Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

What is Information Security? An Overview

Information is undoubtedly one of an organisation’s most valuable assets, be that client, employee, financial, intellectual property or operational information. It is imperative that these information types are protected to ensure privacy, maintain operational integrity and trust with stakeholders, comply with regulations (such as the GDPR), and safeguard the organisation’s reputation. By implementing robust information security measures, organisations can mitigate risks associated with external threats such as cyberattacks (malware, ransomware and phishing), along with internal threats such as data breaches, unauthorised access and human error.

But where do organisations start in terms of implementing information security?  This is where information security standards fit in.  There are a wide range of standards which can help organisations establish and maintain a comprehensive framework or management system in order to protect their information assets from various threats.  Listed below are some of the more prominent ones.

Overview of Key Information Security Standards

ISO 27001

ISO 27001 is a leading global standard designed to help organisations manage their information security management systems (ISMSs). ISO 27001 is a risk-based standard designed to protect sensitive company and customer information with a set of organisational, physical, people and technological controls. The Standard has wide appeal and can be adopted by organisations of all sizes, from small and medium-sized enterprises (SMEs) to large multinational corporations, and from all market sectors, both public and private. ISO 27001 was updated in 2022, when a number of the mandatory management system clauses were revised to improve alignment with other ISO Annex SL standards, such as ISO 9001 and ISO 22301. The more significant changes, however, were made to the Annex A controls, with the intention of reflecting the evolving nature of cybersecurity threats. With ISO 27001, the ISMS is based on a model of continual improvement, including regular reviews and audits. In order to provide additional assurance to stakeholders, organisations can seek independent assessment through accredited certification bodies and gain certificates that are awarded on 3-year cycles.


Expert support

Having been involved in implementing ISO 27001 since its inception in 2005, URM is adept at supporting organisations in implementing an ISO 27001-conformant ISMS, from conducting gap analyses and risk assessments, through to remediation activities and delivering management system and security control audits.


SOC 2

SOC 2 (or Service Organization Control 2, to give it its full title) is a standard which is tailored to service providers that store customer data in the cloud, ensuring that this data is managed securely. Target service providers include cloud service providers, IT managed service providers, SaaS (Software as a Service) companies, and data centres. SOC 2 is most popular in the United States, where it originated and is widely recognised. However, it is gaining popularity in the UK and other countries with significant technology and cloud service sectors. Companies operating internationally or serving U.S.-based clients often seek SOC 2 compliance to meet market demands and regulatory expectations. The Standard focuses on five trust service criteria: security, availability, processing integrity, confidentiality and privacy, and provides detailed audit reports that assess a service provider's controls in these areas.

How can URM help?

URM can provide a full range of SOC 2 services, from delivering gap analyses and assessing what efforts are required to comply or attest, to preparing organisations for a SOC 2 report (be that Type 1 or Type 2).


PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a niche standard which is designed to secure credit and debit card transactions against data theft and fraud. It includes stringent security requirements such as encryption, access control and regular security testing. The Standard is globally recognised and widely implemented in many countries, and is particularly popular and mandated in regions with significant e-commerce and financial activity. PCI DSS is specifically targeted at any organisation that handles payment card data, including merchants, processors, acquirers, issuers and service providers: effectively any entity involved in processing, storing or transmitting credit and debit card information. In order to validate compliance, organisations must undergo regular assessments. Organisations handling large volumes of transactions (over 6 million per card brand for merchants and 300,000 for service providers) must have their compliance assessed by an independent Qualified Security Assessor Company (QSAC), such as URM, which completes a Report on Compliance (RoC).


Professional help

Apart from conducting RoC assessments and supporting Self-Assessment Questionnaires (SAQs), URM can assist organisations by conducting gap analyses and helping with any PCI DSS implementation or remediation activities.


