Information Security & ISO 27001

what makes a supplier risk assessment

What Makes a Supplier (And When a Tool Is Not Simply a Tool)

What Makes a Supplier (And When a Tool Is Not Simply a Tool) Every organisation I’ve worked with over the years has a supplier list. It sits somewhere in a spreadsheet, gets reviewed once a year around audit time, and contains the names you’d expect: the IT support company, the payroll provider, maybe a facilities […]

What Makes a Supplier (And When a Tool Is Not Simply a Tool) Read More »

Aerial view of a stone architectural maze with a clear navy blue path marked through it, representing navigation through complex ISO standards

ISO Spaghetti: Why the Standards Landscape Is Confusing (and What to Do About It)

The five standards worth knowing about ISO Spaghetti: Why the Standards Landscape Is Confusing (and What to Do About It) I have lost count of the number of tender documents I have reviewed that specify ISO 22301 and ISO 27001 and ISO 31000, sometimes with ISO 22361 thrown in for good measure. Occasionally all four

ISO Spaghetti: Why the Standards Landscape Is Confusing (and What to Do About It) Read More »

A framed certificate hanging on an office wall, slightly out of focus, with a laptop screen showing a security alert in the foreground

Does Your ISO 27001 Certificate Mean You’re Secure?

Does Your ISO 27001 Certificate Mean You’re Secure? After I published my recent piece on the GCHQ Director’s Bletchley Park lecture, a fellow practitioner left a comment that I’ve been turning over in my head ever since. It’s a question about ISO 27001 certification and what it really proves about security that deserves more than

Does Your ISO 27001 Certificate Mean You’re Secure? Read More »

Graphic quoting GCHQ Director Anne Keast-Butler's 2026 Annual Lecture at Bletchley Park: "From boardrooms to living rooms" — Cambridge Risk Solutions commentary

“From Boardrooms to Living Rooms”: What the GCHQ Director’s Bletchley Speech Really Said

“From Boardrooms to Living Rooms”: What the GCHQ Director’s Bletchley Speech Really Said It’s rare for the Director of GCHQ to speak in public. Anne Keast-Butler said as much herself this morning, standing at Bletchley Park to deliver the first annual GCHQ lecture. The fact that she felt compelled to do so tells you something

“From Boardrooms to Living Rooms”: What the GCHQ Director’s Bletchley Speech Really Said Read More »

Empty distribution warehouse with idle conveyor belt and lone worker facing a blank screen — illustrating the operational impact of a cyber incident

M&S just told us exactly what a cyber incident costs. Are you ready for yours?

M&S just told us exactly what a cyber incident cost a UK business. Are you ready for yours? Yesterday, Marks & Spencer published its full-year results. Profits down 23.8%. Fashion and home revenue down 7.7%. £131 million in direct costs attributed to a single cyber incident. And all of it traceable back to a third-party

M&S just told us exactly what a cyber incident costs. Are you ready for yours? Read More »