Webinar

11:00 am
|
Wednesday
|
8
July
2026

Many PRPs remain uncertain of what STAIRs will mean in practice when this new statutory framework comes into effect.  The impact is expected to be highly significant. This session will set out the practical steps PRPs can take now to get ready for these new Requirements.  

Read more
USB stick, Padlock, Keys
Webinar

11:00 am
|
Wednesday
|
15
July
2026

This session will show you exactly what assessors look for, where organisations commonly fall short, and how to position your submission for a smooth, successful outcome.

Read more
USB stick, Padlock, Keys
Find out more events
Stuart Moran
|
Senior Consultant at URM
Warren Howard
|
Senior Consultant at URM
Published on
03
July
2026

URM’s blog explains the requirements of ISO 27001 Clause 8.1 and why it matters, as well as sharing key insights on how to properly implement it in practice.

Read more
Information Security
Published on
26/6/2026
How Organisations Fall Into PCI DSS Scope Without Realising It

URM’s blog explains how organisations can unintentionally and without realising fall into scope of the PCI DSS, despite not directly handling card data.

Information Security
Published on
17/6/2026
ISO 27001 Clause 10.2: Nonconformity and corrective action

URM’s blog explains how to meet ISO 27001 Clause 10.2, including finding nonconformities, performing root cause analysis, implementing corrective actions & more

Business Continuity
Published on
12/6/2026
The Essential Must-Dos of Business Continuity

URM’s blog breaks down the foundational ‘must-dos’ that underpin effective business continuity, highlighting key success criteria and common pitfalls for each.

Find out more blogs
Talk DP
Season
2
, Episode
42
(
92
)

Next 12 Months in Privacy

In this episode of InfoSec Insider – Talk DP, Rachael Salter and Aimee Brown, both Consultants at URM, consider emerging trends in the field of data protection and privacy, and the practical implications for organisations that need to maintain compliance.  Aimee and Rachel leverage 20 years’ combined experience in data protection to discuss:

  • What they think will define privacy risk over the next 12 months
  • Why artificial intelligence (AI) will continue to expose weak data protection practices
  • The privacy issues that are most likely to grow fastest in practice
  • Where regulators are most likely to focus next
  • The steps organisations should take now to prepare for the next wave of scrutiny and enforcement.

You can register for the STAIRs webinar or watch the recording here.

Listen to the episode
Find out more podcasts
|

By completing the quiz, you will gain a clearer understanding of how organisations prepare for, respond to, and recover from disruption, and why business continuity is a shared responsibility rather than a purely technical or specialist function.

Take the quiz
Find out more quizzes

ISO 27001 FAQs

How long does it take to implement ISO 27001?

There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available.  However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001.  

With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.

Apart from the existing maturity of operational practices and controls and availability of in-house resource, another key determinant in how long an ISO 27001 implementation will take place will be the support and involvement of senior management.  URM has seen organisations achieve very aggressive timescales in implementing and achieving ISO 27001 certification where Senior Management has prioritised the project, often associated with being awarded a significant client project.

Is there a legal requirement to comply with or be certified to ISO 27001?

There is, generally, no direct legal requirement for compliance as such, indicating why many people choose to use the word conformance rather than compliance.  Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so. However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.  

There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by virtue of a contract.

What does ISO 27001 require you to do?

A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS.  You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement.  

These requirements are broken down into 7 major clauses, which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement.  These clauses are consistent with other ISO Management system standards such as ISO 9001 and ISO 22301, and is known as the harmonised structure.

When was ISO 27001 last updated?

The current version of the Standard, ISO/IEC 27001:2022 replaced the 2013 version of the Standard on 25 October 2022.  As of 1 May 2024, all initial and recertification assessments must be conducted against ISO 27001:2022 and, on 31 October 2025, all ISO 27001:2013 certificates will be withdrawn.  Whilst the management system clauses received a relatively minor makeover in order to harmonize ISO 27001 with other standards, the information security controls contained within Annex A were completely restructured with some controls being merged with others as well as 11 new ones being introduced.

Read more
Find out more FAQs
Release date:
17
April
2026

In this document, we outline the key changes to Cyber Essentials and Cyber Essentials Plus scheme and what they mean for you as applicants.

Read more
Find out more white papers
Course type: 
Online
PCIRM
DATE:
14
September 2026
-
21
September 2026
Location:

All you need to know about the information risk management, conducting risk assessments and developing risk treatment plans.

Register
USB stick, Padlock, Keys
Scheduled courses
URM is one of the UK's most trusted training providers in the areas of risk management and business continuity. Check our training program.
Find out more
"
Everything on the assessment day ran really smoothly which made achieving Cyber Essentials Plus a painless process. URM’s Pen tester was polite with all members of staff he engaged with so everyone was happy to take the time out of their day.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.