STAIRs Webinar: Are you Ready?
Many PRPs remain uncertain of what STAIRs will mean in practice when this new statutory framework comes into effect. The impact is expected to be highly significant. This session will set out the practical steps PRPs can take now to get ready for these new Requirements.
Cyber Essentials 2026: Lessons Learned From Real Assessments
This session will show you exactly what assessors look for, where organisations commonly fall short, and how to position your submission for a smooth, successful outcome.

How Organisations Fall Into PCI DSS Scope Without Realising It
URM’s blog explains how organisations can unintentionally fall into scope of the PCI DSS, despite not directly handling card data.
URM’s blog explains how to meet ISO 27001 Clause 10.2, including finding nonconformities, performing root cause analysis, implementing corrective actions and more.
URM’s blog breaks down the foundational ‘must-dos’ that underpin effective business continuity, highlighting key success criteria and common pitfalls for each.
URM’s blog breaks down how to effectively implement ISO 42001, where it differs from other ISO standards, and the common certification pitfalls to avoid.
PCI DSS and Service Providers
In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) with URM, explore some of the most misunderstood areas of PCI DSS scoping, focusing on service providers, merchants, and complex modern payment architectures. Alastair and Tibor leverage nearly 30 years’ combined experience with the PCI DSS to discuss:
- When an organisation stops being “just a merchant” and becomes a PCI DSS service provider, and what really drives that distinction
- How an organisation can be both a merchant and a service provider at the same time, and how this should be handled during a PCI DSS assessment
- The most common mistakes organisations make when deciding how they should be classified for PCI DSS purposes
- Whether companies providing payment-enabled platforms, but not directly handling PAN, can still fall under the definition of a service provider
- The responsibilities that remain when a third-party platform hosts the payment page but payment fields are served directly by a provider
- And more.

Cyber Essentials Changes in 2026 – Adjusting CE VSA Responses
We explain IASME’s clarification on adjusting CE VSA responses once CE+ testing has started.
Business Continuity Awareness Quiz
By completing the quiz, you will gain a clearer understanding of how organisations prepare for, respond to, and recover from disruption, and why business continuity is a shared responsibility rather than a purely technical or specialist function.

ISO 27001 FAQs
How long does it take to implement ISO 27001?
There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available. However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001.
With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.
Apart from the existing maturity of operational practices and controls and the availability of in-house resources, another key determinant of how long an ISO 27001 implementation will take is the support and involvement of senior management. URM has seen organisations achieve very aggressive timescales in implementing ISO 27001 and achieving certification where senior management has prioritised the project, often because certification was tied to being awarded a significant client contract.
Is there a legal requirement to comply with or be certified to ISO 27001?
There is, generally, no direct legal requirement for compliance as such, which is why many people choose to use the word conformance rather than compliance. Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so. However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.
There is an increasing trend for customers to require third-party suppliers to implement or certify to ISO 27001, thus making it a legal requirement by virtue of a contract.
What does ISO 27001 require you to do?
A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS. You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement.
These requirements are broken down into 7 major clauses, which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. These clauses are consistent with other ISO management system standards such as ISO 9001 and ISO 22301; this common layout is known as the harmonised structure.
When was ISO 27001 last updated?
The current version of the Standard, ISO/IEC 27001:2022, replaced the 2013 version of the Standard on 25 October 2022. As of 1 May 2024, all initial and recertification assessments must be conducted against ISO 27001:2022 and, on 31 October 2025, all ISO 27001:2013 certificates will be withdrawn. Whilst the management system clauses received a relatively minor makeover in order to harmonise ISO 27001 with other standards, the information security controls contained within Annex A were completely restructured, with some controls being merged with others and 11 new ones being introduced.
ISO 27001, ISO 22301, ISO 20000 and PCI DSS consultancy and product-related case studies

Cyber Essentials and Cyber Essentials Plus Changes 2026 Summary
In this document, we outline the key changes to the Cyber Essentials and Cyber Essentials Plus schemes and what they mean for you as applicants.
As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
Contact our experts and find out what you will need to carry out in order to have an effective ISO 27001 auditing function and programme.
You do not need a fully defined project to speak with us. We offer a free, no-commitment call to help you explore your ISO 27001 approach and identify potential gaps or risks.