Gambling Commission RTS

The Gambling Commission (GC) Remote Technical Standards (RTS) serve as a critical regulatory framework for the UK online gambling industry, ensuring that operators maintain high standards of fairness, security and player protection. The GC RTS are specifically targeted at online gambling operators and software providers operating within the UK market. This includes companies offering online casino games, sports betting, bingo and other forms of remote gambling. Compliance with the RTS is mandatory for these operators to obtain and retain their licences from the UK Gambling Commission. The RTS aim to ensure that gambling products and services are fair, secure and reliable, protecting consumers and maintaining the integrity of the UK gambling industry. In terms of security, the RTS mandate that organisations implement robust security controls to protect player data and prevent unauthorised access or cyberattacks.


SWIFT CSP

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Programme (CSP) is aimed at enhancing the security of the SWIFT network, which is used for global financial transactions, in order to prevent, detect and respond to fraudulent activity. The SWIFT CSP is aimed at financial institutions and entities that use the SWIFT network for international banking transactions. As part of the CSP, users are required to submit their attestation of compliance with the SWIFT Customer Security Controls Framework (CSCF) and share it with counterparties. The 2022 version of the CSCF contains 31 controls, of which 22 are mandatory and 9 are advisory. These controls are mapped against international standards such as NIST, PCI DSS and ISO 27002. The 31 controls are based on 3 objectives: ‘Secure your Environment’, ‘Know and Limit Access’ and ‘Detect and Respond’, and are underpinned by 8 principles.

How can URM help?

URM offers a range of SWIFT CSP services, from conducting a review of current cybersecurity posture against the CSCF requirements and identifying gaps, through to remediation support and an independent assessment of policies, processes and business practices against the CSCF requirements.


NIST

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency operating within the U.S. Department of Commerce which plays a pivotal role in setting standards and guidelines for the U.S. technology industry and promoting the safe and secure use of technology in both the private and public sectors. NIST is particularly relevant to U.S.-based organisations but its guidance has also been adopted globally. Notable among NIST’s frameworks are the Cybersecurity Framework (CSF), which provides a set of best practices for managing cybersecurity risks, and the NIST Special Publication (SP) 800 series, which includes detailed guidance on a range of cybersecurity controls and practices, from access control and incident response to physical security and risk management. In February 2024, NIST released v2.0 of the CSF, which introduced a 6th function, Govern, to the Framework Core and expanded its scope to explicitly include all organisations in any sector.

How can URM help?

URM can support organisations by assisting with every step of the 7-step CSF implementation process, or with specific steps including scoping, creating current and target profiles, conducting risk assessments, prioritising gaps and implementing action plans.


CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a U.S.-based standard specifically tailored to address the cybersecurity requirements and challenges faced by the U.S. defence sector. It is designed to ensure that supply-chain contractors working with the U.S. Department of Defense (DoD) implement adequate cybersecurity practices. In order to protect against cyber threats, defence contractors and other organisations that handle controlled unclassified information (CUI) are required to meet a defined set of cybersecurity standards and practices. These measures incorporate best practices from various cybersecurity standards, such as NIST and ISO 27001.

In November 2021, the DoD announced ‘CMMC 2.0’, an updated programme structure with three CMMC maturity levels (Foundational, Advanced and Expert), each building on the previous one, with the highest level requiring organisations to implement advanced and comprehensive cybersecurity practices. Organisations which handle CUI on behalf of the DoD are required to achieve compliance or certification at the level which corresponds to the type and sensitivity of the information being handled.


Professional help

URM’s support services include conducting gap analyses, implementing any identified improvements and supporting the certification audits.


Contact the ISO 27001 Experts Today

Having assisted over 400 organisations to implement an ISMS and then achieve ISO 27001 certification since the Standard’s establishment in 2005, we at URM are the ideal experts and partners to help you certify. With our fully tailored approach, we can support you through each stage of the ISO 27001 management system lifecycle, offering guidance specific to your organisation’s unique requirements.

Get in touch with our information security experts today to find out more.


InfoSec Solutions & Products

One of the key requirements of ISO 27001 is the need for a robust risk assessment process which produces repeatable and comparable results. With its proven, best practice methodology, URM’s information security risk management software, Abriska 27001, enables you to meet this requirement. We can also assist you in increasing awareness among your staff with our expertly designed and engaging learning management system (LMS), Alurna.


