// Cyber Horizon Blog
GRC insights & guides
Practical compliance guides, security frameworks explained, and risk management insights — written by practitioners, for practitioners.
SoA vs Risk Treatment Plan: Two Documents Teams Always Confuse
The Statement of Applicability and the Risk Treatment Plan are both required by ISO 27001 and constantly muddled. What each is for, how they connect, and how to keep them in sync.
Audit Evidence: What Auditors Actually Accept (and Reject)
Most audit pain is evidence pain. Point-in-time vs operating effectiveness, what makes a screenshot admissible, how sampling works, and how to collect evidence continuously.
User Access Reviews That Actually Pass Audits
The most-sampled control in SOC 2 and ISO 27001 audits — and the most rubber-stamped. Cadence, scope, reviewers, evidence, and how auditors catch box-ticking.
ISO 27001 Internal Audits: How to Run One That Actually Helps
Clause 9.2 requires internal ISMS audits — done well, they’re your best pre-certification dress rehearsal. The programme, auditor independence, and turning findings into improvement.
The Statement of Applicability: ISO 27001’s Most Important Document
The SoA links your risk assessment to the 93 Annex A controls — and it’s the first document your auditor opens. What it must contain and the mistakes that cause findings.
The UK Cyber Assessment Framework (CAF): A Practical Guide
The NCSC’s CAF is how UK critical infrastructure, NIS-regulated operators and government departments are assessed. The four objectives, 14 principles, and outcome-based scoring.
PIPEDA: Canada’s Federal Privacy Law Explained
Canada’s private-sector privacy law: the ten fair information principles, breach reporting with real teeth, how it compares to GDPR, and where Quebec’s Law 25 goes further.
ISO 27017 & ISO 27018: Cloud Security and Privacy Explained
ISO 27017 adds cloud-specific security controls to your ISMS; ISO 27018 protects PII in public clouds. What each adds, how certification really works, and who needs them.
APRA CPS 234: Information Security for Australian Financial Services
CPS 234 makes boards of APRA-regulated entities accountable for information security. The core requirements, the 72-hour incident notification, and a pragmatic compliance sequence.
Want GRC insights in your inbox?
We publish practical guides regularly. No fluff, no sales pitches.