InfoSec & Cyber Security Consultancy

There can be little doubt that securing and protecting information is an essential requirement for organisations, irrespective of their market sector or size. The challenge for many organisations, however, is implementing and maintaining a level of information security that is appropriate to them.

This can be achieved by adopting an approach to information security management that is based on continuous improvement and regular review – a management system.

It is important to note that no two information security management systems (ISMSs) will be the same, due to organisational differences in the actual and perceived values of information, business goals, risk appetites, demands by customers/regulators etc.

Your ISMS should be tailored to your organisation, reflecting how you work and the terminology you use, and should be part of business as usual.

We, at URM, are cognisant of these requirements and are dedicated to helping you identify, achieve and maintain your desired levels of information security.

How Do We Achieve This?

Understanding your business goals/objectives

Our first goal is to understand what your organisation’s mission is, what your business objectives are and where information security fits into these.

It is important to assess what the impact would be on your organisation if you suffered a loss of confidentiality, integrity or availability of your key information and to understand what your risk appetite is.

Our approach is based on ensuring that information security is totally embedded and integrated into the day-to-day management of your business and is not some stand-alone function.

Adopting a Risk-Based Approach

This is the area where we believe we can add the greatest value to an organisation. Since 2002, we have been developing and honing our risk assessment methodologies and software tools to enable you to identify, in a scientific but practical and pragmatic manner, where your greatest information-related risks are.

By adopting such an approach, you will be able to save time and money by prioritising and implementing controls (technical, people, policy and process-related) which are appropriate and relevant to you and that bring the greatest benefit.

Specialists in ISO 27001, PCI DSS and Data Protection

Having been involved in implementing ISO 27001, the International Standard for Information Security, since its inception, we believe we have unrivalled insights into the Standard’s requirements and how best to satisfy them.

Our own ISMS has been certified to this Standard since 2008. We strongly believe that with its risk-based approach and emphasis on continuous improvement, ISO 27001 provides an ideal and pragmatic information security framework for any organisation and the perfect internal and external demonstration that you take information security seriously.

Assisting organisations to comply with and certify to this Standard is undoubtedly one of our distinctive competences and we have a track record of over 200 successful projects. We can offer you a service which matches your skills, resource availability, budget, timescales and aspirations.

This includes full lifecycle services or assistance with specific aspects such as identifying and valuing assets, conducting risk assessments, developing policies and processes, conducting audits and developing and delivering security awareness programmes.

URM also regularly holds free seminars on implementing ISO 27001. Case studies of organisations which have been certified against ISO 27001 and have benefited from the assistance of URM can be found here.

Cyber Security Consultancy

Cyber Essentials

Cyber Essentials is a simple yet effective Government scheme that is aimed at helping protect organisations from a range of the most common Internet-based threats. The Cyber Essentials scheme specifies the following 5 basic control areas that all organisations must address in order to achieve certification:

  1. Access control
  2. Secure configuration
  3. Software updates
  4. Malware protection
  5. Firewalls and internet gateways

There are two levels of certification with the scheme, namely Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials requires your organisation to complete an online self-assessment questionnaire which is then assessed and verified by a certification body such as URM.

Cyber Essentials Plus focuses on the same controls, but involves a more robust and independent examination of your IT infrastructure, again by a certification body such as URM.

Whilst acting predominantly as a certification body, URM also has an independent team of consultants who can help you understand the requirements of Cyber Essentials and how to address them.

Phishing Exercise

A growing cyber risk for all organisations is phishing, where fraudsters attempt to access valuable information such as usernames, passwords and account information by masquerading as a reputable entity or person in an email or another communication medium.

Phishing can also involve sending malicious attachments or website links in order to infect computers or mobile devices.

In order to combat the threat of phishing, organisations need to adopt technical solutions backed up by comprehensive staff awareness campaigns designed to increase the likelihood of users spotting a phishing attempt and raising a security incident to enable the organisation to respond accordingly.

A Quick Walk Through Phishing


In order to help organisations assess their users’ awareness of and vigilance towards phishing attempts, and their processing of incoming third-party emails, URM has developed an effective methodology aimed at determining and measuring an organisation’s level of exposure.

Working closely with sponsors from the client organisation, we develop micro websites and a campaign of orchestrated emails aimed at inducing users to open the email, click on a link and provide sensitive information e.g. passwords.

This involves creating initial emails and micro websites that look like the intended email/website and then responding and evolving the campaign as users begin to interact with the emails.

Naturally, the potential impact to the organisation of clicking on unknown links and providing confidential information could be extremely damaging.

At the end of the exercise, through the use of our tracking software, we are able to report back on the number of users who potentially exposed the organisation to the risk of a data breach or to malicious software. Once completed, the results of the exercise can then form a very powerful component of any staff awareness programme.

By referring to the actions of personnel from the actual organisation, cyber risk is no longer an abstract term but something users can practically relate to.
