FACGFACG
Insights
Insights

Plain-English writing on the things that matter.

No vendor word salad. Practical writing from the team that does the work, on the topics our clients keep asking about.

ComplianceCyber securityCloudIncident responseAI
What ISO 27001:2022 actually changed (and what it didn't)
FeaturedCompliance 9 min read

What ISO 27001:2022 actually changed (and what it didn't)

The 2022 revision is widely misunderstood. We unpack the new Annex A, the four themes, the 11 new controls and what it really means for organisations recertifying in 2026.

Read the article

More from the team

Five Microsoft 365 settings every UK business should turn on this week
Cyber security

Five Microsoft 365 settings every UK business should turn on this week

Conditional Access, Defender for Office 365 anti-phishing, Safe Links, audit log retention and Sign-in risk policies. Free to enable on most plans, ten minutes each, huge security uplift.

April 2026 6 min read
FinOps for founders: cutting your Azure bill without slowing the team down
Cloud

FinOps for founders: cutting your Azure bill without slowing the team down

A pragmatic checklist for reducing cloud spend by 20 to 35 percent in the first 60 days, written for technical founders who do not want a consulting engagement.

March 2026 8 min read
Anatomy of a modern business email compromise attack
Incident response

Anatomy of a modern business email compromise attack

Step by step, with the actual artefacts and timestamps from a real (anonymised) incident we contained for a UK property client last quarter. Plus the controls that would have stopped it on day one.

March 2026 11 min read
Cyber Essentials Plus: the 12 things that fail organisations on first attempt
Compliance

Cyber Essentials Plus: the 12 things that fail organisations on first attempt

We have led over 60 CE Plus assessments. These are the recurring failures we see, ranked by how often they sink an audit, with practical fixes you can apply this afternoon.

February 2026 7 min read
How to actually measure security: a board-ready KPI and KRI sheet
Cyber security

How to actually measure security: a board-ready KPI and KRI sheet

A one-page set of operational and risk indicators we use with our clients. You can copy it, adapt the thresholds and start reporting against it next quarter.

February 2026 5 min read
AI assistants in the back office: where the ROI is actually real
AI

AI assistants in the back office: where the ROI is actually real

Where retrieval-augmented chat, document intelligence and copilots are paying back for finance, HR and customer support teams today, with examples and rough payback numbers.

January 2026 8 min read

Want one short, useful email a month?

No marketing, no sales scripts. Just the most useful thing our team published or learned that month.

Subscribe via the contact form