Information

The 27k1 ISMS is a quick and simple way to generate your own data security controls based around the ISO 27001 Data Security Standard. The other supporting services enable a wider coverage of many related concerns.

Designed to address the concerns of data loss, data breach, data theft, data corruption and ransomware, this takes you through a step by step approach to clearly identifying your risks and what you can do to prevent and reduce such events from happening.

The advantages of this approach, as opposed to the traditional 'consultant-led' approach, are that you can go at your pace, developing a totally tailored system, while increasing your knowledge and understanding of the required steps for the system and of data security issues generally - all at less than half of the price of using a consultant.

To find out more, please go to our Contact page.
October 20, 2020
27K1 a finalist in Tech UK 2020 Cyber Innovation Den Competition

27k1 ISMS Programme ranked as finalist in recent Tech UK Cyber Innovation Den competition

October 19, 2020
Why don't organisations go for a Data Security System?

Some organisations decide not to get a data security system - there are 5 possible reasons why this may be so

October 19, 2020
Using additional holidays to enthuse individuals regarding their Data Security role

Some people value time off - the chance to earn some extra hours may be enough to enthuse them about data security to the point of earning those hours.

October 19, 2020
Offering flexibility and scope in choice of equipment to enthuse individuals in their Data Security role

Some people may choose to improve their working environment and this can be a method to enthuse people about data security too.

October 19, 2020
Using tailored additional training to enthuse individuals in their Data Security role

Some people react well to being offered additional or specialised training - possibly with additional side benefits - whatever it may take to enthuse them to absorb data security awareness.

October 19, 2020
Using bonus payments to encourage individuals to refine their Data Security roles

Where money is a key driver, but a change in salary is not possible, maybe a bonus system can be used instead to enthuse people into learning more about data security.

October 19, 2020
Appeal to an individual's Moral Compass to personalise their drive to adopt a data security mindset

Some people are driven more by their moral compass than whether they are paid more money or have time off. These are key people in your organisation as they will help steer the straight and narrow path.

October 19, 2020
Appeal to an individual's desire to reduce the work they have to do by adopting a better data security mindset

Some individuals react to the idea that they will have less work to do if they set things up well in the first place - it certainly is true for data security.

October 19, 2020
Testing Data Security knowledge to trigger salary increases to enthuse individuals in their Data Security role

Some people may be influenced by money and be encouraged to learn more if this is reflected in the reward structure.

October 19, 2020
Getting the best from your People as they are key to your Data Security set up

Introduction to a series of blog posts on how to encourage individuals to take data security seriously and apply it with enthusiasm

October 19, 2020
Catching People Doing Things Right is a vital part of a “No Blame” culture

The best way to make people appreciate being audited is catching them doing something right and commend them for it. So simple!

October 19, 2020
Auditing - a Vital Control for all Systems

The audit process, though much maligned, is a key and crucial part of data security management - find out why many people get this wrong.

October 19, 2020
What are the Business day-to-day benefits of operating a Data Security System?

The Business benefits of getting good data security controls - as a contrast to the benefits accruing to the individuals involved.

October 19, 2020
What are the day-to-day benefits for Staff of operating a Data Security System?

How do you appeal to individuals to encourage them to adopt and develop the data security system requirements with enthusiasm?

October 19, 2020
When do you tell affected people following a data breach?

Do you have to tell your clients if you have a data breach? Legal need and moral obligations may be different.

June 16, 2020
Have you heard of the Dark Web? A Beginner's Guide

You may have seen the term "Dark Web" in a film and wondered if it really does exist - and if it does, why the authorities don't do something about it? You might be interested to hear that not only does it exist, but that the authorities know all about the Dark Web, it […]

June 16, 2020
Have you heard of Ransomware? A Beginner’s Guide

Historically there have been times that hackers have used Malware simply because they can. This is now no longer the usual reason. Malware tools can be used individually or together to break into different parts of an individual’s or organisation’s systems in order to hijack that system and hold it to ransom – hence “Ransomware”. […]

