Expert guidance from our CREST-accredited, CISSP and OSCP-certified team. Practical insights on compliance frameworks, threat landscape trends, and security best practices for UK organisations.
A practitioner's guide to ISO 27001 certification, covering the latest 2022 revision, common pitfalls, typical timelines, and how to build an ISMS that survives its first surveillance audit.
A practical checklist for SMEs navigating UK GDPR requirements, from appointing a DPO to conducting DPIAs and managing subject access requests — without the legal jargon.
Understanding the differences between Cyber Essentials and Cyber Essentials Plus, who needs which certification, and how to prepare for the technical assessment.
An analysis of current ransomware trends affecting UK businesses, including the rise of double-extortion tactics, supply chain attacks, and practical mitigation strategies.
How threat actors are leveraging AI to craft more convincing phishing campaigns, and the technical and human controls organisations should deploy to defend against them.
ISO 27001 is the international standard for information security management systems (ISMS). For UK organisations handling sensitive data, holding ISO 27001 certification demonstrates to clients, partners, and regulators that you take information security seriously — and that your controls have been independently audited.
ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. It is a risk-based framework: rather than prescribing specific technical controls, it requires organisations to identify their information security risks and select appropriate controls to mitigate them.
The current version is ISO/IEC 27001:2022, which restructured Annex A controls from 14 categories down to 4 themes: Organisational, People, Physical, and Technological. Organisations certified to the 2013 version had until 31 October 2025 to transition.
Before building your ISMS, conduct a gap analysis comparing your current security posture against ISO 27001 requirements. This identifies what you already have in place and what needs to be developed. At Primelo Cyber, we use a structured methodology that maps your existing controls to Annex A, giving you a clear picture of the work ahead.
This phase involves defining your ISMS scope, conducting a formal risk assessment, developing policies and procedures, and implementing the controls identified in your Statement of Applicability (SoA). Key documents include your Information Security Policy, Risk Assessment Methodology, Risk Treatment Plan, and internal audit programme.
Before your certification audit, you must conduct at least one internal audit cycle and a management review. These demonstrate that your ISMS is operating as intended and that senior management is actively engaged in its governance.
The certification audit is conducted in two stages by an accredited certification body. Stage 1 is a documentation review to confirm readiness. Stage 2 is an on-site (or remote) audit that assesses whether your ISMS is effectively implemented and operating as described.
Typical timeline: From kickoff to certification, most organisations achieve ISO 27001 in 4-8 months depending on size, complexity, and existing security maturity. Organisations with little existing documentation may need 9-12 months.
Our ISO 27001 Lead Auditor certified consultants have guided over 50 organisations through certification. We provide end-to-end support from initial gap analysis through to certification readiness, including risk assessment facilitation, policy development, control implementation, and internal audit delivery. Contact us for a no-obligation discussion about your certification goals.
The UK General Data Protection Regulation (UK GDPR) applies to all organisations that process personal data of individuals in the United Kingdom, regardless of company size. For SMEs, achieving and maintaining compliance can feel overwhelming — but it does not require an army of lawyers. This guide breaks down the essential steps.
Under UK GDPR, personal data means any information that can identify a living individual — names, email addresses, IP addresses, employee records, customer databases, and more. If your organisation collects, stores, processes, or shares any such data, UK GDPR applies to you.
Document what personal data you hold, where it came from, who it is shared with, and how long you retain it. Article 30 requires organisations with 250+ employees to maintain formal records, but the ICO recommends all organisations do this regardless of size. A data mapping exercise is the foundation of GDPR compliance.
Identify your lawful basis for each processing activity. The six lawful bases under UK GDPR are: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Relying on the wrong basis is one of the most common compliance failures.
Provide clear, transparent privacy notices that explain what data you collect, why, how long you keep it, and what rights individuals have. Your privacy notice must be easily accessible — not buried in terms and conditions.
Establish a process for handling subject access requests (SARs) within the statutory one-month timeframe. Train staff to recognise SARs (individuals do not need to use specific wording) and have a documented workflow for locating, reviewing, and disclosing personal data.
