Governance, Risk Management and Compliance

ISO/IEC 27001:2022 Key Changes
Latest update: 23 Nov 2022

Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog will provide you with our high-level analysis of the key changes.

What are the Primary Objectives of the Controls Detailed in Annex A of ISO 27001:2013?
Latest update: 23 Nov 2022

Annex A of ISO 27001 comprises 114 controls which are grouped into 14 control categories. This blog walks through each of the 14 categories and provides you with a clear explanation of the primary objective...

What are the ‘Real World’ Benefits of Implementing ISO 27001?
Latest update: 25 Oct 2022

In this blog, we want to dig a bit deeper into the benefits that are gained from implementing the Standard and from achieving certification...

Data Protection
Updated: 6/10/2022
Avoiding Email Data Security Breaches

For all of us, email can be both a blessing and a curse. On one hand you have the speed and convenience of communication, and on the other hand you have a significant information security risk...

Information Security
Updated: 4/10/2022
Should You Start Your ISO 27001 Programme with a Gap Analysis or a Risk Assessment?

The answer depends on your goals and knowledge of your current position. This blog will look at which is best and when.

Information Security
Updated: 4/10/2022
ISO 27002:2022 Update

The purpose of ISO 27002 is to provide organisations with guidance on selecting, implementing and managing information security controls, taking into account the organisation’s information security...

Data Protection
Updated: 30/9/2022
What is the GDPR?

The General Data Protection Regulation (EU) 2016/679 (GDPR) is an EU regulation which came into effect on 25 May 2018 and set a new benchmark for the processing of personal data. It applies to any...

Information Security
Updated: 23/9/2022
Risk Management – What is it and What Role Does it Play in ISO 27001?

We are going to explore why the focus on a risk-based approach has helped turn ISO 27001, the International Information Security Management Standard, into such a world-beater.

Data Protection
Updated: 2/9/2022
Who Needs a ROPA and Why?

Under the UK General Data Protection Regulation (UK GDPR), the majority of organisations processing personal data are required to create and maintain a formal record of processing activities (ROPA)...

Information Security
Updated: 2/9/2022
PCI DSS v4 – Changes at a Glance

After several years wait, and to surprisingly little fanfare, the Payment Card Industry Security Standards Council (PCI SSC) released the new version of the PCI Data Security Standard (DSS) ...

Data Protection
Updated: 2/9/2022
UK International Data Transfer Agreement

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers. The international data transfer agreement...

Information Security
Updated: 24/8/2022
PCI SSC Remote Assessment Guidelines and Procedures

The PCI SSC has recently released new remote assessment guidelines and procedures. Here we address a number of key questions: What are the main contents? What led to it being published? And others.

Information Security
Updated: 11/8/2022
What are the Basics of Internal Auditing?

With this blog, the spotlight turns to internal audit and specifically in the context of ISO 27001, the International Standard for Information Security Management.

Information Security
Updated: 11/8/2022
What’s the Difference Between a Certified and a Compliant ISO 27001 Information Security Management System?

There is some confusion about the difference between having an information security management system (ISMS) which is certified to ISO 27001 and one which is compliant or aligned to the Standard.

Information Security
Updated: 11/8/2022
How Secure is Zoom?

Many organisations have had to adapt very quickly to the rapidly changing restrictions brought in across the globe to help combat the spread of COVID-19 and, in a lot of cases, this has meant that...

Information Security
Updated: 11/8/2022
How to Improve Your Password Management

One of the long-held beliefs underpinning many a password policy is that forcing a regular password change is a good thing.

Information Security
Updated: 11/8/2022
How do You Avoid Information Security Breaches?

With the news often including stories regarding high-profile information security breaches, many of us find ourselves asking how we can avoid hitting the headlines for all the wrong reasons.

Information Security
Updated: 9/8/2022
How Do You Go About Your ISO 27001 Information Classification?

And how it can help avoid another Snowden Breach! This blog talks about information classification. So, what exactly do we mean by information classification?

