From the practice

The NIS2UmsuCG took effect in December 2025 with no transition period. Management liability is personal. Here is what being in scope actually means.

What defensible internal audit looks like: the six dimensions of audit depth, ISO 19011 competence, and ISO/IEC 17021-1 impartiality discipline.

If you are already ISO/IEC 27001 certified, here is the practical pathway to EU AI Act compliance. How ISO/IEC 42001 builds on your existing ISMS, what to integrate, what to add.

The certificate is not the finish line. Most programmes that collapse at surveillance were built around templates rather than the organisation's actual risk profile.

Both cover information security but serve different purposes, different audiences, and require different evidence. The answer depends on your customers.

A virtual CISO is not a cheaper substitute for a full-time hire. It is a different kind of engagement with different scope, deliverables, and value.

European SaaS companies increasingly need SOC 2 to sell into American enterprise accounts. Here is when to pursue it and how to build the programme efficiently.

Stage 2 is where the ISMS is tested against real evidence. Most organisations underestimate what auditors are actually looking for and where the gaps tend to appear.

The Statement of Applicability is one of the most misunderstood documents in ISO 27001. Getting it right is not optional, it is the first thing a certification auditor will review.

NIS 2 does not stop at your organisation's boundary. Supply chain security is an explicit Article 21 obligation. What does that mean for how you manage vendors?

ISO 42001 is the international standard for AI Management Systems. For organisations deploying AI in the EU, here is what building a compliant AIMS actually involves.

Information security awareness training is a control that every ISMS relies on. Here is what it is for, what the regulations require, and where programmes commonly fall short.