July 2019

  • information security controls you should implement, infosec, information security, ISO 27001, International Standards

    Tips from URM – What dictates which information security controls you should implement?

    The information security controls that all organisations need to implement are heavily dependent  on the information being stored, processed or transmitted and the purpose of the processing.  For example, whilst regular penetration testing may be appropriate for some organisations, it may not be required for others.     This is where risk management kicks in.  Best practice dictates that you need to identify the risks that your organisation faces before proceeding with the implementation of appropriate controls to reduce these risks to a level which is acceptable to your stakeholders.  Risk appetite will typically be defined by directors, shareholders or regulators along with compliance […]

  • PCI DSS - The devil is in the…….Diagrams, pci dss, pci ,payment card data security standard , infosec, information security, iso 27001

    PCI DSS – The devil is in the…….diagrams

    When looking at the key success criteria for any PCI compliance programme, there is no disputing the importance attached to accurately scoping the cardholder data environment (CDE).    Within this blog, we are not going to delve into the murky depths of why a network component may be in or out-of-scope (thank goodness I hear you […]

  • Data Transfer, gdpr, data protection , information security, infosec,, infosecurity

    Data Transfer – Are Standard Contractual Clauses Sufficient?

    Are Standard Contractual Clauses Sufficient? This week’s top tip looks at a very specific area of GDPR – Article 28 to be precise and data transfer outside of the EEA. One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard contractual clauses (SCCs).   Article 28 mandates […]

  • Information Assets, Information Security, Infosec, ISO 27001, Infosecurity , International Standards

    Understanding information assets

    Definition of information assets Well, that’s easy, there isn’t one, well at least not one universally accepted definition. ISO/IEC 27000:2018 Overview and vocabulary refers to ‘information asset’ 33 times, but never actually defines it.   A frequently (ab)used definition of an information asset is ‘everything that has a value to the organisation’.  This is the […]

  • Quick and simple BC exercises, practica advice with regards to Business Continuity , ISO 22301 ISO International Standard, , top tip,

    Tips from URM – Quick and simple BC exercises

    In a previous blog we looked at the different types of exercise you can utilise to validate your business continuity approach.  This week’s top tip focuses on the desk check and facilitated discussion.   At the simplest level, within any good business continuity (BC) exercise programme, lie the following two types of exercise:   A […]

  • Onboarding Information Systems

    Essentially, the trick is to identify the security requirements of any new software or…   This week’s blog takes a look at onboarding information systems.  When onboarding is mentioned in terms of information security, typically, most will conclude it’s referring to people, and particularly the starters and leavers process.   However, it is also important […]

  • vulnerabilities vs penetration test , information security , PIC DSS, Infosec , INfosecurity, Payment Card Data Security Standard , vulnerability assessment

    Vulnerability assessment vs. Penetration testing

    Vulnerability assessment  – Penetration testing, can things go wrong? There seems to be a market trend to offer a vulnerability assessment and package it as a penetration testing exercise.   Both are security controls in ISO/IEC 27001: 2013 Annex A and both have distinct purpose and deliverables.  In addition, they both feature quite heavily within the […]

  • ICO fines BA £183m fines can be levied for administrative and governance failures, not just data security breaches. Are you doing enough in reviewing and implementing appropriate information security and privacy management controls to limit the potential impact to your organisation?

    Tips from URM – Reviewing and Implementing Management Controls

    ICO fines BA £183m There are enough articles out there regurgitating the news about the BA data breach which we aren’t going to repeat.  For us the message is simple, and let’s make no bones about it, the Commissioner has enhanced powers under DPA 18/GDPR and clearly intends to use them.   Prior to this […]

  • Business Continuity | Exercise plan for critical activities, business continuity, recovery plan, disaster recovery, iso standards, ISO 22301 ISO INTERNATIONAL STANDARDS

    Exercising your department’s BC Plans

    Exercise plan for critical activities In our previous business continuity (BC) blog, we provided an overview of different types of exercises that will help you identify whether your current BC arrangements are effective in managing a disruptive incident.   That, along with instilling confidence and ‘training’ your teams, is one of the main objectives of running […]

  • PCI DSS compliance, Payment Card Industry Data Security Standard, Payment card industry, Payment card, consultancy, visa, mastercard

    Benefits of PCI DSS Compliance

    Benefits of PCI DSS Compliance In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard. However, this week we will look at what the benefits are of achieving and maintaining compliance….aside from meeting your contractual obligations!   As a rule, all organisations that store, process or […]