Information Security
Updated: 9/8/2022
What is the Difference Between IT and Information Governance?

In this blog, we are going to look at governance. We are regularly asked, ‘what do you mean by governance?’ or, ‘is information governance the same as IT governance?’

Information Security
Updated: 9/8/2022
How Should You Onboard New IT Systems and Software?

This blog takes a look at onboarding information systems. When onboarding is mentioned in terms of information security, typically, most will conclude it’s referring to people...

Information Security
Updated: 9/8/2022
5 Ways to Reduce Your PCI DSS Scope

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability of the Standard. Even veterans of PCI DSS compliance...

Information Security
Updated: 9/8/2022
PCI DSS: Pros and Cons of Outsourcing

In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and...

Information Security
Updated: 9/8/2022
Benefits of PCI DSS Compliance

In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard. However, this week we will look at what the benefits are of achieving and maintaining compliance…

Information Security
Updated: 8/8/2022
How do you Identify and Then Manage Your ISMS Scope?

When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the scope of...

Information Security
Updated: 8/8/2022
How Do You Gain Top Management Commitment?

In previous blogs, we have tackled a number of fundamental ISO 27001 components. In this blog, we’ll take a look at management commitment, one of the most significant.

Information Security
Updated: 8/8/2022
How do I Approach Asset Identification Within My Information Security Risk Assessment?

This is a question which comes up time and time again. Typically, this question is twofold: which assets to include, and the depth or granularity. In this blog, we will look at granularity.

Information Security
Updated: 8/8/2022
What Are the Critical Steps When Implementing an Effective Information Security Management System?

Having assisted over 300 organisations achieve ISO 27001 certification, we are often asked about what we consider to be the critical steps when implementing an effective information security system.

Information Security
Updated: 8/8/2022
Three Tips to Help you Simplify your Risk Management Process

A key role of risk management is helping organisations decide how limited resources can be most effectively used to address the most pressing business issues, e.g., threats to information security.

Information Security
Updated: 8/8/2022
PCI Policies, Procedures and Evidence – What is expected?

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence) is what makes for a happy and satisfied PCI Qualified Security Assessor (QSA)...

Information Security
Updated: 8/8/2022
Top 5 common pitfalls of PCI DSS compliance

As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, we are often asked by organisations which process card payments what the main pitfalls are to avoid in complying with...

Information Security
Updated: 8/8/2022
Preparing for a Report on Compliance (ROC)

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial, and particularly for those who are experiencing their first visit from a QSA. Like most trials...

Information Security
Updated: 5/8/2022
What Are the Service Provider Levels?

In this blog, we turn our attention to service providers. The PCI Security Standards Council defines a service provider as a ‘business entity that is not a payment brand, directly involved in the...

Information Security
Updated: 5/8/2022
What Are the Merchant Levels?

We are often asked, both by those new to PCI DSS and those who have been involved for a while, what is the difference between a merchant and a service provider, what are the ‘levels’ and what do...

Information Security
Updated: 5/8/2022
PCI DSS compliance as BAU (business as usual)

For an organisation to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), the Payment Card Industry Security Standards Council (PCI SSC) encourages...

Information Security
Updated: 5/8/2022
Can I Store Cardholder Data?

In this article, we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around the protection of cardholder data (CHD) and, in particular, sensitive...

Information Security
Updated: 5/8/2022
How can URM help you to achieve PCI compliance and what is our approach?

In our previous blog, we looked at where your PCI compliance journey starts. The first step is understanding the flow of your payment card data – by that we mean where payment card information...

Information Security
Updated: 5/8/2022
PCI DSS – The Payment Card Data Security Standard – What is it?

Often referred to as the PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard Worldwide, Visa...

Information Security
Updated: 5/8/2022
PCI DSS Reduction and Assessment

The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to...

