InfoSec Insider

Author: URM Consulting

Description
The InfoSec Insider podcast brings you weekly interviews with practicing senior consultants, who draw upon their extensive experience to provide detailed and practical guidance on all things information and cyber security, data protection compliance, risk management, and more. In each episode, one of our experts takes a deep-dive into a particular aspect of their area of specialism, whether that be certifying to ISO 27001, outlining some top tips for GDPR compliance, making the case for alternative approaches to pen testing, or discussing how to conduct an effective business impact analysis (BIA). Enhance your understanding and professional skillset with the InfoSec Insider podcast, brought to you by URM, the UK’s leading provider of cyber security and governance, risk management and compliance consultancy.
80 Episodes
In this episode of InfoSec Insider, Neil Jones, Senior Consultant at URM, provides key insights on achieving and maintaining conformance to Clause 6.3 (Planning of changes) of ISO 27001, the International Standard for Information Security Management Systems (ISMS). Neil leverages over 20 years of real-world information security knowledge and experience to discuss:
- What Clause 6.3 is and why planned ISMS change management is so important
- The common mistakes organisations make when planning ISMS changes under Clause 6.3
- The seven practical actions he recommends for effective implementation of Clause 6.3, which of these actions organisations most frequently overlook, and why
- How to determine whether your existing change management processes are suitable for Clause 6.3 conformance.
Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-clause-6-3-the-importance-of-planned-isms-change-management
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk Cyber, Stuart Moran and George Ryan, Consultants at URM, explore recent shifts in cyber security expectations and regulatory requirements faced by organisations in the medical supply chain, both in the UK and across the globe. Stuart and George leverage their extensive experience helping organisations in the medical sector enhance information and cyber security to discuss:
- The NHS’ recent open letter to suppliers, which highlights tighter scrutiny and more direct engagement, and what this means for NHS suppliers
- Which of the NHS’ new cyber security requirements for suppliers (MFA, continuous monitoring and immutable backups) will be most challenging to embed and why
- The biggest gaps in understanding or readiness among suppliers implementing the Data Security and Protection Toolkit (DSPT), and the practical differences between Categories 2 and 3 of the DSPT
- How shifts in standards such as ISO 13485 and the broader medical device regulatory landscape will influence suppliers’ design and manufacturing of their products, particularly around software and AI
- How the FDA’s power to deny market access to medical devices with insufficient cyber security may impact UK suppliers operating internationally, and whether this hints at a broader, global trend towards stricter cyber controls.
Learn more about this topic: https://www.urmconsulting.com/blog/iso-13485-and-beyond-key-updates-shaping-the-medical-device-regulatory-landscape
https://www.urmconsulting.com/blog/nhs-cyber-security-open-letter-what-does-it-mean-for-suppliers
If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) with URM, answer the niche and unusual questions they encounter around the Payment Card Industry Data Security Standard (PCI DSS). Alastair and Tibor leverage nearly 30 years’ combined experience with the PCI DSS to discuss:
- The strangest misconceptions they have heard about PCI DSS and cardholder data security
- What PCI DSS would look like if it were invented today, and what would be left out entirely
- The simple PCI DSS controls that people routinely misunderstand
- The most unusual systems or devices they have seen brought into scope
- Whether something can be both technically compliant and completely insecure at the same time, and whether there is such a thing as ‘too compliant’
- Finer technical details of the Standard, such as Kubernetes network policies, how to evidence a control that never triggers, corporate VPNs that impact segmentation, and more.
Ask Alastair and Tibor a question.
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, Senior Data Protection Consultant at URM, provides a breakdown and analysis of how the Information Commissioner’s Office (ICO) enforced UK data protection (DP) regulations in 2025, and how this compares to the action taken by the regulator in previous years. Stuart leverages his 25+ years of specialisation in data protection law to discuss:
- The context of changes in ICO enforcement activities between 2024 and 2025
- The main headline takeaways from his 2025 analysis, particularly in relation to the ICO’s fining activities
- What the regulator itself has said recently about new ways in which it’ll tackle enforcement in 2026 and beyond
- Ongoing DP stories to keep an eye on which might have an impact on the ICO, its fining posture and its ability to enforce any fines it imposes.
Learn more about this topic: https://www.urmconsulting.com/blog/analysis-of-enforcement-action-by-the-ico-in-2025-actions-way-down-security-data-breach-fines-way-up
