This is one of our ‘back to basics’ articles, where we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around the protection of cardholder data (CHD) and sensitive authentication data (SAD) in particular. Bit of a recap first. The PCI DSS is an information security standard for organisations […]
Section 8.2.4 of the PCI DSS v3.2.1 specifies that passwords must be changed at least once every 90 days. In our day-to-day PCI DSS consultancy work, we are frequently asked whether there is any flexibility in extending the period when passwords need to be changed and whether ‘compensating controls’ can be used. The argument […]
This week’s blog takes a look at internal audit. Whilst it is a mandatory requirement of management systems, internal audit can often be the neglected ‘poor relation’. This is particularly true in smaller organisations where the internal audit team consists of ‘volunteers’ who conduct audits as a secondary role to their day jobs. Their line […]
There is no arguing that exercising is an essential part of business continuity (BC) preparedness. The challenge is how best to exercise our business continuity plans (BCPs) or incident management plans (IMPs). This week’s blog is the first in a series of blogs around exercising where we will lay down what we see as the […]
This week we are looking at the rise of phishing attacks and what we should be doing to prevent them. Let’s start with some scary stats!. Verizon’s 2017 data breach report indicated that: 3% of users who receive phishing emails fall for them (whether via a link or an opened attachment) 15% of all unique users […]
In this week’s blog, we are going to look at governance. We are regularly asked, ‘what do you mean by governance?’ or, ‘is information governance the same as IT governance?’ There seems to be a lot of confusion and mispositioning of governance, its role and the different forms. In this blog, we will provide some […]
One area we are often questioned about is scope. How do you identify and then manage your scope? This week’s tip focuses on just that! When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the […]
We are often asked ‘should I start my ISO 27001 programme with a gap analysis or is there a better starting point?’. The answer depends on your goals and knowledge of your current position. This blog will look at which is best and when. When it comes to determining your need for information security controls […]
In previous blogs, we have tackled a number of fundamental ISO 27001 components. One of the most significant is management commitment and this week’s top tip will look at just that. Commitment from your leadership team is absolutely crucial to managing information security within your organisation. In just the same way as pretty much any […]