Information Security
Updated: 4/8/2022
PCI DSS Remediation and Implementation

PCI remediation is an essential activity for any organisation wishing to fully comply with the applicable 12 technical and operational control requirements of the PCI DSS. Whilst many PCI remediation

Information Security
Updated: 4/8/2022
PCI DSS Gap Analysis

URM’s PCI DSS gap analysis service is aimed at those organisations which are looking to benchmark their current corporate information security practices (relating to payment card data) against...

Data Protection
Updated: 25/7/2022
How to Respond to a Data Subject Access Request (DSAR)

Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR).

Data Protection
Updated: 25/7/2022
What is the UK International Data Transfer Agreement and What Are the Implications?

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers. The international data transfer agreement...

Data Protection
Updated: 25/7/2022
Data Subject Access Requests (DSARs) Services

One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation...

Data Protection
Updated: 25/7/2022
Data Transfer Risk Assessment

In this blog, we are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions. What is a TRA? Who does it...

Data Protection
Updated: 25/7/2022
The CJEU Declares the EU-US Privacy Shield Invalid and SCCs Valid

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgement on the adequacy of both the Privacy Shield and standard contract clauses (SCCs). The EU-US Privacy Shield was...

Data Protection
Updated: 25/7/2022
What is the Purpose of ISO 27701 and What Benefits Does it Bring?

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent. Fortunately, guidance exists in the form of ISO/IEC 27701:2019...

Data Protection
Updated: 25/7/2022
ISO 27701:2019 and the GDPR

The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both require organisations to protect and ensure the privacy of any personal data which they process...

Data Protection
Updated: 25/7/2022
In-house Resource vs Virtual DPO

This blog takes a look at data protection officers (DPOs) and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

Data Protection
Updated: 25/7/2022
Supply Chain Compliance with the GDPR

This blog focuses on an aspect of the GDPR which can be particularly challenging for a number of organisations, namely, how do you ensure your supply chain complies with the Regulation when processing

Data Protection
Updated: 25/7/2022
Data Subject Access Requests (DSARs) – The Need for Education and Centralised Processes

In this blog, we will discuss the importance of ensuring that your whole organisation can identify a DSAR, the benefits of controlling the entry points of DSARs and creating a centralised DSAR process

Data Protection
Updated: 22/7/2022
Verifying the Identity of Someone Requesting Information Under the GDPR

This blog looks at the requirement within both the DPA 2018 and the GDPR to verify the identity of an individual making a request before acting or releasing information. Our clients are regularly...

Data Protection
Updated: 22/7/2022
Data Protection and Management System Standards – Which is Best for Me?

A question we are increasingly asked is ‘Is there a catch-all international standard that effectively proves external verification of data protection compliance?’ It would be great if the answer to...

Data Protection
Updated: 22/7/2022
Transferring Personal Data Outside of the EEA

This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA. One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard...

Data Protection
Updated: 22/7/2022
What is the Difference Between Personal Data and Sensitive Personal Data?

There is some confusion about the difference between personal data and sensitive personal data and even whether sensitive personal data exists as a term! So, let’s see if we can clarify the situation.

Data Protection
Updated: 22/7/2022
Tips on Demonstrating UK GDPR Compliance

The easy way (if it was available!) would be to certify to an approved UK GDPR certification scheme. The Data Protection Act 2018 gave the UK’s privacy regulator, the Information Commissioner’s...

Data Protection
Updated: 22/7/2022
Are you adequately covering GDPR within your ISMS?

We have seen an increased focus on the General Data Protection Regulation (GDPR) by certification body (CB) assessors when conducting ISO 27001 audits. In the past, assessments typically focused on...

Information Security
Updated: 22/7/2022
What are the Most Common Insider Threats to Information Security?

