For Professionals

Practitioner-level GRC and compliance content written from the assessment floor. ISO 27001, PCI DSS, SWIFT CSP, IT Audit, Risk Governance, Compliance Insights and a lot more — for compliance teams, auditors, consultants and security professionals, from large enterprises and banks to small firms and entities.

  • 11 articles published
  • 19+ SWIFT CSP assessments
  • 27+ PCI DSS ROCs
  • 35 ISO 27001 engagements

Working on a compliance engagement?

Independent assessment support from someone who has completed multiple engagements across banks and NBFIs.

  • Pre-assessment gap review
  • Evidence preparation support
  • Assessor-side perspective
  • ISO 27001, PCI DSS, IT Audit, SWIFT CSP
Response within 12 hours
Latest Articles (11 total)
network-security · 11 min read
How Does a Firewall Work — And What Auditors Actually Check When They Assess One
Three years ago I raised a PCI DSS finding on a bank that the IT team did not take well.
April 30, 2026
ISO 27001 · 13 min read
ISO 27001 Scope Definition: The Decision That Makes or Breaks Your Certification
The certification audit was three hours old when the auditor stopped. The scope statement listed a data centre address that didn't match the site we were standi
April 8, 2026
IT / IS Audit · 14 min read
How to Write IT Audit Findings That Management Actually Acts On
I documented 14 critical observations in a single engagement. The auditee looked at the draft report and told me clearly: he was not presenting 14 findings to m
April 8, 2026
PCI DSS · 14 min read
PCI DSS v4.0.1: What Actually Changed in Real Bank Assessments After March 2025
The evidence package arrived on a Tuesday. Seventeen folders, meticulously labelled — policies, network diagrams, scan reports. By Thursday, three of those fold
April 8, 2026
Risk & Governance · 12 min read
How to Build a Risk Register That Actually Drives Decisions
I walked into the risk management review and the register had 212 rows. Forty-seven columns. A colour-coded heat map that required a legend to read. The risk ow
April 8, 2026
SWIFT CSP · 11 min read
How to Become a SWIFT CSP Assessor: The Complete Career Path
Every year, thousands of banks and financial institutions are required to submit an independently assessed attestation against the SWIFT Customer Security Progr
March 27, 2026
SWIFT CSP · 15 min read
I Passed the SWIFT CSP Assessor Exam in Two Weeks. Here's Exactly How.
Before anything else: this is not a general guide assembled from official documentation. This is the exact preparation method I used to pass the SWIFT CSP Asses
March 26, 2026
SWIFT CSP · 10 min read
SWIFT CSCF Mandatory vs Advisory Controls: What the Difference Actually Means for Your Assessment
Every bank preparing for a SWIFT CSP independent assessment eventually hits the same question: does it matter if a control is advisory?
March 26, 2026