Guides, playbooks and comparison research written by our engagement partners. Preserved from the CHNYD Trace archive and continuously extended.
The five Trust Services Criteria, the CC1–CC9 controls, and why SOC 2 compliance now decides which SaaS vendors close enterprise deals.
Organizational, people, physical and technological controls: how the 93-control 2022 revision reshapes ISMS implementation.
Controller and processor extensions, the GDPR crosswalk, and how PIMS certification changes DPA negotiations.
The §164.308 risk analysis, encryption expectations, and where BAAs quietly break in real audits.
A pragmatic method for mapping every processing activity, lawful basis, retention and international transfer.
Framework coverage, integration depth, evidence quality, and what auditors actually accept from each platform.
The three inflection points where a virtual CISO outperforms a full-time hire, and the deliverables you should demand in month one.
Beyond OWASP Top 10: business-logic testing, authenticated fuzzing, and reporting that survives an enterprise remediation review.
Customised approach, targeted risk analyses, and the March 2025 future-dated requirements that quietly reshape scoping.
The sixth function, organisational profiles, and how CSF 2.0 finally becomes usable outside critical infrastructure.
IG1 as basic cyber hygiene, IG2 for growing enterprises, IG3 for regulated. Where each control belongs in a real programme.
The five pillars, third-party register requirements, and threat-led penetration testing under Article 26.
Essential vs important entities, management-body liability, and the €10M / 2% turnover ceiling.
NIST SP 800-171 alignment, POA&M rules, and the evidence structure C3PAOs actually accept.
IAM, network, data protection, logging, and workload isolation checks against real-world attacker paths.
Conditional access, PIM, Defender for Cloud recommendations, and Azure Landing Zone guardrails.
Admission controllers, workload identity, image supply chain, and runtime detection in production clusters.
Secure Score is a starting point. The controls that actually stop tenant compromise.
NIST SP 800-207 alignment, identity-first sequencing, and how to avoid the 'ZTNA product' trap.
SSO, MFA, PAM, JML automation and identity governance in a single 12-month programme.
Tiering, due diligence depth, continuous monitoring, and the questionnaires that actually reduce risk.
BIA, RTO/RPO calibration, exercise cadence, and the plan format regulators expect.
NIST SP 800-61r3 alignment, ransomware runbooks, and the tabletop cadence that actually improves response.
MSSP vs MDR vs co-managed SOC: coverage models, detection engineering ownership, and the SLAs that matter.
EPSS, KEV, asset criticality, and building an SLA regime that engineering will actually meet.
Authorisation flaws, business-logic abuse, and testing GraphQL and gRPC alongside REST.
Storage, cryptography, authentication, network and platform-interaction testing on iOS and Android.
SAST, SCA, DAST, IaC scanning, secret detection, and where each fits in the pipeline without slowing delivery.
Beyond annual e-learning: role-based training, phishing simulations, and metrics your board will accept.
AI risk registers, model cards, EU AI Act crosswalks, and how AIMS extends 27001 without duplicating it.
Monthly. Regulator updates, framework revisions, and the questionnaires enterprise buyers are asking this quarter.
Existing archive content, blogs and framework guides are being professionally rewritten and republished here. All prior URLs will be redirected to preserve SEO equity.
Request the migration map →