IT Governance UK Blog Protect – Comply – Thrive
IT Governance Blog A GRC Solutions Company
- Author of the Month: Andrew Pattison, by Nicola Day on April 1, 2025 at 9:43 am
This month, we are celebrating author Andrew Pattison! His book, NIST CSF 2.0 – Your essential introduction to managing cybersecurity risks, was published in February 2025 and covers the latest updates to the NIST framework. The NIST CSF (Cybersecurity Framework) 2.0 is designed to help organisations manage cyber security risk: to identify their assets and risks, protect against cyber attacks, and detect, respond to and recover from the attacks that do get through. This book will help you understand how to: … About the author: Andrew Pattison is the global head of GRC and PCI consultancy at GRC International Group, a GRC Solutions company. He has been working in information security, risk management and business continuity since the mid-1990s, helping …
- The Cyber Essentials Scheme’s 2025 Update and What it Means for Your Organisation, by Neil Ford on March 20, 2025 at 11:39 am
The Cyber Essentials scheme is updated each year to ensure its best-practice approach to basic cyber security remains relevant. So, what’s new for 2025? As of 28 April 2025, new Cyber Essentials and Cyber Essentials Plus certifications are assessed against v3.2 of the NCSC Requirements for IT Infrastructure and must use the new ‘Willow’ question set, which replaces the ‘Montpellier’ version. The changes introduced by the 2025 update are minor, but organisations still need to be aware of what’s expected of them. Here’s a high-level summary. Cyber Essentials Requirements: …
- What It Takes to Be Your Organisation’s DPO or Data Privacy Lead, by Andrew Snow on January 20, 2025 at 3:52 pm
‘GDPR’ has become a familiar term. We recognise the visible, consumer-facing aspects of the General Data Protection Regulation in our everyday lives – for example, when consumers exercise their right to withdraw consent to their data being processed via ‘opt out’ or ‘unsubscribe’ buttons. What’s less evident is whether organisations are keeping their practices fully up to date and in line with the GDPR and other applicable data protection laws. For instance: … So, how sure are you that your organisation is fully compliant with the relevant data protection legislation? ‘Once compliant’ does not mean ‘still compliant’ …
- Free Expert Insights: Index of Interviews, by Kyna Kosling on January 15, 2025 at 11:11 am
We regularly sit down with experts from within GRC International Group to get their insights on a technical topic or business area. Here are all our Q&As to date, grouped by broad topic: … To get new expert insights straight to your inbox, sign up to our weekly newsletter, the Security Spotlight. Last updated: 15 January 2025. Interviews added: Andrew Pattison on DORA, how it compares to NIS 2, and how it’ll be regulated (DORA); Damian Garcia on transitioning to ISO 27001:2022 (ISO 27001); Louise Brooks on cookie audits (PECR); and Leon Teale on ethical hacking as a career (security testing).
- How Can Organisations Transition to ISO 27001:2022?, by Kyna Kosling on January 14, 2025 at 5:11 pm
Addressing the new Annex A control set. Organisations with ISO/IEC 27001:2013 certification must transition to ISO/IEC 27001:2022 by 31 October 2025. The biggest change for organisations is Annex A, which has been overhauled and includes 11 new controls. How can organisations best approach this new control set? What changes to the main clauses of the Standard tend to get overlooked? And what are common mistakes to avoid when transitioning? Our head of GRC (governance, risk and compliance) consultancy, Damian Garcia, explains. Are the new controls in ISO 27001:2022 applicable? Where do organisations start when transitioning from ISO …
- The Benefits of Becoming an Ethical Hacker, by Kyna Kosling on January 13, 2025 at 3:58 pm
Q&A with senior penetration tester Leon Teale. Have you ever thought about getting paid to break into organisations’ networks? That’s precisely what ethical hackers (also known as ‘penetration testers’ or ‘pen testers’) do. But what exactly does this career involve? Why would you pursue it? And what knowledge and skills do you need to kick-start your career? We put these questions to our senior penetration tester Leon Teale, who’s been a qualified ethical hacker since 2012. Why pursue ethical hacking as a career: What made you choose penetration testing as a career, and what do you enjoy …
- Step-by-Step Guide to Achieving GDPR Compliance, by Kyna Kosling on January 8, 2025 at 3:04 pm
The data breaches that continue to make the headlines show the importance of data protection and laws like the GDPR (General Data Protection Regulation). If you’re only beginning to look at compliance, the Regulation may seem overwhelming. The good news is that many of the GDPR requirements reflect efficient business activities or practices – things that’ll help you as an organisation irrespective of compliance. This blog explains further, as we take you through eight steps towards becoming compliant with the GDPR and similar data protection laws. 1. Secure management buy-in: Board or senior management support is a …
- How You Can Continually Improve Your ISO 27001 ISMS (Clause 10), by IT Governance on January 6, 2025 at 4:52 pm
Your ISO 27001 journey doesn’t end once you’ve implemented your ISMS (information security management system) and controls. You must check your measures are doing what they’re supposed to do by: … This reflects what you’re trying to address: information security risks. Your information security risks evolve over time. All recent ISO management system standards, including ISO 27001:2022, require you to continually improve your management system. Risks evolve over time – particularly in a cyber security context. Cyber criminals are, unfortunately, innovative. They’re constantly coming up with new tools and exploits, meaning that organisations need to be proactive about …
- How ISO 27001 Helps You Comply With DORA, by IT Governance on January 2, 2025 at 11:04 am
From 17 January 2025, DORA (Digital Operational Resilience Act) will, as an EU regulation, apply directly throughout the EU. Though the Regulation is primarily concerned with the operational resilience of critical and important functions of EU financial entities, UK organisations may also be in scope – particularly if they supply ICT services to EU financial institutions. As we conduct DORA gap analyses, we’ve noticed how the organisations with an ISO 27001 ISMS (information security management system) tend to have a higher degree of DORA compliance. How ISO 27001 helps with DORA compliance: ISO 27001 provides the ‘building …
- Why You Need Cyber Resilience and Defence in Depth, by Kyna Kosling on December 16, 2024 at 4:19 pm
And how to become resilient with ISO 27001 and ISO 22301. Unfortunately, even the most secure organisation can suffer an incident. The odds are simply stacked against you: while you need to protect all your assets from all types of threat, an attacker needs only one exploitable weakness to get into your systems. Plus, any single security measure you implement is only designed to stop, at most, a handful of threats – and that’s assuming it was correctly implemented and is still doing its job. Regardless of implementation, single measures aren’t enough, because no measure is foolproof. The consequences of …