In this episode of InfoSec Insider, Jack Woods and Mark O’Kane, both Consultants at URM, take a deep dive on the ‘People’ controls theme in ISO 27001, and why these controls matter in today’s hybrid workplaces, how they strengthen information security, and what auditors look for during assessments.  Jack and Mark draw upon their extensive experience supporting organisations’ implementation of the Standard to discuss: How to balance the risk of potential insider threats against the downsides of overzealous background checks when implementing pre-employment screening The practical steps you can take to meaningfully enforce people controls beyond generic policies in the context of remote and hybrid work environments How to ensure incident reporting for information security is both mandatory and non-punitive, so employees feel safe to report without fear of reprisal The types of evidence auditors expect to see in a people controls-focused audit The risks that arise when people controls such as training or NDAs are not routinely reviewed/updated as working patterns or staff roles evolve. Ask Jack and Mark a question: https://urmconsulting.com/podcasts/iso-27001-people-controls If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecinsider      You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts      Connect with us on LinkedIn      Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Neil Jones, Senior Consultant at URM, explores artificial intelligence impact assessments (AIIAs), a key conformance activity required by ISO 42001, the International Standard for AI Management Systems (AIMS).  Neil leverages over 20 years of experience working with risk and information security-related standards to discuss: What an AIIA is under ISO 42001, and how it differs from a typical risk assessment The role of ISO 42005 and how it relates to AIIAs The seven sections of an AIIA and what each section covers When in the AI lifecycle you need to conduct an AIIA How organisations should balance AIIAs with risk assessments in the context of ISO 42001. Learn more about this topic: https://www.urmconsulting.com/blog/iso-42001-artificial-intelligence-impact-assessments-aiias If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider       You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts       Brought to you by URM, the UK’s leading information and cyber security specialists.    

In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) at URM, offer advice on compliance with the Payment Card Industry Data Security Standard (PCI DSS), with a particular focus on the ‘human’ element of security.  Alastair and Tibor leverage nearly 30 years’ combined experience with the PCI DSS to discuss: How you can minimise the risk of noncompliance caused by human error or behaviour The compliance complications associated with using wireless devices such as Bluetooth headphones Whether ‘pause-and-resume’ recording in call centres is truly secure How to avoid card data leaking through CCTV cameras in environments such as call centres And more! Ask Alastair and Tibor a question: https://urmconsulting.com/podcasts/ the-people-side-of-pci-dss If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecinsider    You can find more episodes of InfoSec Insider here:     https://urmconsulting.com/podcasts    Connect with us on LinkedIn    Brought to you by URM, the UK’s leading information and cyber security specialists.  

In this episode of InfoSec Insider – Talk DP, Rachael Salter and Aimee Brown, both Data Protection Consultants at URM, provide their insights on overcoming data subject access request (DSAR) challenges and how organisations can gain benefits from the fulfilment of DSARs, rather than treating them purely as a business burden.   Rachael and Aimee leverage over 20 years’ combined experience in data protection to discuss: • Whether DSARs can actually enhance customer trust, or are simply a compliance checkbox exercise for organisations• How organisations can reframe DSAR handling as an opportunity to improve their data governance • The hidden costs of DSARs and how you can measure whether those costs bring any tangible benefits• When it is appropriate to push back on a DSAR as ‘manifestly unfounded’ or ‘excessive’ and how to defend this decision to the regulator• How to proactively use DSAR data to inform your privacy strategy and customer engagement.  Ask Rachael and Aimee a question:  https://urmconsulting.com/podcasts/dsars-a-business-burden-vs-a-data-protection-opportunity If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecinsider    You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts    Connect with us on LinkedIn    Brought to you by URM, the UK’s leading information and cyber security specialists.  

