recognise post-quantum risk as an emerging information risk
✅ Consider it in relation to long-term data confidentiality
✅ Ensure supplier assurance and cloud strategy take future transition into account
✅ Review periodically as standards and guidance mature
Being able to evidence awareness and a reasoned position is increasingly important, particularly as clients and auditors start asking questions.
What we are seeing in practice
Most early client conversations are exploratory rather than urgent.
Questions tend to sound like:
- “Is this something we should be worried about?”
- “Does our cloud strategy cover us?”
At this stage, the right response is rarely a technical programme. It is a clear explanation of how the organisation is monitoring the issue, what data could be affected over time, and how suppliers are expected to manage future change.
A sensible takeaway
Post-quantum cryptography is not an immediate problem to solve, but it is an emerging risk to understand.
For cloud-first organisations, the focus should be on awareness, supplier assurance, and future-proofing rather than action today. Handled proportionately, it becomes another example of good risk management, not unnecessary complexity.
Ready to build crypto agility into your assurance approach?
Post-quantum risk doesn’t require a project today, but it does need a clear position, visibility of dependencies, and confidence in your suppliers.
