Understanding ISO 27001’s 93 Security Controls: Your Essential Guide

By | 2025-08-30T13:39:31+01:00 | September 1st, 2025 | ISO 27001 Controls |

If you've ever wondered what lies behind ISO 27001's reputation as the gold standard for information security management, much of the answer is found in Annex A. Since the 2022 revision of the standard this annex lists 93 controls (the 2013 edition had 114), and they form the backbone of any robust information security management system. Think of these controls as your organisation's security toolkit. They are grouped into four themes that between them cover the organisational, human, physical and technical sides of information security: organisational controls, people controls, physical controls, and technological [...]

ISO 27001 Risk Assessment: How to Map Business Risks to Annex A Controls

By | 2025-06-29T16:53:26+01:00 | June 30th, 2025 | ISO27001 Certification, ISO27001 Implementation, Risk Assessment |

In a previous blog post, I explored whether organisations should choose scenario-based or asset-based risk assessment techniques when implementing ISO 27001. Today, I want to build on that discussion by examining a critical aspect that many organisations overlook: ensuring your risk register properly addresses the broader organisational risks that underpin the controls in Annex A. This isn't just about compliance box-ticking. When done correctly, your risk mapping demonstrates to an auditor that you've genuinely considered the [...]
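The mapping described above is easy to check mechanically once the risk register and the Statement of Applicability (SoA) are both machine-readable. The following is an added example, not code from the post: it cross-references a scenario-based risk register against the Annex A controls declared applicable and reports the three gaps an auditor will probe. The control numbers follow ISO/IEC 27001:2022 Annex A; the risks, the three-point scale and the applicability decisions are constructed sample data.

```python
"""Cross-check a risk register against the Annex A controls declared applicable.

Added example, not code from the post. Control identifiers follow ISO/IEC
27001:2022 Annex A numbering; the risks, scale and applicability decisions are
constructed sample data for illustration.
"""
from collections import defaultdict

# Constructed three-point scale. Likelihood x impact gives a score of 1..9.
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Constructed scenario-based risk register. Each risk names the Annex A
# controls selected to treat it (an empty list means "not yet treated").
RISK_REGISTER = [
    {"id": "R1", "scenario": "Leaver retains access after contract ends",
     "likelihood": "medium", "impact": "high", "controls": ["5.16", "5.18"]},
    {"id": "R2", "scenario": "Shared admin password disclosed by phishing",
     "likelihood": "high", "impact": "high", "controls": ["5.17", "8.5"]},
    {"id": "R3", "scenario": "Laptop with customer data stolen from a car",
     "likelihood": "medium", "impact": "medium", "controls": ["7.9", "8.24", "6.7"]},
    {"id": "R4", "scenario": "Vendor outage takes payroll offline",
     "likelihood": "low", "impact": "medium", "controls": []},
]

# Constructed SoA subset: control -> declared applicable?
SOA = {"5.16": True, "5.17": True, "5.18": True, "7.9": True,
       "8.5": True, "8.24": True, "8.20": True, "6.7": False}


def risk_score(risk):
    """Likelihood multiplied by impact on the three-point scale."""
    return LEVEL[risk["likelihood"]] * LEVEL[risk["impact"]]


def risk_rating(risk):
    """Collapse the 1..9 score back to low / medium / high."""
    score = risk_score(risk)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def coverage_report(register, soa):
    """Three findings to resolve before the audit:

    controls_without_risk     - applicable in the SoA but no risk selects them;
                                they need another justification (legal,
                                contractual or business requirement) or a risk.
    risks_without_control     - risks with no treatment mapped at all.
    controls_used_not_in_soa  - a risk relies on a control the SoA excludes,
                                which contradicts the applicability decision.
    """
    risks_per_control = defaultdict(list)
    for risk in register:
        for control in risk["controls"]:
            risks_per_control[control].append(risk["id"])

    applicable = {c for c, is_applicable in soa.items() if is_applicable}
    return {
        "controls_without_risk": sorted(applicable - set(risks_per_control)),
        "risks_without_control": [r["id"] for r in register if not r["controls"]],
        "controls_used_not_in_soa": sorted(
            c for c in risks_per_control if not soa.get(c, False)),
    }


if __name__ == "__main__":
    for risk in RISK_REGISTER:
        print(risk["id"], risk_rating(risk), risk["scenario"])
    for finding, items in coverage_report(RISK_REGISTER, SOA).items():
        print(f"{finding}: {items}")
```

Run against the sample data it flags 8.20 (applicable but justified by no risk), R4 (a risk with no treatment) and 6.7 (used by R3 although the SoA marks it not applicable). Each of those is exactly the kind of inconsistency between register and SoA that a Stage 2 auditor will ask you to explain.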

ISO27001 – Control 5.17 – Authentication Information

By | 2025-06-16T17:44:25+01:00 | June 16th, 2025 | Information Security, ISO 27001 Controls |

Control 5.17 Wording

Control 5.17 - Authentication Information states: "Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information."

What this means

Control 5.17 aims to ensure that your organisation has proper rules for creating, issuing, and looking after login details such as passwords, PINs, and access codes. This matters because the organisation needs to make sure that only the right people [...]
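The "management process" the control asks for has a technical core that is easy to get wrong: how an initial secret is generated, how it is stored, and what happens on first use. The following is an added example, not code from the post, showing one way to implement that core: temporary authentication information is generated from a CSPRNG, stored only as a salted scrypt hash, expires if unused, and must be replaced by the user before normal access is granted. The lifetime, minimum length, user names and the `CredentialStore` class are assumptions made for the example.

```python
"""Issue and manage temporary authentication information.

Added example, not code from the post: one way to implement the core of the
management process Control 5.17 calls for. The policy values below
(temporary-credential lifetime, minimum password length) and the sample users
are constructed assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

TEMP_TTL_SECONDS = 24 * 3600   # assumed lifetime of an unused temporary secret
MIN_PASSWORD_LEN = 12          # assumed minimum for the replacement password
_DUMMY_SALT = os.urandom(16)   # used so unknown users cost the same as bad secrets


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted, memory-hard one-way function: the store never holds the secret.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class CredentialStore:
    def __init__(self):
        # user -> {"salt", "digest", "must_change", "expires"}
        self._records = {}

    def issue_temporary(self, user: str, now: float = None) -> str:
        """Create a unique, unguessable temporary secret for an already
        verified user. The caller hands it over out of band; it is never
        logged or stored in the clear."""
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)          # 96 bits from the CSPRNG
        salt = os.urandom(16)
        self._records[user] = {
            "salt": salt,
            "digest": _hash(temp, salt),
            "must_change": True,                  # forces replacement on first use
            "expires": now + TEMP_TTL_SECONDS,
        }
        return temp

    def authenticate(self, user: str, secret: str, now: float = None) -> str:
        """Return 'ok', 'change_required', 'expired' or 'denied'."""
        now = time.time() if now is None else now
        rec = self._records.get(user)
        if rec is None:
            _hash(secret, _DUMMY_SALT)            # same work as a real check
            return "denied"
        if rec["expires"] is not None and now > rec["expires"]:
            return "expired"
        if not hmac.compare_digest(_hash(secret, rec["salt"]), rec["digest"]):
            return "denied"
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, user: str, old: str, new: str,
                        now: float = None) -> bool:
        """Replace the current secret; the new one is user-chosen, long enough
        and different from the one being replaced. Succeeds only if the old
        secret still authenticates."""
        if self.authenticate(user, old, now) not in ("ok", "change_required"):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == old:
            return False
        salt = os.urandom(16)
        self._records[user] = {"salt": salt, "digest": _hash(new, salt),
                               "must_change": False, "expires": None}
        return True


if __name__ == "__main__":
    store = CredentialStore()
    temp = store.issue_temporary("alice")
    print("first login:", store.authenticate("alice", temp))      # change_required
    print("changed:", store.change_password("alice", temp, "correct-horse-battery"))
    print("later login:", store.authenticate("alice", "correct-horse-battery"))  # ok
```

The points worth noticing are the ones auditors and attackers both care about: the temporary secret is random rather than a pattern such as "Welcome2025!", it cannot be recovered from the store, it stops working if it is not used within the lifetime, and the user cannot simply keep it as their permanent password.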

What happens at an ISO 27001 Certification Audit?

By | 2025-05-26T14:31:21+01:00 | May 26th, 2025 | ISO27001 Certification |

Understanding the ISO 27001 Certification Audit Process

It's one of the most common questions we get asked as organisations pursue ISO 27001: what happens at the certification audit? The certification audit is undertaken in two parts, a Stage 1 audit and a Stage 2 audit, both carried out by the certification body. The two stages have distinct roles.

Stage 1: Documentation Review

The first stage is primarily a desk-based assessment in which auditors examine your Information Security Management System (ISMS) documentation to see if you are ready [...]

ISO27001 – Control 5.16 – Identity Management

By | 2025-06-16T17:47:26+01:00 | May 5th, 2025 | Information Security, ISO 27001 Controls |

Control 5.16 Wording

Control 5.16 - Identity Management states: "The full life cycle of identities should be managed."

What this means

Control 5.16 focuses on managing digital identities throughout their complete lifecycle, from creation to deletion. Think of it as a comprehensive system for tracking and controlling every digital identity in your organisation, whether it belongs to a person or to a system, ensuring that the right people and systems have the right identities and access. It's not just about creating usernames; it's about maintaining a [...]
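The lifecycle is only managed if something regularly compares the identities that exist against the authoritative record of who should have one. The following is an added example, not code from the post: it reconciles a directory export against an HR roster and reports the classic lifecycle failures (a leaver whose account is still enabled, an active starter with no identity, accounts with no living owner, and accounts nobody has used for a long time). The roster, the export, the 90-day dormancy threshold and the reporting date are constructed sample data.

```python
"""Reconcile existing identities against the source of truth.

Added example, not code from the post. The HR roster, the directory export,
the dormancy threshold and the reporting date are constructed sample data.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed threshold for an unused account

# Constructed HR roster: the authoritative record of who should have an identity.
HR = {
    "alice": {"status": "active"},
    "bob":   {"status": "left"},       # contract ended, should be deprovisioned
    "carol": {"status": "active"},     # started recently
}

# Constructed directory export. Every identity, human or system, names an owner;
# service accounts are owned by a person so that leaver processing catches them.
DIRECTORY = [
    {"id": "alice",      "enabled": True, "last_login": date(2025, 4, 28), "owner": "alice"},
    {"id": "bob",        "enabled": True, "last_login": date(2025, 4, 2),  "owner": "bob"},
    {"id": "dave",       "enabled": True, "last_login": date(2024, 11, 1), "owner": None},
    {"id": "svc-backup", "enabled": True, "last_login": date(2025, 4, 30), "owner": "carol"},
    {"id": "svc-legacy", "enabled": True, "last_login": date(2024, 12, 15), "owner": None},
]


def reconcile(hr, directory, today):
    """Return the lifecycle exceptions found between the roster and the directory."""
    findings = {
        "leaver_still_enabled": [],   # owner has left but the account still works
        "no_identity": [],            # active person with no account at all
        "unowned": [],                # no owner, or owner unknown to HR
        "dormant": [],                # enabled but unused beyond the threshold
    }

    existing = {acct["id"] for acct in directory}
    for person, rec in hr.items():
        if rec["status"] == "active" and person not in existing:
            findings["no_identity"].append(person)

    for acct in directory:
        owner_rec = hr.get(acct["owner"]) if acct["owner"] else None
        if owner_rec is None:
            findings["unowned"].append(acct["id"])
        elif owner_rec["status"] != "active" and acct["enabled"]:
            findings["leaver_still_enabled"].append(acct["id"])
        if acct["enabled"] and today - acct["last_login"] > DORMANT_AFTER:
            findings["dormant"].append(acct["id"])
    return findings


if __name__ == "__main__":
    for finding, ids in reconcile(HR, DIRECTORY, date(2025, 5, 1)).items():
        print(f"{finding}: {ids}")
```

On the sample data the report shows bob still enabled after leaving, carol with no identity despite being active, and two unowned accounts (dave and svc-legacy) that are also dormant. Each line is evidence of a lifecycle step that did not happen, which is exactly what an auditor sampling this control will look for.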

5 Information Security Mistakes That Could Cost You Your Business

By | 2024-11-02T11:51:16+00:00 | November 4th, 2024 | Cyber Security, Information Security |

Information security mistakes can devastate UK businesses of any size. In today's digital landscape, these mistakes aren't just IT concerns; they're fundamental business risks that UK organisations cannot afford to ignore. With data breaches costing companies an average of £3.7 million according to IBM's 2024 Cost of a Data Breach Report, even seemingly minor security oversights can have devastating consequences.

1. Assuming Compliance Equals Security

Many UK businesses make the critical error of [...]

UK Procurement Trends: Why Your Company’s Security Posture Matters More Than Ever

By | 2024-10-26T10:22:02+01:00 | October 28th, 2024 | Information Security |

In today's business landscape, UK companies are experiencing a significant shift in how clients evaluate and select their suppliers. A clear trend has emerged: a good security posture has moved from a "nice-to-have" to a critical deciding factor in procurement decisions. Potential clients now review their suppliers' security practices as part of the procurement process, to confirm that secure practices are actually in place before a contract is awarded. For managers focused on growth and efficiency, understanding this shift could [...]

Bringing New Blood into InfoSec: Why Mentoring Matters

By | 2024-08-26T09:10:07+01:00 | August 19th, 2024 | Information Security |

Let's face it: the information security landscape is evolving faster than ever. New threats emerge daily, clients demand assurance that their data is secure, and staying ahead of the curve takes innovative thinking. But how do we nurture the next generation of InfoSec professionals? The answer might be simpler than you think: good old-fashioned mentoring. Now, I know what you're thinking. "Mentoring? Isn't that just extra work for my already overloaded [...]

Scenario vs. Asset-Based Risk Assessments: Understanding the Key Differences

By | 2024-08-26T09:14:20+01:00 | August 12th, 2024 | Risk Assessment |

Risk assessment is a crucial process for organisations to identify, analyse, and mitigate potential threats. Two common approaches to risk assessment are scenario-based and asset-based methods. Each has its strengths and is suited to different contexts.

Scenario-Based Risk Assessment

Scenario-based risk assessment focuses on identifying potential events or situations that could negatively impact an organisation. It is the one I would recommend for organisations just starting to look at the risks they face, as [...]

Risk Assessment – What scale should I use?

By | 2024-08-26T09:11:17+01:00 | August 5th, 2024 | Information Security, Risk Assessment |

When undertaking a risk assessment, one of the key things you need to decide upon is the scale you are going to use. I have seen some very complicated risk assessment scales: ones that multiply values, scales of 1 to 10, different areas for reporting risk. It doesn't have to be complicated. In fact, the simpler the scale, the easier it is to evaluate risk consistently.

Keep it simple

Unless your business is complex, multi-million pound and [...]