In this episode of InfoSec Insider, George Ryan, Consultant at URM, provides key advice and guidance on the impact of artificial intelligence (AI) on organisations, and the steps they can take to establish control over its usage.  George leverages his extensive experience helping organisations strengthen their information and cyber security to discuss:   What ‘AI’ is   How AI and its usage can impact organisations  How organisations can look to control AI among its staff and within its operations.  Learn more about this topic: https://www.urmconsulting.com/blog/establishing-organisational-control-over-artificial-intelligence  If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider         You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts         Brought to you by URM, the UK’s leading information and cyber security specialists. 

In this episode of InfoSec Insider, Martin Brazier, Senior Consultant at URM, explores the EU Artificial Intelligence (AI) Act, the world’s first comprehensive regulation on AI by a major regulator.  Maritn draws upon over 20 years of experience in compliance, information management and data protection to discuss: What AI is and how it is defined by the EU AI Act Which entities the Act is applicable to, the different ‘compliance roles’ it defines and the obligations associated with each How AI risk is categorised, and the provisions for and restrictions upon each risk level How the AI Act will be enforced The current UK approach to AI legislation and the impact of the AI Act beyond the EU. Learn more about this topic: https://www.urmconsulting.com/blog/the-eu-artificial-intelligence-act If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider        You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts        Brought to you by URM, the UK’s leading information and cyber security specialists.    

In this episode of InfoSec Insider, Scott Lloyd, Senior Consultant at URM, offers key advice and guidance on the ISO 27001 certification process, how organisations can ensure they are prepared for a smooth and successful certification assessment.  Scott leverages his extensive experience in the field of information security to discuss: Common misconceptions about certification The ‘must-have’ documentation organisations need to have in place ready for their Stage 1 audit The Stage 2 audit, the difference between minor and major nonconformities and how they affect certification How organisations should handle minor nonconformities so that they do not become majors in the future The 3-year certification cycle and Continual Assessment Visits (CAVs) Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-how-certification-works   If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider       You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts       Brought to you by URM, the UK’s leading information and cyber security specialists.      

In this episode of InfoSec Insider – Talk Cyber, George Ryan, consultant at URM, provides his insights on the steps organisations can take to protect themselves against ransomware attacks.  George leverages his extensive experience helping organisations strengthen cyber security measures to discuss: What ransomware is and why it has so frequently made headlines in recent years Who is responsible for protecting an organisation against ransomware The role of people, processes and technology in enhancing ransomware defences Which measures organisations with minimal or no cyber security should prioritise. Learn more about this topic: https://www.urmconsulting.com/blog/critical-cyber-security-practices-to-defend-against-ransomware-attacks If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider       You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts       Brought to you by URM, the UK’s leading information and cyber security specialists.       

In this episode of InfoSec Insider, Martin Brazier, Senior Consultant at URM, breaks down the Social Tenants Access to Information Requirements (STAIRs), a forthcoming information access standard that will give greater rights to tenants of private registered providers (PRPs).  Martin leverages over 20 years of information management and data protection experience to discuss: What the STAIRs are and how they came about What PRPs will need to do to comply with the STAIRs The steps organisations can take now to prepare for STAIRs compliance.  If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://www.urmconsulting.com/blog/getting-ready-for-the-social-tenant-access-to-information-requirements-stairs You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts     Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Mark O’Kane, Consultant at URM, provides key advice and guidance on the two business continuity-related controls in Annex A of ISO 27001.  Mark draws upon his extensive experience helping organisations implement and certify against the Standard to discuss: The requirements of the business continuity controls and how they help organisations security their assets during a disruption How organisations can meet the requirements of and ensure conformance to Controls A.5.29 and A.5.30 The common mistakes organisations make when implementing and maintaining these controls, and how these mistakes can be avoided. Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-2022-a-5-organisational-controls-business-continuity If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider     You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts     Brought to you by URM, the UK’s leading information and cyber security specialists.      

