Zero Trust, devised by John Kindervag, offers a radical approach to network architecture and management. The premise behind zero trust approach is quite simply ‘never trust, always verify’. In practice, this means you need to minimise the line between the outside world and the internal network. In a zero-trust environment, you treat the internal network […]
This week’s top tip looks at a frequently asked question by organisations which are looking to comply or certify to ISO 27001, the International Information Security Standard – ‘what tools will I need to manage an information security management system (ISMS)’. A big concern for many organisations is that implementing an ISMS will lead to […]
We are often asked whether the terms business continuity (BC) and disaster recovery (DR) mean or represent the same thing and if not what are the key differences. This top tip will provide some clarity on the respective definitions and in doing so ensure your organisation is prepared to deal with both BC and DR […]
This week’s top tip looks at the key considerations when accepting card payment via phone. For many organisations accepting card payment via phone is just ‘business as usual’, for others it’s one of those things that is done as a back-up or an occasional ‘one off’. An example of the latter is online only organisations […]
Are you ready for the unexpected? Here’s some food for thought. Did you know that: ► More than 40% of businesses affected by the Manchester bombing of 1996 went out of business? ► Approximately 18,000 businesses ceased to exist following the attacks of September 11 2001 ► 92 businesses employing 9,500 staff were forced to […]
One of the long-held beliefs underpinning many a password policy is that forcing a regular password change is a good thing. After all, by changing our passwords on a regular basis we might be able to stop an attacker taking advantage of a password they may have discovered. However, by forcing users to change […]
This is the question of the week, what is the difference between a certified and a compliant ISO 27001 management system? There is some confusion about the difference between having an information security management system (ISMS) which is certified to ISO 27001 and one which is compliant or aligned to the Standard. This week’s top […]
This week’s top tip looks at the requirement within both the DPA 2018 and the GDPR to verify the identity an individual making a request before acting or releasing information. Our clients are regularly raising questions and concerns with our consultants along the lines of ‘what do I need to do?’ Let’s start by […]
The information security controls that all organisations need to implement are heavily dependent on the information being stored, processed or transmitted and the purpose of the processing. For example, whilst regular penetration testing may be appropriate for some organisations, it may not be required for others. This is where risk management kicks in. Best practice dictates that you need to identify the risks that your organisation faces before proceeding with the implementation of appropriate controls to reduce these risks to a level which is acceptable to your stakeholders. Risk appetite will typically be defined by directors, shareholders or regulators along with compliance […]
Are Standard Contractual Clauses Sufficient? This week’s top tip looks at a very specific area of GDPR – Article 28 to be precise and data transfer outside of the EEA. One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard contractual clauses (SCCs). Article 28 mandates […]