If you enjoyed this episode of InfoSec Insider – Talk DP, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Jack Woods and George Ryan, both Consultants at URM, share their insights on how organisations can achieve strong information security governance and asset management that facilitate conformance to ISO 27001, the International Standard for Information Security Management Systems (ISMS). Jack and George draw on their extensive experience supporting organisations’ ISO 27001 certifications to discuss:
- How to transform high-level information security policies into day-to-day behaviour across teams, and who should own information security within organisations
- Defining clear information security roles and responsibilities, and how to overcome the practical challenges of implementing segregation of duties
- What best practice looks like when maintaining contact with authorities, special interest groups, and threat intelligence
- The importance of integrating information security into project management
- How to produce usable (rather than bureaucratic) documented operating procedures that reduce operational risk
- Effective information handling and asset management, from inventorying assets and acceptable use through to classification and labelling of information.
Ask Jack and George a question: https://www.urmconsulting.com/podcasts/information-security-governance-compliance-and-asset-management
If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk Cyber, Mark O’Kane, Consultant at URM, explains the second of the NIST Cybersecurity Framework’s (CSF’s) five core functions, the Identify function, sharing his insights on what organisations can do in practice to meet its requirements. Mark uses his extensive experience working in information security and risk management to discuss:
- Where the Identify function sits within the overall NIST CSF
- How your organisation can meet the requirements around identifying and managing assets
- The practical steps provided by the CSF for organisations struggling to understand their cyber security risks
- How to identify areas for improvement in your cyber security programme in line with the Identify function’s requirements.
Learn more about this topic: https://www.urmconsulting.com/blog/the-core-functions-of-nist-csf-identify
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) at URM, share their perspective on how organisations can most effectively and efficiently prepare for a Payment Card Industry Data Security Standard (PCI DSS) assessment. Alastair and Tibor leverage nearly 30 years’ combined experience with the PCI DSS to discuss:
- Practical steps teams can take to ensure the assessment runs smoothly overall
- What you should have ready before your PCI DSS assessment is even booked, and how to determine if your scope definition is clear enough
- What usable evidence looks like from a practical perspective, and whether to provide everything up front or respond as questions are asked
- When self-assessment questionnaires (SAQs) vs. full assessed engagements are needed, and what to keep from an SAQ in case a full engagement is required in the future
- What to do differently if this year’s assessment follows significant amounts of change
- And more.
Ask Alastair and Tibor a question: https://urmconsulting.com/podcasts/preparing-for-a-pci-dss-assessment
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk DP, Rachael Salter and Aimee Brown, Data Protection Consultants at URM, explore the challenges of workplace privacy and data protection compliance in a hybrid business landscape, and how these challenges can be overcome. Rachael and Aimee leverage over 20 years’ combined experience in data protection to discuss:
- Why employee data is becoming such a significant risk for businesses
- The legal and ethical boundaries when monitoring employees
- Why operational challenges make employee data subject access requests (DSARs) and monitoring so difficult
- Practical steps that small and medium-sized enterprises (SMEs) can take to monitor lawfully and reduce risk
- How future trends like artificial intelligence (AI) and global rules change workplace privacy.
Ask Rachael and Aimee a question: https://urmconsulting.com/podcasts/workplace-privacy-in-a-hybrid-world-monitoring-dsars-and-building-trust
URM’s blog on data protection considerations for monitoring employees: https://www.urmconsulting.com/blog/data-protection-considerations-for-monitoring-employees
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk Cyber, Jack Woods and George Ryan, both Consultants at URM, outline the steps organisations can take to ensure they are prepared in the event of a cyber breach and able to minimise the impact of a breach as much as possible. George and Jack leverage their extensive experience helping organisations strengthen their cyber and information security posture to discuss:
- The importance of approaching cyber security breaches as a question of ‘when’ not ‘if’, and how to ensure your organisation is appropriately resilient
- The documentation and procedures organisations should have in place, such as business continuity, disaster recovery, and communication plans, and how to test these plans’ effectiveness through exercising
- When disconnecting your organisation’s environment, i.e., ‘pulling the plug’, is an appropriate response to an attack
- Technical measures all organisations should have in place to mitigate the impact of a breach, such as segregation, backups, etc.