In this episode of InfoSec Insider – Talk Cyber, George Ryan, Consultant at URM, provides his insights on the best next steps organisations can take following Cyber Essentials certification to further enhance their security.  George leverages his extensive experience assisting organisations to strengthen their cyber security measures to discuss:   What is covered by the Cyber Essentials scheme The more advanced cyber and information security frameworks organisations can implement having achieved Cyber Essentials How organisations can enhance their cyber and information security without implementing additional frameworks. Learn more about this topic: https://www.urmconsulting.com/blog/supplementing-cyber-essentials If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider     You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts     Brought to you by URM, the UK’s leading information and cyber security specialists.     

In this episode of InfoSec Insider, Mark O’Kane, Consultant at URM, offers his insights and advice on the six incident management-related controls in Annex A of ISO 27001, which are contained within the ‘Organisational’ and ‘People’ control themes.  Mark leverages his extensive experience supporting organisations to implement ISO 27001 to discuss: The requirements of the incident management controls and how they fit into the overall aim of the ‘Organisational’ and ‘People’ control themes How the incident management controls help organisations address information security incidents How organisations can effectively put these controls into practice. Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-2022-a-5-organisational-controls-incident-management If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecinsider    You can find more episodes of InfoSec Insider here:    https://urmconsulting.com/podcasts    Connect with us on LinkedIn  Brought to you by URM, the UK’s leading information and cyber security specialists.    

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, Senior Data Protection Consultant at URM, provides his insights on the Data (Use and Access) Act, which received Royal Assent on 19 June.  Stuart draws upon over 25 years of specialisation in data protection law to discuss: The background, scope, and intention of the DUA Act How the DUA Act is expected to impact the UK’s data protection regulatory landscape, and how it may lighten the compliance burden on organisations, particularly in relation to: Automated decision-making International transfers of personal data Data subject access requests (DSARs) The Privacy and Electronic Communications Regulations (PECR) The ‘legitimate interests’ basis for processing Which provisions in the Act may make data protection compliance more difficult When these changes are likely to come into force. Learn more about this topic: https://www.urmconsulting.com/blog/dua-act-finally-becomes-law If you enjoyed this episode of InfoSec Insider – Talk DP, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider     You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts     Brought to you by URM, the UK’s leading information and cyber security specialists. 

In this episode of InfoSec Insider, Mark O’Kane, Consultant at URM, offers his insights into the legal, regulatory and contractual-related controls (A.5.31-37) from Annex A of ISO 27001:2022 and how they can be effectively implemented by organisations.  Mark draws upon his extensive experience assisting organisations to certify against the Standard to discuss: The requirements of the legal, regulatory and contractual controls and how they fit into the overall aim of the ‘Organisational’ control theme How the legal controls help to prevent breaches of legal, statutory, regulatory or contractual obligations related to information security How to put controls A.5.31-37 into practice. Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-2022-a-5-organisational-controls-legal-regulatory-and-contractual   If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider      You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts      Brought to you by URM, the UK’s leading information and cyber security specialists.    

In this episode of InfoSec Insider – Talk Cyber, George Ryan, Consultant at URM, explores the Lexcel Practice Management Standard (Lexcel), the Specialist Quality Mark (SQM) and their relationship with the Cyber Essentials scheme.  George leverages his extensive experience assisting organisations to enhance their cyber security to discuss:  What Lexcel and the SQM are, and why they are needed How these standards relate to cyber security How Cyber Essentials ties these standards, and how certification to the scheme can benefit law firms’ Lexcel/SQM compliance efforts How law firms can strengthen their security further having achieved Cyber Essentials. Learn more about this topic: https://www.urmconsulting.com/blog/understanding-lexcel-and-the-specialist-quality-mark-sqm-how-cyber-essentials-can-benefit-your-practice   If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider      You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts      Brought to you by URM, the UK’s leading information and cyber security specialists.    

