IT Governance UK Blog Protect – Comply – Thrive

  • Nine Steps to SOC 2 Compliance – Including a SOC 2 Readiness Checklist
    by IT Governance on August 14, 2025 at 5:39 pm

    SOC (System and Organization Controls) audits provide an independent assessment of the risks associated with using service organisations and other third parties. SOC 2 audits assess service organisations’ security, availability, processing integrity, confidentiality and privacy controls against the AICPA (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). A SOC 2 report is generally aimed at existing or prospective clients, and is used to assess how well an organisation safeguards customer data and how effectively its internal controls operate. This blog outlines nine steps that will help you understand what SOC 2 requires, prepare your controls and documentation, and approach your …

  • Global Data Breaches and Cyber Attacks in July 2025
    by IT Governance on August 12, 2025 at 4:12 pm

    Summary
    Total number of incidents disclosed: 29
    Total number of known breached records: 14.9 million

    Welcome to another monthly round-up of cyber attack and data breach news. At least 29 publicly disclosed incidents were reported worldwide in July 2025, spanning sectors from retail and travel to telecoms, healthcare, government and cryptocurrency. Based on confirmed figures, a minimum of 14.9 million records were breached this month. This is a lower-bound figure, as several major incidents did not provide confirmed counts but likely involved significant volumes of personal data.

    Top 5 incidents by number of records affected
    1. Co-op (update)
    2. Qantas …

  • Data Protection Enforcement: Your Cookie Compliance Questions Answered
    by Neil Ford on August 8, 2025 at 9:20 am

    ICO cookie compliance crackdown
    Earlier this year, the ICO (Information Commissioner’s Office) announced its intention to tackle cookie compliance across the UK’s top 1,000 websites. We were subsequently contacted by a company that operates one of those websites and which the ICO had contacted about its cookie compliance. The ICO gave the company two weeks’ notice to rectify its cookie compliance before reviewing the site and, if necessary, taking action. So, we performed a cookie compliance assessment on the website to help the company ensure its compliance ahead of the ICO’s review. Our recent webinar Cookie Law in 2025: What …

  • A Guide to TOMs (technical and organisational measures) under the GDPR
    by Neil Ford on August 6, 2025 at 3:22 pm

    The GDPR (General Data Protection Regulation) references “appropriate technical and organisational measures” nearly 100 times – yet it stops short of providing a precise definition of the term. This article examines what TOMs are, how they align with the GDPR’s overall objectives, what kinds of controls they typically involve, and how to ensure they’re “appropriate”.

    What are technical and organisational measures?
    The GDPR requires data controllers and processors to implement security controls to safeguard personal data against unauthorised access, alteration or destruction. These safeguards are known collectively as technical and organisational measures, or TOMs. TOMs are controls that reduce the …

  • What are the Different Types of Penetration Test?
    by IT Governance on August 5, 2025 at 1:03 pm

    And how do you choose the right one for your needs? Penetration testing (also known as ‘pen testing’ or ‘ethical hacking’) offers a vital tool for identifying gaps and opportunities to strengthen your security programme. We asked our head of security testing, James Pickard, to explain the different types of test.

    In this interview
    Is your security programme effective?
    Hi James. What are key challenges when implementing a security programme?
    Resources and costs are often top of the list. Many organisations have a tight budget for security, and lack in-house specialist skills – which doesn’t combine well with the fact …

  • The Six Data Processing Principles of the UK GDPR Explained
    by Neil Ford on August 1, 2025 at 8:00 am

    Article 5 of the UK GDPR (General Data Protection Regulation) sets out six key data processing principles – sometimes informally referred to as data protection principles. These underpin all personal data processing and serve as a practical framework for ensuring compliance. This blog post outlines each of the six principles, explains how they apply in practice and offers guidance on how to demonstrate compliance.

    What are the GDPR data processing principles?
    Lawfulness, fairness and transparency
    Organisations must process personal data in a way that is: These obligations require you to think about how you collect data, what individuals are told …

  • The 4 CRISC Domains Explained
    by Neil Ford on July 28, 2025 at 4:09 pm

    The CRISC® (Certified in Risk and Information Systems Control®) certification from ISACA® is a globally recognised credential for IT and business professionals. Launched in 2010, it has become the benchmark for validating expertise in enterprise risk governance and control management. CRISC is aimed at those operating in or aspiring to work in IT risk management roles, such as risk analysts, control professionals, IT managers and compliance officers. It bridges technical knowledge and strategic risk governance capability. Over 30,000 professionals hold CRISC certifications today.

    What are the 4 CRISC domains?
    The CRISC exam tests candidates across four domains, structured to reflect …

  • What Are ISO 27017 and ISO 27018, and What Are Their Controls?
    by IT Governance on July 23, 2025 at 3:36 pm

    Extending your ISMS to address Cloud security risks
    ISO 27001 sets out the specification for an ISMS (information security management system). But did you know you can extend your ISO 27001 ISMS to cover specific aspects of Cloud security? Let’s take a closer look at both ISO 27017 and ISO 27018.

    Note: The current versions of ISO 27017 and ISO 27018, ISO/IEC 27017:2015 and ISO/IEC 27018:2019, are aligned to the previous (2013) edition of ISO 27002. The ISO 27001:2022 standard completely reorganises the control set, adding 11 new controls, including 5.23: Information security for use of Cloud services. No old …

  • The 9 CISMP Domains Explained
    by Neil Ford on July 21, 2025 at 3:27 pm

    The CISMP (Certificate in Information Security Management Principles) is one of the UK’s most widely recognised entry-level qualifications for information security professionals. Accredited by BCS, The Chartered Institute for IT, it provides a comprehensive foundation in cyber security and information security management. CISMP is designed for individuals working in, or aspiring to work in, security-related roles – particularly those seeking to progress into management or governance positions. It is also suitable for business professionals who need a broader understanding of information security as part of their wider operational responsibilities. It is frequently cited as the first step towards more advanced …

  • How One Weak Password Destroyed a 158-Year-Old Company
    by Neil Ford on July 21, 2025 at 11:14 am

    This evening’s episode of Panorama on BBC One, Fighting Cyber Criminals, examines the 2023 ransomware attack on KNP Logistics, as well as the recent attacks on Marks & Spencer, the Co-op and Harrods. KNP, a Northamptonshire haulage group that included the 158-year-old transport company Knights of Old, lost access to all its data after the Russian Akira group accessed an employee account by exploiting a weak password. Despite reportedly complying with industry standards and holding insurance against cyber attacks, the company couldn’t recover its data and entered administration. The BBC reported at the time that 730 employees would be made …
