Cyber Horizon Blog
GRC insights & guides
Practical compliance guides, security frameworks explained, and risk management insights — written by practitioners, for practitioners.
One Control, Many Frameworks: How Crosswalk Mapping Cuts Compliance Work
You’re not managing 72 frameworks — you’re managing one control set that 72 frameworks ask about differently. How crosswalk mapping makes evidence count everywhere.
NYDFS Part 500: A Cybersecurity Compliance Guide for Financial Services
New York’s 23 NYCRR Part 500 sets binding cybersecurity rules for licensed financial firms. The core requirements, the Amendment 2 changes, and how to comply.
SWIFT Customer Security Programme (CSP): What Institutions Must Do
The SWIFT CSP and its Customer Security Controls Framework set mandatory controls for everyone on the network — attested annually and independently assessed.
EU AI Act: A Practical Compliance Guide for 2026
The world’s first comprehensive AI law is here. Understand the four risk tiers, who counts as a provider vs deployer, the obligations for high-risk systems, and the deadlines to plan for.
ISO 42001: Building an AI Management System
The first certifiable standard for AI management systems. What an AIMS covers, how it relates to ISO 27001 and the EU AI Act, and a practical path to certification.
CMMC 2.0: A Defense Contractor’s Roadmap
Cybersecurity is now a contractual gate for US Department of Defense work. The three levels, how Level 2 maps to NIST 800-171, and how to reach certification.
The Essential Eight Explained: Australia’s Cyber Baseline
Australia’s prioritised baseline of eight mitigation strategies. The controls, the four maturity levels, and how to lift all eight to the level you need.
HITRUST CSF: The Healthcare Security Certification Explained
HIPAA tells you what to protect; HITRUST certifies that you do. The three assessment types (e1/i1/r2), how it harmonises HIPAA, NIST and ISO, and how to certify.
ISO 27701: A Privacy Extension to Your ISMS
ISO 27701 extends ISO 27001 into a Privacy Information Management System. What it adds for controllers and processors, how it maps to GDPR, and how to certify on top of your ISMS.
FedRAMP Authorization: A Guide for Cloud Providers
FedRAMP is the gateway to selling cloud services to US federal agencies. The impact levels, the two authorization paths, and what the journey actually involves.
ISO 22301: Business Continuity Management That Works
The international standard for business continuity. The BIA, RTO and RPO, continuity strategies, and how to build a BCMS you can actually rely on under disruption.
NIST 800-171: Protecting Controlled Unclassified Information
The control set behind CMMC Level 2. The 14 families, the SPRS score, the mandatory SSP, and how to close the gaps and keep your score defensible.
SOC 1 vs SOC 2: When You Need a Financial-Controls Report
SOC 2 is about security; SOC 1 is about controls that affect your customers’ financial reporting. When you need a SOC 1, how it differs, and how to prepare for both.
MAS TRM: Singapore’s Technology Risk Guidelines Explained
The Monetary Authority of Singapore’s expectations for financial institutions — governance, resilience, access and third-party risk — and how to operationalise them with evidence.
CIS Controls v8: A Prioritised Path to Cyber Hygiene
The CIS Critical Security Controls distil cyber defence into 18 prioritised controls and three Implementation Groups. Where to start with IG1 and how to scale to IG2/IG3.
India’s DPDP Act: A Practical Compliance Guide
The Digital Personal Data Protection Act gives Indian data principals new rights and data fiduciaries new duties. What it requires, how it compares to GDPR, and how to comply.
Korea ISMS-P: The Combined Security & Privacy Certification
ISMS-P is South Korea’s integrated information-security and privacy certification — mandatory for many operators. Who must certify, how the scheme is structured, and how to prepare.
HIPAA Compliance for Health-Tech Companies: A Practical Guide
There is no “HIPAA certification” — but your healthcare customers will require a compliant programme. Covered entities vs business associates, the three rules, BAAs, and the required risk analysis.
LGPD: Brazil’s Data Protection Law Explained
Brazil’s LGPD gives data subjects strong rights and imposes GDPR-style obligations, enforced by the ANPD. What it requires, its ten legal bases, and how it compares to GDPR.
NIST AI Risk Management Framework: Governing AI in Practice
The NIST AI RMF manages AI risk through four functions — Govern, Map, Measure, Manage. What it covers and how it complements the EU AI Act and ISO 42001.
PCI DSS 4.0: What Changed and How to Prepare
PCI DSS 4.0 is now fully in force. The customised approach, stronger MFA, client-side script protection, targeted risk analyses — what changed from 3.2.1 and how to prepare.
SOX IT General Controls (ITGC): A Guide for Public Companies
SOX requires reliable IT controls over systems that affect financial reporting. The four ITGC domains, what auditors test, and how to stay audit-ready year-round.
CCPA & CPRA: California’s Privacy Laws Explained
The CCPA, strengthened by the CPRA, gives Californians broad data rights and creates obligations for businesses worldwide. Who’s in scope, the rights, and how to comply.
