Blogs

After the recent changes to PCI DSS v4.0 we're examining factors behind the greater utilisation of MFA, and what the key changes are in requirements.

When looking to comply with the General Data Protection Regulation (GDPR), it is always a worthwhile exercise....

On 23 January 2023, NCSC published an updated set of requirements, v.3.1 for the Cyber Essentials scheme....

Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog will provide you with our high-level analysis of the key changes.

For all of us, email can be both a blessing and a curse. On one hand you have the speed and convenience of communication....

We are hearing a lot about phishing and phishing attacks currently so, in this blog, we will take a step back....

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability....

In this blog, we address one of the big questions facing organisations which accept payment cards....

In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard....

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence)....

As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, we are often asked by organisations which process card payments....

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial....

In this blog, we turn our attention to service providers. The PCI Security Standards Council defines a service provider....

We are often asked, both by those new to PCI DSS and those who have been involved for a while....

For an organisation to achieve and maintain compliance to the Payment Card Industry Data Security Standard (PCI DSS)....

In this article, we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around....

In our previous blog, we looked at where your PCI compliance journey starts. The first step is understanding the flow of your payment card data....

Often referred to as the PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands....

The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components....

PCI remediation is an essential activity for any organisation wishing to fully comply.....

URM’s PCI DSS gap analysis service is aimed at those organisations which are looking to benchmark....

Many organisations have had to adapt very quickly to the rapidly changing restrictions brought in across the globe to help combat the spread of COVID-19.

We are going to explore why the focus on a risk-based approach has helped turn ISO 27001, the International ISM Standard, into such a world-beater.

One of the long-held beliefs underpinning many a password policy is that forcing a regular password change is a good thing.

There is some confusion about the difference between having an ISMS which is certified to ISO 27001 and one which is compliant or aligned to the Standard.

With this blog, the spotlight turns to internal audit and specifically in the context of ISO 27001, the International Standard for ISM.

With the news often including stories regarding high-profile information security breaches, many of us find ourselves asking how we can avoid it.

This blog takes a look at onboarding information systems. When onboarding is mentioned will conclude it’s referring to people but there is a lot more to think

This blog talks about information classification. So, what exactly do we mean by information classification?

In this blog, we are going to look at governance. We are regularly asked, ‘is information governance the same as IT governance?’

When managing the security of your organisation’s information assets, you will need to consider the scope of what you are doing.

The answer depends on your goals and knowledge of your current position. This blog will look at which is best and when.

Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR).

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers.

One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information.

We are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions.

The GDPR (EU) 2016/679 is an EU regulation which came into effect on 25 May 2018 and set a new benchmark for the processing of personal data.

On 16 July 2020, the CJEU issued its judgement on the adequacy of both the Privacy Shield and standard contract clauses (SCCs).

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent.

The EU GDPR and the UK DPA both require organisations to protect and ensure the privacy of any personal data which they process.

This blog takes a look at DPOs and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

We discuss the importance of ensuring that your whole organisation can identify a DSAR and the benefits of controlling the entry points of DSARs.

We look at the requirement within both the DPA and the GDPR to verify the identity of an individual making a request before acting or releasing information

Is there a catch-all international standard that effectively proves external verification of data protection compliance?

This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA.

This blog focuses on an aspect of the GDPR which can be particularly challenging for a number of organisations.

There is some confusion about the difference between personal data and sensitive personal data and even whether sensitive personal data exists as a term!

We provide some questions which should help you in determining your level of compliance with the GDPR

We have seen an increased focus on the General Data Protection Regulation (GDPR) by certification body (CB) assessors when conducting ISO 27001 audits.

Broadly speaking, information security is held up by three pillars – People, Process and Technology. It is widely accepted that humans are the weakest link