Shadow IT refers to IT systems, applications, and cloud services that employees use without the knowledge or approval of the IT department. Common examples include personal cloud storage, messaging apps, and SaaS tools. Shadow IT often emerges because official solutions are perceived as cumbersome. The risk: data ends up on uncontrolled systems, security policies are bypassed, and the organisation loses visibility. In an ISMS you counter shadow IT through an up-to-date asset register, regular network scans, and pragmatic IT procurement that fulfils legitimate needs quickly.
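One way to combine the asset register with regular network scans is to reconcile the two in both directions, shown here as an added example that is not part of the original page. The CSV layouts, column names, and all sample rows are constructed assumptions; real register exports and scanner output will differ.

```python
import csv
import io
import re

# Constructed sample data: an asset-register export and one network-scan result.
REGISTER_CSV = """asset_id,mac,owner
A-001,00:1A:2B:3C:4D:5E,IT Operations
A-002,00-1a-2b-3c-4d-5f,Finance
A-003,001A.2B3C.4D60,HR
"""
SCAN_CSV = """ip,mac,hostname
10.0.0.11,00:1a:2b:3c:4d:5e,srv-files
10.0.0.12,00:1A:2B:3C:4D:5F,fin-laptop
10.0.0.57,b8:27:eb:12:34:56,raspberrypi
10.0.0.80,3c:52:82:aa:bb:cc,nas-marketing
"""


def norm_mac(mac):
    """Normalise colon, hyphen and dotted MAC notations to lowercase aa:bb:..."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(register_csv, scan_csv):
    """Return (devices on the network but not registered,
               registered assets the scan did not see)."""
    register = {norm_mac(r["mac"]): r
                for r in csv.DictReader(io.StringIO(register_csv))}
    seen = {norm_mac(r["mac"]): r
            for r in csv.DictReader(io.StringIO(scan_csv))}
    unregistered = [seen[m] for m in sorted(seen.keys() - register.keys())]
    not_seen = [register[m] for m in sorted(register.keys() - seen.keys())]
    return unregistered, not_seen


if __name__ == "__main__":
    unregistered, not_seen = reconcile(REGISTER_CSV, SCAN_CSV)
    for d in unregistered:   # candidates for shadow IT: follow up with the owner
        print(f"UNREGISTERED {d['ip']:<12} {d['mac']} {d['hostname']}")
    for a in not_seen:       # register may be stale, or the asset was offline
        print(f"NOT SEEN     {a['asset_id']} (owner: {a['owner']})")
```

Matching on MAC address only covers devices on the scanned network segment; cloud storage, messaging apps, and SaaS tools do not appear in such a scan and need a different data source.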