IT Governance UK Blog Protect – Comply – Thrive
IT Governance Blog A GRC Solutions Company
- What AWS and Cloudflare Outages Teach Us About Cloud Configuration Risks by Neil Ford on November 20, 2025 at 10:14 am
On Tuesday, 18 November, a Cloudflare outage took a significant part of the Internet offline, including major sites, enterprise platforms and public-facing services. Ironically, even Downdetector – the platform that provides real-time information about service outages – apparently went down for a time. This wasn’t an isolated incident, either: an AWS (Amazon Web Services) outage about a month ago caused similar disruption to thousands of dependent services and was followed a few days later by a smaller Microsoft Azure outage. If the largest Cloud providers can experience outages of this size, it’s no great stretch to suggest that all organisations … The post What AWS and Cloudflare Outages Teach Us About Cloud Configuration Risks appeared first on IT Governance Blog.
- Phishing Season 2025: How AI is Supercharging Cyber Crime by IT Governance on November 18, 2025 at 4:37 pm
Phishing attacks tend to peak at the end of each year as criminals exploit seasonal pressure and distracted staff to increase the intensity of their campaigns. In 2025, the threat is increasing once again – only this time, AI-generated phishing has moved from a niche tactic to an everyday tool for cyber criminals. This article explains why “phishing season” matters, the trends expected this year and the steps organisations can take to harden their defences.
Why phishing peaks at this time of year
Phishing activity always rises sharply in Q4. The pattern is consistent across recent breach surveys and confirmed …
- The Data (Use and Access) Act and How it Affects the UK GDPR and DPA 2018, and PECR by Dr Loredana Tassone on November 18, 2025 at 2:34 pm
Enacted in June, the Data (Use and Access) Bill – now the Data (Use and Access) Act 2025 or ‘DUAA’ – marked a significant moment in the evolution of UK data protection legislation. The Act builds on previous legislative efforts – most notably 2022’s shelved DPDI (Data Protection and Digital Information) Bill – and brings together key reforms under one cohesive framework. While its principal focus is to reform the UK GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, and the PECR (Privacy and Electronic Communications Regulations), the DUAA is far more than a privacy update. It …
- Global Data Breaches and Cyber Attacks in October 2025 – At Least 21.2 Million Breached Records by IT Governance on November 14, 2025 at 12:39 pm
Summary
Welcome to another monthly round-up of cyber attack and data breach news. October 2025 saw 20 publicly reported cyber attacks and data breaches around the globe. In total, at least 21.2 million records were confirmed to have been breached. As ever, these are the incidents that made the news this month – the list is, by necessity, far from exhaustive.
The month’s five largest incidents: Prosper Marketplace; Dukaan; Allianz Life Insurance Company of North America; WestJet; Motility Software Solutions.
Further sections: Trends in October 2025; Key vulnerabilities exploited; List of data breaches and cyber attacks disclosed in October 2025 (Disclosure date, Organisation …)
- GRC Solutions Named Among the UK’s Top 20 Cyber Security Innovators by IT Governance on November 14, 2025 at 10:58 am
We’re delighted to announce that GRC Solutions – the new name for IT Governance – has been recognised as one of the UK’s leading cyber security companies, ranking 19th in TechRound’s Cybersecurity40 2025 list. The annual campaign celebrates the most innovative and forward-thinking cyber security organisations across the UK and Europe, highlighting those helping businesses and public bodies stay secure in an increasingly complex threat landscape. TechRound – the UK’s independent voice for startups and the wider technology sector – evaluates entrants based on innovation, impact and contribution to the cyber security industry. The 2025 list showcases a diverse range …
- Data Leakage Prevention and Data Deletion – ISO 27001 Controls 8.12 and 8.12 Explained by IT Governance on November 13, 2025 at 4:58 pm
ISO 27001:2022 introduced several new controls designed to reflect modern security practices and the ways organisations use and manage data. Two of the most practical additions sit in the operational controls: 8.12 (data leakage prevention) and 8.10 (data deletion). Both address longstanding weaknesses in many ISMSs (information security management systems). They focus on the lifecycle of data, the risks created by its movement and the need to prevent unnecessary retention. They also bring ISO 27001 closer to regulatory expectations, particularly around access control, monitoring and data minimisation. This blog post explains what the two controls require, why they were introduced …
- Threat Intelligence – ISO 27001:2022 Control 5.7 Explained by IT Governance on November 6, 2025 at 11:43 am
Cyber attacks evolve faster than traditional security review cycles. So, to stay secure, organisations need a clearer understanding of the threats that are most relevant to their systems, data and business operations. Threat intelligence is the process of collecting and analysing information about these threats so that security decisions are informed by real-world attack patterns rather than theoretical risk models. Done well, it enables organisations to both pre-empt attacks and respond more effectively when incidents happen. This is the purpose of ISO 27001:2022 control 5.7. As one of 11 new controls introduced by the 2022 iteration of the Standard, it …
- How DORA fits with ISO 27001, NIS2 and the GDPR by IT Governance on November 3, 2025 at 7:15 pm
Although DORA (the EU Digital Operational Resilience Act) has been in effect since January 2025, organisations that supply the EU’s financial services sector are under growing pressure to demonstrate compliance with its requirements. For most, this isn’t about starting from scratch but about mapping what’s already in place, identifying where DORA goes further and then expanding on current practices. After all, DORA builds on – not replaces – established frameworks, standards and other compliance regimes such as ISO 27001, NIS2 (the Network and Information Security Directive 2) and the GDPR (General Data Protection Regulation). It formalises ICT risk governance for …
- CISM Exam Tips from a Consultant: Five Insider Insights to Help You Pass by Soji Ogunjobi on November 3, 2025 at 4:06 pm
The CISM® (Certified Information Security Manager) exam is one of the toughest in the field – according to most providers, pass rates are around 60–65% (ISACA doesn’t publish official figures). Even experienced professionals find it demanding, something our consultants know first-hand. Soji Ogunjobi is a cyber security specialist and instructor, with nearly two decades of experience as a cyber security professional and IT auditor. He also has an MSc in Information Technology, Computer and Information Systems, as well as CISM, CISSP, CISA, CCSP and various other cyber security qualifications. Below are five practical CISM exam tips drawn directly from his …
- How To Comply with ISO 27001’s New Cloud Services Control by IT Governance on November 3, 2025 at 11:48 am
The 2022 update to ISO 27001 introduced a new control for the use of Cloud services. It outlines the policies and procedures that are required when acquiring, using, managing or exiting Cloud services. Adding this control was an obvious and necessary step given just how many organisations use Cloud services as part of their core business activities. An estimated 96% of all organisations use at least one Internet-based IT resource, such as Amazon Web Services or Microsoft Azure. Whenever an organisation implements a new resource on which sensitive data is stored or upon which key business activities rely, it must …