STAIRs Webinar: Are you Ready?
Many PRPs remain uncertain of what STAIRs will mean in practice when this new statutory framework comes into effect. The impact is expected to be highly significant. This session will set out the practical steps PRPs can take now to get ready for these new Requirements.
Cyber Essentials 2026: Lessons Learned From Real Assessments
This session will show you exactly what assessors look for, where organisations commonly fall short, and how to position your submission for a smooth, successful outcome.

ISO 27001 Clause 8.1: Effective ISMS operational planning and control
URM’s blog explains the requirements of ISO 27001 Clause 8.1 and why it matters, as well as sharing key insights on how to properly implement it in practice.
URM’s blog explains how organisations can unintentionally and without realising fall into scope of the PCI DSS, despite not directly handling card data.
URM’s blog explains how to meet ISO 27001 Clause 10.2, including finding nonconformities, performing root cause analysis, implementing corrective actions & more
URM’s blog breaks down the foundational ‘must-dos’ that underpin effective business continuity, highlighting key success criteria and common pitfalls for each.
Next 12 Months in Privacy
In this episode of InfoSec Insider – Talk DP, Rachael Salter and Aimee Brown, both Consultants at URM, consider emerging trends in the field of data protection and privacy, and the practical implications for organisations that need to maintain compliance. Aimee and Rachel leverage 20 years’ combined experience in data protection to discuss:
- What they think will define privacy risk over the next 12 months
- Why artificial intelligence (AI) will continue to expose weak data protection practices
- The privacy issues that are most likely to grow fastest in practice
- Where regulators are most likely to focus next
- The steps organisations should take now to prepare for the next wave of scrutiny and enforcement.
You can register for the STAIRs webinar or watch the recording here.

Cyber Essentials Changes in 2026 – Adjusting CE VSA Responses
We explain IASME’s clarification on adjusting CE VSA responses once CE+ testing has started.
Watch the video
Business Continuity Awareness Quiz
By completing the quiz, you will gain a clearer understanding of how organisations prepare for, respond to, and recover from disruption, and why business continuity is a shared responsibility rather than a purely technical or specialist function.

ISO 27001 FAQs
How long does it take to implement ISO 27001?
There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available. However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001.
With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.
Apart from the existing maturity of operational practices and controls and availability of in-house resource, another key determinant in how long an ISO 27001 implementation will take place will be the support and involvement of senior management. URM has seen organisations achieve very aggressive timescales in implementing and achieving ISO 27001 certification where Senior Management has prioritised the project, often associated with being awarded a significant client project.
Is there a legal requirement to comply with or be certified to ISO 27001?
There is, generally, no direct legal requirement for compliance as such, indicating why many people choose to use the word conformance rather than compliance. Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so. However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.
There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by virtue of a contract.
What does ISO 27001 require you to do?
A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS. You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement.
These requirements are broken down into 7 major clauses, which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. These clauses are consistent with other ISO Management system standards such as ISO 9001 and ISO 22301, and is known as the harmonised structure.
When was ISO 27001 last updated?
The current version of the Standard, ISO/IEC 27001:2022 replaced the 2013 version of the Standard on 25 October 2022. As of 1 May 2024, all initial and recertification assessments must be conducted against ISO 27001:2022 and, on 31 October 2025, all ISO 27001:2013 certificates will be withdrawn. Whilst the management system clauses received a relatively minor makeover in order to harmonize ISO 27001 with other standards, the information security controls contained within Annex A were completely restructured with some controls being merged with others as well as 11 new ones being introduced.
ISO 27001, ISO 22301, ISO 20000 and PCI DSS consultancy and product-related case studies

Cyber Essentials and Cyber Essentials Plus Changes 2026 Summary
In this document, we outline the key changes to Cyber Essentials and Cyber Essentials Plus scheme and what they mean for you as applicants.
URM is pleased to provide a FREE consultation on Transitioning to ISO 27001:2022 for any UK-based organisation.
You do not need a fully defined programme to start the conversation. We offer a free, no‑obligation call to help you understand SOC 2 requirements, assess your current position, and identify practical next steps.
A short, free, non‑commitment call can help you confirm scope, understand technical and compliance expectations, and take a proportionate approach to testing, implementation, and assessment.