How to Build a Cyber Incident Response Plan
The six phases, named roles, severity classification, scenario runbooks, and a communications plan — how to write an IR plan that works under pressure, not just on the audit shelf.
OWASP ASVS: A Standard for Application Security Verification
Beyond the Top 10: the Application Security Verification Standard gives you a testable checklist for building and verifying secure software, across three assurance levels.
CSA STAR: Cloud Security Assurance Explained
The Cloud Security Alliance STAR programme lets providers demonstrate security against the Cloud Controls Matrix. The levels, the CAIQ, and how to use it.
Cyber Essentials & Cyber Essentials Plus: A UK Guide for 2026
The UK NCSC-backed scheme explained — the five technical controls, the difference between Cyber Essentials and Plus, why it matters for public-sector contracts, and how to certify.
Replacing the GRC Point-Tool Stack: A Consolidation Guide
Most teams run a compliance tool, a vendor-risk tool, a threat feed and a pile of spreadsheets. How to consolidate onto one shared data model without losing capability — or evidence.
GDPR for SaaS in 2026: A Practical Compliance Guide
Controller vs processor, lawful basis, DPAs and sub-processors, data subject rights, international transfers, and breach notification — what a SaaS team actually needs in place.
Building Your First Risk Register: A Step-by-Step Guide
What to capture, how to score inherent vs residual risk, the four treatment options, and how to keep a register alive instead of letting it rot in a spreadsheet.
Penetration Testing vs Vulnerability Scanning: What’s the Difference?
Often confused, frequently conflated in contracts. What each does, why you need both, how often to run them, and what the frameworks actually expect.
SOC 2 Type I vs Type II: Which Do You Need?
Type I tests control design at a point in time; Type II tests how controls operate over months. The real difference, which to get first, and how to plan the observation window.
Security Questionnaires: How to Answer Them 10× Faster
SIG, CAIQ and bespoke questionnaires drain your team and stall deals. Build an answer library, map it to your controls, and respond in hours instead of weeks.
A CISO's Guide to Board Reporting on Cyber Risk
What boards actually want, the metrics that land, what to leave out, and a reusable board-pack structure that earns budget instead of blank stares.
MITRE ATT&CK for Defenders: A Practical Primer
How tactics and techniques fit together, and how defenders use ATT&CK to map detection coverage, prioritise gaps, and run threat-informed defence.
Continuous Compliance: Moving Beyond Point-in-Time Audits
Annual audits prove you were compliant on one day. Continuous compliance proves you stay compliant every day — here is what it means and how to get there.
ISO 27001 vs SOC 2: Which Certification Should You Pursue First?
Both prove you take security seriously — but they serve different buyers and audits differently. Here is how to choose the right one first, and how to run them together without doubling the work.
How to Run a Cyber Tabletop Exercise: A Step-by-Step Guide
Tabletop exercises are the cheapest way to find gaps in your incident response before an attacker does. Here is how to plan, facilitate, and learn from one — with three ready-to-use scenarios.
Cyber Risk Quantification: Turning Your Risk Register into Financial Impact
Heat maps do not survive a board meeting. Learn how to express cyber risk in pounds and probabilities using FAIR — so you can prioritise spend and justify the budget.
DORA Compliance Guide 2026: What Financial Firms Must Do Now
The Digital Operational Resilience Act is now in force. Exactly what EU financial institutions need — ICT risk management, incident reporting, TLPT, and third-party oversight.
NIS2 Directive: A Complete Compliance Guide for 2026
NIS2 expands cybersecurity obligations to thousands more EU organisations. Understand scope, requirements, penalties, and how to build a compliant security programme.
SOC 2 Compliance for Startups: A Complete Guide for 2026
Everything you need to know about getting SOC 2 Type II certified — from scoping your first audit to choosing the right tools, without the six-figure consultant bill.
ISO 27001:2022 Implementation Guide: From Zero to Certified
A practical step-by-step guide to implementing ISO 27001:2022 — the updated Annex A controls, the Statement of Applicability, and how to prepare for certification audit.
AI in GRC: How Artificial Intelligence is Transforming Risk and Compliance
From automated evidence collection to AI-powered risk scoring, explore how leading security teams are using AI to do more with less — and where the limits still are.
NIST CSF 2.0: A Practical Guide for Small and Medium Businesses
The updated NIST Cybersecurity Framework is more accessible than ever for SMBs. Here is how to implement it without a dedicated security team.
Third-Party Vendor Risk Management: A Practical Guide for 2026
Supply chain attacks are the fastest-growing threat vector. Here is how to build a vendor risk programme that actually identifies and reduces third-party risk.
Cyber Insurance Requirements in 2026: What Insurers Actually Want
Premiums are rising and underwriters are getting stricter. Exactly what controls, documentation, and evidence you need to get covered — and keep costs down.