June 16, 2020
Have you heard of Malware? A Beginner’s Guide

Malware comprises a number of nasties: Adware - software displaying adverts and/or banners when the user is online – while sometimes acceptable, the malware version relates to the ones you cannot get to go away. Bots – an autonomous programme on the internet that can get into programmes and does things that might be different to […]

June 2, 2020
Some recent thinking on the Digital Threats Landscape

I recently watched a webinar on the Managed Threat Response proposed by Sophos (a programme for real time protection against malicious malware and other digital threats). The thrust of what they were saying is that the threat landscape in the digital world is ever changing and we all need to ensure our responses to these […]

May 14, 2020
Data Security Presentation to CQI 14th May 2020

I am delighted to have just completed a webinar on Data Security for members of the CQI (Chartered Quality Institute) Birmingham branch. My webinar covered: the GDPR and PECR legislation key points how such data security measures impact on a range of different organisational types: Brokers, Manufacturers, Service Providers etc and finished with a review […]

May 12, 2020
5 Drivers to get a Data Security ISMS

The problem with Data Security is that it is usually not the reason the organisation was set up. Along with other such peripheral requirements, it can end up being left on a “do-as-little-as-possible” basis. This cannot last. 1.Legal Driver This area covers, among others, the GDPR and PECR legislation. With the recent legislation, let alone […]

May 7, 2020
Foreign Secretary confirms Hackers taking advantage of Covid 19

Further to my warning that this was the perfect occasion for Hackers to benefit,  now the Foreign Secretary has confirmed it too: Foreign Secretary's Cyber Criminals statement on coronavirus (COVID-19): 5 May 2020 Foreign Secretary Dominic Raab gave the 5 May 2020 daily press briefing on the government's response to the COVID-19 pandemic. “…., I […]

April 30, 2020
What is an Individual’s right to restrict data processing?

Inasmuch as the data harvested by your organisation relates to individuals, then those individuals have a right to restrict what it is used for – and your organisation needs to have the requisite procedures to deal with this. Your organisation should detail these procedures in its Privacy Policy. A request from an individual to restrict […]

April 30, 2020
What is ‘Data Protection by design’ under GDPR?

The legislation makes it clear that the GDPR is not to just be a paper exercise - the whole methodology of every organisation (effectively) needs to be redesigned to ensure that the technology and organisation itself have the data protection requirements fully integrated so that this becomes the way that all organisations do business going […]

April 30, 2020
What does GDPR mean by Vital Interests?

Where you have concluded that the legal basis for processing the data of an individual is “vital interests” then you need to be very clear why this is so.  To demonstrate this, you will need to have recorded why, in each instance, the “Vital Interest” approach is the appropriate one. In some instances, this can […]

April 30, 2020
What does a Data Processing Impact Assessment (DPIA) involve?

The DPIA must cover the following:
a description of the nature, scope, context and purposes of the processing
as applicable, the legitimate interests pursued by your business
an assessment of the necessity and proportionality of the processing in relation to the purpose
an objective assessment of the risks to individuals, which considers both the likelihood […]

April 30, 2020
When is a Data Protection Impact Assessment (DPIA) necessary?

The Data Protection Impact Assessment (DPIA) is a great tool to assist your management of data security impacts in your organisation. It allows you to identify – and then solve – issues early on, so as to avoid costs and reputation damage that might otherwise occur. The focus is to make your operations as effective […]

April 30, 2020
What Consent is needed to process children’s personal data for online services?

Any organisation wanting to process a child’s personal data will need to ensure that the data will be processed correctly. Remember that “consent” as a lawful basis is only valid where given by the child if they are 13 years old or over. This means that you cannot assume that they are old enough without […]

April 30, 2020
How to use “Reasonable Means” to ensure you are dealing with the right person?

It is vital that no data is released, altered or deleted at the request of the wrong person, and that consent is not sought from anyone other than the correct person. Acting on such a request would be a data breach under the legislation – even if you had thought the request came from the right person. To be clear, only the […]

April 30, 2020
What are the Legal Grounds for processing personal data?