Ask Jack and George a question: https://www.urmconsulting.com/podcasts/minimising-the-impact-if-a-breach-occurs
Learn more about this topic: https://www.urmconsulting.com/blog/minimising-the-impact-when-a-breach-occurs
If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Mark O’Kane, Consultant at URM, explores the National Institute of Standards and Technology Cybersecurity Framework’s (NIST CSF’s) newly introduced Govern Function, outlining its purpose and significance within version 2.0 of the Framework. Mark examines each of its six Categories in detail, from defining organisational context and risk management strategy to establishing oversight and supply chain risk management, and explains the policies, processes and activities you will need to implement and conduct for conformance with each Category.
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk DP, Aimee Brown and Rachael Salter, both Data Protection Consultants at URM, share their insights on the principle of data protection (DP) by design and by default, particularly as it relates to small and medium-sized enterprises (SMEs). Rachael and Aimee leverage over 20 years’ combined experience in data protection to discuss:
- What ‘data protection by design and by default’ means under the UK General Data Protection Regulation (GDPR)
- Why this approach is so important for SMEs
- How SMEs can practically implement DP by design and default
- The common pitfalls SMEs face when applying this principle
- The emerging and future trends that make DP by design and default even more critical.
Ask Rachael and Aimee a question: https://urmconsulting.com/podcasts/data-protection-by-design-and-by-default
URM’s blog on data protection impact assessments (DPIAs): https://www.urmconsulting.com/blog/when-and-how-to-conduct-a-data-protection-impact-assessment-dpia
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk Cyber, Jack Woods and George Ryan, both Consultants at URM, explain the steps organisations can take to reduce the likelihood of suffering a security breach. George and Jack leverage their extensive experience helping organisations strengthen their cyber and information security posture to discuss:
- What constitutes a security breach and how they are commonly caused
- Where to start in strengthening your organisation’s defences and the key measures you should have in place across people, process, technology and supply chain
- The importance of preparing for if an attack does occur and reducing the impact of a breach.
Ask Jack and George a question: https://www.urmconsulting.com/blog/reducing-the-likelihood-of-a-security-breach
Learn more about this topic: https://www.urmconsulting.com/blog/strengthening-your-cyber-defences-practical-steps-for-every-business
If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk Cyber, George Ryan, Consultant at URM, breaks down the Defence Cyber Certification (DCC), a new certification framework developed by the Ministry of Defence (MoD) and IASME for UK defence suppliers. George draws upon his extensive experience helping organisations strengthen their cyber security to discuss:
- What the DCC is and who it’s for
- The four levels of compliance in the DCC, what they mean and how they work
- How the DCC can benefit organisations in the defence sector
- The steps involved in achieving the DCC.
If you enjoyed this episode of InfoSec Insider – Talk Cyber, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider – Talk DP, Martin Brazier, Senior Data Protection Consultant at URM, explores the considerations organisations should make to maintain data protection (DP) compliance in their development and deployment of artificial intelligence (AI) systems. Martin leverages his 20+ years’ specialisation in DP and information management to discuss:
- What AI is
- The current AI regulatory framework and how it’s evolving
- How the 7 core principles of the General Data Protection Regulation (GDPR) apply and relate to AI
- How to comply with rules around automated decision making and meet data subject rights obligations in your development or use of AI
- Additional DP factors to consider, such as continuous improvement, appropriate risk mitigations, and using established methods to assess and record decisions.
Learn more about this topic: https://www.urmconsulting.com/blog/data-protection-considerations-for-artificial-intelligence-ai
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) at URM, explore the theory versus the reality of compliance with the Payment Card Industry Data Security Standard (PCI DSS). Alastair and Tibor leverage nearly 30 years’ combined experience with the PCI DSS to discuss:
- Whether it would be cheaper to simply pay the fines instead of being PCI DSS compliant
- How often they see organisations treat PCI as a one-time project versus an ongoing programme
- The possibility of still suffering a breach while being fully compliant, and whether this has happened in the past
- The PCI requirements organisations struggle with most in practice
- How smaller merchants can cope with PCI requirements that were designed with larger organisations in mind
- The areas where PCI DSS lags behind current security threats
- And more.
Ask Alastair and Tibor a question: https://www.urmconsulting.com/podcasts/pci-dss-standards-vs-reality
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

