Ffion

Hey everyone, I'm currently reviewing approaches to ISO 27001 Annex A 6.1 screening and it’s interesting to see how differently organisations interpret the ongoing/periodic aspect of people screening. I’ve seen some organisations take a broad approach across all employees, while others seem to align it more closely to role sensitivity, access levels, or overall risk exposure. There also appears to be quite a bit of variation in how these expectations are documented internally, whether through contracts, onboarding processes, policies, or elsewhere. I would be interested to hear how others have approached this in practice, particularly what has worked well operationally and during audits.

Hi all, quick question on the upcoming Cyber Essentials changes, specifically around MFA 🔐 I understand MFA is already required, but the updated wording seems stricter:

I’m trying to clarify what “offered as a paid option” really means in practice. Does this imply organisations are expected to upgrade to higher-tier plans purely to enable MFA? In a lot of cases, MFA isn’t included in standard plans and requires a fairly significant cost jump to access it. It would be useful to understand whether that scenario is now effectively mandatory under CE. Appreciate any insight from anyone who’s looked into this, thanks!