A supplier’s certificate doesn’t protect you
Your supplier sends their ISO 27001 certificate. Professionally formatted, issued by an accredited body, clearly showing they’ve been assessed against […]
Supplier questionnaires start with good intentions. Someone realises you should probably check the security of platforms handling your customer data.
The most persistent myth about audit evidence is that you create it when you need it. That audit preparation is
Having a policy proves intent. It doesn’t prove behaviour. This distinction matters more than almost anything else in compliance, because
The first question in an audit is usually easy to answer. It’s the second or third question that causes problems.
Three people sit down to assess risk. They agree to focus on “data security risks.” One person is thinking about
You inherited a risk register when you joined. Or maybe you built one because someone said you should. Either way,
Your risk register shows twelve high risks, seven medium risks, and three low risks. The board meeting is in an