InfoSec Training Courses

Our information security and ISO 27001 training courses can help you learn how to manage information security effectively. Our Certificate in Information Security Management Principles (CISMP) training course will prepare you to take the exam administered by BCS (The Chartered Institute for IT), enabling you to gain an industry-recognised qualification. Meanwhile, our Introduction to ISO 27001 Course and ISO/IEC 27001:2022 Transition Course will significantly enhance your ISO 27001 knowledge and professional skillset.


Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management and data protection. The webinars are delivered by our senior consultants, who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials and complying with the GDPR. All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.

Webinar: 5 Steps to Improve Your Supplier Information Security Risk Management

URM presents and discusses 5 key steps you can take to improve your supplier information security risk management.

Webinar: ISO 27001 Implementation and Certification

Webinar aimed at those organisations which are looking to implement ISO 27001 and certify to the 2022 version of the Standard.

Webinar: Transitioning to PCI DSS v4.0

URM’s webinar is aimed at providing valuable advice and guidance on preparing you for a successful transition to PCI DSS v4.0.

Information Security FAQs

What are 4 types of information security?

If we look to guidance from Annex A of ISO 27001, then the answer is organisational, people, physical and technological. The International Standard groups information security controls into these 4 categories. The ‘organisational’ category covers the creation of policies, the assignment of roles and responsibilities, and day-to-day business activities. The ‘people’ category ensures that the most appropriate staff are employed, and that they understand what is expected of them in relation to the business’ approach to infosec. ‘Physical’ controls relate to the security of business premises, clear desk policies and the like, whilst ‘technological’ controls relate to measures that organisations may adopt to secure information through the use of technology, such as capacity management, configuration management, change management, network security, firewalls and cryptography.

What are the 3 principles of information security?

The three aspects that information security (infosec) seeks to protect are ‘confidentiality’, ‘integrity’ and ‘availability’. Confidentiality ensures that information is not made available or disclosed to unauthorised entities. Integrity protects the accuracy and completeness of assets, whilst availability ensures that information is accessible and usable on demand by authorised individuals.

What are information security examples?

Examples of information security include encryption, firewalls, antivirus software, multi-factor authentication (MFA), vetting of individuals, controlling access to premises / information and providing staff awareness training.

What are 5 information security policies?

Policies provide direction on your organisation’s approach to different aspects of information security management. Policies may relate to the classification of data, password management, acceptable use of assets, authentication procedures and incident response. These are five examples, but your organisation may choose to formulate a policy relating to any aspect of information security (infosec) management.

Speak to an Information Security Expert

Having assisted over 400 organisations to achieve ISO 27001 certification, URM are the ideal experts and partners to help you certify.

Speak to one of our experts for more information on how we can help. Simply call 0118 206 5410 or request a call back using the form below.

PCI DSS v4.0: Targeted Risk Analysis
Published on 4/6/2024

URM’s blog dissects the new PCI DSS requirements around targeted risk analysis, what they involve, and how the 2 types of TRA in the Standard differ.

PCI DSS v4.0: Forced Password Changes and Zero Trust Architecture
Published on 3/6/2024

URM’s blog drills down into the PCI DSS v4.0 requirements around forced password changes, with a particular focus on the addition of zero-trust architecture.

Common Pitfalls Identified in Organisations Seeking ISO 27001 Certification
Published on 9/5/2024

URM’s blog discusses the common pitfalls of the ISO 27001 implementation and certification process, and how you can avoid making the same mistakes.

Planning Your ISO 27001 Audit Programme
Published on 19/4/2024

URM’s blog drills down into ISO 27001 audits, offering advice on how to effectively develop and implement an ISO 27001 conformant audit programme.
“URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we are up to par with the requirements. While our working relationship with URM’s consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant’s efforts in ensuring that our PCI compliance is audited correctly are highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.”

Open Banking Platform