Core Considerations For Achieving Cyber Security Compliance
CyberKainos
Information security compliance standards help protect organisations from cyber attacks. They also give customers confidence that their personal data is being handled responsibly. If an organisation takes payments, or holds or processes personal data, it will need to demonstrate its competence to do so to at least one regulator or assessor, usually on an annual basis.
Some of these regulations and standards are very familiar, like the GDPR or ISO 27001, while others are less well known. If you do not work in banking or finance, for example, the acronym DORA (the EU's Digital Operational Resilience Act) is unlikely to mean anything to you.
In this blog, we will look at the basic principles of cyber security compliance. We will also explain how automation can help start or improve a compliance programme without hiring more staff or increasing costs.
The building blocks of cyber security compliance
How many of these do you have in place?
Being compliant means an organisation’s cyber security actions, policies, assessments, and risk management controls meet the framework requirements laid out by a regulator or assessor.
There are multiple compliance standards in the UK around information security, but there is one principle that applies to them all: controls and processes must be in place to address data confidentiality, integrity, and availability (known as the CIA triad). As a starting point, it is important that organisations can:
1. Demonstrate good cyber hygiene:
Like most thefts, most cyber attacks are not complex in nature. They usually succeed because an error or oversight presented an opportunity. The good news is that the vast majority can be mitigated by implementing some fundamental controls, which overlap closely with the five controls of the UK Cyber Essentials scheme. If you cannot show that these basic controls are in place, meeting any compliance standard will be difficult.
- Have an up-to-date malware protection and patching programme (in 2025, 77% of organisations do this)
- Have formal password policies in place (in 2025, 52% of organisations do this)
- Network firewalls are in use (in 2025, 72% of organisations do this)
- Data is backed up securely (in 2025, 71% of organisations do this)
- Staff training and processes are in place for reporting phishing emails (in 2025, 76% of organisations do this)
- Admin rights are restricted (in 2025, 68% of organisations do this)
Source: 'Cyber security breaches survey 2025'. Department for Science, Innovation and Technology, April 2025.
2. Effective risk management and supply chain monitoring:
Another key requirement of many compliance standards is being able to demonstrate an awareness of the security risks your organisation faces. This includes documenting the steps taken to reduce those risks, and what you will do if or when they materialise.
Risk takes many forms, but assessors will look for evidence of preparation and mitigation in the key areas below, again with data confidentiality, integrity, and availability in mind:
- You have written incident response plans for different situations, and you exercise them. This means that if unauthorised access to a network is detected, or a service is compromised, your teams already know how to respond and who to contact, rather than reading the plan for the first time during the incident.
- You have conducted risk assessments that cover cyber security and your information handling practices. (In 2024, just 31% of organisations did this.)
- You have reviewed the risks posed by your immediate suppliers and partners. Weak cyber security in your supply chain can allow bad actors to use a supplier as a route into your systems. You need to know who in your supply chain is taking data confidentiality, integrity, and availability seriously, so that their problems do not become yours. (In 2024, just 14% of organisations did this.)
Source: 'Cyber security breaches survey 2025'. Department for Science, Innovation and Technology, April 2025.
3. Board engagement and good corporate governance
In any business, an ever-improving, positive security culture is almost impossible to achieve without buy-in from leadership. Information security standards will ask for clear ownership and responsibility at board level when it comes to securing data and preventing cyber attacks.
However, while 72% of organisations say cyber security is a “high priority” for them, only 27% have a board member with responsibility for cyber security. Additionally, only 42% actively seek outside information or help on cyber security issues.
Source: 'Cyber security breaches survey 2025'. Department for Science, Innovation and Technology, April 2025.
Manual processes: a key reason organisations struggle with cyber security compliance
From the numbers above, we can see it is a mixed picture in the UK when it comes to implementing effective risk awareness and controls. Some organisations are clearly very good at it, others are having a hard time. There is often a common reason for this. Those who struggle tend to rely on manual processes, which causes issues with communication, reporting, staying on top of changing policies, and task duplication.
- Communication: A common tool used by organisations who rely on manual processes to track compliance and business continuity actions is Excel, purely because they do not have anything else to use. While a useful tool for many situations, Excel does not help teams communicate clearly and offers very little in the way of tracking or version control.
- Reporting: Even if teams have been able to source and input all the required information accurately, they will inevitably have to create reports for leadership. The problem is that cyber security moves quickly, and teams simply do not have the time to update these large Excel sheets on a regular basis.
- Changing policies: Compliance frameworks like the NIST Cybersecurity Framework, ISO 27001 and PCI DSS are revised to reflect emerging risks (all three were issued in new major versions between 2022 and 2024). It is unrealistic to expect internal teams to keep track of, understand, and share every update using a spreadsheet that can run to hundreds of lines without errors creeping in.
- Duplication of tasks: Different information security standards will have overlapping requirements. We regularly see scenarios where different teams are repeating tasks for individual standards that should only have been done once, because they do not know where these overlaps are.
How automating IT compliance can help to remove these pain points
The good news is that AI-driven automation has arrived. Platforms like Aegis give compliance teams up to 50% of their time back by addressing these issues:
- Communication: Aegis stores everything you need to know about the state of your cyber posture and supplier risks in one place. Updates are immediate and sharing is straightforward.
- Reporting: Your teams can use Aegis to create and share detailed dynamic reporting on demand. Your leadership or assessors no longer need to wait until the next month or quarter to see progress, everything is updated in real time.
- Policy updates: Aegis informs your teams about upcoming changes to compliance standards. It will also alert them if a new third-party risk is found, saving time that would have been spent researching or checking updates from multiple sources.
- Duplication of tasks: AI automation helps your teams find useful existing assets. These include vulnerability scanning reports, third-party risk assessments, and inventory mapping exercises which can often be used in multiple submissions.
Embracing AI-driven automation for information security compliance is a smart decision for IT departments. With immediate time and cost savings available, everything you need in one place, and a reduction in errors through the removal of many manual tasks, the way cyber security compliance is managed is about to undergo a significant and positive evolution.
To learn more about the Aegis platform or to book a demonstration, contact CyberKainos.