Cyber Horizon Blog
GRC insights & guides
Practical compliance guides, security frameworks explained, and risk management insights — written by practitioners, for practitioners.
HIPAA Compliance for Health-Tech Companies: A Practical Guide
There is no “HIPAA certification” — but your healthcare customers will require a compliant programme. Covered entities vs business associates, the three rules, BAAs, and the required risk analysis.
PCI DSS 4.0: What Changed and How to Prepare
PCI DSS 4.0 is now fully in force. The customised approach, stronger MFA, client-side script protection, targeted risk analyses — what changed from 3.2.1 and how to prepare.
How to Build a Cyber Incident Response Plan
The six phases, named roles, severity classification, scenario runbooks, and a communications plan — how to write an IR plan that works under pressure, not just on the audit shelf.
Cyber Essentials & Cyber Essentials Plus: A UK Guide for 2026
The UK NCSC-backed scheme explained — the five technical controls, the difference between Cyber Essentials and Plus, why it matters for public-sector contracts, and how to certify.
GDPR for SaaS in 2026: A Practical Compliance Guide
Controller vs processor, lawful basis, DPAs and sub-processors, data subject rights, international transfers, and breach notification — what a SaaS team actually needs in place.
Building Your First Risk Register: A Step-by-Step Guide
What to capture, how to score inherent vs residual risk, the four treatment options, and how to keep a register alive instead of letting it rot in a spreadsheet.
Penetration Testing vs Vulnerability Scanning: What’s the Difference?
Often confused, frequently conflated in contracts. What each does, why you need both, how often to run them, and what the frameworks actually expect.
SOC 2 Type I vs Type II: Which Do You Need?
Type I tests control design at a point in time; Type II tests how controls operate over months. The real difference, which to get first, and how to plan the observation window.
Security Questionnaires: How to Answer Them 10× Faster
SIG, CAIQ and bespoke questionnaires drain your team and stall deals. Build an answer library, map it to your controls, and respond in hours instead of weeks.
A CISO's Guide to Board Reporting on Cyber Risk
What boards actually want, the metrics that land, what to leave out, and a reusable board-pack structure that earns budget instead of blank stares.
MITRE ATT&CK for Defenders: A Practical Primer
How tactics and techniques fit together, and how defenders use ATT&CK to map detection coverage, prioritise gaps, and run threat-informed defence.
Continuous Compliance: Moving Beyond Point-in-Time Audits
Annual audits prove you were compliant on one day. Continuous compliance proves you stay compliant every day — here is what it means and how to get there.
ISO 27001 vs SOC 2: Which Certification Should You Pursue First?
Both prove you take security seriously — but they serve different buyers and are audited differently. Here is how to choose the right one first, and how to run them together without doubling the work.
How to Run a Cyber Tabletop Exercise: A Step-by-Step Guide
Tabletop exercises are the cheapest way to find gaps in your incident response before an attacker does. Here is how to plan, facilitate, and learn from one — with three ready-to-use scenarios.
Cyber Risk Quantification: Turning Your Risk Register into Financial Impact
Heat maps do not survive a board meeting. Learn how to express cyber risk in pounds and probabilities using FAIR — so you can prioritise spend and justify the budget.
DORA Compliance Guide 2026: What Financial Firms Must Do Now
The Digital Operational Resilience Act is now in force. Exactly what EU financial institutions need — ICT risk management, incident reporting, TLPT, and third-party oversight.
NIS2 Directive: A Complete Compliance Guide for 2026
NIS2 expands cybersecurity obligations to thousands more EU organisations. Understand scope, requirements, penalties, and how to build a compliant security programme.
SOC 2 Compliance for Startups: A Complete Guide for 2026
Everything you need to know about getting SOC 2 Type II certified — from scoping your first audit to choosing the right tools, without the six-figure consultant bill.
ISO 27001:2022 Implementation Guide: From Zero to Certified
A practical step-by-step guide to implementing ISO 27001:2022 — the updated Annex A controls, the Statement of Applicability, and how to prepare for certification audit.
AI in GRC: How Artificial Intelligence is Transforming Risk and Compliance
From automated evidence collection to AI-powered risk scoring, explore how leading security teams are using AI to do more with less — and where the limits still are.
NIST CSF 2.0: A Practical Guide for Small and Medium Businesses
The updated NIST Cybersecurity Framework is more accessible than ever for SMBs. Here is how to implement it without a dedicated security team.
Third-Party Vendor Risk Management: A Practical Guide for 2026
Supply chain attacks are the fastest-growing threat vector. Here is how to build a vendor risk programme that actually identifies and reduces third-party risk.
Cyber Insurance Requirements in 2026: What Insurers Actually Want
Premiums are rising and underwriters are getting stricter. Exactly what controls, documentation, and evidence you need to get covered — and keep costs down.