Clearview AI Case

2025-12-11 14:52

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, Senior Consultant at URM, breaks down the Upper Tribunal’s recent decision to uphold the ICO’s appeal in the Clearview AI case, sharing his insights on the meaning and impact of this development. Stuart draws upon over 25 years of specialisation in data protection law to discuss:
- The Clearview AI case and how it has developed since the ICO’s 2022 decision to impose a £7.5m fine on Clearview
- The Upper Tribunal’s ruling and how it has clarified the territorial scope of the GDPR, as well as the limits of the Regulation’s Article 2 exemption for law enforcement
- Why the enforcement limitations of the GDPR mean this ruling may not be as significant a win for the ICO as it initially seems
- A potential legal challenge to Clearview from well-known data protection activist Max Schrems, potentially signalling hope on the horizon for this case.
Learn more about this topic: https://www.urmconsulting.com/blog/icos-appeal-in-clearview-ai-case-upheld
If you enjoyed this episode of InfoSec Insider – Talk DP, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Frazer Grudings, Senior Consultant at URM, shares his insights on Clause 5.1 of ISO 27001, which covers the leadership and commitment requirements for an information security management system (ISMS) that is conformant to the Standard. Frazer draws upon over 15 years of information security experience to discuss:
- The requirements of Clause 5.1 and what conformance to this Clause involves
- Why leadership and commitment matter to an ISMS
- What can go wrong when leadership and commitment are not demonstrated.
Learn more about this topic: https://www.urmconsulting.com/blog/iso-27001-clause-5-1-leadership-and-commitment-explained
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) at URM, offer their advice on the systems and controls that are often overlooked in relation to the Payment Card Industry Data Security Standard (PCI DSS). Alastair and Tibor leverage nearly 30 years’ combined experience with the PCI DSS to discuss:
- Why the PCI DSS covers systems that don’t store card data, such as DNS servers or time servers
- Why time synchronisation (NTP servers) is a PCI requirement
- How card data can leak through system logs and how this can be avoided
- Printers, custom error messages, IoT devices – why they’re in scope and how to maintain compliance.
Ask Alastair and Tibor a question: https://www.urmconsulting.com/podcasts/pci-dss-the-overlooked-systems
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

Data Protection Rights

2025-11-20 42:08

In this episode of InfoSec Insider – Talk DP, Rachael Salter and Aimee Brown, both Consultants at URM, explore individuals’ rights under the GDPR beyond the right of access (the most widely discussed of the data subject rights), and the requirements and obligations on organisations handling these. Rachael and Aimee draw upon over 20 years’ combined experience in data protection to discuss:
- The data rights aside from the right of access that tend to unexpectedly consume business resources, and why
- The operational risks posed to small and medium-sized enterprises (SMEs) by rights such as erasure, rectification, restriction, portability, and objection
- How SMEs can recognise success in handling these rights without drowning in process complexity
- The common pitfalls that cause unnecessary challenges or regulatory difficulties when dealing with these rights
- How, in real-world terms, businesses can balance customer empowerment through data rights with maintaining smooth, cost-effective operations.
Ask Rachael and Aimee a question.
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.

In this episode of InfoSec Insider, Martin Brazier, Senior Consultant at URM, shares his top tips on crisis communication, considering the steps organisations can take to prepare before a crisis occurs, while it is happening, and after it has been dealt with, to ensure communication is as effective and seamless as possible. Martin draws upon his extensive experience helping organisations enhance their business continuity to discuss:
- What a ‘crisis’ is
- What crisis communication is and how it fits into business continuity planning
- Why crisis communications matter
- 7 top tips on ensuring your organisation can communicate effectively in a crisis, such as planning ahead of time, setting the right tone, listening to feedback, and more.
Learn more about this topic: https://www.urmconsulting.com/blog/the-eu-artificial-intelligence-act
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Brought to you by URM, the UK’s leading information and cyber security specialists.