In this episode of InfoSec Insider, Mark O’Kane, Consultant at URM, offers his insights into the information security management controls within Annex A of ISO 27001, which comprise the first eight controls of Annex A’s ‘Organisational’ control theme.  Mark leverages his extensive experience supporting ISO 27001 implementations to discuss: What the organisational controls are, and how the first eight fit into the overall aim of the ‘Organisational’ control theme The role of management and senior leadership in relation to information security, and how leadership is linked to the creation of information security policies The importance of segregation of duties and clearly defined roles and responsibilities in addressing information security risk How maintaining contact with authorities, special interest groups, and threat intelligence sources can help you address both security risks that may materialise and security incidents that have occurred Common challenges and mistakes associated with implementing these controls, and how they can be overcome. Learn more about this topic:  https://www.urmconsulting.com/blog/iso-27001-2022-a-5-organisational-controls-information-security-management If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecinsider   You can find more episodes of InfoSec Insider here:    https://urmconsulting.com/podcasts     Brought to you by URM, the UK’s leading information and cyber security specialists.  

In this episode of InfoSec Insider, Wayne Armstrong, Senior Consultant at URM, provides his insights on the 4 controls that relate to access management in the ‘Organisational’ control theme of ISO 27001’s Annex A.  Wayne leverages his 30+ of experience with information security to discuss:  The requirements of each of the following 4 controls and how your organisation can go about meeting them:  A.5.15 – Access control  A.5.16 – Identity management  A.5.17 – Authentication information  A.5.18 – Access rights.  Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-2022-a-5-organisational-controls-access-management  If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider      You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts    Brought to you by URM, the UK’s leading information and cyber security specialists. 

In this episode of InfoSec Insider, Wayne Armstrong, Senior Consultant at URM, breaks down the 5 supplier management-related controls in the ‘Organisational’ control theme of ISO 27001’s Annex A.  Wayne draws upon 30+ of experience with information security to discuss:  Why your organisation should consider supplier management as part of information security   What each of the following 5 controls cover and how to implement them:  A5.19 – Information security in supplier relationships  A5.20 – Addressing information security within supplier relationships  A5.21 – Managing information security in the ICT supply chain  A5.22 – Monitoring, review and change management of supplier services  A5.23 – Information security for use of cloud services.   Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-2022-a-5-organisational-controls-supplier-management   If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider      You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts    Brought to you by URM, the UK’s leading information and cyber security specialists. 

In this episode of InfoSec Insider, Jack Woods, Consultant at URM, explores information risk assessment and risk treatment in the context of ISO 27001, the International Standard for Information Security Management Systems (ISMS’).  Jack leverages his extensive experience assisting organisations to implement an ISMS and certify to the Standard to discuss: The purpose of a risk assessment How risk fits into ISO 27001 and its requirements How to conduct an information security risk assessment The actions you can take to treat the risks you identify. Learn more about this topic:  https://www.urmconsulting.com/blog/information-risk-assessment-and-treatment-in-iso-27001 If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecinsider    You can find more episodes of InfoSec Insider here:   https://urmconsulting.com/podcasts    Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Wayne Armstrong, Senior Consultant at URM, provides his insights on the 34 technological controls in Annex A of ISO 27001 and how these can be implemented by organisations looking to conform or certify to the Standard.  Wayne leverages his 30+ years of experience in information security and risk management to discuss: What the technological controls in ISO 27001 are designed to achieve How you can go about selecting the most appropriate technological controls for your organisation How the guidance contained in ISO 27002, the supplementary standard to ISO 27001, can help your organisation meet the Standard’s requirements in relation to technological controls The constraints that may prevent your organisation from implementing certain controls, and how these can be overcome The importance of balancing security and operational effectiveness and efficiency. Learn more about this topic:  https://www.urmconsulting.com/blog/implementing-technological-controls-in-iso-27001 If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecinsider    You can find more episodes of InfoSec Insider here:   https://urmconsulting.com/podcasts    Brought to you by URM, the UK’s leading information and cyber security specialists.