Cyber Horizon

// Cyber Horizon Blog

GRC insights & guides

Practical compliance guides, security frameworks explained, and risk management insights — written by practitioners, for practitioners.

ISO 27001Risk ManagementAudit

SoA vs Risk Treatment Plan: Two Documents Teams Always Confuse

The Statement of Applicability and the Risk Treatment Plan are both required by ISO 27001 and constantly muddled. What each is for, how they connect, and how to keep them in sync.

17 July 2026·6 min readRead more
AuditEvidenceCompliance

Audit Evidence: What Auditors Actually Accept (and Reject)

Most audit pain is evidence pain. Point-in-time vs operating effectiveness, what makes a screenshot admissible, how sampling works, and how to collect evidence continuously.

12 July 2026·8 min readRead more
Access ControlSOC 2ISO 27001

User Access Reviews That Actually Pass Audits

The most-sampled control in SOC 2 and ISO 27001 audits — and the most rubber-stamped. Cadence, scope, reviewers, evidence, and how auditors catch box-ticking.

8 July 2026·7 min readRead more
ISO 27001Internal AuditAudit

ISO 27001 Internal Audits: How to Run One That Actually Helps

Clause 9.2 requires internal ISMS audits — done well, they’re your best pre-certification dress rehearsal. The programme, auditor independence, and turning findings into improvement.

4 July 2026·8 min readRead more
ISO 27001SoAAudit

The Statement of Applicability: ISO 27001’s Most Important Document

The SoA links your risk assessment to the 93 Annex A controls — and it’s the first document your auditor opens. What it must contain and the mistakes that cause findings.

1 July 2026·7 min readRead more
UK CAFCritical InfrastructureUK

The UK Cyber Assessment Framework (CAF): A Practical Guide

The NCSC’s CAF is how UK critical infrastructure, NIS-regulated operators and government departments are assessed. The four objectives, 14 principles, and outcome-based scoring.

28 June 2026·8 min readRead more
PIPEDAPrivacyCanada

PIPEDA: Canada’s Federal Privacy Law Explained

Canada’s private-sector privacy law: the ten fair information principles, breach reporting with real teeth, how it compares to GDPR, and where Quebec’s Law 25 goes further.

26 June 2026·8 min readRead more
ISO 27017ISO 27018Cloud

ISO 27017 & ISO 27018: Cloud Security and Privacy Explained

ISO 27017 adds cloud-specific security controls to your ISMS; ISO 27018 protects PII in public clouds. What each adds, how certification really works, and who needs them.

24 June 2026·7 min readRead more
APRA CPS 234Financial ServicesAPAC

APRA CPS 234: Information Security for Australian Financial Services

CPS 234 makes boards of APRA-regulated entities accountable for information security. The core requirements, the 72-hour incident notification, and a pragmatic compliance sequence.

22 June 2026·8 min readRead more

Want GRC insights in your inbox?

We publish practical guides regularly. No fluff, no sales pitches.

We’ll only use your email for these updates. See our Privacy Policy.