There are 6 legally recognised grounds for processing personal data. Your organisation will need to determine which is appropriate for each data flow. One or more grounds may apply. No one ground is more viable than another in law – it will simply depend on the purpose behind the use of the data. Agreement by […]

April 30, 2020
Uncover what is really going on with an Information Audit

To determine what information your organisation holds, you need to run an audit of the flows of data through your organisation.  The Information Audit will identify: the paths through which data passes: how the data is collected and why where the data is sent within the organisation what is done with it other than storage […]

April 30, 2020
What are the Rights relating to automated decision making?

This relates to the potential for a decision being made as part of the automated structures utilised by your organisation that adversely affects the individual whose data is being used to make that decision. eg Profiling. You will need to have the appropriate procedures to ensure that this does not happen. This will require certain […]

April 30, 2020
Profiling – a typical automated decision-making process

Profiling is a subset of the possible automated decision-making processes – but a sufficiently important one that the GDPR legislation specifically covers this area. The legislation defines Profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or […]

April 30, 2020
How to Manage Information Risks?

You need to ensure you have the requisite procedures set up to manage the information risks in a structured way. To manage the risks involved you have to have a clear understanding of what is involved. This covers you and any data processors you use. You will need to identify a senior person in your […]

April 30, 2020
How to Institute Processor Contracts?

You will already have contracts (verbal or written) with any data processors you use. These need to be enhanced to reflect the responsibilities imposed by the GDPR legislation. To this end a written contract is necessary to make responsibilities and liabilities clear. It is your responsibility to comply with GDPR and to show that you are – […]

April 30, 2020
How much can we charge for a SAR?

The base line here is that there is no standard charge for a bona fide SAR (Subject Access Request) and except for 2 specific circumstances, charging is not permitted. Note that the SAR can be charged for if it is “manifestly unfounded or excessive, particularly if it is repetitive”: The definition of “manifestly unfounded” relates […]

April 30, 2020
How long do we have to respond to a GDPR request?

This applies to:
A Subject Access Request (SAR)
Request for update or correction of data
Request for processing restriction
Request for deletion of data
Request for moving/copying/transferring data
Objections to processing of personal data
The GDPR requires that each of the above scenarios be responded to within a month – and the ICO recommends that […]

April 30, 2020
What is a Legitimate Interests Assessment (LIA)?

There are three distinct sections to assessing Legitimate Interest: Firstly – What is the purpose of processing the data? Why is the data required, what is it for and to do what? Who is it processed for? How? What additional public benefits may arise due to the processing? If there are such benefits, are they […]

April 30, 2020
How does GDPR define Legitimate Interests?

This lawful basis is likely to be very popular with many organisations – it allows data to be collected without consent and used without acknowledgment BUT still requires that the organisation be very clear, in advance, as to why it feels it is entitled to do this.  Furthermore, just because the data has been collected […]

April 30, 2020
Does an individual have the right to require updates or corrections to data?

You want data about individuals for a range of reasons. Whatever those reasons are, it will be no good to your organisation if it is incorrect or out of date.  Since the individual does not want to be treated on the basis of incorrect or out of date information, you and the individual are wanting […]

April 30, 2020
Do we need an Information Security Policy under GDPR?

You need to ensure that your organisation has an Information Security Policy in place together with the appropriate training, systems, controls and procedures to ensure that it is enacted, checked and works. You need to assess all personal data held and determine the risk it poses in the event of a data […]

April 30, 2020
Accountability under GDPR: the Data Protection Policy

To best demonstrate that you and your organisation comply with the principles embodied in the GDPR legislation, an appropriate Data Protection Policy is key. Such a policy ensures that you have a consistent and accountable approach to all data security matters. It can be included as part of existing policies or be an additional separate […]

April 30, 2020
What is the Individual’s Right of Access to data about them (SAR)?

The GDPR legislation requires your organisation to recognise individuals' rights to have a copy of their data (ie data about them). Such a request for information is called a Subject Access Request (SAR) in the GDPR legislation and this term may be one you have seen elsewhere. Specifically, every individual may require you to provide: […]

April 30, 2020
What is the Individual’s Right to be kept informed, including the use of a Privacy Policy?