Broadly speaking, information security is held up by three pillars – People, Process and Technology. As threats to our information security (and particularly cyber-related threats) continue to emerge

Data Protection
Updated: 21/7/2022
BS 10012:2017 – What are the Benefits and How Do I Achieve Certification

BS 10012 is a British management system standard which has been developed to enable organisations to implement a personal information management system (PIMS). It provides a framework for maintaining

Data Protection
Updated: 21/7/2022
Gaining Senior Management Buy-In to GDPR Compliance

“It is non-negotiable… the potential fines are enormous… individuals can be held personally liable”. So, with all of these compelling reasons, why can it still be challenging to gain traction on

Data Protection
Updated: 21/7/2022
THE GDPR – 5 Myths Dispelled

The adoption of the General Data Protection Regulation (GDPR) by the European Council and Parliament in April 2016 had wide-ranging impacts. These affect all organisations processing personal data...

Information Security
Updated: 21/7/2022
Everything You Need to Know About ISO 27001 Certification

ISO 27001 is the International Standard for Information Security Management. As with all ISO standards, it has been developed by a panel of experts from across the globe and provides a specification

Information Security
Updated: 21/7/2022
How Do You Implement a Successful ISMS?

The first and primary myth to dispel is that executing your decision to use an information security management system (ISMS) to manage the security of your information assets is a project. It is not.

Information Security
Updated: 20/7/2022
10 Top Tips for Keeping Information Secure When Homeworking

Following on from COVID, working from home is now a standard working practice, but how do we go about it in a secure way? In this blog, we aim to provide 10 top tips to enable you to keep important

Information Security
Updated: 20/7/2022
5 Common Fallacies Associated with ISO 27001 Certification

There are many good reasons to implement an information security management system (ISMS) and get it certified to ISO 27001. The most common is that customers or clients, or in some cases stakeholders

Information Security
Updated: 20/7/2022
Information Security Management Systems, ISO 27001 and the Benefits of Implementation

In this blog, we’re going back to basics and looking at some of the fundamentals of information security and ISO 27001, starting with the core ingredient, the information security management system...

Information Security
Updated: 20/7/2022
How do You Develop and Implement an Incident Management Plan?

Due to the increased use of information technologies and the ‘human’ involvement (malicious, accidental and incompetent!), it is inevitable we are all going to face more and more information...

Information Security
Updated: 19/7/2022
How Do You Meet the Asset Management Requirements of ISO 27001?

In order to meet the requirements of ‘Asset management’ A.8 from Annex A of ISO 27001, it is necessary to identify organisational assets and define appropriate protection ...

Information Security
Updated: 19/7/2022
How do you Categorise Your Assets When Conducting an Information Security Risk Assessment?

‘How do we approach asset identification within our information security risk assessment?’. This blog examines which assets or asset types to include and should be read...

Information Security
Updated: 18/7/2022
Key Things You Should Know About ISO 27001

ISO 27001 is the International Standard for Information Security Management that provides any organisation, irrespective of size or sector, with a framework and an approach to protecting...

Data Protection
Updated: 15/7/2022
When and How to Conduct a Data Protection Impact Assessment (DPIA)

A DPIA delivers a pre-emptive approach to assessing these risks, and by applying corrective actions can help prevent a data breach occurring. We present an outline of steps in conducting a DPIA

Information Security
Updated: 23/6/2022
Asset identification within RA

A question which comes up time and time again is ‘How do I approach asset identification within my information security risk assessment?’ Typically, this question is twofold: which assets to include

Information Security
Updated: 23/6/2022
Benefits of Implementing ISO 27001

What are the Benefits of Implementing ISO 27001? We dig a bit deeper on the benefits that are gained from implementing the standard and from achieving certification.

Information Security
Updated: 23/6/2022
What is ISO 27001?

ISO 27001 is the International Standard for Information Security Management. Effectively, it provides any organisation, irrespective of size or sector, with a framework and an approach to protecting...

Data Protection
Updated: 23/6/2022
How to Create a Record of Processing Activities (ROPA)

Creating a ROPA will involve understanding and capturing processing activities throughout an organisation. In this blog, we will outline a step-by-step procedure on how you can create a ROPA.
