Compliance Guides: Step-by-Step Implementation

A practical walkthrough for organisations beginning their ISO 27001:2022 journey. This guide covers scoping, risk assessment, control selection, and the path to certification audit, giving compliance teams a clear roadmap from day one.

This guide walks compliance and quality teams through the implementation of an ISO 9001:2015 Quality Management System. It covers the process approach, documentation requirements, internal auditing, and strategies for continual improvement.

A starter guide for building a Business Continuity Management System aligned with ISO 22301. Covers Business Impact Analysis, recovery strategy development, and the importance of regular testing and exercising.

ISO 42001 is the first international standard for AI Management Systems. This guide explains its structure, core requirements, alignment with the EU AI Act, and how organisations can pursue certification to demonstrate responsible AI governance.

The NIST Cybersecurity Framework 2.0 introduces the Govern function and expanded guidance for all organisations. This guide covers what changed from version 1.1, how to build Current and Target Profiles, and a practical adoption roadmap.

The CIS Controls v8 provide a prioritised set of cybersecurity actions organised into Implementation Groups. This guide explains how to assess your organisation's group, select appropriate controls, and build a phased implementation plan.

The Australian Signals Directorate's Essential Eight strategies provide a baseline of cyber defence for Australian organisations. This guide covers all eight strategies, the maturity model levels, and practical steps to achieve compliance.

NIST SP 800-53 Revision 5 provides a comprehensive catalog of security and privacy controls for federal information systems. This guide explains control families, baselines, the tailoring process, and alignment with FISMA compliance requirements.

Preparing for a SOC 2 Type II audit requires careful planning, robust evidence collection, and a thorough readiness assessment. This guide provides a structured checklist covering Trust Services Criteria, evidence requirements, and the differences between Type I and Type II reports.

A well-structured internal audit programme is essential for maintaining management system compliance and driving improvement. This guide covers audit planning, auditor competence requirements, handling nonconformities, and implementing effective corrective actions.

The General Data Protection Regulation remains one of the most consequential privacy laws globally. This guide provides practical implementation steps covering lawful bases for processing, data subject rights, Data Protection Impact Assessments, and breach notification procedures.

California's consumer privacy laws, the CCPA and its amendment the CPRA, create significant obligations for businesses handling California residents' personal information. This guide covers consumer rights, opt-out requirements, data inventory, and service provider contract requirements.

A Privacy Impact Assessment (PIA) helps organisations identify and mitigate privacy risks before they materialise. This beginner-friendly guide provides a step-by-step template for conducting PIAs, including risk identification, mitigation planning, and documentation best practices.

The COSO Enterprise Risk Management framework integrates risk management with strategy and performance. This guide covers risk appetite, strategy integration, building a risk-aware culture, and the role of board oversight in effective ERM implementation.

Many organisations manage governance, risk, and compliance in silos, creating inefficiency and blind spots. This guide explains how to build an integrated GRC programme that unifies policy management, control frameworks, and reporting into a cohesive system.

Third-party relationships introduce risks that organisations cannot ignore. This guide covers due diligence processes, vendor questionnaire design, ongoing monitoring strategies, and contractual controls that protect your organisation throughout the vendor lifecycle.

HIPAA compliance requires covered entities and business associates to implement administrative, physical, and technical safeguards for protected health information. This guide covers the Security Rule, Privacy Rule, breach notification requirements, and Business Associate Agreement essentials.

As organisations migrate to the cloud, maintaining a strong security posture becomes both more important and more complex. This guide covers the shared responsibility model, identity and access management, encryption strategies, and continuous monitoring approaches for cloud environments.

PCI DSS 4.0 introduces the Customised Approach, stronger authentication requirements, and expanded e-commerce protections. This guide covers the major changes from version 3.2.1, the transition timeline, and practical preparation steps for merchants and service providers.

APRA CPS 230 sets new expectations for operational risk management in Australian financial services. This guide covers the standard's requirements for operational resilience, critical operations identification, service provider management, and testing obligations.

The EU AI Act is the world's first comprehensive AI regulation, establishing a risk-based framework for AI systems in the European Union. This guide covers risk classification, obligations for high-risk AI, prohibited practices, and the conformity assessment process for providers.

The NIST AI Risk Management Framework provides a voluntary, flexible approach to managing AI risks. This guide covers the framework's structure, the Govern function, trustworthy AI characteristics, and practical approaches to addressing bias and fairness in AI systems.

ESG reporting is rapidly shifting from voluntary disclosure to mandatory compliance in many jurisdictions. This guide covers the ISSB standards, EU Corporate Sustainability Reporting Directive, climate disclosures, and the concept of double materiality.