Insights
Practical guidance on compliance, information security, and risk management.
Thoughts on compliance, security, and the practicalities of building robust management systems. All written in plain English, focused on what actually matters.
ISO 42001 Stage 1: what happens on the day, and what to have ready
The first ISO 42001 audits are landing in Europe. Where certification bodies have accredited schemes, and where organisations have been working …
Do you need a Virtual Chief AI Officer? When the role earns its keep and when it does not
The Virtual Chief AI Officer role has emerged fast. In the last twelve months it has moved from a novelty offered by a handful of AI-focused firms to …
Law firms under three-front attack: what the Silent Ransom Group, the Pillsbury class action, and the FBI's May advisory tell us
Someone walks into a US law firm’s reception in April 2025. They tell the receptionist they are from the firm’s IT service provider, …
Think before you paste: the ClickFix scam explained
You visit a website, or open an email link that looks legitimate. A window appears asking you to prove you are human. It looks like the …
ISO 22301 Stage 1: what happens on the day, and what to have ready
Stage 1 of an ISO 22301 audit tests whether the Business Continuity Management System (BCMS) is ready to be evaluated in Stage 2. The event is …
Mandatory AI literacy under the EU AI Act: what Article 4 requires
Article 4 of the EU AI Act has been in force since 2 February 2025. It requires every organisation that uses AI systems, not just those that build …
Internal audit across management system standards: clause 9.2 in practice
Every ISO management system standard requires an internal audit programme. Clause 9.2 is effectively identical across ISO 27001, ISO 22301, ISO 27701, …
IEEE 802.11bf: Wi-Fi sensing as opportunity and threat
IEEE 802.11bf, published on 26 September 2025, is an amendment to the 802.11 family that turns Wi-Fi into a sensing platform. By analysing how radio …
Five recurring themes in ISO 27001 audit findings
An OFI, Opportunity for Improvement, is an audit observation that does not constitute a nonconformity but signals room for the ISMS to mature. They …
Preparing for ISO 42001 certification: a practical roadmap
ISO 42001 has gone from a curiosity to a real certification programme remarkably quickly. Published in December 2023, it is the first international …
$25 million and a video call: what the Arup deepfake scam changed
In January 2024, a finance worker at the Hong Kong office of Arup, the British multinational engineering consultancy responsible for the Sydney Opera …
Past the vanity metrics: measuring security that actually matters
A security leader recently shared a thought on LinkedIn that has stayed with us. “Most security dashboards look impressive. Green metrics. Clean …
Lessons from recent cyberattacks: what they tell us about resilience
When ticketing systems went down at one of Europe’s largest rail operators earlier this year, millions of passengers found themselves staring at …
ISO 27001 Stage 2: what happens on the day, and what to have ready
Stage 1 tested whether the ISMS was designed. Stage 2 tests whether it works. The gap in effort between the two is larger than most organisations …
ISO 27701 Stage 1: what happens on the day, and what to have ready
ISO 27701 is an extension of ISO 27001, not a standalone privacy standard. That single fact shapes the entire Stage 1 audit. The auditor is not …
ISO 27001 Stage 1: what happens on the day, and what to have ready
Stage 1 is the audit event that reveals whether the ISMS is real or theoretical. Stage 2 will test whether the controls actually work. Stage 1 tests …
Integrated management systems: what genuinely integrates, what doesn't, and how to tell what you actually have
Ask three consultants to define an integrated management system and you will get three answers. The most common one is documentation-based: a shared …
Axlio ISO implementation roadmap
Implementing an ISO standard can feel complex at first, particularly if it is your organisation’s first certification. In practice the journey …
What ISO 27001 certification really involves
If you are considering ISO 27001 certification, you have probably encountered plenty of marketing material promising quick and easy implementation. …
ISO 27001 vs ISO 22301: what is the difference?
Two ISO standards come up regularly in conversations with Irish organisations: ISO 27001 (information security) and ISO 22301 (business continuity). …
Common ISO 27001 audit findings, and how to avoid them
After supporting numerous ISO 27001 implementations and audits, we have noticed patterns in what auditors find. Here are the most common issues, and …
AI and the collapsed barrier to entry for cybercrime
A decade ago, building a credible phishing email aimed at an Irish business meant either fluent English with familiarity with local business culture, …
Preparing for an ISO 22301 audit: the questions auditors actually ask
An ISO 22301 certification audit is structurally similar to an ISO 27001 audit: a stage 1 documentation review, a stage 2 evidence walk-through, and …
ISO 9001 Stage 1: what happens on the day, and what to have ready
ISO 9001 is the oldest ISO management-system standard still in wide use. First published in 1987, updated most recently in 2015, it is the standard …
The RoPA gap: what the DPC actually wants under Article 30, and where most organisations fall short
The Data Protection Commission has known for years that most organisations do not have a defensible Record of Processing Activities. In early 2022 the …
Ready to discuss your requirements?
Let's have a conversation about how we can help your organisation.
Let's talk