Wherever your personal data was collected, you would want to know what was being done with it and why. For this reason, among others, your organisation should do the same for all those individuals whose data it has collected.  It should state what has been collected, why and who you may be sharing it with. […]

April 30, 2020
What is the Individual’s right to data portability?

In order that the individual may move, copy or transfer their data (also known as data portability) from your organisation to another (or from another organisation to yours), they have the right to request that this be undertaken by the organisation holding the data. You are required to have procedures to enable this to be […]

April 30, 2020
What is the Individual’s Right to Object to Personal Data Processing?

If an individual feels that their data has been incorrectly or inappropriately (ie illegally) processed, you are required to respond to their request with a course of action and to handle the case on its merits. You must ensure that the individual knows, at the point when they first interact with you, that they are […]

April 30, 2020
How should Consent be asked for under GDPR?

How your organisation asks for, and records, an individual’s consent to acquire, store, handle and use their data is key. The whole point of the GDPR legislation is to ensure that the individual's personal data is protected - but there are allowable ways to use it - so long as this is done correctly. Consent […]

April 30, 2020
What is the Individual’s right to request removal and disposal of data?

There may come a time when your organisation no longer wants an individual’s data at the end of whatever process the data was taken for. But the individual has the right to require that you remove that data at an earlier time. For this to take place the following have to apply: The data is […]

April 30, 2020
How do you process Children’s personal data?

It is vital that those people about whom you collect data, should be able to understand that you are doing so and what you are doing with it.  The way you collect, process and share such information should be described in a way that the individuals affected can understand – especially the case with children […]

April 30, 2020
What do we do for Breach Notification?

You need to be able to show how you will spot, cope with and solve any problems caused by data breaches from your organisation or of your data. In some instances, you will need to report when you have a data breach to the ICO and this will sometimes include information as to who has […]

April 30, 2020
What do we do for International Transfers under GDPR?

If data is transferred across international boundaries, you have to ensure that it is correctly and appropriately protected – from damage, hacking, loss or misdirection and more. The GDPR being an EU Regulation, this was designed to apply outside the European Economic Area – but it is good practice to consider this issue as soon […]

April 30, 2020
What is Management’s Responsibility under GDPR?

As with all projects undertaken by any organisation, the key personnel and decision makers must “walk the walk” to demonstrate support for the beneficial culture of data protection compliance. Thus these are the prime focus of awareness raising and briefing when installing the changes due to GDPR. Within the organisation, to encourage the absorption and […]

April 30, 2020
What is Special Category Data?

When handling data flows, not all data types are equal. Special Category Data is the term used to cover those types of data which are more sensitive to the specific individual to whom they refer. It covers:
Racial/ethnic origin
Political opinion
Religious or Philosophical beliefs
Trade Union Membership
Genetic data
Biometric data used for identification […]

April 30, 2020
What is the Requirement for Data Protection Officers (DPO)?

The DPO will be someone in your organisation, or a 3rd party specialist contracted to your organisation who will take the responsibility for your data protection compliance.  (This does not pass this responsibility out of your care so much as ensure that there is an expert on the field able to handle the data security […]

April 30, 2020
GDPR Coverage Costs

“Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.”
Data Protection Fee:
Micro – turnover band up to £632,000; employees band up to 10; fee cost £40
SME – turnover band up to £36m; employees band up to 250; fee cost £60
Enterprise – turnover band over £36m; employees band over 250; fee cost £2,900
Data […]

April 16, 2020
Do you know your riskiest data asset?

“My what?” Your riskiest data asset. The asset in your organisation that has the most risk from a data security point of view. “Oh! Er… well my computers I suppose…” Probably not. Try again! “Um. Well.. my servers and laptops…” Still probably not. Let me help. What about data sticks? Do you think they are […]

April 16, 2020
How does 27k1 ISMS work?

