WADIFF Consulting help Clear Review get ISO27001 certification

Clear Review provides a platform to help companies drive employee performance improvement and provide measurements that companies require to make business decisions. Clear Review already had Cyber Essential plus, getting ISO27001 certification was the next step to ensure there is a robust security framework covering all areas of the company; from onboarding clients and their… Read More

WADIFF Consulting help any-3 get ISO27001 certification

any-3 provides bespoke surveys around engagement, diversity and self-assessments to high profile corporates and public sector organisations. Clients expect data to be kept secure and may undertake audits or run tests with any-3 to confirm everything is in place to protect the confidentiality, integrity and availability of data. Getting ISO27001 certification was the next step… Read More

Let’s talk about Information transfer policies and procedures (ISO27001 Annex A Control 13.2.1)

Questions about how to address this control are usually raised by clients early on in discussions on how to implement ISO27001 requirements. “What is meant by transfer?” and “Do we really need complex procedures as that isn’t going to work with our culture” are typical. The ISO27001 document gives the outline “Formal transfer policies, procedures…..protect… Read More

Policy pile up creates user uncertainty

This blog was written after recently working with different companies on their Information Security Management Systems (ISMSs).  The ISO27000 standard – the Overview and vocabulary part of the ISO27nnn series – defines an ISMS as consisting of “policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its… Read More

Are you meeting the GDPR Accountability principle?

Meeting the General Data Protection Regulation (GDPR) requirements isn’t a one-off ‘set and forget’ activity. Ongoing work is needed to ensure the requirements continue to met, this is covered by the Accountability principle in Article 5. It states that the controller “shall be responsible for, and be able to demonstrate compliance with, paragraph 1”; and… Read More

CNIL – causes of reported data breaches (May – October 2018)

The CNIL (the French Data Protection Authority) received 742 notifications of personal data breaches (and see the original report in French) that affected over 33 million individuals located in France or elsewhere. 695 related to confidentiality breaches. The accommodation and food services sector had the highest number of breaches – 185. This is due to a specific case… Read More

Legitimate Interests – 3 part test

Legitimate interests (LI) is one of the lawful basis for processing personal data. The ICO say it is appropriate “where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”. The three parts to the test to identify a LI have been… Read More

Anyone talking about GDPR should include this slide! #ourGDPRstatus

It isn’t hard to find an event at the moment that is specifically about GDPR or includes sessions to cover different aspects of it. With so many companies talking about it and promoting products and services to help prepare for May 2018, you would think/hope they would be the ones that are well on their way… Read More

Will marketing make companies miss the May 2018 GDPR deadline?

We all do marketing to make us stand out from the competition and show the compelling reasons to have the product or service we provide. But sometimes a marketing message doesn’t give the complete picture. For the General Data Protection Regulation (GDPR), this could lead companies to believe they comply but actually have several outstanding issues to address.… Read More

Why keeping information secure is much more than an IT issue

When I ask business owners what they are doing to keep their business information secure, the vast majority say it is an IT issue and I should talk to their IT team or the company used to maintain their IT systems. But what about dealing with risks from your staff, lack of adequate physical security or keeping… Read More