Guidance
SOC 2
System and Organization Controls 2, more commonly referred to as SOC 2, is a compliance framework created by the American Institute of Certified Public Accountants (AICPA) to help businesses manage and protect customer data. The standard outlines five key areas, called the Trust Services Criteria. These are: Security - Safeguarding data and systems against unauthorised access. Availability - Ensuring that systems are both reliable and accessible to employees and clients. Processing Integrity
Cyber Essentials
Cyber Essentials, commonly referred to as simply CE, is a cyber security certification scheme backed by the UK Government. Launched in 2014, the scheme provides a clear framework of basic security controls to safeguard sensitive data and systems from common cyber threats, and can be implemented by any business, regardless of industry or size. The scheme is managed by the National Cyber Security Centre (NCSC) and delivered through its partner, IASME, which oversees the certification process and keeps a re
ISO27001:2022
ISO/IEC 27001 is an international standard that outlines the requirements for creating, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The primary goal of both the standard and the ISMS is to help businesses protect their valuable information assets by ensuring their confidentiality, integrity, and availability. Most recently updated in 2022, the standard requires businesses to assess risks to their information assets, implement appropriate controls
DORA
The Digital Operational Resilience Act (DORA) is a European Union regulation designed to improve the digital operational resilience of financial entities and their ICT (Information and Communication Technology) service providers, ensuring that they can withstand, respond to, and recover from all types of ICT-related threats and disruptions. Prior to DORA, there was no single EU-wide framework for the management or mitigation of ICT risk across the European financial sector. DORA introduces five key i
What is an ISMS?
An ISMS, or Information Security Management System, is a structured framework that helps businesses manage, secure, and protect sensitive information. It outlines policies, procedures, and controls, with the overall aim of ensuring the confidentiality, integrity, and availability of information. An ISMS is most commonly recognised as the core requirement of ISO 27001, the globally recognised standard for information security. It provides businesses with a structured process for ident
What are security controls?
Security controls are specific actions, steps, processes or measures that a business implements in order to reduce risk, protect data or assets, and meet the requirements outlined by compliance standards. These controls can be technical, such as requiring multi-factor authentication to access company data, or physical, such as installing biometric locks in locations where sensitive information is stored. There are three main types of controls: Preventive Controls stop security incidents b
What is a penetration test?
A penetration test is a simulated cyber attack on a business, used to identify security vulnerabilities in systems, networks, or applications. Penetration tests can also be physical, using techniques such as lock picking, badge cloning, and social engineering. Beyond finding vulnerabilities, a penetration test also assesses how well a business can detect and respond to an attack. The test helps uncover weaknesses such as unpatched software, misconfigured permissions, insecure networks, and wea
What is the CIA Triad?
The CIA Triad, which stands for Confidentiality, Integrity, and Availability, is a foundational cyber security model that businesses should prioritise when designing, implementing, and managing networks and security systems. Let's go over each of the three ideas: Confidentiality Confidentiality refers to the procedures and controls a business employs to make sure that information is kept both secure and private. This can be enforced through various methods, such as role-based acc
CIS Controls
The CIS Controls are a set of 18 prioritised cyber security best practices developed by the Center for Internet Security (CIS). The aim of these controls is to help businesses improve their defences against cyber threats and safeguard important systems and data. Within each of the 18 controls is a set of safeguards, each covering a specific aspect of security. In total there are 153 safeguards that businesses can implement. The controls are also organised int
What is risk management?
In the context of cyber security compliance, risk management refers to the process of identifying, assessing and reducing security risks that could threaten an organisation's systems, data, or operations. The goal of risk management is to reduce the likelihood and impact of security threats, whilst still ensuring compliance with applicable regulations and standards. The process typically involves several key steps: Risks must be identified. Risks can include, but are not limited to, cyber
What are assets?
In cyber security and compliance, an asset is anything of value that a business needs to protect from security threats, whether digital or physical. Identifying and managing assets forms a key part of most compliance standards, such as Cyber Essentials, SOC 2, and ISO 27001. Common types of assets include: Data – Customer information, financial records, employee details, intellectual property, and confidential business data. Hardware – Servers, computers, mobile devices, network equipment, and storage
What are compliance audits?
A compliance audit is a formal process that verifies whether an organisation has met the requirements of a compliance standard, regulation, or framework. This is achieved by examining the implemented controls, policies, and operational processes against those outlined by the standard. Audits are typically conducted by external third-party auditors; however, businesses may choose to carry out an internal audit using their own compliance team before going for certification, to check correct implementation
What are compliance standards?
Compliance standards are rules, guidelines, and best practices that organisations must follow in order to meet industry, legal, or regulatory requirements. They are designed with the end goal of protecting sensitive data, maintaining security, and building trust between businesses, regulatory bodies, and customers. Each compliance standard outlines different requirements that organisations must meet, often through the implementation of controls, policies, and other documented processes. For ma