The user of the 27k1 ISMS starts by entering details specific to the organisation: Name and address and details of organisation Breakdown of zones/areas of activity within the organisation Breakdown of employees within the organisation Data assets held by the organisation: People, Hardware, Software, Communications, Storage, etc The next step is to run through the […]

April 16, 2020
What would you do if a client asked how good your data security was?

Imagine the occasion – you are about to sign a contract that will leapfrog your organisation forward well past your targets for the year and you are sitting there with self-congratulations buzzing through your head when suddenly your soon-(hopefully)-to-be-client asks: “for goodness’ sake don’t let this IP get out – it has taken us years […]

April 16, 2020
How will Brexit affect data security requirements?

The GDPR[1] and PECR[2] are the controlling legislation for data security.  They are both pieces of EU Legislation. So, they do not require any further member state legislation to be introduced before becoming law throughout the EU and UK. The key UK data security legislation is the Data Protection Act 2018 (DPA 18). When the […]

April 16, 2020
Step by Step Process following ISO 27001 Data Security Standard

This can be described verbally as follows: Determine the Data Assets (computers, mobiles, filing cabinets, whiteboards, servers, people etc – ie everywhere that data is held – hard or virtual copy or in someone’s head) Run through each Data Asset (or group of them) against the Controls and Procedures set by the standard to determine […]

April 16, 2020
The mobile phone: a lifeline or a liability?

Most people forget that their personal mobile phone is a huge data security liability. Data on emails, apps and connections needs as much security on your mobile as for the rest of the organisation. Every app on your phone – from the official to the casual – provides an access point for hackers, the potential […]

April 16, 2020
This is the best time for Hackers!

Imagine you were a hacker. Hackers are very happy right now. They know: That everyone is now using home equipment, and systems potentially disconnected from secure communications. That IT staff will be overrun with other problems rather than checking whether hacks are being performed. That they can probably get a hack to slip between the defences […]

April 16, 2020
What are your legal obligations on data security?

Your legal obligations in the data security field are potentially vast – wide ranging and powerful – yet it seems that many are barely aware that there is law in the first place! Thou shalt not….(insert almost anything) is the result – and is consequently confusing. The resultant potential fines, prison sentences, prohibitions (and consequent loss […]

April 16, 2020
What is the 27k1 ISMS anyway?

ISMS stands for Information Security Management System. That means it is a structured approach for controlling your organisation’s data security to ensure: It does not get into the wrong people’s hands. It is not corrupted. It is used by the people that should have access and not by those that don’t. Rules are set as […]

April 16, 2020
What is the 27001 Data Security standard?

This is a series of recommendations as to how to address concerns about data security – what to do to control the related risks and how to determine improvements while providing appropriate flexible criteria checklists against which to assess the right actions. The processes are carried out within an Information Security Management System (ISMS) which […]

April 16, 2020
What is the cost of being covered by GDPR rules?

“Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.”
Data Protection Fee:
Micro – turnover band up to £632,000; employees band up to 10; fee cost £40
SME – turnover band up to £36m; employees band up to 250; fee cost £60
Enterprise – turnover band over £36m; employees band over 250; fee cost £2,900
from […]

April 16, 2020
What’s the worst that can happen following a data breach?

Reputation Loss is the worst result from a data breach. Reputation Loss will:
Bankrupt your business faster than any fine.
Lose your customers faster than you are able to react.
Drag your business down faster than any criminal sentences.
Act faster than any slap on the wrist from the Information Commissioner’s Office.
Be slow to […]

April 15, 2020
Did you know that data protection covers your filing cabinets?

A paper book, and a computer disk, had equivalent data. They were laid to rest one night when, later, A thief decided to take a look At the computer and, at the book. He found it harder the book to see, So, when he found the computer, he said with glee, “At last, success, I […]

April 9, 2020
What’s the difference between data security and GDPR?

Data Security is a heading for ensuring your data fulfils the following criteria:
Availability - Accessible by those authorised to use it
Usability - Format pertinent to necessary usage
Currency - Sufficient date clarity for optimising usage
Complete - All relevant data available in both time frame and scope
Confidentiality - Secure, controlled and safe […]


Secure Business Data

We are here to help you secure your business data using cutting edge technology.