Conduct data protection impact assessments (DPIAs) for any processing that is likely to result in high risk to individuals. This includes large-scale processing of sensitive data, systematic monitoring of public areas, and automated decision-making with legal effects.
Implement a data breach response procedure that can detect and investigate breaches, and report them to the ICO within 72 hours where required. Not all breaches need reporting, but you must document all incidents and your decision-making process.
Key point: GDPR compliance is not a one-time exercise. Schedule regular reviews of your processing activities, update privacy notices when practices change, and conduct annual training for all staff who handle personal data.
Ensure you have compliant data processing agreements (DPAs) with all third parties who process personal data on your behalf — including cloud providers, payroll processors, email marketing platforms, and IT support companies.
If you transfer personal data outside the UK, ensure appropriate safeguards are in place. This typically means relying on UK adequacy decisions, standard contractual clauses, or binding corporate rules.
For expert guidance on UK GDPR compliance tailored to your organisation, including DPO-as-a-service and DPIA support, get in touch with our data protection team.
Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against common cyber threats. Developed by the National Cyber Security Centre (NCSC), it covers five technical controls that, when properly implemented, can prevent the majority of commodity cyber attacks.
The standard Cyber Essentials certification involves completing a self-assessment questionnaire (SAQ) that is reviewed by an accredited assessor. The organisation answers questions about how it implements each of the five controls, and the assessor verifies that the responses meet the required standard.
Cyber Essentials Plus includes everything in the standard certification, plus an independent technical audit. An accredited assessor performs hands-on testing of your systems to verify that the controls are effectively implemented — not just documented.
Important: From April 2023, Cyber Essentials certification must be renewed annually. The NCSC updates the requirements periodically, so organisations should review the latest specification before each renewal.
If you are primarily looking to demonstrate basic security hygiene and your clients or contracts do not specifically require Plus, start with standard Cyber Essentials. If you handle sensitive data, work with government contracts, or want the assurance that comes from independent testing, Cyber Essentials Plus is the stronger choice.
Many organisations start with standard Cyber Essentials and progress to Plus once their security posture matures. Our team can guide you through either path — contact us for a free scoping conversation.
Ransomware continues to be one of the most disruptive threats facing UK organisations. Our SOC team has observed several significant shifts in attacker behaviour over the past 12 months that all organisations should be aware of.
The majority of ransomware attacks in 2025-2026 involve not just encrypting data, but also exfiltrating it before encryption. Attackers threaten to publish stolen data on leak sites if the ransom is not paid, adding reputational damage to the operational impact. Some groups have added a third layer: contacting victims' clients or regulators directly to increase pressure.
Attackers increasingly target managed service providers (MSPs) and software supply chains to reach multiple victims through a single compromise. The focus has shifted from brute-force attacks to exploiting trusted relationships — compromising one supplier can provide access to hundreds of downstream organisations.
The time between initial compromise and ransomware deployment has decreased significantly. Where attackers previously spent weeks or months inside a network before deploying ransomware, current campaigns often move from initial access to encryption within 24-48 hours, leaving less time for detection and response.
We help organisations assess their threat landscape and strengthen their response readiness. Contact us to discuss how we can help protect your business.
Social engineering remains the most common initial attack vector for data breaches, and the sophistication of phishing campaigns has increased markedly with the availability of large language models and AI tools. Organisations need to understand how the threat is evolving and adapt their defences accordingly.
Traditional phishing emails were often identifiable by grammatical errors, generic greetings, and implausible scenarios. AI-generated phishing content eliminates many of these red flags. Current-generation attacks feature:
No single control will stop all phishing attacks. Effective defence requires layered technical and human controls:
Our approach: Primelo Cyber delivers bespoke phishing simulation campaigns and security awareness programmes that measure your organisation's susceptibility and track improvement over time. Our simulations use realistic, industry-relevant scenarios — not generic templates.
To assess your organisation's resilience to social engineering, contact our team about our phishing simulation and awareness training services.