Templates, frameworks, and field-tested guides we use on real engagements. No gated content, no sales follow-up — just useful material, because the security community is better when we share. Subscribe to The Notebook (one email a month) at the bottom of this page if you want new pieces in your inbox.
A complete week-by-week breakdown of how a real ISMS gets stood up in a mid-sized regulated firm — from kick-off, through policy ratification, internal audit, and the management review, to Stage 1 and Stage 2 audit attendance. With sample artefact templates, a project plan, and the conversations to expect with the certification body.
Read the guide →

A working risk register with methodology notes, scoring criteria, and treatment plan structure. Used on real engagements with mid-sized regulated firms. Drop your assets in, follow the process, and you will be able to defend the output to your auditor and your audit committee.
Read more →

Article · PCI DSS · March 2026
A plain-English breakdown of the substantive changes from v3.2.1 to v4.0.1, the customised implementation option and when to use it, the deadlines you've already missed, and the requirements that hit hardest in practice for service providers and merchants.
Read more →

Framework · CQUEST · March 2026
Structured workbook for capturing CQUEST evidence, computing baseline scores, and tracking gap-to-target across the assessment cycle. Drops directly into your Bank of England submission and supports the proportionality narrative the supervisor wants to see.
Read more →

Guide · Phishing · February 2026
Why click-rate is the wrong metric, what to measure instead, and how to structure a 12-month phishing maturity programme that survives board scrutiny. With sample campaign designs for the four most common attack types and a recommended quarterly cadence.
Read more →

Template · Policy · February 2026
A starter Information Security Policy mapped to ISO 27001 Annex A, FCA SYSC, and DORA RTS. Plain language, sensibly structured, ready to adapt to your business. Twelve pages instead of the usual sixty, with no loss of audit coverage.
Read more →

Article · DORA · January 2026
Even though DORA is an EU regulation, many UK firms operating in the EU need to comply. We unpack the in-scope criteria, the timeline, and the specific RTS provisions UK groups need to evidence, including how DORA interacts with PRA SS1/21 and the FCA's operational resilience framework.
Read more →

Guide · Cloud · January 2026
Findings synthesised from a cohort of recent Entra ID and Microsoft 365 security reviews across mid-sized regulated firms. The eight controls everyone gets wrong, the misconfigurations everyone shares, and the remediation sequence that maximises impact per hour spent.
Read more →

Article · ISO 27001 · December 2025
Two years after the 2022 revision, certain controls still draw audit findings consistently: 5.7 threat intelligence, 5.23 information security for use of cloud services, 8.16 monitoring activities, and 8.28 secure coding. This article explains what 'good' looks like for each, with sample evidence.
Read more →

Field notes, regulatory updates, and the occasional template, sent to the inbox once a month. Read by CISOs, GRC leads and audit committee members at UK building societies, banks, fintechs and SaaS firms. No spam, ever.