Security Program & Risk

Governance, risk, and compliance done as engineering: NIS2, DORA, ISO 27001, SOC 2, GDPR, risk assessment, and business continuity, with the audit as a by-product.
21 articles
01
Security Program & Risk
The NIST AI Risk Management Framework (AI RMF) explained
The NIST AI RMF is the leading voluntary framework for managing AI risk. This is what it is, its four core functions, and how to use it alongside the EU AI Act and ISO 42001.
June 13, 2026
11 min read
02
Security Program & Risk
AI governance: framework, documentation, and how to start
AI governance is how an organization controls the AI it builds and uses. This is what it covers, the documentation it requires, and a practical way to start.
June 13, 2026
11 min read
03
Security Program & Risk
The EU AI Act explained: risk tiers, obligations, and timeline
The EU AI Act is the first comprehensive law governing artificial intelligence. This is how its risk tiers work, what high-risk providers must do, the timeline, and the penalties.
June 14, 2026
12 min read
04
Security Program & Risk
ISO 42001: the AI management system standard, explained
ISO 42001 is the first certifiable standard for an AI management system, the AI equivalent of ISO 27001. This is what it covers, who needs it, and how it fits with the EU AI Act.
June 14, 2026
11 min read
05
Security Program & Risk
Shadow AI: the risk of unsanctioned AI use, and how to manage it
Shadow AI is the unsanctioned use of AI tools by employees, and it is one of the fastest-growing data risks. This is why it happens, the risks it creates, and how to manage it.
June 14, 2026
11 min read
06
Security Program & Risk
What is a virtual CISO (vCISO), and when do you need one?
A virtual CISO gives you senior security leadership on a fractional basis. Here is what the role covers, how it differs from a full-time CISO or a consultant, and the situations where it is the right choice.
June 11, 2026
9 min read
07
Security Program & Risk
NIS2 explained: who is in scope, what it requires, and the deadlines
NIS2 raises the cybersecurity baseline across 18 sectors of the EU economy, and it holds management personally accountable. Here is who it covers, what it demands, and what to do now.
June 10, 2026
15 min read
08
Security Program & Risk
Risk assessment: how to run one step by step
A risk assessment is the foundation of any serious security program. Without it you invest at random. Here is how to run a risk assessment step by step and turn it into a plan.
Jun 16, 2026
12 min read
09
Security Program & Risk
Cyber risk management: from assessment to decision
A risk assessment tells you where you are exposed. Risk management is what you do about it. Here is how to run risk as a continuous process, not a one-off document.
Jun 16, 2026
12 min read
10
Security Program & Risk
Business continuity and disaster recovery (BCP and DR)
When a system goes down, the question is not whether but how fast you get back to work. Here is what a business continuity plan and a disaster recovery plan are, and how to build them.
Jun 16, 2026
12 min read
11
Security Program & Risk
Vendor risk management (third-party risk)
Your security is only as strong as your vendors' security. Here is why third-party risk keeps growing, and how to manage it before a partner's weakness becomes yours.
Jun 16, 2026
11 min read
12
Security Program & Risk
ISMS: the information security management system
An ISMS turns security from a pile of tools into a system you can actually manage. Here is what an ISMS is, what it rests on, and why it is the heart of an ISO 27001 certificate.
Jun 16, 2026
12 min read
13
Security Program & Risk
ISO 27001 Annex A: 93 controls in four themes
Annex A is the catalog of security controls that ISO 27001 relies on. Here is how it is organized into four themes, what the controls cover, and how you choose the ones that apply to you.
Jun 16, 2026
11 min read
14
Security Program & Risk
The Statement of Applicability (SoA) in ISO 27001
The Statement of Applicability is one of the most important documents in ISO 27001. Here is what the SoA contains, why auditors look at it first, and how to produce one correctly.
Jun 16, 2026
11 min read
15
Security Program & Risk
DORA compliance checklist for financial entities
DORA has applied across the EU financial sector since January 2025. It rests on five pillars. This checklist turns them into concrete work you can assign and track.
May 22, 2026
13 min read
16
Security Program & Risk
NIS2 vs DORA: which one applies to you?
Two EU cybersecurity rules, overlapping but not identical. NIS2 is broad. DORA is the financial sector specialist. Here is how to tell which governs your organization.
May 20, 2026
13 min read
17
Security Program & Risk
ISO 27001 certification: the engineering path to the certificate
ISO 27001 certifies that you manage information security as a governed, ongoing process. Here is what it involves, how the certification runs, and why the security has to come before the certificate.
May 18, 2026
13 min read
18
Security Program & Risk
SOC 2 compliance: a technical readiness guide
A SOC 2 report tells customers you have security controls and follow them. Here is what the report covers, the difference between Type I and Type II, and how to get ready without faking it.
May 12, 2026
12 min read
19
Security Program & Risk
SOC 2 vs ISO 27001: which should you do first?
Both prove you take security seriously. One is a US attestation, the other an international certification. The right first move depends on who you sell to. Here is how to choose.
May 10, 2026
13 min read
20
Security Program & Risk
SOC 1 vs SOC 2 vs SOC 3: what is the difference?
Three reports, one confusing naming scheme. SOC 1 is about financial controls, SOC 2 about security, SOC 3 about showing the world. Here is which one a customer is actually asking for.
May 8, 2026
13 min read
21
Security Program & Risk
SOC 2 is a floor, not a finish line
A clean report tells a customer you have controls. It does not tell an attacker to stay out.
Apr 16, 2026
11 min read