Thinking
Articles on compliance, business continuity, and information security, written for the people who have to make it work in practice.
Stage 1 is the audit most organisations misunderstand. What the certification body is there to check, the findings that recur across real Stage 1 preparations, and the honest readiness test to apply before booking anything.

What the certification body reviews at Stage 1, the findings that catch organisations out, from contradictory Statements of Applicability (SoAs) to the internal audit impartiality trap, and how to walk in ready.

The word "audit" covers four different activities, and buying the wrong one wastes money in both directions. The full taxonomy, ending in a decision you can make in one pass.

The consequence spectrum from an ICO complaint to the litigation amplifier, the new statutory complaints route from June 2026, and the first 48 hours after a miss.

The session shape, who must be in the room, what good scenarios and outputs look like, and what separates a useful exercise from theatre.

The NCSC is handling four nationally significant cyber incidents every week, with nation-state actors now behind the majority of the most serious cases. If your risk register has not been updated to reflect the current threat landscape, the gap between document and reality is growing.

New legislation is coming. Organisations that treat this as a compliance exercise will miss the point. Here is what the Bill actually requires and how to get ahead of it.

AI is changing what governance means in practice. This is a guide for leaders who need to make decisions now, not wait for the regulatory landscape to settle.

Most risk registers are documents that satisfy an auditor, not tools that drive decisions. Here is what the difference looks like in practice and how to close the gap.

Most organisations do not struggle with crisis communications because they lack tools. They struggle because the tools are not connected to clear decision-making frameworks.

The quantum threat to current encryption standards is not theoretical. The transition window is open now, and organisations that wait will face a harder migration later.

AI-powered attacks are breaking traditional authentication methods, from deepfaked biometrics to intercepted one-time passwords. What modern security and ISO 27001 compliance now require.

From SIM-swap fraud to AI-powered campaigns and quishing, phishing keeps evolving. The countermeasures that work, the M&S lesson, and how ISO 27001:2022 structures the defence.

The Corporate Sustainability Reporting Directive has implications beyond the EU. If your organisation works with European entities, here is what you need to understand.